There are many factors that affect the success of pharmaceutical companies in today’s market — the ability to adjust manufacturing to meet fluctuating supply and demand, speed to market, development of novel therapeutics — to name a few. One factor, however, that is often not considered at all, or at least until it is too late, is cybersecurity.
Cybersecurity seems to be a buzzword every year, however, the full implications of industrial cybersecurity for pharmaceutical applications are not yet widely considered. Yet, the number of industrial organizations experiencing incidents is steadily rising — 90% of organizations surveyed experienced at least one ‘damaging cybersecurity attack’ between 2017 and 2019.
Although the potential consequences of a cybersecurity incident are nothing new to pharma companies — who have been working to manage production downtime and proprietary information for decades — the continuing digitalization of industrial networks in pharma organizations has increased this exposure to all-time highs.
Managing cybersecurity effectively for industrial facilities requires more than just technical stop gaps, and a full program approach is needed to bring personnel and technical solutions together. Although investing time and energy into cybersecurity may feel like one task too many for an industry already facing shortages in skilled labor, investing time upfront will save many headaches and crucial hours of unexpected downtime in the future.
The cost of security incidents
The most common types of cybersecurity incidents for industrial systems include ransomware and data loss/theft, but in some cases the manipulation of physical systems has led to physical equipment damage and even longer outages.
The average ransomware incident in 2021 led to over 20 days of business interruption. Unlike traditional IT systems where information confidentiality is prioritized over availability and all other considerations, continued safe operations is the number one priority for pharma facilities. When considering the potential market impacts of lost production for a key drug product during peak demand, or the competitive advantage loss from delaying the rollout of a new treatment for nearly a month, it becomes easier to understand the potential costs of a cybersecurity event.
Although the availability of production systems is the number one concern for all industrial sites, pharma companies often face higher potential consequences than other industrial organizations due to lost or stolen data. Historian data and batch records provide critical information for determining the results of manufacturing trials and ensuring the safety of the patients using the treatments. Inability to verify operational conditions can lead to the loss of multiple batches and millions of dollars in lost product. The NotPetya cybersecurity incident in 2017 resulted in nearly $10 billion in total damages around the world, but one of the hardest hit companies was Merck with an estimated $870 million in damages.
In many cases, stolen data can be even more costly than lost data. In the highly competitive world of new drug development, confidential information about proprietary formulas and production methods, one ingredient or data point being leaked could mean the difference between a highly successful new drug and a failed startup or development program.
Starting the journey
The following five steps can help move any organization forward in their cybersecurity journey.
- Make a plan: Defining an organization’s cybersecurity objective, management structure, and overall approach is the first step towards improving cybersecurity outcomes.
- Conduct training: The next step is conducting training on the new cybersecurity management practices and industrial cybersecurity awareness for employees to develop an understanding of why cybersecurity activities are critical to ongoing safe and successful operations.
- Assess risks: Identifying the current state of the industrial network architecture and connected assets is the first part of identifying risks. From there, conducting a cybersecurity risk assessment to identify potential pathways for attackers and consequences of an incident ensures that mitigative controls are applied where they are needed most.
- Implement controls: After identifying the highest risk assets and scenarios, cybersecurity measures such as effective network segmentation, basic system hardening, and improved cybersecurity monitoring can be implemented to improve the availability, integrity and confidentiality of the system.
- Track results: Tracking the results of the program over time and adjusting each of the earlier steps to improve the cybersecurity achieved within the organization helps to ensure a continued focus on cybersecurity and to implement real-world lessons learned.
Taking a holistic approach
When getting started with cybersecurity, leveraging the right references and standards can reduce development time and ensure that industry best practices are incorporated into the organizational approach.
ANSI/ISA-62443 standards set best practices for security and provide a way to assess the level of security performance by offering a series of requirements and methods to manage security challenges in industrial automation and control systems (IACS) and industrial environments.
The standards take a holistic approach to cybersecurity challenges, bridging the gap between OT and IT as well as between process safety and cybersecurity. A founding principle of the ANSI/ISA-62443 standards is the concept of shared responsibility as an essential building block of automation cybersecurity.
The ANSI/ISA-62443 series of standards includes multiple parts which provide additional context for the key steps above including:
2-1 Establishing an Industrial Automation and Control Systems Security Program: This standard describes the elements contained in a cybersecurity management system for use in the IACS environment and provides guidance on how to meet the requirements described for each element
3-2 Security Risk Assessment for System Design: This standard helps define a system under consideration (SUC) for an IACS, divide that system into zones and assess risk and security requirements for each zone.
3-3 System Security Requirements and Security Levels: This standard provides detailed technical control system requirements, including defining the requirements for control system capability security levels.
Ultimately, implementing an effective cybersecurity management system upfront can help to improve the resiliency of industrial pharmaceutical networks and prevent an unexpected cybersecurity incident leading to lost production, delays in new drug development, or the loss/theft of crucial operational and development data.