Need for cyber defenses across pharmaceutical industry against cybersecurity risks, supply chain attacks


Organizations in the pharmaceutical industry face significant cybersecurity risks due to their possession of sensitive data and valuable technology. With patient information, patented drugs, and research projects at stake, the sector has emerged as a prime target for cybercriminals. The rapid pace of technological advancement, increased use of automation tools, and reliance on third-party vendors have further compounded the cybersecurity challenges faced by pharma companies.

Increased risk is driven by the sector’s dependence on third-party supply chains, cloud technology, and IoT, which expand the potential vulnerabilities and necessitate diligent security measures. Subcontractors and vendors are vital in essential functions like research and supply chain management, underscoring the importance of mitigating cybersecurity risks in pharmaceutical supply chains.

Phishing and ransomware attacks pose constant threats, while insider threats from individuals with authorized access to sensitive data also compromise cybersecurity. To address these challenges, the industry must implement robust security protocols and comprehensive strategies to protect digital assets and mitigate cyber-attacks. Failing to do so could result in severe consequences such as loss of trust, damage to reputation, and financial decline. Recent high-profile attacks have urged pharmaceutical companies to prioritize enhanced security measures, despite the sector’s traditional lag in cybersecurity.

Understanding unique cybersecurity challenges 

Industrial Cyber reached out to experts in the pharmaceutical sector to gain insights into the distinct challenges faced by the industry in protecting its industrial environment. Additionally, they examined the factors that differentiate the pharmaceutical sector from other critical manufacturing sectors regarding cybersecurity posture.

Francesco Ferri, OT security deployment and operations lead at GSK

The industrial environment in the pharmaceutical sector is subject to compliance with regulatory requirements, Francesco Ferri, OT security deployment and operations lead at GSK, told Industrial Cyber. “For example, control systems, manufacturing processes, and related utilities are validated (to confirm repeatable and consistent medicine quality) and must comply with current Good Manufacturing Practices (cGMP), Good Automated Manufacturing Practice (GAMP), and Code of Federal Regulations Title 21 (CFR21) requirements (among others). Therefore, any OT Security related activity must be assessed to determine the impact on the validation status,” he added.

Ferri identified that one of the challenges is balancing risk mitigation against manufacturing downtime and validation effort while addressing vulnerabilities, applying a security control, or deploying new technology. “Documentation and validation play a big role in the planning and implementation process. Information sharing and threat intelligence are the basis to identify and manage potential outsider/insider threats, usually, the amount of information to be reviewed is large and not always applicable.”

Another challenge is collecting more pharmaceutical sector-specific data to help focus on what matters and optimizing effort, according to Ferri. “In general, OT security’s primary focus is Safety, Availability, Integrity, and Confidentiality (differing from the well-known IT C.I.A. triad).” 

“A key factor that sets the pharmaceutical sector apart is that Integrity takes priority over availability (Safety is always the main focus),” Ferri observed. “Data Integrity is key for the release of product batches and to comply with regulatory requirements in terms of data retention and data availability for inspections and audits. OT Cybersecurity plays an instrumental role to ensure the integrity of current and historical GxP data for the retention period dictated by regulatory requirements.”

GxP, which stands for Good, Variables, and Practice, is a set of regulations and quality guidelines established by the U.S. FDA (Food and Drug Administration) for compliance-related activities. Its purpose is to ensure the safety of pharmaceutical products systematically and comprehensively while maintaining process quality throughout the manufacturing, control, storage, and distribution stages.

John Allen, vice president of cyber risk and compliance at Darktrace

Pharmaceutical companies face three key challenges when it comes to safeguarding their industrial environments, John Allen, vice president of cyber risk and compliance at Darktrace told Industrial Cyber. “First, they deal with a lot of extremely valuable data, for example, proprietary recipes and formulations that are based on hundreds of different data points. Second, many are still running legacy systems that are difficult to implement security controls on, and when they introduce newer systems, these systems are more interconnected and increase the potential attack surface. Finally, the sensitive nature of their processes and controls means that the impact of a cyber incident can be extreme,” they added.

Allen mentioned that there’s no single aspect that sets the pharmaceutical industry apart from other critical manufacturing sectors. “It’s a combination of dollars, data, and potential damage. The pharmaceutical industry generates billions in annual revenue and profits, often from a single or a few drugs. Moreover, they have highly valuable and significant amounts of intellectual property that must be protected. And finally, recovering from an impacted process is complex due to the numerous controls and validation requirements so the potential damage is immense.”

