This paper presents seven BioPhorum manufacturing patching practices. It provides guidance to help focus your thoughts and ideas if you are tackling the same issues within your manufacturing environment. It identifies barriers that can make patching difficult (or even impossible) and proposes mitigation practices that you should consider to overcome these barriers and associated risks and use to support a successful program of patching within the manufacturing environment.
Viewing related articles
Cyber Education Series: Guidance on how to write a disaster recovery playbook for the manufacturing environment
This ‘how-to’ guide is intended to help companies decide what they should consider in advance of a disaster event and what to include in the disaster recovery playbook. It is not a definitive set of steps to recover an impacted manufacturing plant. Rather, it can be used as a prompt to develop the detail needed to create a disaster recovery playbook for a manufacturing plant, customizable to any organization.
Pharmaceutical manufacturers are developing and using Configuration Management Databases (CMDB) to maintain inventories of the IT and automation assets used by the manufacturing and laboratory systems at their production facilities. A CMDB can provide access to accurate data, including available assets, where they are, how they are configured, and the relationships that exist between them; all of which are vital functions for lifecycle management, change management, incident management and patching.
The information model typically used by the standard CMDB installation is based on the idea that all systems used by the enterprise are software based and described by a class of objects called an application. This does not always align to the needs within an operations technology (OT) environment. Therefore, the BioPhorum Cyber Security members, using their extensive combined knowledge, have collaborated to design a common information model describing a manufacturing system detailed in a shop floor/OT CMDB. The proposed model is intended to be a free, reusable, standard structure which can be adapted for specific company needs, providing a good starting point for configuration data modelers working in the OT space.
In pharmaceutical manufacturing plants, it is sometimes the case that there is no single place to view an inventory of manufacturing assets. Conversely there may be many data sources with manual processes required to compile a single view. This is a problem for the entire enterprise, not just manufacturing; it is a constant and ongoing balance of enterprise (IT) vs manufacturing (OT) tools, policies and proceedures.
Managing this asset information can become a significant manual effort. Without trustworthy data, there is an unclear view of the cybersecurity risk that assets contribute to the manufacturing plant and enterprise. The absence of good information makes planning of patching and lifecycle management exceedingly difficult.
This compels manufacturers to develop Configuration Management Databases (CMDB’s) to maintain inventories of the assets used at their production facilities. Here the BioPhorum Cyber Security members have been investigating the underlying use cases that drive the design, needs and benefits of each member’s CMDB application/s. Through a compare and share process, they have asked the questions “What are our peers doing?”. This paper starts to draw parallels and highlight differences. It gives an insight into the complex and diverse ways of setting up, maintaining, and managing a manufacturing shop floor CMDB.
With each new challenge, organizations are working to improve their response and reduce the time and effort required. Companies are all investing in routine patching where possible, reducing this activity in urgent situations, as well as investing in other mitigation options such as isolation where appropriate – more options means reduced impact. This paper provides a summary of what the members of the BioPhorum IT Cyber Security Workstream are doing.
This paper characterizes this framework, and the associated mixed environments, to illustrate the drivers and success metrics for the key functions of business management of information systems, and that of plant-floor instrumentation and controls engineering. For people working in this arena, this paper will help develop an understanding of this landscape and foster a cooperative approach to implementing network resilience and cybersecurity solutions that allow more robust and secure delivery of essential drug products to the market.
As the maturity of digital manufacturing plants increases, so does the risk of a cybersecurity or other digital incident. A successful phishing attack, for example, could adversely impact manufacturing operations and potentially take a facility offline for hours, days or even longer. A company’s ability to minimize the risk of a digital disaster in its manufacturing plants, and quickly restore operations if one occurs, is a vital area for investment to ensure delivery of drug products to patients. To do this, biopharmaceutical manufacturers must understand the cyber resilience at their differing plants and how each site fits into the context of their overall business.