Digitizing Pharma: Keep Industrial Security Threats in Check

Pharma producers are transforming their operations through digitization to drastically improve competitiveness.

Access to more data and simpler control architectures can help improve changeover time and drive production toward operational excellence. Others are using a modern MES to help increase their number of batches processed by more than 50 percent, or to go fully paperless.

We’ll likely see this trend continue as new regulations, like anti-counterfeiting laws, push even more pharma producers to adopt connected and information-enabled operations.

But digitization in pharma cannot be discussed without also addressing industrial security. Already today, many pharma companies fear that greater connectivity will put their intellectual property and other sensitive information at risk. And they worry that outsiders will interfere with production in ways that can compromise product quality.

While these concerns are well-founded, they needn’t stop your digitization plans. By following established best practices and using industry resources, you can strengthen your industrial-security strategy and better protect trade secrets, operations and products.

No Cure-All Solution

There is no lone security technology or technique that can protect pharma operations from every threat.

You’d expect a bank to do more than simply lock its doors to protect not only its physical funds but also its sensitive data like customer financial information. So shouldn’t a connected pharma operation – worth millions or billions of dollars – also take a multifaceted approach to protecting its physical and digital assets?

That’s the logic behind defense-in-depth security. It assumes any one point of protection can and likely will be defeated, and thus uses multiple layers of protection. The security approach, recommended in the IEC 62443 standard series (ISA99), calls for deploying protective measures across six levels:

1. Policies and procedures
2. Physical
3. Network
4. Computer
5. Application
6. Device

A Prescription for Pharma

At the 2016 Automation Fair^® event from Rockwell Automation, Jim LaBonty, director of global automation for Pfizer Global Engineering, spoke about deploying comprehensive security in pharma operations.

LaBonty mentioned his company uses security zones, divided by purpose-built firewalls, to help protect business assets from each other. Furthermore, he said the company segments older equipment away from newer systems and devices, and that lines must be drawn between automation and IT teams.

“It’s good for security to establish clear roles and responsibilities, and it helps when different players need to talk to each other,” he said.

LaBonty also talked about using software that can analyze network traffic patterns. Anomaly-detection software, for example, can passively monitor traffic between industrial network assets and analyze communications at their deepest level. Detected anomalies can be reported to security or other personnel to help support efficient investigation, response or recovery efforts.

An industrial demilitarized zone is another key security measure for pharma. It establishes a barrier between the production and enterprise zones that restricts traffic from directly traveling between them.

Authentication, authorization and accounting software also can restrict who can access your network and what they can do on it, as well as provide a complete audit trail of their actions.

Symptoms of Anxiety?

It can be easy to feel anxious or overwhelmed by industrial-security threats. Sometimes, just knowing where to begin is a challenge. Not to worry. There are plenty of resources available to help you, including the following:

• Converged Plantwide Ethernet reference architectures offer guidance for creating future-ready network architectures while also addressing security risks.
• Training and certification courses can equip your IT and OT personnel with the skills they need to securely manage and administer networked industrial control systems.

Security services can help you conduct security assessments and deploy new technologies, or even manage aspects of your security program on an ongoing basis.

To learn more about these resources, visit our industrial-security web page.

Automation Fair is a trademark of Rockwell Automation Inc.