Pharmaceutical manufacturers need to consider cybersecurity for PLCs

Pharmaceutical manufacturers need to enact cybersecurity measures for their programmable logic controller (PLCs) to prevent hackers from causing damage that could have major repercussions for the health of the company's customers.
By Steven Pflantz, PE, CRB October 18, 2018

In 2018, programmable logic controllers (PLCs) like this are interconnected to a plant-wide control system in a pharmaceutical plant, and are a much more interesting and available target for hackers. Courtesy: CRBIt might seem crazy anyone would try to hack into a programmable logic controller (PLC)—especially for a pharmaceutical manufacturing facility. It would seem there are many more viable targets out there for a hacker than some random PLC. 

Unfortunately, this is no longer the case. Industrial control systems (ICSs) have become a target of interest for cyber criminals. Consider the negative economic impact and consumer distrust from a major retailer being hacked. This is especially true for a pharmaceutical manufacturer if it appears the prescription drugs had been tampered with. This is possible because of how easy it is to connect everything over the same network.

Networking control systems used to be a major hassle. Everyone had their own proprietary control network, physical infrastructure, and network protocol. Sharing among systems required interface gateways gave limited interface capabilities. It was hard to talk amongst systems. Now, the manufacturing industry has migrated towards use of a more common network protocol with Ethernet. 

It has become easier to connect and network systems together, which is a blessing and a curse. Users have the ability to connect automation networks together and provide a wonderful level of data availability. That connectivity and accessibility on a worldwide network can be a hazard, though.

There are some "philosophical" differences in the way information technology (IT) systems are operated versus control systems—operation technology (OT) systems. Both require a different approach to cybersecurity.

OT systems are designed to differentiate the network systems used for industrial controls versus those used for businesses, banking, etc. Both use the same basic network infrastructure, but the applications being run are quite different.

IT systems prioritize data security above all else. They need the latest software patches and upgrades installed. In an office environment, it is merely an annoyance. If a cyber threat is severe enough and out of control, users shut the PC down or cut it off from the rest of the world to stop the threat from progressing.

Now think about those same concepts from an OT perspective. Control systems are intended to run 24/7. Constantly rebooting to install patches and upgrades is not possible. In the life sciences realm, validated systems provide more reason to avoid continual software patches and upgrades. A validated system that has been stopped and changed and has to be validated again. Shutting things off to stop access or progression of a threat is not desirable.

In 2018, programmable logic controllers (PLCs) like this are interconnected to a plant-wide control system in a pharmaceutical plant, and are a much more interesting and available target for hackers. Courtesy: CRBThe threats can be quite different, as well. Consider a scenario where a hacker gains access to a control system network on the plant floor. Gaining access to a network and flooding the network with garbage so it crashes can achieve a hacker’s objective. Doing this is much easier than accessing encrypted files. Forcing the pharmaceutical plant to shut down can cause losses of production, process, and maybe worse if the shutdown can causes instability or dangerous conditions.

Responding to these threats is difficult, but there are things pharmaceutical manufacturers can do to prevent a hack from ever happening. As OT systems are designed, companies need to keep the connection and access points in mind. It’s not just the network connection on the other side of the firewall that is a potential concern.

The reason many companies restrict or prohibit the use of USB memory sticks is using them is a potential point for a virus or malware. Also think about laptops used for control system configuration and each time they connect to a network. Also think about tablets, phones, and instrument calibration equipment too. Any device that can connect to multiple networks can be a source of trouble. It’s easy to take cybersecurity and good cyber hygiene for granted. Pharmaceutical manufacturers that appropriate steps will only help the bottom line, but they can potentially save lives.

Steven Pflantz, PE, is an associate/instrumentation and controls engineer at CRB, a CFE Media content partner. This article originally appeared on CRB’s blog. Edited by Chris Vavra, production editor, Control Engineering, CFE Media, cvavra@cfemedia.com.