Pfizer Security Incident

An article from Dive Brief Pfizer segmented IT/OT after a board-level security directive Published April 21, 2021 Samantha Schwartz Reporter post share post print email license Permission granted by Merck KGaA Dive Brief: After pharmaceutical company Merck became a collateral victim of the NotPetya ransomware spree, Pfizer's board directed its manufacturing arm to better secure its production floor systems, according to Jim LaBonty, director, head of global automation engineering at Pfizer, during a Claroty webcast Tuesday. The board wanted more focus on OT and industrial control systems (ICS) security. Pfizer's IT and engineering organizations joined to form a combined security program. In 2018, the program executed a security analysis and finished a technology audit, which determined who Pfizer would partner with, who would be its security consultancy firm, and decided what technologies needed piloting. During the 2018 analysis period, the program conducted a technology audit because "w e had no idea really, in the OT world, where the IT tools work perfectly well in the production," said LaBonty. Dive Insight: Though Pfizer began implementing its "industrial firewall" between enterprise IT and manufacturing OT in 2015, the company has continued to add segmentation on the production floor. Production sites with existing segmentation layers were easier for the security organization to implement firewall technologies, according to LaBonty. The company learned from three or four production sites using a firewall implemented in 2014 "the impact they were having were minimal or zero between IT and OT," he said. NotPetya became the "obvious" lesson for Pfizer: "Segmentation made a lot of sense." Segmentation is a defensive measure that still allows for data flow between IT and OT , though it limits data traffic. However, companies reconciling issues with data flows must strike a delicate balance between big data and Industry 4.0 initiatives, and security, said Nick...

... (truncated for display)