Regulatory compliance as a cyber security strategy tool

04 January 2017

A recently published white paper describes some of the most effective industrial security tools pharmaceutical companies have at their disposal in the era of Industry 4.0. Control Engineering Europe reports.

To tackle increasing cyber security threats companies need to put cyber security at the very heart of the business. This does now appear to be happening and, according to the Global State of Information Security Survey 2016, respondents increased their information security budgets by 24% within the past year, reflecting a greater willingness to invest in keeping facilities secure. 

The pharmaceutical industry is a particularly attractive target for cyber attacks, so pharmaceutical companies need to assess weak points and implement appropriate security measures. Bitsight, an organisation that measures how vulnerable companies and industries are to cyber attacks, reported that cyber security attacks on the healthcare and pharmaceutical industries have worsened at a faster rate than in other industry sectors, with the average ‘clean up’ time for these sectors following a cyber attack being just over five days.

Pharmaceutical production control systems used to be proprietary and limited to the individual research and production facility. A typical industrial control system would not be directly connected to the Internet. However, an increasing need for automation and robotics, remote access and factory-wide connectivity has changed production and control systems significantly in recent years.

The introduction of the Industrial Internet of Things (IIoT) is the next major step towards a fully connected smart factory. The benefits of the IIoT-enabled pharmaceutical production facility are clear. Collecting and strategically interpreting production data using analytics and turning this information into insight can enhance productivity and help reduce errors.

Protection through compliance 
Operating in one of the world’s most heavily regulated industries, pharmaceutical companies need to abide by a variety of complex laws, regulations and guidelines. Sometimes, these can become the basis for an effective industrial security strategy.

The Food and Drug Administration (FDA) 21 CFR Part 11 is one of the most established regulations within the industry. It requires organisations to implement controls, electronic audit trails and system validations, and establishes standard expectations for industrial security through the use of reliable electronic documentation of the pharmaceutical manufacturing process.

There were initial concerns that FDA 21 CFR Part 11 might discourage innovation and technological advances. However, compliance is not just about ticking boxes. For the most part, its requirements go hand in hand with the security necessities of today's manufacturing facilities.

By reviewing historical documentation and records, organisations are able to detect where security breaches have occurred and in turn, identify and better protect the more vulnerable points in the system. This way, engineering and manufacturing data is protected against unauthorised access, modification or deletion to ensure accuracy, consistency, and completeness. So, ultimately, successful FDA 21 CFR Part 11 compliance will also result in a more organised, efficient and secure production process. 

Put simply, electronic records provide secure data. Authenticated electronic signatures ensure that operators and supervisors identify themselves in a safe and secure way when making any changes to the production process.
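As an added illustration of the tamper-evident audit trail and operator signatures described in the two paragraphs above (example code written for this page, not from the white paper or any vendor's product): each record is signed by the acting operator and chained to the previous record, so a reviewer can detect modification, deletion or reordering. Operator keys and record contents are constructed, and an HMAC stands in for a full electronic signature.

```python
import hashlib
import hmac
import json

# Constructed per-operator signing secrets; a production system would hold these
# in a credential store and tie them to authenticated logins.
OPERATOR_KEYS = {
    "op-017": b"constructed-key-op-017",
    "sup-002": b"constructed-key-sup-002",
}
GENESIS = "0" * 64


def _digest(obj):
    """Canonical SHA-256 of a JSON-serialisable record."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def _sign(operator, body):
    """Operator signature over the record body (HMAC stands in for an e-signature)."""
    key = OPERATOR_KEYS.get(operator, b"")
    return hmac.new(key, _digest(body).encode(), "sha256").hexdigest()


def append_entry(trail, operator, action, when):
    """Append a signed record chained to the previous entry's hash; returns the new head hash."""
    prev = trail[-1]["entry_hash"] if trail else GENESIS
    body = {"operator": operator, "action": action, "when": when, "prev": prev}
    entry = dict(body, sig=_sign(operator, body))
    entry["entry_hash"] = _digest(entry)
    trail.append(entry)
    return entry["entry_hash"]


def verify_trail(trail, expected_head=None):
    """Return (ok, index): index is the first bad entry, or len(trail) when the
    chain head does not match a head hash recorded elsewhere (truncation)."""
    prev = GENESIS
    for i, e in enumerate(trail):
        body = {k: e[k] for k in ("operator", "action", "when", "prev")}
        unhashed = {k: v for k, v in e.items() if k != "entry_hash"}
        if (e["prev"] != prev
                or not hmac.compare_digest(_sign(e["operator"], body), e["sig"])
                or _digest(unhashed) != e["entry_hash"]):
            return False, i
        prev = e["entry_hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(trail)
    return True, None
```

Deleting only the newest entry leaves a valid chain, which is why the head hash must be recorded out of band (for example in a supervisor's countersigned review) and passed back as expected_head.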

Combined with the implementation of smart machines and the resulting influx of big data, achieving regulatory compliance in the industry is not an easy task. To fulfil the requirements of these complex regulations and protect their facilities, smart pharmaceutical manufacturers are turning to validation-friendly applications and industrial software.

Smart SCADA security
Intelligent SCADA software such as Zenon from Copa-Data ensures that an HMI/SCADA system is compliant with industry regulations, and should provide built-in cyber security capabilities. Such a ‘Security by Design’ approach means that the software and its components are designed to guarantee secure operations.

Built-in software security features that protect companies against data loss and unauthorised access include a file signature function that recognises manipulated program files, strong encryption, secure authentication and automatic synchronisation of files across the network with ‘click-and-forget technology’.

Integrated user administration, for example, ensures that unauthorised users cannot gain control of equipment. It means most user operations can be locked - even access to the Windows Desktop. This way, if a security breach does occur, it can be easily contained and access to other applications can be prevented.

Best practice also dictates that pharmaceutical manufacturers should encrypt valuable data. This could mean compressing production data and sending it through the network and to web clients in an encrypted form, as well as ensuring passwords are encrypted to protect project data and expertise.

Some HMI/SCADA software uses its own network protocol to communicate between the individual software products. This allows data to be transferred as separate binary data packages, so that machine-readable information in plain text is never transmitted anywhere in the communication concept. Client authentication at the connection set-up stage additionally prevents unauthorised clients from joining the network.

Potential attackers would then need to overcome a number of barriers before they get to the core of the production system. The overall strategy is topped off with open dialogue and documentation about security. An HMI/SCADA software provider should work closely with its customers to strengthen security guidelines and build on its industry experience.

Update and communicate
Knowledge and understanding of cyber security risks should not end with engineering and IT staff. According to respondents of the Global State of Information Security Survey 2016, the most cited source of security compromise lies with employees.

Internal security compromises may not be intentional, but they could prove just as damaging as an external attack. For this reason, organisations need to consider how much the average employee actually knows about keeping industrial systems secure. This could be as simple as encouraging staff to use strong passwords, delete unwarranted e-mails and update computers regularly. These basic measures go beyond the IT and engineering departments and should extend to every other department, including senior management.

After a thorough assessment of the system’s potential vulnerabilities, creating a procedure and then training members of staff on industrial security should be the next step. Larger organisations might find it helpful to appoint a Chief Information Security Officer to manage industrial security issues and communicate the importance of cyber security, helping to create an engaged workforce and a company culture built on safety and security.

Industrial technology is evolving at an incredible rate. While upcoming trends such as cloud computing, IIoT and big data are certainly beneficial for the manufacturing industry, they also generate entirely new challenges for those managing the industrial security and data protection of organisations. While the days of Stuxnet may be behind us, manufacturers do need to stay ahead of the industrial security game if they want to avoid security breaches and the negative consequences they entail. 
