
Systems and Data Security Concerns on the Supply Chain

Written by JIM CUMMINGS
17/05/2016

The implementation of serialization mandates around the world will raise new security concerns.

In the United States, the Drug Supply Chain Security Act (DSCSA) will require pharmaceutical companies, CMOs and drug laboratories to apply a certain number of regulations from November 2017. In the European Union, the Falsified Medicines Directive (FMD) also demands certain steps to make the drug supply chain safer from 2019. However, more data exchange between production sites, authorities and laboratories following the application of the DSCSA means that systems and data security are becoming more and more important.

Serialization, Data Exchange and Security Concerns

The requirement put forth by the FDA (US Food and Drug Administration) and many other regulatory bodies to serialize the individual saleable units of prescription pharmaceuticals has created the need to pass data to and from packaging lines and the enterprise, as well as outside the enterprise to supply chain trading partners. This inherently creates a security issue that has generally not existed in the past, as a large number of packaging lines were closed systems disconnected in almost every way from the outside world. Indeed, Industrial Control Systems hacking, malware, and viruses are on the rise, as highlighted by a revised US Homeland Security bulletin.

Data Security and Serialization Mandates

Many have stated that the implementation of serialization solutions to meet the DSCSA compliance dates in 2017 or FMD deadlines in 2019 has negatively impacted their business. However, those impacts will pale in comparison to the potential compromise of the business. One does not need to have personal, confidential or corporate data stolen for this to be an issue. Imagine if you have to halt packaging operations across the board while remediation takes place due to some threat to your infrastructure.

While few people would purposely create a direct attack against a packaging line churning out bottles of prescription cough syrup, that is not the concern. The majority of systems affected by these sorts of intrusions are simply caught up in the tide of these attacks. You do not have to be the intended target of an attack to be devastated by one.

Systems Security through architectural layers in a serialization solution

Fortunately, there are many lessons learned in the IT world that can be directly applied to the packaging floor. An excellent starting point would be the understanding and implementation of the concepts and best practices outlined by ISA, the International Society of Automation, specifically in the ISA-99 technical report. A key component of the report, as defined by ISA-99.01.01, is the implementation of a robust Level 3 system above all Level 2 systems as a critical element in securing corporate infrastructure through a conduit and zoning model. In this model, a zone is defined as a grouping of logical or physical assets that share common security requirements, and conduits are defined as a logical grouping of communication channels connecting two or more zones.

This provides an important isolation of the architectural layers of a serialization solution and ensures that we do not have direct, unfettered access from the packaging line to the enterprise and vice versa. In the rush to meet the upcoming deadlines it is easy to miss this item, as historically implementations on the packaging floor were a low risk, if any, to the enterprise. The data sharing requirements of the DSCSA itself and the nature of unit level serialization systems have changed the level of required connectivity, in most cases quite dramatically.
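The zone and conduit model described above can be checked against observed traffic. The following is an added example, not part of the original article: it audits a list of network flows and flags any that bypass Level 3 or cross zones without a defined conduit. All zone names, host names, ports and flow records are constructed, and modelling the enterprise as the level above Level 3 is an assumption.

```python
# Added illustration; zone names, hosts, ports and flows are constructed.
ZONE_LEVEL = {
    "packaging_line_1": 2,
    "packaging_line_2": 2,
    "site_serialization": 3,
    "enterprise": 4,  # assumption: enterprise modelled as the level above Level 3
}

# Zones group assets that share common security requirements.
ASSET_ZONE = {
    "line1-plc": "packaging_line_1",
    "line1-hmi": "packaging_line_1",
    "line2-printer": "packaging_line_2",
    "site-srv": "site_serialization",
    "erp-app": "enterprise",
}

# Conduits: the only permitted cross-zone channels (source zone, destination zone, port).
CONDUITS = {
    ("packaging_line_1", "site_serialization", 443),
    ("packaging_line_2", "site_serialization", 443),
    ("site_serialization", "enterprise", 443),
}

def audit_flows(flows):
    """Return (src, dst, port, reason) for each flow that violates the model."""
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = ASSET_ZONE.get(src), ASSET_ZONE.get(dst)
        if src_zone is None or dst_zone is None:
            reason = "asset not assigned to a zone"
        elif src_zone == dst_zone:
            continue  # traffic inside one zone does not cross a conduit
        elif abs(ZONE_LEVEL[src_zone] - ZONE_LEVEL[dst_zone]) > 1:
            reason = "bypasses Level 3"
        elif (src_zone, dst_zone, port) not in CONDUITS:
            reason = "no conduit defined"
        else:
            continue
        findings.append((src, dst, port, reason))
    return findings

# Constructed flow records: (source host, destination host, destination port).
SAMPLE_FLOWS = [
    ("line1-plc", "site-srv", 443), ("line1-hmi", "erp-app", 1433),
    ("site-srv", "erp-app", 443), ("erp-app", "line2-printer", 9100),
    ("line1-plc", "line2-printer", 502), ("vendor-laptop", "line1-plc", 22),
    ("line1-plc", "line1-hmi", 502),
]
```

In practice the flow list would come from firewall or switch flow logs, and each finding is either a misconfiguration to close or a conduit that needs to be documented and justified.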

An additional source of information to secure your new serialization solution is the paper "Seven Steps to Effectively Defend Industrial Control Systems" provided by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which operates within the National Cybersecurity and Integration Center (NCCIC), a division of the Department of Homeland Security’s Office of Cybersecurity and Communications (DHS CS&C). There are a number of useful resources available to you at no charge on this very helpful site.

JIM CUMMINGS

Jim Cummings is VP Americas at Adents. He has an extensive background in instrumentation, automation and information systems for manufacturing. He also was a founding member and chairman of the Control Systems Integrators Association (CSIA).
