 Bryan L. Singer, CISSP
The adoption of open networks in manufacturing environments, and the expanding connectivity and decentralization of computer
systems and databases, are making the need to secure a company's automation and production systems more important than ever.
The direct linking of manufacturing systems to information systems through the presence of Ethernet on the factory-floor creates
an environment where traditional information technology (IT) and manufacturing worlds collide. This trend increases the vulnerability
of these systems to the same security threats facing today's IT environments. Attacks — whether direct or indirect — from
hackers, worms, viruses, and employees can affect the safety and security of people, products, processes, and productivity.

With increasing pressure from consumers and government bodies to ensure product authenticity and safety, life sciences companies
need to consider security solutions that help them maintain regulatory requirements and also protect their manufacturing processes.
One way companies can ensure their operations and systems are completely secure is by staying educated and up to date on
existing and emerging security threats to their facilities and developing a detailed and comprehensive plan of action similar
to the one described in this article.

POOR SECURITY INCURS COSTS
Though most manufacturers acknowledge that threats exist, it is difficult for them to determine just how vulnerable their
systems are and what measures can improve factory floor security. An ARC Advisory Group report states that 92 percent of manufacturers
claim plant security is of the utmost importance.1 However, only 3.6 percent state that their facility is "completely secure," meaning they are satisfied with precautions
taken to protect assets from internal and external threats.

While the need to improve the security of manufacturing control systems is an important issue across all industries, it is
especially critical for the life sciences industry. With millions of dollars invested in the research and development of
a single product, one incident of counterfeiting or product tampering can have a significant impact on a company's bottom
line.2 According to the International AntiCounterfeiting Coalition, counterfeiting pharmaceutical products has become a $350 billion
per year problem.3 Criminal investigations of counterfeit drugs by the FDA have more than doubled in the last two years.4

RECOGNIZING SECURITY THREATS
Figure 1. Defense Measures For Security and Data Protection

Concerns typically faced by IT managers — viruses, Trojan horses and phishing — combined with the threat of espionage keep
plant-floor security managers awake at night. Viruses and Trojan horses can wreak havoc on computer systems and render them
inoperable. Phishing relies on fake credibility to lure victims into revealing proprietary information based on the tendency
to trust the security of a brand name. Personalized e-mails linked to legitimate-looking web sites inform recipients that
their password or other vital information has been compromised, and urge them to click on the web link to update their profiles.
The link takes the victims to a fake web site where any corporate or financial data entered are routed directly to the phisher.

Computer security practitioners identify social engineering as a specific threat facing every company. It is the practice of
obtaining confidential information by manipulation of legitimate users. Parties interested in stealing a company's proprietary
information contact unsuspecting employees via telephone or the Internet to request specific information. These scammers are
looking to find anyone who might divulge information about a product or production process. If combined with other bits of
information gathered from other unsuspecting employees, this detail can provide them with valuable information about a drug's
recipe or manufacturing process.