What You Can Learn from Pfizer’s Cybersecurity Practices

Faced with the same cybersecurity risks all industrial firms now battle, the pharmaceutical company addresses both technical and cultural challenges.

Because smart manufacturing can't even leave the garage if it isn't secure, Jim LaBonty, director of global automation at Pfizer Global Engineering, led off the Life Sciences Forum at the 2016 Automation Fair® event in Atlanta last November by detailing how Pfizer approaches cybersecurity.

"When we talk about security risks, it's not a matter of when, but rather how, one contains and limits the impact of a cybersecurity risk to industrial manufacturing," says LaBonty. "Every challenge to devices, applications, computers, networks and physical facilities is serious and needs to be considered when protecting plants and manufacturing sites.

“The key takeaway is that no single product, methodology or technology can secure today's manufacturing control system applications. We need to collectively work together on all aspects, such as patching software and running antivirus programs, to make sure we've established integrated layers of defense," he adds.

LaBonty reports that a war on automation infrastructures is underway, and that external intrusions and attacks have been ramping up for the past 10 years. However, he adds that control systems no longer can rely on their historically physical isolation, because so many now have links to higher-level enterprise systems and the Internet to get useful data out. Unfortunately, this creates security vulnerabilities that must be managed.

"Pfizer isn't perfect when it comes to cybersecurity, but we're working with our plant sites to establish these secure layers," he explains. "We're finding that they have different levels of security capabilities, but we also know this is a continuous process for everyone. This is because intrusions and cyberattacks are growing increasingly sophisticated.

“In fact, the number of attempted cyberattacks on most manufacturing sites — including Pfizer's — is now in the millions per day, so we've got to get cybersecurity infrastructures in place from our global networks down to the plant floor,” LaBonty adds. “Our initial cybersecurity designs were usually two network interface cards (NICs), Ethernet and servers, but we've been updating them to better designs."

More Threats to Control

As if the existing security situation wasn't dire enough, LaBonty reports that traditional hackers increasingly are joined by nation-states bankrolling teams of attackers breaking into corporate networks down to their lowest levels, mostly to discredit and disrupt their brands.

"Control systems must establish Defense-in-Depth (DiD), but they can also look at sending network logs and data back up to users for inspection," says LaBonty. "This can be very helpful because it lets users see if anything has changed or gone wrong at the control level, which is a huge advantage.

 “We've rigorously added another layer with secure zones protecting each business asset from the others. These secure areas are divided by purpose-built firewall gateways.” — Jim LaBonty, Pfizer Global Engineering

“DiD strategies can also define authorized traffic, so, at Pfizer, we use a series of firewalls as our network goes down to the controls level, where there are more secure zones. Firewalls aren't too costly, and they can pay for themselves quickly. We're also using software to analyze network traffic patterns, which gives good indications when something or someone is trying to transgress and is a proactive indicator of what to investigate," he notes.

Share and Aware

Beyond these technical fixes, LaBonty reports that manufacturers, system integrators, suppliers and contractors must share their cybersecurity knowledge so they can develop and present a unified response to probes, intrusions, threats and attacks.

"Awareness by everyone is the key, because we're only as secure as our weakest link," he says. "Our older networks just had one firewall between IT and the production levels below, but, behind this castle-and-drawbridge, there was a free-for-all of data going everywhere. So we've rigorously added another layer with secure zones protecting each business asset from the others. These secure areas are divided by purpose-built firewall gateways, such as the Allen-Bradley® Stratix® 5950 security appliance from Rockwell Automation. We also segmented a lot of older equipment away from our newer systems and devices."

Similar to physical networks, LaBonty notes that cybersecurity also requires users to decide on and establish clear demarcation lines between their site automation teams and their IT counterparts.

"It’s good for security to establish clear roles and responsibilities, and it also helps when different players need to talk to each other," he adds. "This demarcation is also important because Pfizer outsources a lot of IT, and they're not familiar with our individual sites. So we definitely don't want them trying to manage any production because they don't know the ramification of their actions."

Be Mindful of Easy Entry Spots

Finally, personnel and organizational issues like these are the most important cybersecurity issues for process control and automation users and suppliers to solve, according to LaBonty.

"The easiest and most popular ingress for cyberattack is spearphishing, which tricks people into opening emails and clicking on links that download malware," he says. "So, educating workforces on policies and procedures to protect against these threats is also crucial."

Learn about Rockwell Automation Life Sciences Solutions.

The Journal From Rockwell Automation and Our PartnerNetwork™ is published by Putman Media, Inc.


Subscribe to Rockwell Automation and receive the latest news, thought leadership and information directly to your inbox.

Recommended For You