Introduction
Innovation in new drugs, treatments, and therapies is crucial. Consequently, research and development (R&D) data has become a high-value target for cybercriminals. The most representative example is the rollout of COVID-19 vaccines and other breakthroughs in life sciences, which significantly increased the risks of cyberattack faced by the pharmaceutical industry. Attackers may attempt to steal critical research data or disrupt production processes during vaccine development and distribution phases.
As pharmaceutical companies move towards continuous manufacturing, they have made progress in enhancing production efficiency and quality control. These companies now rely on highly integrated automated systems and data analytics tools, including Manufacturing Execution Systems (MES), public cloud services, and interconnected manufacturing environments on the factory floor. This connectivity not only increases potential entry points for cyberattacks but also requires systems to operate continuously and maintain high stability. Any system failure or malicious attack could interrupt continuous production, leading to product quality issues and supply chain disruptions, ultimately resulting in significant losses.
Given the direct impact of pharmaceuticals on human health, governments worldwide impose strict regulations on drug development and production. In the United States, the FDA’s “Pharmaceutical cGMPs for the 21st Century,” introduced in 2002, brought in the concept of risk management, emphasizing that regulatory and control measures should correspond to risk levels to ensure drug quality and safety. This article primarily focuses on current cyber threats and challenges and explores ways to mitigate these risks.
Key Cyber Risks in Pharma Manufacturing
Ransomware Attacks
The pharmaceutical industry is particularly vulnerable to ransomware attacks, which typically encrypt critical production data and demand ransom. The 2017 NotPetya attack on Merck serves as a chilling warning, having caused months of operational disruption and highlighting how the convergence of IT and Operational Technology (OT) has made factory systems new targets for attacks. The NotPetya malware initially gained access through the update process of Ukrainian tax software MEDoc. It then spread across networks using the EternalBlue SMBv1 vulnerability. Additionally, it employed other propagation techniques to infect even patched computers, such as using a modified version of Mimikatz to extract user passwords from the LSASS (Local Security Authority Subsystem Service) process. The malware was designed to spread rapidly through networks without user interaction, sometimes shutting down computers within minutes.
Once executed, it overwrote the master boot record, preventing system boot. Although the ransom note demanded payment for decryption, NotPetya appeared to be purely destructive. The damage it caused was irreversible, fundamentally erasing files with no hope of recovery. Once hackers successfully infiltrate manufacturing systems, they can potentially paralyze production processes and cause enormous economic losses.
Threats to OT/ICS Systems
OT and ICS are crucial for maintaining precise and granular control over pharmaceutical production processes. However, the reliance on legacy systems and the unique demands of the operational environment make these systems vulnerable to attack. The EKANS ransomware, which specifically targets ICS environments, exemplifies the growing threat to OT systems in the pharmaceutical sector.
EKANS malware poses a significant threat: attackers who deploy it could forcibly shut down or damage equipment, steal intellectual property, and even create major health and safety risks through the resulting disruption. The unique nature of pharmaceutical manufacturing means that any system failure could have severe consequences. Problems ranging from incorrect dosage formulations to complete production line shutdowns and potential contamination not only threaten the financial health of the company but, more critically, its standing in a strict regulatory environment. Because pharmaceutical production must run continuously and comply with current Good Manufacturing Practices (cGMP), Good Automated Manufacturing Practices (GAMP), and Federal Regulation Title 21 (CFR21), such disruptions could also result in regulatory penalties and reputational damage.
Intellectual Property (IP) Theft
The theft of sensitive data, including proprietary formulas, research data, and patient information, is a major concern for the pharmaceutical industry. The cost of developing each drug in the pharmaceutical industry ranges from $161 million to $4.54 billion (expressed in 2019 US dollars). Anticancer drugs are estimated to be the most expensive therapeutic area ($944 million to $4.54 billion). Consequently, the theft of pharmaceutical intellectual property can have a significant impact on company revenues, and pharmaceutical companies need to take measures to protect their critical data. Moreover, maintaining data integrity is crucial in the pharmaceutical industry, as data tampering could affect drug formulations and potentially threaten patient safety. On the other hand, patient data breaches may violate privacy protection regulations such as the Health Insurance Portability and Accountability Act (HIPAA), exposing companies to legal action and reputational damage.
In December 2020, COVID-19 vaccine data from Pfizer and German biotech company BioNTech was accessed following a cyberattack on the European Medicines Agency (EMA) in Amsterdam, Netherlands. During the pandemic, cyberattacks targeting healthcare institutions and pharmaceutical companies became more frequent, with hackers—including state-sponsored spies and cybercriminals—seeking to capture the latest information related to the pandemic.
Supply Chain Attacks
The complexity of pharmaceutical supply chains, coupled with their reliance on third-party vendors, creates multiple points of vulnerability. In 2014, RedHat Cyber’s industrial control system (ICS) security expert Joel Langill studied a malware called Dragonfly (also known as Energetic Bear) targeting OT systems. The attackers first used spear phishing to gather information on target suppliers, then focused on small supplier enterprises (with fewer than 50 employees) in pharmaceutical organizations. By trojanizing these companies’ software and attacking their websites’ open-source content management systems, they enabled visitors to download trojan-infected applications, which included tools and drivers for industrial control systems. His research report revealed that three of the compromised companies supplied products widely used across food, beverage, and pharmaceutical industries.
- Mesa: Produces industrial cameras and related software. Mesa’s Automated Guided Vehicle (AGV) applications are often found in pharmaceutical factories.
- MB Connect Line: Provides remote maintenance solutions for production facilities and packaging machinery, frequently applied in the pharmaceutical industry.
- eWon: An industrial security equipment and portal software supplier, part of the ACT’L Group, which also owns BiiON, a company specializing in industrial system integration for the pharmaceutical and biotech industries, and KEOS, a supplier of environmental monitoring systems commonly found in pharmaceutical and life science facilities.
Challenges in Deploying OT Security
Unique Challenges of IT and OT Integration
The convergence of IT and OT in the pharmaceutical industry has led to traditionally independent manufacturing systems becoming closely connected with corporate networks, bringing new security challenges. Many OT/ICS systems use outdated hardware and software that lack regular security updates or patches. Hackers can potentially access manufacturing processes through IT systems, manipulate production data, or cause production disruptions.
Balancing Cybersecurity and Operational Efficiency
Maintaining robust cybersecurity defenses without impacting production is a significant challenge for the pharmaceutical industry. Security control measures often require downtime for updates and validation, which can affect production schedules. For example, automatic security updates are a common practice in many organizations, aimed at enhancing security by ensuring that systems use the latest patches and fixes. However, this approach carries inherent risks. Allowing third parties to control and modify internal network devices or endpoints without verification can introduce vulnerabilities or cause disruptions if those latest patches are not properly tested.
The Importance of Regulatory Compliance for Cybersecurity
The pharmaceutical industry must comply with stringent regulations. For instance, control systems, manufacturing processes, and related utilities are validated (to confirm reproducible and consistent drug quality) and must meet current Good Manufacturing Practice (cGMP), Good Automated Manufacturing Practice (GAMP), and Federal Regulation Title 21 (CFR21) requirements, among others. As regulations increasingly incorporate cybersecurity requirements, pharmaceutical companies risk production shutdowns or delays in drug market entry if they fail to meet these standards.
Implementing a Robust OT Cybersecurity Framework
In a typical enterprise network architecture, IT and OT networks should be separated due to their different application needs. IT networks use the internet, email, and file sharing, while OT networks do not permit such practices and require stricter change control. OT network protocols, often developed without security in mind, are vulnerable when exposed to IT networks. Characterizing, segmenting, and isolating IT and OT devices is ideal to meet both security and performance requirements.
However, with Industry 4.0 and digital transformation, connecting IT and OT networks is inevitable. This integration requires a multi-layered protection architecture, collaboration with OT cybersecurity professionals, sustainable defense technologies, and continuous monitoring and response processes. The overarching principles for multi-layered protection can be divided into five aspects for organizational reference:
Strengthening OT Cybersecurity Governance
Developing a strategic OT cybersecurity plan is crucial for ensuring long-term commitment and resource allocation. This plan should integrate OT security with enterprise risk management, ensuring that cybersecurity measures align with industry standards and regulatory requirements.
Building a Cross-Functional Cybersecurity Team
Effective OT cybersecurity requires collaboration between IT, OT, and procurement teams. This cross-functional approach ensures that cybersecurity considerations are integrated into every aspect of the pharmaceutical manufacturing process, from vendor selection to network management.
Cybersecurity Risk Management
Cybersecurity risk management is a critical component in supporting OT protection. Regular assessments of an enterprise’s OT system operations, along with its associated data processing, storage, and transmission, can reduce cyber risks arising from OT operations, OT assets, and personnel. This encompasses asset management, threat/vulnerability scanning, mitigation, and supply chain risk management:
- IT/OT Asset Management: Organizations should implement a comprehensive and accurate IT/OT asset inventory to effectively manage risks within the OT environment. Accurate asset information supports multiple risk management objectives, including threat assessments, vulnerability management, and tracking of legacy assets.
- Threat and Vulnerability Management: Ensure all machinery and equipment undergo threat and vulnerability scanning before deployment, document any identified security issues, and confirm that no known issue remains unresolved at the time of deployment. For example, the severity of vulnerabilities, calculated according to the Common Vulnerability Scoring System (CVSS), must be below the acceptable residual risk level within the product’s security environment.
- Supply Chain Security Management: It is recommended to require product suppliers to manage security risks based on supply chain contract management. This will serve as one of the evaluation criteria for future equipment procurement.
Network Security
Network Security for OT systems involves boundary protection, segmentation, centralized logging, monitoring, and malware protection. It focuses on protecting both external and internal communications. Key points include:
- Network Boundary Protection: Use firewalls to isolate networks and manage connections between different segments, enhancing security by preventing direct communication between different levels.
- Zero Trust Principles for OT: Adjust Zero Trust Architecture (ZTA) implementation to prevent lateral movement risks within zones, ensuring redundancy and minimizing risks to OT operations.
- Strict Control of OT Network Access: Control access to OT networks strictly, allowing only necessary connections via firewalls, bastion hosts, jump boxes, or DMZs, with strict monitoring and logging.
- Network Segmentation: Segment networks to limit attack spread and confine intrusions to specific areas, minimizing security incident impacts.
- Document Network Topology: Maintain and regularly update precise documentation of network topology for both IT and OT networks.
- Deploy Firewalls and IDS: Use firewalls and Intrusion Detection Systems (IDS) to monitor, filter traffic, and respond to suspicious activities, identifying and blocking potential threats.
- Protect Remote Access: Restrict OT asset connections to the public internet, justify and document any exceptions, and implement extra security measures like logging, multi-factor authentication (MFA), and mandatory access through a proxy.
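As an added illustration of the boundary protection, segmentation and remote access items above (example code written for this page, not TXOne's or the article's own), the following Python script audits constructed flow records against a zone/conduit policy: OT assets may talk within OT or to the DMZ, enterprise hosts reach OT only through the DMZ jump host, and any OT flow to an address outside the inventory is treated as internet exposure. All addresses, hostnames and permitted conduits are assumed sample data.

```python
"""IT/OT boundary policy check (added example, not from the article).
Flags flows that break a simple conduit policy: OT talks only inside OT or to
the DMZ, IT reaches OT only via the DMZ jump host, OT never reaches the internet.
"""
from collections import namedtuple
# Constructed inventory: address -> (hostname, zone); unknown = internet
INVENTORY = {
    "10.10.1.20": ("eng-laptop-07", "enterprise"),
    "10.10.1.50": ("patch-server", "enterprise"),
    "10.20.0.5": ("jump-host-01", "dmz"),
    "10.20.0.9": ("historian-mirror", "dmz"),
    "10.30.1.10": ("line2-plc", "ot"),
    "10.30.1.11": ("line2-hmi", "ot"),
    "10.30.1.40": ("historian", "ot"),
}

# Explicitly permitted conduits: (src_zone, dst_zone, dst_port or None for any)
ALLOWED_CONDUITS = {
    ("ot", "ot", None),         # intra-OT traffic, e.g. HMI <-> PLC
    ("ot", "dmz", 5000),        # historian pushes data to its DMZ mirror
    ("enterprise", "dmz", 22),  # engineers SSH to the jump host
    ("dmz", "ot", 22),          # jump host SSH into OT engineering hosts
}
Flow = namedtuple("Flow", "src dst dport proto")


def zone_of(addr):
    """Zone from the inventory; any unknown address is treated as external."""
    return INVENTORY.get(addr, ("?", "external"))[1]


def parse_flows(text):
    """Parse 'src,dst,dport,proto' lines (a constructed flow-log format)."""
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = (x.strip() for x in line.split(","))
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def check_flow(f):
    """Return a violation label, or None if the flow is a permitted conduit."""
    sz, dz = zone_of(f.src), zone_of(f.dst)
    if (sz, dz, None) in ALLOWED_CONDUITS or (sz, dz, f.dport) in ALLOWED_CONDUITS:
        return None
    if sz == "ot" and dz == "external":
        return "ot_to_internet"
    if sz == "external" and dz == "ot":
        return "inbound_to_ot_from_internet"
    if sz == "enterprise" and dz == "ot":
        return "it_to_ot_bypasses_dmz"
    return "unlisted_conduit"


def audit(text):
    """Return [(flow, violation)] for every flow the policy does not permit."""
    return [(f, v) for f in parse_flows(text) if (v := check_flow(f))]


# Constructed flow records captured at the IT/OT boundary firewall
SAMPLE_FLOWS = """
10.30.1.11,10.30.1.10,502,tcp
10.30.1.40,10.20.0.9,5000,tcp
10.10.1.20,10.20.0.5,22,tcp
10.20.0.5,10.30.1.11,22,tcp
10.30.1.10,203.0.113.7,443,tcp
10.10.1.50,10.30.1.11,445,tcp
"""
```

Run against the sample, the PLC reaching an internet address and the patch server pushing straight into an OT HMI are the two flows that should either be blocked at the boundary firewall or appear as documented, justified exceptions.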
Endpoint Protection
Organizations should review existing endpoint protection capabilities to determine how they can support OT environment defense without compromising operational performance, security, or capability:
- Anti-Malware: Install antivirus and anti-malware on all endpoints to detect and mitigate threats without impacting OT operations. Use the most suitable mechanisms for the OT environment to protect against malware and Advanced Persistent Threats (APTs).
- Configuration Management: Keep comprehensive and updated records of IT and OT asset configurations for effective vulnerability management, response, and recovery. Regularly review and update these records.
- Default System Policies: Disable unnecessary features like macros by default. Establish policies for authorized users to request activation of needed services.
- Malicious Incident Detection: Deploy real-time monitoring systems with efficient logging, anomaly behavior analysis, and real-time alerts to promptly detect malicious incidents.
- Unauthorized Applications Detection: Review and analyze unauthorized applications, scripts, tasks, and changes, including security updates, to manage them without compromising OT performance.
- Installation Approval: Establish policies so that approval is required before new hardware, firmware, or software can be installed. Maintain an allowlist of approved versions after risk assessments. Align these processes with change control and testing for OT assets.
- Device Control: Restrict external device usage to prevent unauthorized data transfer and malware introduction. Limit USB and removable media use, disable AutoRun, and secure physical ports. Allow access through approved exceptions only.
Application Security
Software security protection mechanisms provide organizations with the ability to ensure that applications and services supporting OT are correctly used and maintained. By implementing the following measures, organizations can significantly enhance endpoint security and thereby improve overall software security capabilities:
- Application Allowlisting: Allow only approved applications to run in the OT environment to prevent unauthorized or malicious software, reducing security risks.
- Patch Management: Implement a strict process for timely application of security patches. Regularly scan for vulnerabilities and address them promptly, using virtual patching if upgrades are not possible.
- Secure Code Development: Follow best practices in software development, such as conducting code reviews, using analysis tools, and performing regular security testing to ensure robust and secure code.
- Configuration Management and Application Hardening: Ensure all applications and services are securely configured by disabling unnecessary features, restricting permissions, using strong encryption, and regularly updating configurations. Combined with the application allowlisting policy above, this reduces the system’s attack surface and enhances overall security.
Continuous Monitoring and Visibility
Organizations must ensure protective measures remain effective over time through continuous monitoring and security assessments.
- Network Monitoring: Network monitoring involves reviewing alerts and logs to analyze signs of potential network security incidents. Organizations should consider automation to assist with monitoring tasks. Tools and capabilities that support Behavior Anomaly Detection (BAD), Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), or TXOne EdgeIPS can help monitor network traffic and generate alerts when abnormal or suspicious traffic is identified. The following capabilities should also be considered:
  - Asset management, including the discovery and inventory of devices connected to the network
  - Network traffic monitoring to establish baselines for typical data flows and inter-device communication
  - Performance diagnostics to detect and address network performance issues
  - Misconfiguration and failure detection in network devices
- System Use Monitoring: Monitoring users and systems ensures that their behavior aligns with expectations and helps identify events such as file access and modification, configuration changes, log recording, auditing, and running processes. Information collected through system use monitoring solutions can be used for troubleshooting OT systems, identifying system misconfigurations, and forensic analysis. Further considerations include:
  - Impact of host agents on device performance
  - Impact of active scanning on devices
  - Bandwidth capacity of network infrastructure
- Architecture Views: Architecture views utilize automated tools to help users maintain continuous security and efficiency throughout their lifecycle. Visual representations provide a multidimensional view of an organization’s cybersecurity posture. These views offer detailed insights into the overall security status, including the ratio of protected/unprotected assets, asset health status and anomaly detection, asset exposure level assessment, and an overview of asset lifecycle:
  - Global System View
  - Multi-Asset Harm View
  - Updatability and Patchability View
  - Security Use Case View
Enhancing Security with Rigorous Maintenance Tracking
Continuous improvement in cybersecurity practices is vital for adapting to the evolving threat landscape. Regular security assessments, combined with the use of innovative tools like TXOne Networks’ Portable Inspector, can help maintain a high level of security without disrupting production processes.
Developing a Rapid Response Capability
Given the severe impact of cybersecurity incidents in the pharmaceutical industry, establishing a swift and effective incident response capability is critical. Utilizing platforms like TXOne SageOne for comprehensive threat detection and response can help pharmaceutical companies quickly identify and mitigate cyber threats, minimizing downtime and preventing further damage.
Conclusion
As the pharmaceutical industry continues to innovate and embrace digital transformation, the importance of robust cybersecurity measures cannot be overstated. By adopting a comprehensive OT cybersecurity framework, CISOs can protect their organizations from the increasingly sophisticated cyber threats that target pharmaceutical manufacturing processes. This proactive approach not only ensures the security and integrity of critical assets but also helps maintain regulatory compliance and safeguard the company’s reputation.