OT Security Challenges
Leaders of Industry is a series of conversations between operational technology, critical infrastructure (CI), and security experts from Armis and other leading companies and institutions. The series explores critical considerations for protecting the OT and CI assets that keep our manufacturing operations, public and private institutions, and cities humming.
This conversation on preparing for the unknown, navigating cyber-risk, and delivering manufacturing and operational excellence during a global pandemic features the following experts:
It is no surprise that pharmaceutical companies have been at risk of cyber-attacks, as many cybercriminals aim to steal their sensitive and confidential data, such as drug prescriptions, research for treatments and patients’ information. This has become more prominent since the Covid-19 pandemic, as pharmaceutical companies became the target of OT threats.
Enter the perfect storm: Covid-19, where operations were turned upside down.
According to the UK’s National Cyber Security Center (NCSC), there were more than 200 successful pharmaceutical company breaches due to the pandemic. Some of the most recognizable attacks in recent years in the pharmaceutical industry include the cyber-attacks on AstraZeneca and Pfizer in 2020 and IPCA Laboratories in 2022.
With Covid-19 seemingly in the rear-view mirror, I had the opportunity to speak with Dennis Reitz of Takeda Pharmaceuticals and Jason Rivera, Takeda’s cybersecurity support partner at Security Risk Advisors. We discussed the lessons learned post-pandemic and how proper preparation can make all the difference.
Keith: Welcome, Dennis and Jason. Dennis, how did you initially navigate the disruption of the pandemic while trying to keep your manufacturing sites secure, and the production of pharmaceuticals operational?
Dennis: Originally, our plan was always to be on site for all projects but we had to shift to a more collaborative work environment to accomplish site security assessments and the implementation of security controls. It wasn’t much different from the enterprise model of virtual collaboration and remote work. Fortunately, we had already prioritized technology investments pre-pandemic which actually helped us through the restraints and uncertainty of that time.
Controls and technologies for 3rd party security and asset visibility at the site levels just had that much more value when we needed them the most. Those investments were able to be extended to mitigate any new and potential ‘attack surface’. We also had a lot of great partners, including SRA, who supported us during this time.
Jason: Firstly, to comment on Dennis’ and Takeda’s experience, a lot of the organizations we have worked with haven’t had the formality, strategy, or investment to navigate with such little resistance as Takeda. Takeda was able to make quick, pragmatic decisions and focus on technology investments to gain perspective and visibility into their OT, manufacturing, and distribution environments.
The point is, Takeda started from a good vantage point. While the times were challenging, the work around securing OT never stopped. Threat actors aren’t stopping and every organization needs to find a way to move the needle, whether amidst a pandemic or geopolitical crisis or not, just as Takeda did.
Keith: Dennis, I am hearing planning and preparation is the key to success. What are your thoughts on the continuation of digital transformation, and the pressures the pandemic, combined with the heightened cybersecurity landscape we find ourselves in, may put on these digital advancements, if any?
Dennis: Our approach to Industry 4.0 and digital transformation really has not been influenced by the evolving cyber landscape or the pandemic so much as it is about thinking about the future and where the industry is going. The pandemic challenged us to think differently in areas we usually wouldn’t. We know that information and operational technology, for example, is moving to the cloud, so we are deciding how to handle that, as not all assets and operations can be cloud hosted. In reviewing existing standards, it was never about inventing anything new. It was about taking those concepts that already existed, and applying them to OT environments, taking the same approach, leveraging known good practices, and applying them to OT environments.
Keith: Dennis and Jason, it seems we are approaching a clear inflection point – a point in time where OT and IT are no longer separated by offices, people, and technologies. As OT is now introduced to the risks of IT, 3rd party connections, and the Internet, risk inherited by OT clearly needs to be realized and addressed differently, as never before. How do we plan for that evolution?
Jason: Interestingly enough, a driver that may be overlooked here is that cybersecurity insurers are having a heavy hand in how businesses prioritize their efforts and investment into OT and Cyber Physical systems security. Performing risk assessments against OT assets, environments, and sites as well as having a network separation or implementation strategy are now requisites for insurers. Whereas before, I don’t think the insurers were hip to understanding the risk.
Even something as simple as having a defined list of what is considered an OT asset type, its vulnerabilities, and its patch and configuration management is a big start. Thus, having IT and OT security subject matter expertise is critical. I think we see this manifested at the Board and CISO/CIO levels and as a result cyber practices found within IT are now bleeding over into OT.
We need to understand, however, that traditional enterprise IT and OT systems are completely different, from application stacks and compatibility (thinking endpoint agents) to real-time system performance needs, down to what exactly do you do if an alert fires on your OT. So overall, the biggest shift I’m seeing is more to the investment into skills and capabilities of IT teams to now handle the Cyber Physical systems security. This is no longer the thing you leave in the corner and just hope it’ll be okay. If CISOs don’t have the remit of CPS/OT today, they will tomorrow and they know it.
Dennis: Part of what we’re doing at Takeda is to change the way everyone thinks, our vendors included, about the handling of OT technology in these environments. Typically, technology in OT is different from IT, but now we have to teach and promote this cross-discipline and figure out the responsibilities in order to ensure we are all working from the same playbook. As an organization, we’re trying to figure that out and teach each other how it can be done and handled.
But overall, our success is a testament to the build of the whole global program in the first place. We didn’t have to drastically adjust our scope or methodology of program goals. I think we handled it all really well. I don’t know if we really would have done anything differently.
As we exit the perfect storm called Covid-19, we oftentimes get caught up in the struggles that were faced, and the failures that ensued. However, if we look closely, we can find successes such as Takeda, the global manufacturer and distributor of vaccines, that seemingly defied the odds in the midst of unheralded OT cyber threats:
It can be argued whether or not Vince Lombardi coined the term ‘hope is not a strategy’, but regardless, it cannot be argued that proper planning certainly pays off when faced with the inevitable ‘unknown’, which is always, seemingly, right around the corner.
Thanks to Dennis and Jason for sharing the successes of Takeda, and the values of preparation and good partnership.
For more information on Takeda, visit https://www.takeda.com
For more information on Security Risk Advisors, visit https://sra.io/