Security has never been more important for pharmaceutical manufacturer Pfizer. Millions around the world are depending on the company for their COVID-19 vaccine as the pandemic continues to devastate countries around the globe. Pfizer has set a global goal of producing 2.5 billion vaccine doses by the end of the year, and cybersecurity is integral to meeting that goal.
In April, Jim LaBonty, the head of global automation engineering at Pfizer, took part in a discussion with cybersecurity company Claroty about what the pharmaceutical manufacturer is doing to secure the supply chain.
“COVID-19 and that program is the first priority right now. A close second is securing that production capability,” LaBonty said. “We’ve been able to build up our production capability across the globe to be able to supply billions of doses. A typical vaccine is 100-200 million doses and now going into billions is definitely moving the bar up really high. We have to secure that.”
Among the topics discussed were IT-OT convergence and how Pfizer has ensured cyber technologies are being implemented smoothly.
“I’ve been dealing with this word convergence for 15 years,” LaBonty said. “I think convergence is not the two worlds becoming one world; it’s an interconnection of the two worlds of IT and OT. It’s not convergence where they’ll become one. We do need the convergence of communication and being able to work across the boundaries of production manufacturing systems and the traditional pure IT environment. We need understanding, skill-building and cooperation. A big part of the success of the Pfizer program is the collaboration.”
LaBonty has been working to strengthen Pfizer’s security posture for several years, but he says the company redoubled its efforts after the biopharmaceutical industry received a wake-up call in 2017. That is the year the Merck and Co. pharmaceutical company was hit by a major cyberattack that crippled more than 30,000 laptop and desktop computers and 7,500 servers. Ultimately, the attack cost the company $1.3 billion.
“That was the wake-up call for Pfizer to really start to think about the potential impact of a cybersecurity malware hit,” LaBonty said. “At the end of 2017, our board made a strong directive to better secure our production floor systems. We had already started a program to better secure the manufacturing arena and put technologies in place to protect the environment, but there was a strong message from our board to focus more on the OT environment, the actual production floor systems, and the industrial control systems to ensure those systems were well covered from a potential cyber impact.”
For this reason, Pfizer decided to adopt an OT-focused solution to secure its manufacturing environments. Ultimately, the pharmaceutical manufacturer chose to work with Claroty to secure its sites.
“We had to have a tool that gave us visibility to what was actually in the production floor. You can’t protect what you don’t know, so having a complete inventory, having that visibility, knowing what’s talking to what is imperative to being able to understand and protect our environment,” LaBonty said. “Claroty is one of our number one tools; it helps with the first phase of the NIST CSF framework, which is to identify. Once you identify, then you can protect it, which is the next phase.”
LaBonty said segmentation is a key security measure, particularly for protecting an organization from cyberattacks such as malware, which can infiltrate the IT side of an operation and make its way to the production floor.
“Segmenting the IT and OT networks has become even more important over the last few years,” LaBonty said. “Phishing exercises of using email to bring malware into an organization have been pretty highly successful. Wherever an email system is, if you have your production environments in a flat network environment, that’s close to the email and not segmented away, there’s obviously a concern. And the need for segmentation was emphasized earlier this year when.
“We’re not immune at Pfizer. [We were recently] impacted by ransomware that took out their production environment because they still had a very flat IT OT layered environment. They had not yet embarked on the segmentation process so when the malware came in through the email it went everywhere. It went through the office environment and it also went to the factory floor and made their computer systems inoperable. It became very clear to us at Pfizer that segmentation is a good defense mechanism.”
To fully secure its facilities, Pfizer has had to implement different systems across its various global locations.
“We were looking for that silver bullet. There is no silver bullet,” LaBonty said. “We had to select five different technologies with each providing an element of the overall security fabric and each one of those provides a threat protection feed into our global SOC.”
Integral to Pfizer’s cybersecurity efforts is its security operations center, which has been tasked with balancing the demands of the pharmaceutical manufacturer’s IT and OT environments.
“Our SOC is an integrated SOC,” LaBonty said. “It’s looking at the business and the manufacturing and leveraging the expertise and knowledge and experience of that SOC for the OT environment. Of course, the OT environment is a different environment, it’s not to be treated exactly the same as IT so there’s some learning, some skill building in our SOC and our IT experts understanding the production environment more. Over the whole journey, that’s one thing I’m still seeing as an opportunity, is to continue to build and upskill that understanding and knowledge of production in our very capable cyber-IT professionals and how to integrate well with those production environments.”
As Pfizer’s vaccine rollout continues, the organization must ensure its production facilities are protected without interrupting production. While this has been especially important during the pandemic, it’s an ongoing reality for the pharmaceutical manufacturer.
“Production is king, it will always be king in manufacturing,” LaBonty said. “We wanted to ensure what we put in place was monitoring the traffic in the network in the production environment, but we didn’t want to impact it in any way, shape, or form.”