Pharmaceutical Technology - October 2020

PharmTech - Regulatory Sourcebook - October

Issue link:

Contents of this Issue


Page 42 of 75

Pharmaceutical Technology Regulatory Sourcebook October 2020 43 packages that block USB ports, detection of mobile devices or rogue systems, and virus scanning. Solutions providers also face a mismatch when it comes to introducing new OT cybersecurity measures to old infrastructure. In industrial control systems, facility operators are tied to the equipment. This means that if there is a dryer or granulator that has been running for 30 to 40 years, its controls may have been introduced back when it was built. There is a reluctance to disturb this type of equipment because it is a validated environment and it works. The equipment may be running an old operating system (OS) and using software that is no longer supported and can- not be patched for current vulnerabilities, which means that the OS may need to be updated. In contrast, current vendor solutions are de- signed around the IEC 62443 set of cybersecu- rity standards (levels one through to four) for in- dustrial control systems (2). The benefit of those standards is the common understanding of se- curity requirements, such as intrusion detection, that are required to be integrated into the offering. An additional challenge for bio/pharma facil- ity operators is the regulatory requirement to preser ve data integrity throughout the manu- facturing process. For legacy systems, where vulnerabilities to attacks are greater, preserving data integrity can prove challenging. This is be- cause legacy systems did not have data protection measures when they were originally built, and these measures needed to be introduced at a later date by solutions providers. Additionally, as bio/ pharma manufacturers increase the implementa- tion of digitalization and Pharma 4.0 concepts, seeking the promise of increased productivity, these business drivers require exposure of criti- cal asset and device data to the functional and business layers, which increases potential cyber- attack vectors. Furthermore, a new challenge is that most of the OT, Internet of Things (IoT), and industrial IoT technology solutions are being developed and introduced using cloud services. Most OT legacy systems are air-gapped (i.e., physically isolated for cybersecurity), thus creating additional chal- lenges in working with cloud-based solutions. New technologies on the market, therefore, have a variety of additional security measures that are aimed to mitigate risk in this field. COVID-19 has also added a new challenge: with staff required to work remotely, the deployment of manual operations at legacy systems in response to an evolving cyber issue may not be feasible. Solutions Innovative solutions to these complex challenges are needed. An industry best practice is that be- fore any new technology solutions are introduced to a legacy environment, a comprehensive, high level "All Threats All Hazards" assessment of the facility should be conducted. This process will cap- ture the current state of potential risks and threats, identify areas within legacy environments that may be vulnerable, and identify assets. This effort will lead to an understanding of the importance of each individual control system as it relates to the legacy operation. It is also necessary that solu- tions providers have deep domain knowledge of the manufacturing operation and the aged equip- ment to successfully deploy bespoke, effective cy- bersecurity solutions. For legacy systems, where there is potential for greater vulnerability to attacks, preserving

Articles in this issue

Archives of this issue

view archives of Pharmaceutical Technology - October 2020 - PharmTech - Regulatory Sourcebook - October