The six-step guide to stronger cybersecurity for life sciences manufacturing
- August 08, 2023
In the highly regulated life sciences industry, any kind of security breach poses a significant risk. Life sciences companies have several important physical and technical areas to protect, including manufacturing plants, laboratory equipment, critical clinical data, product specifications, and intellectual property such as scientific know-how and trade secrets.
External disruptions — pandemics, geopolitical instability, supply chain uncertainty and chronic labor and skills shortages — are some of the many problems life sciences organizations worry about. But the potential for internal disruption is growing rapidly, too. This is because IT and operational technology (OT) departments in manufacturing businesses are often poorly aligned, resulting in increased cybersecurity vulnerabilities.
This misalignment is an unintended byproduct of industry evolution. To improve productivity and efficiency, life sciences manufacturers are increasingly integrating automation into their plants, moving functions to the cloud and adopting Industry 4.0 principles. Given the pervasive digitalization of plant operations, OT is becoming more reliant on IT functions to support its productivity.
Leaders question how and where to start securing the network. Based on the industry experience of the NTT DATA life sciences team, here's a high-level framework with six essential steps that every life sciences manufacturing company can use as a roadmap for improving their security:
Step 1: Establish governance and steering
Engagement governance plays a crucial role in achieving trusted, predictable and reliable service partnerships, especially in bridging the gap between IT and OT. The governance framework could include predefined processes characterized by regular and open communication, clear and enforced processes and well-defined roles and responsibilities to reduce risk and prevent issues. This model is typically divided into strategic, engagement and operational levels and involves stakeholders at all levels.
Step 2: Conduct an audit of assets and network visibility
Asset discovery and network visibility are the fundamental building blocks of a secure posture. The reasoning is simple: “You cannot protect what you cannot see.” This step should produce a detailed inventory of the assets, including their configuration status and current version, and map the connections between assets and the virtual network segments (zones) they belong to.
This enables life sciences organizations to validate asset lifecycles for retired and decommissioned assets, as well as identify hidden rogue assets that have never been listed on the purchased asset spreadsheet. Additionally, it helps the team segment the network for north-south protection based on the assets each segment contains.
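As an added example (not part of the original article or NTT DATA's tooling), the reconciliation this step describes, written in Python: discovered hosts are compared against the purchased-asset list to surface rogue devices, retired devices that still answer on the network, and active assets that were never seen, and each observed host is placed in a zone. The asset records, IP ranges and zone names are constructed sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: what the purchasing spreadsheet says ...
PURCHASED = [
    {"tag": "PLC-101", "ip": "10.10.1.5",  "status": "active"},
    {"tag": "HMI-102", "ip": "10.10.1.20", "status": "active"},
    {"tag": "HIST-01", "ip": "10.10.2.10", "status": "active"},
    {"tag": "OLD-RTU", "ip": "10.10.2.44", "status": "retired"},
]
# ... and what passive network discovery actually observed (constructed).
DISCOVERED = [
    {"ip": "10.10.1.5",  "firmware": "2.3.1"},
    {"ip": "10.10.1.20", "firmware": "5.0"},
    {"ip": "10.10.2.44", "firmware": "1.0.7"},   # retired device still live
    {"ip": "10.10.1.77", "firmware": "?"},       # never purchased: rogue
]
# Assumed zone model for the example: one virtual segment per control area.
ZONES = {
    "cell-A": ipaddress.ip_network("10.10.1.0/24"),
    "historian": ipaddress.ip_network("10.10.2.0/24"),
}

def zone_of(ip):
    """Return the zone whose subnet contains ip, or 'unzoned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"

def reconcile(purchased, discovered):
    """Cross-check discovery results against the purchased-asset list."""
    by_ip = {a["ip"]: a for a in purchased}
    seen = {d["ip"] for d in discovered}
    report = {"rogue": [], "retired_but_live": [], "missing": [],
              "zones": defaultdict(list)}
    for d in discovered:
        rec = by_ip.get(d["ip"])
        if rec is None:                      # on the wire, not on the books
            report["rogue"].append(d["ip"])
        elif rec["status"] == "retired":     # lifecycle says gone, network says not
            report["retired_but_live"].append(rec["tag"])
        report["zones"][zone_of(d["ip"])].append(d["ip"])
    for a in purchased:                      # bought and active, but never seen
        if a["status"] == "active" and a["ip"] not in seen:
            report["missing"].append(a["tag"])
    return report
```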
Step 3: Create a customized set of rules
Effective industrial and OT security requires the organization to establish policies and procedures that match the specific environment. A typical OT environment in life sciences manufacturing has a diverse set of systems and is largely heterogeneous. Consequently, OT environments need multiple, and probably customized, sets of rules. Tailoring policies and procedures to match the specific environment is crucial for an efficient security strategy.
Step 4: Conduct training for compliance and benchmarks
Promoting OT security awareness and providing training at various skill levels fosters a strong security culture. Encouraging team members to obtain professional certifications, as well as taking a deep dive into the standards and benchmarks such as those outlined in NIST’s initial public draft of its Special Publication (SP) 800-82r3, Guide to Operational Technology (OT) Security, helps create a more efficient and resilient workforce while bolstering the security of OT systems throughout the company.
Step 5: Secure access by hardening and patching
Implementing robust access control and authentication mechanisms to prevent unauthorized access is a key measure. By adopting agent-based and real-time agentless profiling and management tools on OT endpoints, coupled with additional contextual data (like asset location, criticality and owner), OT security practitioners can filter endpoint information down to what is relevant for each asset. This allows for accurate, efficient and consistent application of patching and other compensating controls.
The rich endpoint data, coupled with metadata such as operational impact as well as third-party data (such as vulnerabilities, backup, patch and unblocked data), gives OT practitioners context specific to their exact assets. It also helps them implement firewalls and access control to limit network access to only authorized personnel.
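As an added example (not from the original article), the context-driven prioritization described in this step, in Python: endpoint records carry criticality, owner and whether the device can actually be patched, vulnerability severities are joined in, and each asset is ranked and assigned either a patch or a compensating control. Asset tags, scores and the vulnerability identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    tag: str
    zone: str
    criticality: int          # 1 (low) .. 5 (line-stopping), assumed scale
    owner: str
    patchable: bool           # False = vendor-locked or validated state
    vulns: list = field(default_factory=list)   # (vuln_id, cvss) tuples

# Constructed sample endpoint data; vulnerability ids are placeholders.
ASSETS = [
    Asset("PLC-101", "cell-A", 5, "process-eng", False,
          [("VULN-PLACEHOLDER-1", 9.8)]),
    Asset("HMI-102", "cell-A", 3, "process-eng", True,
          [("VULN-PLACEHOLDER-2", 7.5)]),
    Asset("HIST-01", "historian", 4, "it-ops", True,
          [("VULN-PLACEHOLDER-3", 5.3), ("VULN-PLACEHOLDER-4", 6.1)]),
    Asset("ENG-WS", "cell-A", 2, "it-ops", True, []),
]

def risk_score(asset):
    """Worst vulnerability severity weighted by operational criticality."""
    worst = max((cvss for _, cvss in asset.vulns), default=0.0)
    return round(worst * asset.criticality, 1)

def plan(assets):
    """Rank assets by contextual risk and pick patch vs. compensating control."""
    actions = []
    for a in sorted(assets, key=risk_score, reverse=True):
        score = risk_score(a)
        if score == 0:                       # nothing known to fix
            continue
        if a.patchable:
            action = "patch"
        else:                                # cannot patch: contain instead
            action = "compensating control: restrict zone access, monitor"
        actions.append((a.tag, score, action, a.owner))
    return actions
```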
Step 6: Implement a Zero Trust policy
According to NIST’s Special Publication (SP) 800-207, “Zero Trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet) or based on asset ownership (enterprise or personally owned).”
Zero Trust should be a practical way of operating. It treats the users and devices in the IT and OT environments as potential threats, or as vulnerable and at risk of a cybersecurity incident. Hence the authenticity of users must be checked, and the devices they use validated, by verifying their security posture on a continuous basis.
Zero Trust can be summarized into three pillars which, when combined, yield a defense-in-depth strategy that mitigates risks and limits the potential for exploitation:
- Never trust, always verify
- Continuous validation of all actions and data flows
- Grant the least amount of privileges
A roadmap to cybersecurity
This six-step guide serves as a roadmap for life sciences companies to bolster their manufacturing cybersecurity. Establishing governance, auditing assets, creating customized rules, conducting training, securing access and implementing a Zero Trust policy can help any organization build a strong foundation to mitigate risks effectively.
By focusing on cybersecurity fundamentals and embracing industry best practices, life sciences manufacturing operations can safeguard their assets, data and intellectual property to create a positive impact on their bottom line.
As we move into 2022 and beyond, security leaders must empower their teams to have the flexibility and awareness to tackle challenges in this rapidly changing environment. CISOs can never take their eye off the technologies that dominate our field, but it’s just as essential to continue to nurture the people and processes to get the most out of those new technologies.