Email Subscription

Never miss the latest news and offers - subscribe now!

Never miss the latest news and offers - subscribe now!

Cybersecurity: Making the Most of Regulatory Standards

June 16, 2022

Share this page

What are the ISA/IEC 62443 standards? Can they help us? And how are they positioned in the fight against cyberattacks? These are the questions that were going through my mind when I started to write this blog. 

 

Previously we recognized how the pandemic brought Operational technology (OT) and Information technology (IT) closer together and discussed the inevitable increase in risk from cyberattack. We looked at ways to mitigate it through combat against social engineering. With regulatory compliance being such an important aspect of the biopharmaceutical industry, I now want us to take a brief look at regulatory standard ISA/IEC 62443 and see how it has become a best standard of practise in allowing us to fully understand and mitigate cyber risks as OT and IT integrate.

 

International Electrotechnical Commission (IEC) 1

 

is the world’s leading organization for the preparation and publication of international standards for all electrical, electronic, and related technologies. These are known collectively as “electrotechnology”.

 

International Society of Automation (ISA)2

 

The ISA99 committee addresses industrial automation and control systems whose compromise could result in any, or all, of the following situations:

 

  • endangerment of public or employee safety
  • loss of public confidence
  • violation of regulatory requirements
  • loss of proprietary or confidential information
  • economic loss
  • impact on national security

 

Regulatory Bodies and the Need to Build a Regulatory Program

 

In the life science industry specifically, there are organizations in place to regulate the development, production, and life cycle of products coming to market, to ensure our safety and the efficacy of the approved product.

 

One of the most obvious examples of a regulatory organization is the Food and Drug Administration (FDA). The FDA provides guidance documents that lay out requirements the organizations must follow in order to meet the current published federal policies. In recent years, the FDA has accepted a series of standards, such as those developed by the IEC, to help companies build their regulatory programs. These standards help teams to have a clear and defined ‘rule book’ to follow, whereas in some cases the guidance provided by the regulatory agencies may be more generic.

 

It is essential for each manufacturer to take the necessary steps to build their own regulatory program within their facility, using the provided guidance of the relevant regulatory organizations. The creation of a regulatory program doesn’t have to be unduly complex, but the content will be vast.  The program content should be designed based on specific regulatory references like the FDA, identifying those references as the standard; it should also define how the product will be manufactured and how it will be maintained after it gets to market. In summary, a regulatory program sets out to identify the life of the product, from beginning to end, while keeping within the regulatory boundaries of the identified agency. It is essentially developed to create a process that catches quality mistakes prior to release and ultimately prevents those quality mistakes from happening in the first place.

 

Automation, IT, and 62443

 

In the biotech industry, there are so many different groups/departments within a manufacturing company that will ‘touch’ a product in some way before it leaves a facility. As such, for the automation and IT groups, it is essential to have the controls and security in place to meet the federal requirements to have absolute assurance of quality and integrity of what is being created.

 

Many automation and IT teams are following the ISA/IEC 62443 series of standards, that are currently recognized by the FDA, to secure industrial automation and control systems (IACS) throughout their lifecycle. This series includes methods for mitigating cyber-attacks, assessing current system security risk, patch management and much more. ISA/IEC 62443 lays out the fundamental ways to protect systems from security breaches while also assessing risk.

 

Full understanding of risk and conducting effective risk assessments is one of the biggest challenges for the automation and IT teams. By assessing a systems security risk, these teams can unite to develop strategies to keep the identified risk areas safe and create methods for mitigation should an attack occur. The importance of having a well-developed standard to follow, with a proven methodology that works and is accepted by a regulatory body, can play an essential part in keeping the public safe. This is the primary goal for any regulatory organization.

 

Creating a robust regulatory program focused on cybersecurity, as automated equipment connects with the world of Information Technology, is a great task. A task lightened by making the most of the ISA/IEC 62443 standards.

 

 

References

 

 

Kate Green, Automation Engineer, Research and Development

Kate is an automation engineer for the digital solutions team based in Westborough, Massachusetts. She graduated from the University of Maryland, Baltimore County with a Bachelor’s degree in Chemical Engineering. She has been working as an automation engineer in the life science world since early 2020 and previously worked as a process engineer in cosmetic manufacturing.
Kate is an automation engineer for the digital solutions team based in Westborough, Massachusetts. She graduated from the University of Maryland, Baltimore County with a Bachelor’s degree in Chemical Engineering. She has been working as an automation engineer in the life science world since early 2020 and previously worked as a process engineer in cosmetic manufacturing.
Read more
  • Category
  • Author
  • Sort By
Results