Cybersecurity concerns are growing in the pharmaceutical industry, primarily stemming from the sector’s growing reliance on third-party suppliers, adoption of digitization and industrial IoT (IIoT) technologies, and shift towards hybrid/multi-cloud environments. The deteriorating threat landscape comes in the midst of the COVID-19 vaccine rollout and development, and other breakthroughs in life sciences, thereby further escalating the danger levels posed by cybercriminals to this critical sector.
Sophos determined that the impact of cyberattacks on the pharmaceutical organizations includes lack of availability of critical systems and business disruptions that may halt research and development (R&D) and drug production, and loss of data including intellectual property (IP), clinical trial data and patient data. Cyberattacks can also influence loss of market position, bring about financial losses caused by lost revenue and additional costs of lawsuits, regulatory non-compliance and potentially hefty fines, loss of consumer trust, and reduced shareholder value.
Companies in the pharmaceutical industry hold data worth billions of dollars, often consisting of classified IP, R&D data on pharmaceutical advances and technologies, proprietary information on drugs and development, and patient and clinical trials data. Access to such critical and sensitive information makes the pharmaceutical sector an extremely attractive target for cybercriminals.
Sophos data showed that the pharmaceutical industry has a predicted compound annual growth rate of 13.7 percent through 2027, as billions of people rely on this sector for their daily medications. “An interruption to manufacturing lifesaving drugs and inventing new therapies can have deadly consequences. Yet, this industry is among the most threatened by cyber crime globally,” the company revealed last month.
Booz Allen Hamilton said in a recent publication that the future state of cybersecurity for pharmaceutical companies is having an integrated security operations center (SOC) where company data is classified, reinforced with physical access controls, and the company is alerted to anomalous behavior through the use of analytics. Such companies must also put in place an incident response plan made more effective with improved detection efforts while adopting a strong frontline defensive posture with baseline behavior profiles for detecting anomalous network behavior.
Given the heightened threat landscape covering the pharmaceutical industry, Industrial Cyber reached out to industry experts to assess ground realities and work on identifying the various best practices and measures that can strengthen the cybersecurity posture of the sector.
The challenge facing many pharmaceuticals sectors is securing the ‘availability’ of operations at the manufacturing sites, Brian Duffy, global director of operational technology (OT) security at Ipsen Pharmaceutical, told Industrial Cyber. “A lot of flat networks are interconnected with corporate networks and this leads to a single point entry into OT assets. In order to have an air gap approach segmentation and a flexible ‘zero trust’ culture with our IT colleagues, it’s important to set up shared services between IT/OT convergence correctly,” he added.
The pharmaceutical sector faces many cybersecurity challenges, including network complexity, aging OT environments converging with IT, an expanding attack surface, mergers and acquisitions of different IT strategies, a cyber security skills shortage, insider threats, and compliance obligations while at the same time keeping up with innovation during a global pandemic, Troy Ament, field chief information security officer for healthcare at Fortinet, told Industrial Cyber.
The pharmaceutical industry deals with extremely volatile chemicals that require highly specific conditions, such as certain temperatures and pressures, Jessica Amado, head of cyber research for Sepio Systems, told Industrial Cyber. “Any changes to these conditions would have extremely detrimental consequences that spill over to the physical world. Imagine, for example, that the manufacturing process of a COVID vaccine got slightly altered. Even minimal changes could cause catastrophic effects, and if it was manipulated only very slightly, it would likely go unnoticed,” she added.
Now, the COVID vaccine could be used as a very, very dangerous weapon because it gets distributed to millions of people across the world, according to Amado. “Of course, this scenario can be applied to any medication or drug, but it is an extremely unique challenge faced by the pharmaceutical industry that, if not managed properly, can result in fatal outcomes,” she added.
The convenience of digitization with its enabled analytics-led data management and technological breakthroughs has led legacy OT devices and systems in the pharmaceutical industry to converge with IT networks. The re-alignment exposes the outdated OT systems to a wider threat surface resulting in IT/OT convergence, leading to the weakening of the cybersecurity posture at such installations.
“More and more requests to extract energy, key performance indicators, predictive maintenance using smart IIoT technologies have been a major part of getting critical data out of the OT zones,” Duffy said. “The effect this can lead to poor practice when transmitting the Level 0, 1, 2, 3 asset data up through one-directional gateway within the OT DMZ. ‘System by Design’ plays a key part when architecting the solution for IIoT devices. Also ensuring that IIoT devices meet ISA 62443 certification programs that give devices a security level,” he added.
IIoT has many factors of improvement when decisions need to be made around supply chain and environmental conditions at industrial factories, Duffy said. “IIoT could compromise OT/ICS estates when the incorrect product or design is selected without the OT subject matter experts’ voice in their areas and security at the governance meetings,” he added.
The pharma industry’s increased focus on new technologies is helping organizations be more innovative, but it also increases their risk and expands their attack surface, Ament said. “IoT enables pharma firms to improve access to patient data and documents, monitor industry trends, and manage devices. However, the mass of connected devices increases the attack surface and presents new privacy challenges that offer more opportunities for hackers to exploit vulnerabilities in organizations’ systems,” he added.
