Systems and Data Security Concerns on the Supply Chain

In the United States, the Drug Supply Chain Security Act (DSCSA) will require pharmaceutical companies, CMOs and drug laboratories to apply a certain number of regulations from November 2017. In the European Union, the Falsified Medicines Directive (FMD) also demands certain steps to make the drug supply chain safer from 2019. However, more data exchange between production sites, authorities and laboratories following the application of the DSCSA means that systems and data security are becoming more and more important.

The requirement put forth by the FDA (US Food and Drug Administration) and many other regulatory bodies to serialize prescription pharmaceuticals’ individual saleable units has created the need to pass data to and from packaging lines and the enterprise as well as outside the enterprise to supply chain trading partners. This inherently creates a security issue that has generally not existed in the past as a large number of packaging lines were closed systems disconnected in almost every way from the outside world. Indeed, Industrial Control Systems hacking, malware, and viruses are on the rise, as highlighted by a revised US Homeland security bulletin.

Many have stated that the implementation of serialization solutions to meet the DSCSA compliance dates 2017 or FMD deadlines in 2019 has negatively impacted their business. However, those impacts will pale in comparison to the potential compromise of the business. One does not need to have personal, confidential or corporate data stolen for this to be an issue. Imagine if you have to halt packaging operations across the board while remediation takes place due to some threat to your infrastructure.

While few people would purposely create a direct attack against a packaging line churning out bottles of prescription cough syrup, that is not the concern. The majority of systems affected by these sorts of intrusions are simply caught up in the tide of these attacks. You do not have to be the intended target of an attack to be devastated by one.

Fortunately, there are many lessons learned in the IT world that can be directly applied to the packaging floor. An excellent starting point would be the understanding and implementation of the concepts and best practices outlined by ISA the International Society of Automation, specifically in ISA-99 technical report. A key component of the report as defined by ISA-99.01.01, is the implementation of a robust Level 3 system above all Level 2 systems as a critical element in securing corporate infrastructure through a conduit and zoning model, where a zone is defined as grouping of logical or physical assets that share common security requirements and conduits are defined as a logical grouping of communication channels, connecting two or more zones.

This provides an important isolation of the architectural layers of a serialization solution and ensures that we do not have direct, unfettered access from the packaging line to the enterprise and vice versa. In the rush to meet the upcoming deadlines it is easy to miss this item as historically implementations on the packaging floor were a low, if any risk to the enterprise. The data sharing requirements of the DSCSA itself and the nature of unit level serialization systems have changed the level of required connectivity, in most cases, quite dramatically.

An additional source of information to secure your new serialization is the paper Seven Steps to Effectively Defend Industrial Control Systems provided by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) which operates within the National Cybersecurity and Integration Center (NCCIC), a division of the Department of Homeland Security’s Office of Cybersecurity and Communications (DHS CS&C). There are number of useful resources available to you at no charge on this very helpful site.