Avoiding the Risks of Ransomware Strikes in Life Sciences

By Travis Tidwell, Business Development Lead, Rockwell Automation

While Life Sciences companies have become even more important to all of us during the pandemic, they have always been challenged with unique cybersecurity risk. Operating within a highly validated environment that typically runs 24×7, these manufacturing systems do not follow a standard lifecycle timeline and these systems typically cannot implement security updates in a timely manner.

In addition, many pharmaceutical and biomanufacturing companies are under pressure to reduce cost, adapt to market demands and increase quality across their products. This is leading to an accelerated adoption of digital technologies, more interconnected systems and highly automated manufacturing processes to meet business initiatives around agile manufacturing capabilities and stronger data integrity compliance. However, these digital transformation initiatives are adding more complexity to the security risk equation by expanding the attack surface for threat actors to target mission-critical systems, many of which are legacy systems running outdated operating systems.

Unfortunately, with the evolving threat landscape, many manufacturing organizations within the Life Sciences sector have been subjected to cyberattacks, including ransomware. The result of these incidents can have major consequences and business impact.

In late 2020, Favera, a pharmaceutical manufacturer headquartered in Luxembourg, announced that it was the victim of a cyberattack that caused its operations to come to a halt. While it is unknown how long it took the organization to restore operations, this incident had an adverse effect on its manufacturing and supply to consumers.

And let’s not forget the NotPetya attack on Merck in 2017, which was reported to result in $1.4B in losses for Merck.

What’s at stake

Downtime from a cyberattack is costly and unproductive. However, it’s not only a financial or intellectual property impact, but also a community impact. Trillions of products (including medicines and vaccines) are delivered to hospitals and the global market annually to support our loved ones – moms, dads, sons, daughters and so on. When you think about the broad consumption of these products, our daily lives depend on the mission of Life Science companies to ensure supply reliability and product quality.

These manufacturing operations are essential to our economy. Sadly, many threat actors are motivated to carry out cyberattacks for various reasons – financial gains, espionage or competitive advantages – because they understand what’s at stake and how vulnerable many Life Sciences manufacturing facilities are to sophisticated threats, and modern-day tactics and techniques.

Steps to mitigate risk

Fortunately, several steps can be taken to mitigate the risk of cyberattacks and improve your overall cybersecurity posture. Following are some recommended action areas, based on recurring exposures seen in Life Sciences cybersecurity assessments. As you read through the questions below, reflect on your organization’s current practices and where you may be in the maturity of your cybersecurity journey.

• How are you bringing together IT and OT stakeholders? – You must share domain knowledge and experience from both worlds to evaluate and mitigate risk. Use a Cybersecurity Framework such as NIST to identify gaps in your IT/OT security posture using a cross-functional team (IT Staff, Security SMEs, Control Engineers, and third-party trusted partners). Use this framework to develop or maintain a unified strategy that addresses the converged IT and OT environments.
• How are you prioritizing security gaps? – You must be efficient with risk reduction decisions to get the greatest return on risk avoidance investments. Use a risk-based approach to prioritize those gaps and develop a strategic roadmap for closing the gaps based on criticality levels or the asset owner’s risk tolerance. Not all ICS vulnerabilities share the same risk level; align on risk.
• How are you protecting home field advantage? – You must have a defendable architecture specific to your OT/ICS environment. Many attacks focused on OT often start in the IT environment and then navigate to OT. Implement a modern cybersecurity architecture that incorporates leading practices such as:
• Industrial Demilitarized Zone-FW/IT-OT Network Segregation and Micro Segmentation for safeguarding the OT perimeter and high value, vulnerable assets within OT – see this CISA example.
• Identity and Access Management to enforce access and password policies
• Multi-factor authentication to enhance the security of remote access connections
• Endpoint device protection to enhance data integrity and security
• USB security controls to enforce removable media policies

This allows you to leverage a layered defense strategy to help keep out unauthorized users.

• How are you maintaining situational awareness? – You can’t effectively respond to threats if you don’t know the status of your OT/ICS environment. Be sure to deploy continuous threat monitoring controls to detect anomalous or suspicious activity in your OT network. Keep asset inventory updated and establish a baseline that alerts the security team when unauthorized devices or users come on the network.
• How are you preparing for the handling of incident responses? – Your ability to respond decisively to security incidents is determined by your organization’s readiness. Establish a business continuity plan that focuses on operational resiliency and perform tabletop exercises to pressure test those incident response playbooks ahead of “game day.” Role play through situational questions such as:
  • Can the plant be isolated and run in a state of autonomy? If so, how long?
  • Does the plant personnel know what production lines to run or focus on during a state of isolation?
  • What key stakeholders are required and authorized to make critical and timely decisions during a security breach or incident?
  • What specialized OT/ICS resources are on retainer for incident response investigations and remediation activities?
  • If wiped out, how long does it take to recover or rebuild from an attack versus paying a potential ransomware fee?

You play how you practice, so be prepared.

How are you driving cultural awareness? – Your biggest threat, unintentionally in many cases, comes from within the organization. Hold regular cyber awareness training for personnel, including activities such as password hygiene and phishing email exercises.

Reducing business and cybersecurity risk must be a priority of all life sciences organizations. Implementing network segmentation, deploying threat detection services and creating an endpoint security strategy for secure, centralized management of portable media in the OT environment are a few of the steps to take to better secure an organization’s network. This will help improve product quality, reduce losses and risk and optimize production operations. A win-win for any life sciences firm.

About the Author

Travis Tidwell, business development lead, Rockwell Automation. Travis has over 14 years of experience in the automation industry.  In his current role he is responsible for helping Rockwell Automation customers find ways to increase the security posture of their industrial control systems environments through a combination of strategic and tactical approaches.