Not to be outdone, IIoT poses additional opportunities and risks to pharma companies, as it enables faster production, optimal processes, and energy efficiencies but further expands the attack surface and introduces new security threats, according to Ament. “This growing reliance on cloud technologies, from hybrid to multi-cloud environments, further extends the touchpoints that companies need to secure, which increases the risk of a data breach,” he added.
“More worrisome is that the interconnectedness of IIoT means that any of these entry points can be used as a gateway to more critical systems,” Amado said. “In other words, a hardware attack tool can get plugged into a computer (which is much more accessible) and, through lateral movement, target a component of OT. The covert nature of these devices means they can bypass even the most stringent security measures, including air-gapping and zero trust,” she added.
Stuxnet is one of the most famous examples of how a hardware-based attack can cause physical damage to ICS, and the same technique could very easily get applied to the pharmaceutical industry, if it hasn’t already, according to Amado.
Given that the critical components of the pharmaceutical industry are centered around innovation with R&D investments, IP, clinical, and patented data, it is imperative to quickly put in place an appropriate approach and strategy to secure data, servers, and intellectual property from cyber-attacks.
“The right approach is to implement an OT-related security framework within the pharmaceutical industrial site, like ISA 62443 or NIST 800-82, etc.,” Duffy said. “These framework pillars not only guide but give instructions around identifying inventory situational awareness, detection, security OT/ICS training, backup/restore and risk assessing the critical assets like servers, PLCs, SCADAs, and their data flows at the manufacturing sites. By protecting the availability of manufacturing operations, this saves lives and keeps critical medicines available,” he added.
There are multiple and ever-evolving cyber threats facing pharmaceutical companies, including compliance needs, nation-stated sponsored attackers, and increasing network complexity, Ament said. “Rather than try to solve each issue separately, a better plan is to take a comprehensive architectural approach to cybersecurity. This style of approach provides the automation, visibility, and fast response to threats that easily demonstrate compliance and defeat attackers,” he added.
Pharmaceutical companies need to look towards building a framework that helps secure data, restrict data access, improve data recovery, secure software, hardware, and physical equipment, and improve employee awareness, according to Ament. “A cybersecurity platform approach is vital to help enable some important technologies that can help secure the hybrid working environments of today such as zero trust network access and secure SD-WAN,” he added.
Amado said that the right approach and strategy to be put in place in the pharmaceuticals industry is access controls and most pharmaceutical entities know this. “However, the key is to ensure that access controls are getting properly enforced. As I mentioned, hardware attack tools bypass air-gapping and zero trust security protocols. In other words, even if there might be access controls present, they are ineffective if they are getting undermined,” she added.
It goes without saying that, as the attack surface expands beyond traditional perimeters, asset visibility and access controls must do the same, according to Amado. “Enterprises can no longer enforce their security measures to their immediate boundaries and assume they’re protected. What about the devices employees use when working remotely? What about when BYODs get used outside the office? Access controls must apply in these areas, meaning asset visibility must do so, too,” she added.
Given the increased ransomware trends observed in 2021 across the critical infrastructure sector, there is a rising awareness of cybersecurity threats both within the community and from the executive branches of governments across the world. Last month, the U.S. administration released its Water Sector Action plan that safeguards the nation’s water resources from cybersecurity attacks.
Assessing if regulations in the pharmaceuticals sector could be expected any time soon, Duffy said that “OT cybersecurity regulations can be as part of internal or external audits on the security framework, lots of external companies offer this service.”
“I see this becoming the norm within Life Sciences Pharmaceuticals in the near future, the OT/ICS security posture will be tested alongside quality at Cybersecurity Factory Acceptance testing (CFAT) and Cybersecurity Site Acceptance (CSAT) testing,” according to Duffy. “Merging both quality validation tests and security tests to build a solid foundation for the OT asset to operate and perform a regulatory task at the end of the day,” he added.
“We do, especially as it relates to compliance,” Ament said. “As healthcare regulatory requirements evolve and become more complex, the difficulty of manually achieving network-wide visibility and enforcing the required security controls only increases. In addition, demonstrating compliance can be time-consuming, especially when networks are composed of disparate point products that don’t share reporting capabilities,” he added.
Traditionally, pharmaceutical companies have focused their security efforts on meeting compliance requirements, according to Ament. “But the reality is that most organizations struggle to demonstrate comprehensive compliance – and data integrity is an important new requirement to address as digitalization takes hold,” he added.
There are existing regulations applicable to the pharmaceutical sector, but they are often outdated, limited in scope, or intended to apply to healthcare overall, Amado said. “So, it’s definitely time that pharma receives updated, comprehensive regulations that focus on the current and future threat landscape. We have seen various countries such as the US and UK increase their focus on cybersecurity, especially in the critical infrastructure domain,” she added.
“As the pharmaceutical industry falls under critical infrastructure, I would hope that regulations for this specific sector get developed, according to Amado. “However, it’s often the case that regulations come after a series of significant events, so it is difficult to predict when such regulations might come to fruition. But when it comes to cybersecurity, it’s always better to be proactive, as opposed to reactive,” she concluded.
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.