Securing Your Company's Manufacturing Data - Avoid breaches by knowing what to protect and how to protect it from external threats and internal accidents. - BioPharm International


Securing Your Company's Manufacturing Data
Avoid breaches by knowing what to protect and how to protect it from external threats and internal accidents.

BioPharm International
Volume 18, Issue 12

Internal security breaches caused by employees may be more frightening than external threats. A cyber crime study by the Federal Bureau of Investigation and the Computer Security Institute released in 2000 found that 71 percent of security breaches were caused by individuals who worked within the organization.5 It was also discovered that the majority of internal disruptions are accidental and could easily have been prevented with better plant security policies in place. Whether it is an accident caused by an untrained employee programming a controller, or a disgruntled worker tampering with a maintenance system, current IT technologies designed to prevent outside attacks offer little protection.

Life sciences companies focus on validating their systems to ensure adherence to regulatory requirements. If manufacturing data are lost or don't meet validation requirements, The Food and Drug Administration (FDA) will shut down production, causing significant revenue loss. Validation is costly and time-consuming. As a result, many companies are reluctant to update technology or alter processes for security purposes. This reduces plant-floor security to less of a priority than validation. Compounding the problem is the faulty assumption by many that if a process is validated, it is also secure.


A basic approach to developing a security program involves assessment, design, implementation, and maintenance. Common sense tells us that an effective security program requires knowing what to protect and how to protect it. Generally you only need to protect things that add value to your business and should only apply protection in proportion to the value of the item.

Assemble a security team combining the IT and manufacturing departments and others who have a vested interest such as the chief information officer, chief security officer, and chief financial officer. Designate a security risk manager who will assume ownership and responsibility for implementing all four parts of the program.

Assessment. At the outset, it is essential to understand the assets and vulnerabilities of a facility. Simply applying security technologies without understanding the risks provides little protection from internal or external threats. Identify valuable assets and examine possible weaknesses to help managers responsible for security understand what needs protection and where to focus security efforts. Security risk managers can then develop a clear plan to secure the facility after assessing the probability of a given threat, and determine the level of toleration for the identified risk.

Design. Once the assessment is complete and assets and vulnerabilities are identified, managers can develop ways to reduce security risks to acceptable levels. This may involve a variety of risk mitigation technologies and processes, including limiting physical access to automation systems, assigning user names and passwords to all personnel, and tightening control of computers and software used on the automation network.

Implementation. Managers can deploy risk reduction countermeasures for improved security after designing a risk mitigation strategy. This includes technology like firewalls, intrusion detection systems, software for user authentication and authorization, and defined policies and procedures for plant personnel. Protect crucial systems with multiple defensive layers to guard against all identified threats. Once in place, validate the system and test it for known security vulnerabilities.

Maintenance. Ongoing maintenance is essential to a sound security strategy. This includes auditing, monitoring, and reevaluating the system on an ongoing basis to search for new, unidentified vulnerabilities. A key component of maintaining the security solution is implementing a business continuity and recovery program to respond to severe business interruptions. It is also critical to enforce all security policies and procedures involving management and plant floor personnel. An effective security program is only as strong as its weakest link.


As plant-floor systems become increasingly interconnected to the rest of the enterprise, opportunities for external and internal security breaches increase. The outer layer of a company, normally protected by the IT domain, is essentially the outer fortress wall of the plant floor. This wall employs technologies such as firewalls and encryption to protect systems and data from unauthorized users (hackers and phishers).

Within the fortress, companies also need to be concerned with intentional security attacks and accidental breaches from employees and partners. While IT protects a company's assets from external threats, control systems, user authentication, and role-based authorization help protect production assets and intellectual property from internal security breaches.

Companies can protect information inside the perimeter by implementing role, location, and process-based authentication between inner and outer areas. Plant-floor technologies with built-in authentication make application of security much easier. Set up the enforcement along the lines of WHO can do WHAT from WHERE :

  • Who — Would you want your human resource manager modifying a controller program or forcing an output? Depending on the roles established on the plant floor, engineers and technicians are probably the only employees who should have access to plant floor equipment, and they can be identified by name. We refer to this as role-based security
  • Where — Would you want engineers forcing an output on a critical process from their office? More than likely, you want them close to the process, forced to go to the PC or panel attached locally so they could quickly ascertain whether they've done the right thing. We refer to this as location-based security.
  • What — If a technician were trained only on how to start up Production Line One, you wouldn't want him changing a program on Line Two. Although the line may be within sight, she does not have any responsibility or training on Line Two. Accidents caused by these types of oversights are commonplace on the plant floor. Isolating to this level is called process-based security

Develop policies and procedures that will educate employees and define processes to further support your security program and offer the best return on investment. An addendum would be to enact appropriate policies and procedures with any third-party contract organizations. Make sure these organizations guarantee protection of your data and intellectual property as if they were their own. It is a good idea to seek the advice of security providers that have consultants available who can help customers plan and build effective strategies using security technologies and best practices available.

Currently, no specific mandates for process control security measures in the life sciences industry exist. The closest thing to a mandate is FDA's 21 CFR Part 11 requirement, which defines parameters by which pharmaceutical companies can author, approve, store, and distribute electronic records.6

It is recommended that security-risk managers and chief information officers in the life sciences industry get involved in organizations' standards committees, such as the Instrumentation, Systems and Automation Society to influence the direction for potential future government regulations.7 Technical committees, such as the SP-99 (manufacturing and control systems security), are already paving the way for security standards.

Bryan L. Singer,CISSP, is leader of Security Services with Rockwell Automation, 2100 Riverchase Center, Suite 210, Birmingham, AL 35244, 205.605.0125; fax 205.985.7233


1. Moore W, Slansky R, Hill R. The new world of manufacturing security. ARC Strategies 2003 August.

2. Internally generated statistic at Rockwell Automation 2004.

3. Toran MW. Industry risk report: The life sciences; industry consolidation, a challenging global economy, increasing federal regulations and fear of terrorism are creating new exposures for the pharmaceutical industry. How they address these exposures will have a significant impact on their bottom line. Risk and Insurance 2003 December.

4. Vaczek D. FDA Praises advances on counterfeiting. Pharmaceutical & Medical Packaging News 2005 July:18.

5. Stephanou T. Assessing and exploring the internal security of an organization. SANS Institute 2001 March.

6. Code of Federal Regulations. Electronic Records; Electronic Signatures. 21 CFR Part 11. 2002.

7. For more information on ISA, visit

blog comments powered by Disqus



Bristol-Myers Squibb and Five Prime Therapeutics Collaborate on Development of Immunomodulator
November 26, 2014
Merck Enters into Licensing Agreement with NewLink for Investigational Ebola Vaccine
November 25, 2014
FDA Extends Review of Novartis' Investigational Compound for Multiple Myeloma
November 25, 2014
AstraZeneca Expands Biologics Manufacturing in Maryland
November 25, 2014
GSK Leads Big Pharma in Making Its Medicines Accessible
November 24, 2014
Author Guidelines
Source: BioPharm International,
Click here