Securing Your Company's Manufacturing Data

December 1, 2005
Bryan L. Singer, CISSP

Volume 18, Issue 12

A 2000 cyber crime study revealed that 71 percent of security breaches were caused by people who worked within the company.

The adoption of open networks in manufacturing environments, and the expanding connectivity and decentralization of computer systems and databases, are making the need to secure a company's automation and production systems more important than ever. The direct linking of manufacturing systems to information systems through the presence of Ethernet on the factory-floor creates an environment where traditional information technology (IT) and manufacturing worlds collide. This trend increases the vulnerability of these systems to the same security threats facing today's IT environments. Attacks — whether direct or indirect — from hackers, worms, viruses, and employees can affect the safety and security of people, products, processes, and productivity.

Bryan L. Singer, CISSP

With increasing pressure from consumers and government bodies to ensure product authenticity and safety, life sciences companies need to consider security solutions that help them maintain regulatory requirements and also protect their manufacturing processes. One way companies can ensure their operations and systems are completely secure, is by staying educated and up-to-date on existing and emerging security threats to their facilities and developing a detailed and comprehensive plan of action similar to the one described in this article.

POOR SECURITY INCURS COSTS

Though most manufacturers acknowledge that threats exist, it is difficult for them to determine just how vulnerable their systems are and what measures can improve factory floor security. An ARC Advisory Group report states that 92 percent of manufacturers claim plant security is of the utmost importance.1 However, only 3.6 percent state that their facility is "completely secure," meaning they are satisfied with precautions taken to protect assets from internal and external threats.

While the need to improve the security of manufacturing control systems is an important issue across all industries, it is especially critical for the life sciences industry. With millions of dollars invested in the research and development of a single product, one incident of counterfeiting or product tampering can have a significant impact on a company's bottom line.2 According to the International AntiCounterfeiting Coalition, counterfeiting pharmaceutical products has become a $350 billion per year problem.3 Criminal investigations of counterfeit drugs by the FDA has more than doubled in the last two years.4

RECOGNIZING SECURITY THREATS

Concerns typically faced by IT managers — viruses, Trojan horses and phishing — combined with the threat of espionage keep plant-floor security managers awake at night. Viruses and Trojan horses can wreak havoc on computer systems and render them inoperable. Phishing relies on fake credibility to lure victims into revealing proprietary information based on the tendency to trust the security of a brand name. Personalized e-mails linked to legitimate-looking web sites inform recipients that their password or other vital information has been compromised, and urges them to click on the web link to update their profiles. The link takes the victims to a fake web site where any corporate or financial data entered are routed directly to the phisher.

Figure 1. Defense Measures For Security and Data Protection

Computer security practitioners define a specific threat facing every company as social engineering. It is the practice of obtaining confidential information by manipulation of legitimate users. Parties interested in stealing a company's proprietary information contact unsuspecting employees via telephone or the Internet to request specific information. These scammers are looking to find anyone who might divulge information about a product or production process. If combined with other bits of information gathered from other unsuspecting employees, this detail can provide them with valuable information about a drug's recipe or manufacturing process.

Internal security breaches caused by employees may be more frightening than external threats. A cyber crime study by the Federal Bureau of Investigation and the Computer Security Institute released in 2000 found that 71 percent of security breaches were caused by individuals who worked within the organization.5 It was also discovered that the majority of internal disruptions are accidental and could easily have been prevented with better plant security policies in place. Whether it is an accident caused by an untrained employee programming a controller, or a disgruntled worker tampering with a maintenance system, current IT technologies designed to prevent outside attacks offer little protection.

Life sciences companies focus on validating their systems to ensure adherence to regulatory requirements. If manufacturing data are lost or don't meet validation requirements, The Food and Drug Administration (FDA) will shut down production, causing significant revenue loss. Validation is costly and time-consuming. As a result, many companies are reluctant to update technology or alter processes for security purposes. This reduces plant-floor security to less of a priority than validation. Compounding the problem is the faulty assumption by many that if a process is validated, it is also secure.

APPLY COMMON SENSE

A basic approach to developing a security program involves assessment, design, implementation, and maintenance. Common sense tells us that an effective security program requires knowing what to protect and how to protect it. Generally you only need to protect things that add value to your business and should only apply protection in proportion to the value of the item.

Assemble a security team combining the IT and manufacturing departments and others who have a vested interest such as the chief information officer, chief security officer, and chief financial officer. Designate a security risk manager who will assume ownership and responsibility for implementing all four parts of the program.

Assessment. At the outset, it is essential to understand the assets and vulnerabilities of a facility. Simply applying security technologies without understanding the risks provides little protection from internal or external threats. Identify valuable assets and examine possible weaknesses to help managers responsible for security understand what needs protection and where to focus security efforts. Security risk managers can then develop a clear plan to secure the facility after assessing the probability of a given threat, and determine the level of toleration for the identified risk.

