The Information Technology Phorum (BPIT) will be tackling cyber-security and plant resilience in 2018. This is a vast subject for the phorum to approach. Initially they are conducting a survey on plant resilience to understand which of the many issues are important for the members. They will then work together to start on priority initiatives which can address some of the questions posed by the subject. While the prevention side may be more about improving what is already in place, the recovery aspect of plant resiliency is expected to be leading the in-depth discussions.
The issue of plant resiliency impacts all members and not only from cyber threats. Those members whose plants have suffered from natural disasters, like that of Hurricane Maria impacting Puerto Rico earlier this year, found that they have very similar challenges with plant recovery. It is also clear that newer cyber attacks, impacting data integrity, are possible.
The goal for BPIT is to take the findings from the survey and use this to bring together initiatives and work programs that focus on key aspects of plant resiliency. It is anticipated that ensuring data integrity will be increasingly important too. The collaboration of member companies will help create best practices to enable independent plant operations, speedier recovery, and improved protection standards with the goal of minimizing the impact on biopharmaceutical manufacturing from cyber attacks and natural disasters.
The survey results will be collated and reviewed in January 2018, and priority work agreed at a BPIT leaders call at the end of the month.
A cyber attack suffered by Merck MSD in June 2017 prompted a new discussion about cyber-security and plant resilience at the recent BPIT meeting in October 2017, San Francisco, USA.
Terry Rice, Merck MSD CISO, explained to the Phorum how it had been exposed to a malware attack through its use of document management software. Merck MSD kindly shared some of its learnings from the event with the group, and continues to speak about the incident to the US government amongst others.
The serious impact of such an event is clear to the BPIT Phorum and it raised some in-depth discussions about the issues surrounding an attack. Hackers regularly target organisations, but this amount of damage is unusual as protection methods often work. It is increasingly the case that it is when, not if, a large-scale cyber security incident occurs.
As a starting point, recent practice-sharing sessions have looked at recovery, segmentation and protection. Future collaborations, supported by workstream charters, will look at both tactical and strategic deliverables in the cyber security space.
Merck MSD kindly shared some of its learning points on the recovery side, including the level of customer service it received from its suppliers. As it was the only bio-pharmaceutical company impacted by this malware attack, it was able to quickly get operations back online. Had this not been the case and several companies been attacked the pressure, and ultimately recovery timescale, would have increased for everyone involved.
The case study of this event raised questions around how prepared members were in their plant resiliency. It raised issues around how digital plants are set up and the vulnerabilities that are faced by all members. While it is essential that all parts of the business are able to communicate and that plants continue their digital transformation alongside an Internet of Things, architectures may need to change and this is a place where the team will focus. Other areas of focus also include how to manage outsourced suppliers. Do the other business interests held by a third party increase the risk for the member?
These questions along with any others raised in the survey will form part of initiatives and work programs within BPIT in the new year.