- After pharmaceutical company Merck became a collateral victim of the NotPetya ransomware spree, Pfizer's board directed its manufacturing arm to better secure its production floor systems, according to Jim LaBonty, director, head of global automation engineering at Pfizer, during a Claroty webcast Tuesday. The board wanted more focus on OT and industrial control systems (ICS) security.
- Pfizer's IT and engineering organizations joined to form a combined security program. In 2018, the program executed a security analysis and finished a technology audit, which determined who Pfizer would partner with, who would be its security consultancy firm, and decided what technologies needed piloting.
- During the 2018 analysis period, the program conducted a technology audit because "we had no idea really, in the OT world, where the IT tools work perfectly well in the production," said LaBonty.
Though Pfizer began implementing its "industrial firewall" between enterprise IT and manufacturing OT in 2015, the company has continued to add segmentation on the production floor. Production sites with existing segmentation layers were easier for the security organization to implement firewall technologies, according to LaBonty.
The company learned from three or four production sites using a firewall implemented in 2014 — "the impact they were having were minimal or zero between IT and OT," he said. NotPetya became the "obvious" lesson for Pfizer: "Segmentation made a lot of sense."
Segmentation is a defensive measure that still allows for data flow between IT and OT, though it limits data traffic. However, companies reconciling issues with data flows must strike a delicate balance between big data and Industry 4.0 initiatives, and security, said Nick Cappi, VP of product management and technical support at PAS, via email to Cybersecurity Dive.
As of 2020, 53% of companies have internal network segmentation in place, up 6% from 2019, according to Fortinet's 2020 State of Operational Technology and Cybersecurity Report. Data was collected in an April 2020 survey of OT leaders.
Without efficient segmentation, cyberattacks can latch onto OT environments from IT environments. "If you have your production environments in a flat network environment, that's close to the email … there's obviously concern," said LaBonty.
Pfizer's enterprise-level security is a constant target for cyberattacks and cybercriminals. "We're not immune at Pfizer," he said. "One of our [main chief medical officers] just at the end of last December, early January, was impacted by ransomware." The attack "took out" their production environment, because they lacked segmentation between IT and OT.
"When the malware did come in through email, it went everywhere. It went to the office environment, but it also went to the factory floor," said LaBonty.
Companies running OT know the risk of IT/OT connections, and have bolstered their OT infrastructures with supervisory controls and data acquisition systems (SCADA) for improved IT/OT convergence, according to Fortinet.
Converging IT and OT security marks a cultural shift dependent on communication. Almost half of companies don't have a technical operations center (TOC) or a security operations center (SOC), according to the Fortinet survey. More than three-quarters of the companies with SOCs "do not have all OT activities centrally visible" to the SOC.
Pfizer's SOC is in-house and fully integrated with IT and OT professionals. "A big part of the success of the Pfizer program is the collaboration, the willingness to work with each other. It's not always the same goals or mindsets," said LaBonty.
Though the program was created in 2018, Pfizer's IT/OT security collaboration has made "huge, huge strides" in the last six months, said LaBonty. "It's a journey, it's not so very quick … it does take time. It does take cultural differences to be melded and blended together."
But companies struggle with IT/OT convergence because some of the required skill sets require hands-on experience, said Cappi. Overcoming issues with segmentation or convergence "will only happen with combining resources."
Though segmentation is an important defensive measure, convergence-related issues are more pressing in modern businesses. The user experience within OT — which includes industrial internet of things, data lakes, and Industry 4.0 ideals — is at stake with more air gapping. All components are "dependent on data moving from the manufacturing floor to the cloud," slowing the availability of real-time data, said Cappi.