Do you struggle with modern data backup methods on industrial automation? Sometimes these “islands of automation” are not conducive to well-established methods when there is no apparent network connection. In cases such as these, a frequent choice is to use a flash drive. This technology is available in most Human Machine Interfaces (HMIs) and Programmable Logic Controllers (PLCs). A flash drive’s ease of use, availability, and portability are both advantages and risks.
FDA/EMA-regulated companies are in a constant state of diligence regarding cybersecurity risks. Identifying and controlling points of vulnerability consumes considerable resources for both business continuity and mitigation of quality risks. A brief review of existing and emerging risks is warranted to educate companies on the “seemingly” small risks; however, historical review shows that these perceived small risks can have significant consequences.
In February 2021, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) published a blog titled “Using Caution with USB Drives” (here). Although the BioPharm industry is not specifically mentioned, the fundamental threat should be understood by QA and the relevant automation engineering functions. This blog notes, “Attackers can use USB drives to infect other computers with malware that can detect when the USB drive is plugged into a computer. The malware then downloads malicious code onto the drive. When the USB drive is plugged into another computer, the malware infects that computer.” The response to this threat is for companies to assess where flash drives are currently used, and how to mitigate this risk in the future using the established principles in ICH Q9, “Quality Risk Management.” The topic of the vulnerability of USB ports is also identified in a report from the European Union Agency for Cybersecurity (ENISA) titled “ENISA Threat Landscape 2023” (here), which notes, “USBs also had a resurgence by groups that are financially motived. We expect attacks via USB to be used in targeted attacks…”
Most recently, the FDA published a draft guidance titled “Select Updates for the Premarket Cybersecurity Guidance: Section 524B of the FD&C Act” (here) that highlights the attention cybersecurity is gaining, which should be no surprise to anyone. Noted in this draft guidance is the often-missed technology of PLCs; the “FDA considers a ‘cyber device’ to include devices that are or contain software, including software that is firmware or programmable logic.” This quote is footnoted in the draft guidance to include a definition of a PLC.
Company sites and third-party vendors should understand this risk as it is often missed by traditional IT departments; however, automation engineering personnel are much more familiar with such risks. This is a key reason for identifying automation components in your site’s CSV inventory.