Carlos Buenano CTO for OT at Armis

Carlos Buenano, CTO for OT at Armis, told Industrial Cyber that what sets the pharmaceutical industry apart from other critical manufacturing sectors in terms of cybersecurity is the high value and sensitivity of their information, the strict regulatory environment, and the potential for physical damage. “This requires the industry to invest in robust cybersecurity measures and stay updated on the latest threats and compliance standards. Additionally, the industry’s reliance on complex supply chains and legacy systems presents unique challenges in terms of securing their industrial environment.”

He added that the pharmaceutical industry deals with highly sensitive and valuable information, including trade secrets, intellectual property, personal health data, and confidential research and development data. They are subject to strict regulations and compliance standards, such as HIPAA for health data and Good Manufacturing Practices (GMP) for the production of drugs. 

Buenano further outlined that the pharmaceutical industry is also at risk of physical damage to their production facilities and equipment, and lastly, several pharmaceutical companies have outdated and legacy systems and infrastructure, thus making it challenging to implement modern cybersecurity measures and leaving them vulnerable to cyber threats.

Impact of regulations on cybersecurity strategies, supply chain management

Given the highly regulated nature of the pharmaceutical sector, the executives assess the impact of regulations on cybersecurity strategies and supply chain management within the industry. They examine the role of regulatory compliance, such as FDA requirements, in planning and responding to cybersecurity for pharmaceutical manufacturers.

Ferri said that regulatory requirements have always been part of the deployment of cybersecurity controls, technologies, processes, and procedures, but regulatory authorities have now started looking at cybersecurity-specific requirements (e.g., the medical device requirements recently released by the FDA). “Authorities have also started to include cyber security specific questions during inspections and audits at manufacturing sites.”

“Validation of OT assets must not be altered by any activity (e.g. software updates, patching, installation of antivirus, etc),” Ferri added. “Therefore regulatory compliance and the impact on OT Assets are an integral part of activities planning and any response to incidents, as integrity of the GxP data and process validation are paramount.”

“Most recently, the FDA’s focus for cybersecurity has been around medical devices, however, it has long been a driving influence for cybersecurity in the pharmaceutical manufacturing space for years,” according to Allen. “Indirectly, the required controls and validations introduce significant costs to any recovery efforts, which encourages organizations to adopt appropriate cybersecurity practices. Specifically, CFR 21 Part 11 has been requiring adequate protection of electronic records for years.”

Buenano said that the regulations in the pharmaceutical sector significantly impact cybersecurity and supply chain management. “Compliance with these regulations is critical to protecting sensitive data and ensuring the integrity of the pharmaceutical supply chain. Pharmaceutical companies must have robust cybersecurity strategies and measures in place to comply with regulations and safeguard patient health information and company data.”

“The FDA requires pharmaceutical companies to conduct risk assessments and implement controls to mitigate potential cybersecurity risks,” according to Buenano. “This includes protecting against unauthorized access, data breaches, and cyber attacks that could compromise the safety, quality, and effectiveness of pharmaceutical products. Companies must also have incident response plans in place to quickly and effectively respond to any cyber incidents, as well as conduct regular testing and monitoring of their systems to identify and address any vulnerabilities.”

Regulatory compliance also impacts supply chain management in the pharmaceutical industry, Buenano noted. “Pharmaceutical companies must also ensure that their suppliers and vendors are compliant with regulatory requirements and have robust cybersecurity measures in place. This can include conducting regular audits and requiring third-party suppliers to adhere to strict security standards,” he added.

Prescription for protection against rising ransomware threats 

The pharmaceutical sector is frequently targeted by ransomware attacks due to its high value. The executives analyze the factors that make it attractive to cybercriminals and investigate how pharmaceutical companies have adjusted their cybersecurity measures to address the specific threat of ransomware, particularly its impact on production.

“Intellectual properties and sensitive information like patient data, clinical trials data, and data on drugs under development have always been a target of cyber threats,” GSK’s Ferri said. “In recent years the pharmaceutical sector has seen an increase of ransomware attacks affecting pharmaceutical production likely due to IT / OT integration, making the IT environment one of the key risks for OT.”

Ferri added that the integration of IT/OT is facilitating data analysis to support decision-making and production optimization. “However, at the same time, it has increased the connectivity between two environments with different security approaches and management. This has introduced a risk of potential lateral movement from IT to OT. Pharmaceutical organizations must manage the flow of data and services between the two environments with network segmentation, zero trust policies, and a set of layered controls (defense in depth) to minimize the attack surface and the chance of threats moving from IT to OT.”

Allen said that the “pharmaceutical industry is full of high-value targets for cybercriminals because of the huge amounts of revenue that they bring in. The fact that there are numerous manufacturing facilities and plants around the globe, which are often running legacy systems, means that there is no shortage of targets for them.”

Traditionally, pharmaceutical companies relied on air gapping and tight manual controls, but these are proving increasingly ineffective through the Industry 4.0 transition, Allen added.

