According to Deloitte, the pharmaceutical industry is increasingly the most targeted sector by cybercriminals globally, due to the massive value attributed to associated intellectual property and the increased digitisation of the market. As pharmaceutical companies gradually adopt a more robust online presence, with collaboration, open access, and expanding use of IoT all central to increased agility and responsiveness, the frequency and severity of attacks against them grow. Just a few weeks ago, for example, pharmaceutical companies in the U.K., U.S., and Canada were targeted by nefarious actors looking to steal proprietary information regarding COVID-19 vaccinations.
As an industry, pharmaceutical companies are unique in a number of ways. The value of novel treatments and the associated research they produce is extremely high. A pharma organisation lives on the distinction of its intellectual property, and the research, lab time, testing, and surrounding data that leads to these important breakthroughs. Decreasing the time it takes to develop drugs, treatments, etc. means embracing a more agile technical landscape. Collaboration with external stakeholders, greater control and reporting on the production systems through IoT, and increased access to research and other unique data results in a naturally more open posture around the critical systems and data that are the lifeblood of the industry.
As this change takes place, these companies ascend in the list of targets for motivated bad actors. Both the size of many leading companies and the valuable data they hold make them attractive targets, either to steal precious IP for resale or for purely monetary gain through a ransom.
Common Pharma Use Cases for Micro-Segmentation
Working with companies in the pharmaceutical field, I come across a number of common threads and concerns. Some of these are to be expected, such as the protection of intellectual property, while others are less obvious from the outside, such as the collaborative, shared use of common research facilities, applications, and systems.
As such, the most common risks are as follows:
This is the clearest and most commonly stated threat and use case for micro-segmentation. The original research performed by pharmaceutical companies is often what differentiates them, in large part determining the company’s inherent value. Access to or loss of this data is deemed a high risk, whether it is made accessible to rival organisations or, in many cases, ransomed back to the organisation it was originally stolen from. This is a risk both from outsider groups and nefarious actors and from insiders who may be leaking sensitive data unknowingly. Flat networks, heterogeneous environments, and a lack of visibility and control over east-west lateral movement and application access all exacerbate the issue.
Perhaps most relevant to the situation we find ourselves in facing COVID-19, multiple pharmaceutical companies often collaborate on treatment or vaccine research. This connects two disparate environments with potentially very different security postures and controls in place. Additionally, the collaboration may involve a variety of external users or groups accessing common backend systems. Visibility is key here – reviewing connectivity and establishing trust before defining controls to minimise or mitigate risk.
Core research, storage, or production applications/environments hold critical data. Often, organisations will start by looking at a small number of critical production applications, mapping the connectivity in and out of them before creating stringent policies to protect data and, sometimes, to bolster their Zero Trust posture. We often hear this called a “crown jewels initiative.”
From software applications to the physical production lines, we see heavy and increasing use of IoT: connected devices that monitor, report on, and centrally control the physical systems used during the manufacturing and testing of the actual product. These IoT/OT (Operational Technology) devices and networks are increasingly connected to IT systems – with the extent of this interdependency not always clear. Having worked in the Critical Infrastructure and Operational Technology spaces previously, I’ve seen this connectivity represent unknown risk, with the physical systems, if not targeted directly, still within the blast radius of any collateral damage caused by IT system compromise.
Finally – we see the pharmaceutical industry come under broadening compliance mandates, such as LPM in France, the NIS-Directive in the wider EU, and the various ISO standards.
These standards primarily deal with the security of critical applications and services in OES (Operators of Essential Services), a category that some pharmaceutical companies fall under. These are essential services that must remain working at all costs – power generation, sanitation, telecoms, medicine production. The critical infrastructure mandates that apply in this case all refer to the separation and segmentation of the essential systems from lower-risk/importance areas of the network.
How Illumio ASP Helps
Illumio can help in a variety of ways. We concentrate primarily on the visualisation of access into and out of critical systems and applications, and subsequently create controls around access to such systems, ranging from broad to extremely fine-grained. Through this process – micro-segmentation – the primary concern of lateral movement into the IP-hosting parts of the infrastructure, and subsequent data exfiltration, is easily addressed.
External use of collaborative systems can be visualised and determined to allow great agility and speed of work while maintaining the critical security required. The increased use of IoT platforms in research and production areas can safely be implemented without risk to the environments they’re inevitably connected to.
Application ringfencing and environmental separation are core platform use cases. By clearly mapping infrastructure based on business language rather than network constructs, connectivity between workloads is easily understood. We can then build upon this map to construct extremely simple segmentation policy defining the allowed connectivity (or not) between these systems.
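The ringfencing and environmental separation described above can be sketched as a label-based allowlist check over observed flows. This is an added example, not Illumio's code or API: the workload inventory, label names, rule format and sample flows are all constructed for illustration.

```python
# Constructed inventory: workload IP -> business labels (application, environment).
WORKLOADS = {
    "10.0.1.10": ("research-db", "prod"),
    "10.0.1.11": ("research-db", "prod"),
    "10.0.2.20": ("lab-portal", "prod"),
    "10.0.3.30": ("lab-portal", "dev"),
    "10.0.4.40": ("line-monitor", "prod"),  # hypothetical IoT/OT collector
}

# Allowlist written in labels, not IPs:
# (src_app, src_env, dst_app, dst_env, dst_port). Anything not listed is denied.
RULES = {
    ("lab-portal", "prod", "research-db", "prod", 5432),
}

def decide(src_ip, dst_ip, port):
    """Return the policy verdict for one observed flow."""
    src, dst = WORKLOADS.get(src_ip), WORKLOADS.get(dst_ip)
    if src is None or dst is None:
        return "block: unlabelled endpoint"
    if src == dst:
        # Same application and environment: traffic stays inside the ringfence.
        return "allow: inside ringfence"
    if (*src, *dst, port) in RULES:
        return "allow: explicit rule"
    if src[1] != dst[1]:
        return "block: crosses environments"
    return "block: crosses application ringfence"

def blocked(flows):
    """Flows the policy would deny, with the reason, for review before enforcement."""
    verdicts = [(flow, decide(*flow)) for flow in flows]
    return [(flow, v) for flow, v in verdicts if v.startswith("block")]

# Constructed flow records: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.0.1.10", "10.0.1.11", 5432),  # replication inside research-db/prod
    ("10.0.2.20", "10.0.1.10", 5432),  # portal -> database, covered by a rule
    ("10.0.2.20", "10.0.1.10", 22),    # same pair, port not in the allowlist
    ("10.0.3.30", "10.0.1.10", 5432),  # dev workload reaching into prod
    ("10.0.4.40", "10.0.1.10", 5432),  # OT collector reaching the research data
    ("192.0.2.7", "10.0.1.10", 5432),  # source missing from the inventory
]

if __name__ == "__main__":
    for flow, verdict in blocked(SAMPLE_FLOWS):
        print(flow, "->", verdict)
```

Running the check over recorded flows before enforcing it shows which existing connections the policy would break, which is the mapping step that precedes policy creation.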
Lastly, the Illumio platform successfully protects critical systems in accordance with the relevant industry mandates and controls - including the securing of critical applications in the water treatment industry, healthcare services, airlines, and electrical services for industry.
With the expanding focus on cybersecurity in the pharmaceutical industry, we’ll see more micro-segmentation use cases reveal themselves in the future. The core of these, I think, will primarily involve the protection of and access to high-value, high-risk systems and data, and the prevention of lateral movement into, and compromise of, these systems. Application-centric mapping and control are paramount, and the pharmaceutical industry is appropriately taking strides to address such risks today.
To learn more about Illumio ASP, visit https://www.illumio.com/products/adaptive-security-platform.