Cybersecurity concerns as IT and OT merge in pharma

Departments handling Information Technology (IT) and Operational Technology (OT) are both experienced in complying with laws, regulations, industry standards, and guidelines. OT has been largely concerned with physical security at all stages of manufacturing, testing, development, stocking, and shipment, while IT has traditionally focused on network, system, and data protection.

“The lines are blurring, with the growing threat of malicious cyber-attack ever-present and impacting risk assessment, shareholder confidence, and operational activity,” said Jeff Whitney, VP of Marketing at Arecont Vision Costar. “Industrial equipment increasingly features IoT (internet of things) connectivity leveraging network infrastructure either in parallel or in conjunction with IT systems. IoT is of huge benefit to manufacturing, but also presents potential pathways to cyber risk for commercial espionage, product tampering, terrorism, activist actions, and both data and product theft without the implementation of new levels of security.”

Organizations in the pharmaceutical and other manufacturing industries now require security audits and risk assessments of equipment throughout the supply chain, the manufacturing process, and both storage and shipment. These requirements extend to their partners and suppliers, and will continue to evolve into new pharmaceutical industry security standards, best practices, and different laws around the world.

A popular target

Paul Baratta, Manager of Business Development for Healthcare Segment in the U.S. at Axis Communications, pointed out that a Deloitte study found the pharmaceutical industry to be a major target of cybercriminals around the world, costing the industry several millions of dollars in intellectual property losses.

“Bio-Pharma is constantly being attacked by hackers and attempts are made daily,” Baratta said. “Training and more training and employee awareness to possible threats is the best defense. It’s simple rules. For example, if you don’t recognize a sender of an email don’t open or download the attachment or if you find any drives somewhere, never put them in any company-owned devices. Firewalls and VPOs are only a minor way to protect from ill will hackers.”

Priorities that matter

Speaking on a similar note, Eric Green, Senior Product Marketing Manager at Honeywell, pointed out that IT often receives the most attention when it comes to safeguarding the integrity of data and assets, and that this approach could turn out to be costly.

“OT -- systems that monitor, control and protect processes, equipment, and operational environments -- can be another entry point, and often needs similar or more care in today’s ever-connected technology landscape,” Green pointed out. “As a physical security provider, it’s incumbent on us to provide the features and tools necessary to not just co-exist but enhance the cybersecurity posture of the environments in which our products reside. Our products undergo extensive cybersecurity testing and review. We are constantly tracking cybersecurity software standards and best practices to ensure our products integrate securely into our customers' environments.”

Protecting corporate information

Securing data that could hurt the business if it fell into the wrong hands is a priority for most pharmaceutical companies. Baratta stressed this, adding that effective cybersecurity is about assessing risks and mitigating them with appropriate steps that include password protection of all devices.

“This includes also all the security devices that are part of the network. It needs to be ensured that they are protected from intrusion, backdoors, and even manufacturers, who provide service portals, which may allow for a foreign government to gain access to your IT infrastructure,” Baratta added.

It is imperative that security and vulnerability management come first, with proper passwords, firewalls, testing, and training of users and employees. Hardening guides and other references are available for security devices, since these devices can be used to tunnel into systems.