“The industry is transitioning to a defense in depth approach to combat ransomware threats,” according to Allen. “That means locking down the perimeter, segmenting networks, and deploying advanced AI-powered monitoring and analysis tools to detect and stop ransomware attacks before they can impact manufacturing processes.”

Buenano said that in terms of the impact on production, ransomware attacks can be devastating for pharmaceutical companies, as they often rely on complex production processes that require precise data and formulas. “Any disruption or loss of this data can have serious consequences for production timelines and the company’s bottom line. To mitigate this risk, companies are implementing more robust disaster recovery plans to ensure that production can continue in the event of a ransomware attack.” 

Furthermore, Buenano pointed out that companies are prioritizing investments in secure systems and implementing regular backups to mitigate the potential impact of a data breach on production.

Examining cyber threat prioritization and resource allocation

Due to the intricate nature of the pharmaceutical supply chain, the executives examine how organizations prioritize their responses to cyber threats and incidents. Additionally, they exchange best practices and strategies for efficiently allocating resources and attention to critical areas.

Starting with the basics, Ferri listed full visibility of hardware, operating systems, firmware, and software versions used in the organization’s OT assets (asset management); identifying the crown jewels based on business objectives as well as GxP criticality and product availability; and triaging all the sector-specific intelligence and existing and new vulnerabilities, applying a risk-based approach to address only what is necessary to mitigate the risk and minimize the downtime. He also suggested deploying a layered set of controls (defense in depth), segmenting the networks, and managing the flow of data and services between IT and OT to allow secure data sharing and remote access.

Ferri also recommended maintaining an OT security training and awareness program, because OT security is everyone’s responsibility, and commonly employees are the main target. He also pointed to making sure the restore process is well developed and tested to minimize Recovery Time Objective (longer downtime would adversely affect the supply of medicines) and Recovery Point Objective (loss of GxP data could be related to current product release or batches in the market, causing supply disruption and product recalls). 

“Contrary to what many may think, it’s relatively easy to identify the most critical assets in a pharmaceutical environment,” Allen observed. “However, what’s not always obvious are the seemingly lower priority assets that attackers can use to pivot to more valuable assets and sometimes to the most critical assets. Understanding the potential attack paths is key to understanding your true risk. It’s important to do everything you can to protect and prioritize the most critical assets, but that’s just the beginning.”

Buenano said that organizations should prioritize responses to cyber threats and incidents in the pharmaceutical supply chain by identifying and assessing risks, focusing on critical assets and processes, creating a response plan, regularly updating risk assessments, investing in cybersecurity tools and training, and collaborating with industry partners. “By following these best practices, organizations can effectively allocate resources and attention to critical areas and mitigate the impact of cyber threats on their supply chain operations.”

Handling production disruptions and FDA impact

In the event of production line disruptions due to cybersecurity incidents, the executives analyze the unique challenges that pharmaceutical companies encounter, which may not be evident in other critical infrastructure sectors. They also evaluate whether FDA audits or permission are necessary to resume production.

Ferri said that cyber incidents that lead to production disruption, data manipulation, and a potential product shortage would lead to a more critical impact on the business when compared with a data breach declaration. “If there are concerns around GxP data integrity and product quality, this would trigger an internal investigation, batch review, hold on product release, product recall, and potential manufacturing disruption with the involvement of regulatory authorities.”

Apart from the disruption of medicine supply (with a possible impact on patients), Ferri pointed out that organizations could face a breach of trust, internal and external investigations, risk of fines, and potentially further delays in manufacturing restarting.

“Regulations (e.g. NIS2) are categorizing the pharmaceutical sector as critical infrastructure resulting in new security requirements on top of existing regulatory requirements,” he added.

Allen pointed out that this is a big part of why the damages from a cyber incident can be so significant. “In a Good Manufacturing Process (GMP) plant, you can’t just swap out impacted systems and start back up. Even for a planned shutdown, significant effort is required for documentation and planning around the shutdown and return to service. Recovering from a cyber incident can require considerably more effort.”

Ultimately, Allen added that the organization needs to be able to demonstrate that after any rebuild, repair, or replacement, the process is under control and will reliably produce the expected results. “In some cases that may require revalidation, but other times, regulators may perform an audit, and an organization will need to address the output.”

Whether or not FDA audits or permission are required to restart production after a cybersecurity incident would depend on the severity and impact of the incident, Armis’ Buenano said. “In some cases, the FDA may conduct an audit to ensure that appropriate measures have been taken to address the issue and ensure the safety of products. However, the decision to restart production ultimately lies with the company, and they may choose to do so after implementing their own internal processes and protocols,” he concluded.
