BioPharm International - October 2020

BioPharm- October - Regulatory Sourcebook

Issue link: https://www.e-digitaleditions.com/i/1300450


cols as well as networks where it is not possible to fully monitor the operational network or to detect and control intrusions. Due to their age, legacy networks lack the cyber-risk mitigation elements that are now standard features of a modern OT cybersecurity suite: data loss prevention applications, packages that block USB ports, detection of mobile devices or rogue systems, and virus scanning.

Solutions providers also face a mismatch when introducing new OT cybersecurity measures to old infrastructure. In industrial control systems, facility operators are tied to the equipment: if a dryer or granulator has been running for 30 to 40 years, its controls may date from when it was built. There is a reluctance to disturb such equipment because it is a validated environment and it works. The equipment may be running an old operating system (OS) and software that is no longer supported and cannot be patched for current vulnerabilities, which means that the OS may need to be updated.

In contrast, current vendor solutions are designed around the IEC 62443 set of cybersecurity standards for industrial control systems, with its security levels one through four (2). The benefit of those standards is a common understanding of the security requirements, such as intrusion detection, that must be integrated into the offering.

An additional challenge for bio/pharma facility operators is the regulatory requirement to preserve data integrity throughout the manufacturing process. For legacy systems, which are more exposed to attack, preserving data integrity can prove challenging: these systems had no data protection measures when they were originally built, and such measures have had to be introduced later by solutions providers.

Additionally, as bio/pharma manufacturers increase their implementation of digitalization and Pharma 4.0 concepts, seeking the promise of increased productivity, these business drivers require exposure of critical asset and device data to the functional and business layers, which adds potential cyber-attack vectors. Furthermore, a new challenge is that most OT, Internet of Things (IoT), and industrial IoT technology solutions are being developed and introduced using cloud services. Most legacy OT systems are air-gapped (i.e., physically isolated for cybersecurity), which creates additional challenges in working with cloud-based solutions. New technologies on the market therefore carry a variety of additional security measures aimed at mitigating risk in this field. COVID-19 has also added a new challenge: with staff required to work remotely, deploying manual operations at legacy systems in response to an evolving cyber issue may not be feasible.

SOLUTIONS

Innovative solutions to these complex challenges are needed. An industry best practice is that, before any new technology solutions are introduced to a legacy environment, a comprehensive, high-level "All Threats All Hazards" assessment of the facility should be conducted. This process captures the current state of potential risks and threats, identifies areas within the legacy environment that may be vulnerable, and identifies assets. It leads to an understanding of the importance of each individual control system to the legacy operation. It is also necessary that solutions providers have deep domain knowledge of the manufacturing operation and the aged equipment in order to deploy bespoke, effective cybersecurity solutions successfully. For legacy systems, where the potential for attack is greater, preserving data integrity is especially challenging.

To protect data and safeguard its integrity, legacy system owners must include the applicable regulatory requirements from Title 21 of the Code of Federal Regulations (21 CFR) Part 11 (3) when assigning risk-based security target levels, especially regarding manufacturing execution systems and process control systems, and data integrity in master recipes and batch records. The 21 CFR Part 11 regulation on electronic records and electronic signatures requires data integrity, user authentication, and access control (3). Implementation of the IEC 62443 requirements supports data integrity and compliance with these regulations. One example is the security target level 4 requirement for identification and authentication, which calls for multifactor authentication for all users. Another is the security target level 4 requirement for use control, which requires the control system to support dual approval where an action can result in serious impact on the industrial process (2).

Best practice in this area involves combining accountability, audit trails, and security. There are
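Two of the requirements named above, an attributable audit trail for electronic records (21 CFR Part 11) and dual approval for actions that can seriously affect the process (IEC 62443 use control at security target level 4), can be shown working together in code. The Python below is an added example written for this page, not code from the article or from any vendor's product; the parameter names, user names, setpoint values, the set of "critical" parameters and the GENESIS constant are all assumptions. Each audit entry is chained to its predecessor with SHA-256, so a later edit to any entry is detectable, and a change to a critical setpoint is held until a second, distinct user approves it.

```python
"""Added example: hash-chained audit trail plus dual approval for a
high-impact control action. Not code from the article; users, parameter
names and setpoint values are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # assumed predecessor hash for the very first entry


def entry_hash(prev_hash: str, payload: dict) -> str:
    """Hash of one audit entry, bound to the hash of the entry before it.

    Canonical JSON (sorted keys, no whitespace) makes the same record hash
    identically regardless of dict ordering."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()


class AuditTrail:
    """Append-only log of who did what, to which record, and when."""

    def __init__(self):
        self.entries = []

    def record(self, user: str, action: str, details: dict, ts: Optional[str] = None) -> int:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        payload = {
            "seq": len(self.entries),
            "user": user,
            "action": action,
            "details": details,
            "ts": ts or datetime.now(timezone.utc).isoformat(),
        }
        self.entries.append({"payload": payload, "hash": entry_hash(prev, payload)})
        return payload["seq"]

    def first_broken_link(self) -> Optional[int]:
        """Index of the first entry whose stored hash no longer matches its
        content and predecessor, or None if the whole chain is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["payload"]["seq"] != i or entry_hash(prev, entry["payload"]) != entry["hash"]:
                return i
            prev = entry["hash"]
        return None


class SetpointController:
    """Setpoint store where changes to critical parameters need two people."""

    # Constructed names. Which parameters count as 'serious impact' comes
    # from the risk assessment, not from the code.
    CRITICAL = {"sterilization_temp_c", "drying_time_min"}

    def __init__(self, trail: AuditTrail):
        self.trail = trail
        self.setpoints = {"sterilization_temp_c": 121.0, "drying_time_min": 45, "label_printer": "LP-2"}
        self.pending = {}  # param -> (requested value, requesting user)

    def request_change(self, user: str, param: str, value) -> str:
        if param not in self.CRITICAL:
            old = self.setpoints.get(param)
            self.setpoints[param] = value
            self.trail.record(user, "change", {"param": param, "old": old, "new": value})
            return "applied"
        self.pending[param] = (value, user)
        self.trail.record(user, "request", {"param": param, "new": value})
        return "pending"

    def approve(self, approver: str, param: str) -> str:
        if param not in self.pending:
            raise KeyError(f"no pending change for {param}")
        value, requester = self.pending[param]
        if approver == requester:
            # Dual approval means two distinct identities: log the attempt,
            # leave the request pending for a legitimate second approver.
            self.trail.record(approver, "self_approval_rejected", {"param": param})
            return "rejected"
        del self.pending[param]
        old = self.setpoints[param]
        self.setpoints[param] = value
        self.trail.record(approver, "approve",
                          {"param": param, "old": old, "new": value, "requested_by": requester})
        return "applied"


def tamper_demo() -> Optional[int]:
    """Run a short scenario, then alter an early entry in place and return
    the index at which the verifier detects the break."""
    trail = AuditTrail()
    ctrl = SetpointController(trail)
    ctrl.request_change("op_alice", "label_printer", "LP-3")        # seq 0, non-critical, applied
    ctrl.request_change("op_alice", "sterilization_temp_c", 118.0)  # seq 1, critical, pending
    ctrl.approve("op_alice", "sterilization_temp_c")                # seq 2, rejected (same user)
    ctrl.approve("qa_bob", "sterilization_temp_c")                  # seq 3, applied
    assert trail.first_broken_link() is None
    # Someone with write access to the log edits the requested value afterwards.
    trail.entries[1]["payload"]["details"]["new"] = 121.0
    return trail.first_broken_link()
```

The chain only proves that nothing has been altered since the newest entry was written; protecting the tail (for example, periodically copying the latest hash to a store the process network cannot write to) is what turns detection into a control. The self-approval rejection is logged rather than silently ignored, because a record of the attempt is itself part of the accountability the regulation expects.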
