Q&A on cybersecurity for GxP monitoring systems

Cybersecurity in GxP monitoring systems
Life Science
Welcome to another video question and answer from our webinar: "Cybersecurity in your GxP monitoring system." In this video, our Senior GxP Regulatory Expert Paul Daniel answers the questions we didn’t get to during the webinar. If you missed the live webinar, you can watch it now. 
If you have further questions, please post them in the comment section below the transcript of the video.

[00:00:05] Hello and welcome to another Vaisala video blog. Today's blog is answering questions that we received during a recent webinar: “Cybersecurity in Your GxP Monitoring System”.
Welcome to our senior regulatory expert, Paul Daniel ([email protected]).
First question:
“I have to access a lot of different systems, each with a different password. Can I use a password manager to manage my passwords in a GMP facility?”
Paul: Oh, I love password managers and use them in my personal life. This way, I can have complex, secure passwords for all my online accounts. But I only have to remember just the one password to get into the manager. But I haven't really thought about using it from work because most of our systems are single-sign-on (SSO) or they use active directory. I would assume that if you were at a large company, you'd also use single-sign-on and you would not need to remember a bunch of passwords. But if you were part of a smaller company, you could end up in this situation. I don't see anything conceptually wrong with using a password manager for four GMP password, so long as:
  • You are meeting password complexity requirements.
  • You are not sharing passwords
  • You are not writing them down on paper
Since passwords are stored virtually in your password manager, which is a password-protected environment with a complex password, you have technically met the spirit of the GMP requirements. However, there might be a logistic problem here because your password manager would need to be installed on your workstation. That could be violating a company policy. Your safest course is probably to bring the idea to your quality and IT groups and see what they have to say.
Next question:
“Does the risk of getting hacked increase in a cloud based monitoring system? Is security better or worse in the cloud?"
Paul: That's a big question because there's so many [types] of cloud out there, it's hard to know where to begin. Generally, security is going to be better in the cloud. To limit the scope of my answer, let's say we're talking about software as a service (SaaS), in which case your application is running on a public cloud service like Microsoft Azure or Amazon Web Services (AWS).
On one hand, your risk is reduced because a good chunk of the infrastructure and programming is coming straight from Amazon or Microsoft. They have more resources, experience, and competency than the average I.T. department, especially regarding security.
On the other hand, risk will stay the same because you still need to make sure that your own implementation of the cloud tool is safe and secure. In the end, you must be following the same four basic security practices that we covered in the webinar:
  • Following good practices with passwords
  • Demanding security features from vendors in your user requirements documents
  • Selecting competent vendors and auditing them
  • Following best practices around backup, recovery and control
Overall, you are probably safe with a cloud service, but you still need to follow good practice. Now, if we're talking about a cloud that's limited to infrastructure as a service, you are still responsible for your server deployment and all the responsibilities that accompany that. In this situation, it’s not as low-risk as SaaS, but still probably lower risk than a traditional on premise system.
Next question:
"The industrial Internet of Things (IIoT) makes people nervous because it causes systems to jump Purdue model levels, which is level 2 straight to the Internet. What can you tell me to make me comfortable with IIoT?"
Paul: If you're like me and you just heard about Purdue models, you're like, what's that? Basically, the Purdue Enterprise Reference Architecture (PERA) is a way of understanding and industrial control system by separating the parts in the layer. Level two is where controllers and sensors live, say, on your manufacturing line. The Internet is going to be somewhere much higher up at level five. So this question is basically saying: “If I use the IIoT and to empower the sensors on the manufacturing line, am I opening up a portal between the Internet and my manufacturing line.
I have to say I agree that it sounds risky. Our webinar was about how to defend a complex server-based system from cyber-attack. In our own software – the viewLinc continuous monitoring system - we have a lot of known fixes, a lot of resources to easily fix any errors.
But with IIoT, you may be dealing with a lot of 3rd-party devices that don't have a whole lot of resources for security controls or upgradability. I agree that we are exposing these devices to potential attacks over the Internet. I don't think there's anything I can say that will make you comfortable with the IIoT, because I'm not comfortable with it. Until there is standardization around security procedures for IoT devices, I think there's just too much risk. I love the idea of things being networked. We can enhance productivity through interconnection in a private network, but I am not comfortable with critical industrial devices exposed to the Internet.
No doubt we'll see some more progress on this front in the next few years. I mean, it took Internet security more than 30 years to get to where it is today. IIoT security just needs some time to catch up.
Final question:
"Does Vaisala pay security companies to audit viewLinc for exploits, or offer bounties for found bugs bounties?"
Paul: No. Vaisala is not engaged in any arrangements to pay bounties for bugs found in our systems. Yes, we do use external security consulting firms to perform audits on our systems to help us identify weaknesses and improve our software. Our latest round of security updates was based on four specific issues that we found with the help of a security consulting company. I wouldn't normally describe this as looking for exploits, but since it did help us improve our software. I suppose it is incorrect to say we hired them to find exploits.

Conclusion:  Thank you to all who joined us for the live webinar! If you watch the recorded webinar and have any questions, please email Paul or leave comments in the fields below.
You can learn more about the specific security updates in viewLinc 5.1 here.

Space-proof measurement technology

How can your GxP measurement and monitoring processes benefit from Vaisala's space-proof technology? Learn more about how Vaisala solutions are used in NASA's Mars Exploration Program.

Watch Now


Add new comment