A Secure Supply Chain Starts at Home – and Encompasses All Partners
Of course, for any pharmaceutical company, the first link in a cyber-secure supply chain is their own infrastructure and core manufacturing sites. Internally, companies must take a risk-based approach to cybersecurity that follows global best practices, identifies priorities, and applies technologies, policies and procedures based on a defense-in-depth strategy.
Through a risk assessment, the pharmaceutical company will also establish the security level required for any contracted process.
The next hurdle is determining if the CMOs being considered share the pharmaceutical company’s cybersecurity posture – and apply the same level of rigor. Again, a cybersecurity risk assessment is the best way to assess the CMO’s security posture and achieve this goal. Ideally, the assessment should be conducted at the contract manufacturer’s site before any agreement is formalized.
Beyond defining a CMO’s overall security posture, an assessment will also identify gaps that could expose pharmaceutical business assets to risk. The pharmaceutical company next determines what solutions will mitigate that risk and adequately isolate the CMO’s system from its own – while still retaining visibility into critical processes or information. Appropriate solutions include network segmentation, purpose-built firewalls, secure remote access, security zones and other technologies.
Maintaining Compliance with Security Standards
Ultimately, the pharmaceutical company and the contract manufacturer must agree on the security standards to be followed. But as we all know, agreeing to standards and maintaining compliance with them can be two very different things.
Therefore, a risk-based approach to supply chain cybersecurity must extend to CMO system design, deployment and monitoring – and to the ownership of the manufacturing assets and information infrastructure. A pharmaceutical company has three choices for ownership, each carrying a different degree of associated risk:
- CMO owns the manufacturing assets and information infrastructure. This approach requires the lowest capital expenditure. But it also relies on the CMO having the expertise to maintain the appropriate security posture with limited oversight.
- CMO owns the manufacturing assets, while the pharmaceutical company retains ownership of the information infrastructure. This option minimizes capital expense by taking advantage of production assets in place. However, the pharmaceutical company retains ownership and management of the infrastructure, which is typically deployed via an industrial data center on a segmented network.
- Pharmaceutical company retains ownership of production assets and information infrastructure. In this scenario, the pharmaceutical company incurs higher capital costs – but gains a higher level of security assurance. The CMO provides only the production space and the personnel to run the equipment.