Protect Pharmaceutical Firms from Cyber Threats

Protect Pharmaceutical Firms from Cyber Threats

Digitization and connectivity can transform pharma operations, but first require a robust industrial-security strategy to safeguard intellectual property, product quality and more.

By Mark Cristiano, Network and Security Services business development manager, Rockwell Automation

Pharmaceutical producers are transforming their operations through digitization to improve competitiveness drastically. Access to more data and simpler control architectures can help improve changeover time and drive production toward operational excellence. Others are using a modern manufacturing execution system (MES) to help increase their number of batches processed by more than 50% or to go fully paperless.

We’ll likely see this trend continue as new regulations, such as anti-counterfeiting laws, push even more pharma producers to adopt connected and information-enabled operations.

But digitization in pharma can’t be discussed without also addressing industrial security. Already today, many pharmaceutical company leaders fear that greater connectivity will put their intellectual property and other sensitive information at risk. They also worry outsiders will interfere with production in ways that can compromise product quality.

While these concerns are well-founded, they needn’t stop digitization plans. By following established best practices and using industry resources, pharma firms can strengthen industrial-security strategies and better protect trade secrets, operations and products.

No Cure-All Solution

No lone security technology or technique can protect pharmaceutical operations from every threat.

You’d expect a bank to do more than simply lock its doors to protect not only its physical funds but also its sensitive data, such as customer financial information. So, shouldn’t a connected pharmaceutical operation — worth millions or billions of dollars — also take a multifaceted approach to protecting its physical and digital assets?

That’s the logic behind Defense-in-Depth (DiD) security. It assumes any one point of protection can and likely will be defeated, and thus uses multiple layers of protection. The security approach, recommended in the IEC 62443 standard series (ISA99), calls for deploying protective measures across six levels:

  1. Policies and procedures
  2. Physical
  3. Network
  4. Computer
  5. Application
  6. Device

A Prescription for Pharma

Jim LaBonty, director of global automation for Pfizer Global Engineering, has experience deploying comprehensive security in pharma operations. His company uses security zones, divided by purpose-built firewalls, to help protect business assets from each other. The company also segments older equipment away from newer systems and devices, and draws a line between automation and IT teams.

“It’s good for security to establish clear roles and responsibilities, and it helps when different players need to talk to each other,” he says.

He uses software that can analyze network traffic patterns. Anomaly-detection software, for example, can monitor traffic passively between industrial network assets and analyze communications at their deepest level. Detected anomalies can be reported to security or other personnel to help support efficient investigation, response or recovery efforts.

An industrial demilitarized zone is another key security measure for pharma. It establishes a barrier between the production and enterprise zones that restricts traffic from directly traveling between them.

Authentication, authorization and accounting software also can restrict who can access a network and what they can do on it, as well as provide a complete audit trail of their actions.

Where to Find Help

It can be easy to feel anxious or overwhelmed by industrial cybersecurity threats. Sometimes, just knowing where to begin is a challenge. Not to worry. Here are some resources available to help you:

  • Converged Plantwide Ethernet reference architectures offer guidance for creating future-ready network architectures while also addressing security risks.
  • Training and certification courses can equip IT and OT personnel with the skills to securely manage and administer networked industrial control systems.
  • Security services can help conduct security assessments and deploy new technologies, or even manage aspects of your security program on an ongoing basis.

Learn about Rockwell Automation Industrial Security Solutions.



The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.


Check Out the February Issue

The JOURNAL from Rockwell Automation and Our PartnerNetwork™ is a bimonthly magazine, published by Putman Media, Inc., designed to educate engineers about leading-edge industrial automation methods, trends and technologies.