Internal security breaches caused by employees may be more frightening than external threats. A cyber crime study by the Federal
Bureau of Investigation and the Computer Security Institute released in 2000 found that 71 percent of security breaches were
caused by individuals who worked within the organization.5 It was also discovered that the majority of internal disruptions are accidental and could easily have been prevented with
better plant security policies in place. Whether it is an accident caused by an untrained employee programming a controller,
or a disgruntled worker tampering with a maintenance system, current IT technologies designed to prevent outside attacks offer
Life sciences companies focus on validating their systems to ensure adherence to regulatory requirements. If manufacturing
data are lost or don't meet validation requirements, The Food and Drug Administration (FDA) will shut down production, causing
significant revenue loss. Validation is costly and time-consuming. As a result, many companies are reluctant to update technology
or alter processes for security purposes. This reduces plant-floor security to less of a priority than validation. Compounding
the problem is the faulty assumption by many that if a process is validated, it is also secure.
APPLY COMMON SENSE
A basic approach to developing a security program involves assessment, design, implementation, and maintenance. Common sense
tells us that an effective security program requires knowing what to protect and how to protect it. Generally you only need
to protect things that add value to your business and should only apply protection in proportion to the value of the item.
Assemble a security team combining the IT and manufacturing departments and others who have a vested interest such as the
chief information officer, chief security officer, and chief financial officer. Designate a security risk manager who will
assume ownership and responsibility for implementing all four parts of the program.
Assessment. At the outset, it is essential to understand the assets and vulnerabilities of a facility. Simply applying security technologies
without understanding the risks provides little protection from internal or external threats. Identify valuable assets and
examine possible weaknesses to help managers responsible for security understand what needs protection and where to focus
security efforts. Security risk managers can then develop a clear plan to secure the facility after assessing the probability
of a given threat, and determine the level of toleration for the identified risk.
Design. Once the assessment is complete and assets and vulnerabilities are identified, managers can develop ways to reduce security
risks to acceptable levels. This may involve a variety of risk mitigation technologies and processes, including limiting physical
access to automation systems, assigning user names and passwords to all personnel, and tightening control of computers and
software used on the automation network.
Implementation. Managers can deploy risk reduction countermeasures for improved security after designing a risk mitigation strategy. This
includes technology like firewalls, intrusion detection systems, software for user authentication and authorization, and
defined policies and procedures for plant personnel. Protect crucial systems with multiple defensive layers to guard against
all identified threats. Once in place, validate the system and test it for known security vulnerabilities.
Maintenance. Ongoing maintenance is essential to a sound security strategy. This includes auditing, monitoring, and reevaluating the system
on an ongoing basis to search for new, unidentified vulnerabilities. A key component of maintaining the security solution
is implementing a business continuity and recovery program to respond to severe business interruptions. It is also critical
to enforce all security policies and procedures involving management and plant floor personnel. An effective security program
is only as strong as its weakest link.
A CRITICAL BUSINESS FUNCTION
As plant-floor systems become increasingly interconnected to the rest of the enterprise, opportunities for external and internal
security breaches increase. The outer layer of a company, normally protected by the IT domain, is essentially the outer fortress
wall of the plant floor. This wall employs technologies such as firewalls and encryption to protect systems and data from
unauthorized users (hackers and phishers).
Within the fortress, companies also need to be concerned with intentional security attacks and accidental breaches from employees
and partners. While IT protects a company's assets from external threats, control systems, user authentication, and role-based
authorization help protect production assets and intellectual property from internal security breaches.
Companies can protect information inside the perimeter by implementing role, location, and process-based authentication between
inner and outer areas. Plant-floor technologies with built-in authentication make application of security much easier. Set
up the enforcement along the lines of
— Would you want your human resource manager modifying a controller program or forcing an output? Depending on the roles
established on the plant floor, engineers and technicians are probably the only employees who should have access to plant
floor equipment, and they can be identified by name. We refer to this as role-based security
— Would you want engineers forcing an output on a critical process from their office? More than likely, you want them close
to the process, forced to go to the PC or panel attached locally so they could quickly ascertain whether they've done the
right thing. We refer to this as location-based security.
— If a technician were trained only on how to start up Production Line One, you wouldn't want him changing a program on Line
Two. Although the line may be within sight, she does not have any responsibility or training on Line Two. Accidents caused
by these types of oversights are commonplace on the plant floor. Isolating to this level is called process-based security
Develop policies and procedures that will educate employees and define processes to further support your security program
and offer the best return on investment. An addendum would be to enact appropriate policies and procedures with any third-party
contract organizations. Make sure these organizations guarantee protection of your data and intellectual property as if they
were their own. It is a good idea to seek the advice of security providers that have consultants available who can help customers
plan and build effective strategies using security technologies and best practices available.
Currently, no specific mandates for process control security measures in the life sciences industry exist. The closest thing
to a mandate is FDA's 21 CFR Part 11 requirement, which defines parameters by which pharmaceutical companies can author, approve,
store, and distribute electronic records.6
It is recommended that security-risk managers and chief information officers in the life sciences industry get involved in
organizations' standards committees, such as the Instrumentation, Systems and Automation Society to influence the direction
for potential future government regulations.7
Technical committees, such as the SP-99 (manufacturing and control systems security), are already paving the way for
Bryan L. Singer,CISSP, is leader of Security Services with Rockwell Automation, 2100 Riverchase Center, Suite 210, Birmingham, AL 35244, 205.605.0125; fax 205.985.7233
1. Moore W, Slansky R, Hill R. The new world of manufacturing security. ARC Strategies 2003 August.
2. Internally generated statistic at Rockwell Automation 2004.
3. Toran MW. Industry risk report: The life sciences; industry consolidation, a challenging global economy, increasing federal
regulations and fear of terrorism are creating new exposures for the pharmaceutical industry. How they address these exposures
will have a significant impact on their bottom line. Risk and Insurance 2003 December.
4. Vaczek D. FDA Praises advances on counterfeiting. Pharmaceutical & Medical Packaging News 2005 July:18.
5. Stephanou T. Assessing and exploring the internal security of an organization. SANS Institute 2001 March.
6. Code of Federal Regulations. Electronic Records; Electronic Signatures. 21 CFR Part 11. 2002.
7. For more information on ISA, visit