Design. Once the assessment is complete and assets and vulnerabilities are identified, managers can develop ways to reduce security risks to acceptable levels. This may involve a variety of risk mitigation technologies and processes, including limiting physical access to automation systems, assigning user names and passwords to all personnel, and tightening control of computers and software used on the automation network.

Implementation. Managers can deploy risk reduction countermeasures for improved security after designing a risk mitigation strategy. This includes technology like firewalls, intrusion detection systems, software for user authentication and authorization, and defined policies and procedures for plant personnel. Protect crucial systems with multiple defensive layers to guard against all identified threats. Once in place, validate the system and test it for known security vulnerabilities.

Maintenance. Ongoing maintenance is essential to a sound security strategy. This includes auditing, monitoring, and reevaluating the system on an ongoing basis to search for new, unidentified vulnerabilities. A key component of maintaining the security solution is implementing a business continuity and recovery program to respond to severe business interruptions. It is also critical to enforce all security policies and procedures involving management and plant floor personnel. An effective security program is only as strong as its weakest link.

A CRITICAL BUSINESS FUNCTION

As plant-floor systems become increasingly interconnected to the rest of the enterprise, opportunities for external and internal security breaches increase. The outer layer of a company, normally protected by the IT domain, is essentially the outer fortress wall of the plant floor. This wall employs technologies such as firewalls and encryption to protect systems and data from unauthorized users (hackers and phishers).

Within the fortress, companies also need to be concerned with intentional security attacks and accidental breaches from employees and partners. While IT protects a company's assets from external threats, control systems, user authentication, and role-based authorization help protect production assets and intellectual property from internal security breaches.

Companies can protect information inside the perimeter by implementing role, location, and process-based authentication between inner and outer areas. Plant-floor technologies with built-in authentication make application of security much easier. Set up the enforcement along the lines of WHO can do WHAT from WHERE:

  • Who — Would you want your human resource manager modifying a controller program or forcing an output? Depending on the roles established on the plant floor, engineers and technicians are probably the only employees who should have access to plant floor equipment, and they can be identified by name. We refer to this as role-based security

  • Where — Would you want engineers forcing an output on a critical process from their office? More than likely, you want them close to the process, forced to go to the PC or panel attached locally so they could quickly ascertain whether they've done the right thing. We refer to this as location-based security.

  • What — If a technician were trained only on how to start up Production Line One, you wouldn't want him changing a program on Line Two. Although the line may be within sight, she does not have any responsibility or training on Line Two. Accidents caused by these types of oversights are commonplace on the plant floor. Isolating to this level is called process-based security

Develop policies and procedures that will educate employees and define processes to further support your security program and offer the best return on investment. An addendum would be to enact appropriate policies and procedures with any third-party contract organizations. Make sure these organizations guarantee protection of your data and intellectual property as if they were their own. It is a good idea to seek the advice of security providers that have consultants available who can help customers plan and build effective strategies using security technologies and best practices available.

Currently, no specific mandates for process control security measures in the life sciences industry exist. The closest thing to a mandate is FDA's 21 CFR Part 11 requirement, which defines parameters by which pharmaceutical companies can author, approve, store, and distribute electronic records.6

It is recommended that security-risk managers and chief information officers in the life sciences industry get involved in organizations' standards committees, such as the Instrumentation, Systems and Automation Society to influence the direction for potential future government regulations.7 Technical committees, such as the SP-99 (manufacturing and control systems security), are already paving the way for security standards.

Bryan L. Singer,CISSP, is leader of Security Services with Rockwell Automation, 2100 Riverchase Center, Suite 210, Birmingham, AL 35244, 205.605.0125; fax 205.985.7233 BLSinger@ra.rockwell.com

REFERENCES.

1. Moore W, Slansky R, Hill R. The new world of manufacturing security. ARC Strategies 2003 August.

2. Internally generated statistic at Rockwell Automation 2004.

3. Toran MW. Industry risk report: The life sciences; industry consolidation, a challenging global economy, increasing federal regulations and fear of terrorism are creating new exposures for the pharmaceutical industry. How they address these exposures will have a significant impact on their bottom line. Risk and Insurance 2003 December.

4. Vaczek D. FDA Praises advances on counterfeiting. Pharmaceutical & Medical Packaging News 2005 July:18.

5. Stephanou T. Assessing and exploring the internal security of an organization. SANS Institute 2001 March.

6. Code of Federal Regulations. Electronic Records; Electronic Signatures. 21 CFR Part 11. 2002.

7. For more information on ISA, visit www.isa.org.