Food and Drug Administration of the United States (FDA) has released A white paper emphasizing the need to integrate cybersecurity into advanced and intelligent technologies used in the manufacture of medical products. Modern manufacturing environments count on an increasing number of connected devices, called operational technologies (OT), which were Traditionally built for reliability rather than security. Consequently, it can be difficult to determine the communications of the network that occur, when they occur and where they come from, which makes it more difficult to detect and reaction to cyberrencies.
Commercial manufacturing equipment often does not comply with national or international cybersecurity standards by default. This deficit requires the deliberate design and configuration of the system. The integration of cybersecurity in standard industry practices, whatever the size of the company, will considerably reduce the risks for the manufacturing sector of American medical products and its supply chain.
In his’Secure technology and equipment (operational technology) used for medical Product manufacturing“White paper, the FDA identifies that There is a balance to be found between the creation of an operational environment that is easy to use and which provides operations against as many threats as possible. The White Paper outline Key considerations in three categories, including exchange of technical information, safety standards and compliance and security by design. These practices are taken from advice referenced and shaped by the practical experience of FDA with the collaboration of the industry and the deployment of non -manufacturing operational technologies.
“The overestimation of safety or ease of use can have serious ramifications for public health, access to patients in care, the availability of advanced products and pandemic preparation,” he added. “Like a quality insurance program, a solid cybersecurity process is one of the pillars that support safe, efficient and reliable production of medical products.”
Data violation and Ransomware attacks On hospital systems and medical clinics have become more omnipresent in recent years, which has led to significant HHS, other government and private sector services to mitigate damage and reduce the efficiency of these attacks. As very publicized as these attacks are, manufacturing and Supply chain attacks have the potential for the same greater harm patients, medical advancement and public health safety. The FDA develops policies, advice, strategies and regulatory scientific tools for OT security And the resilience of the supply chain to respond to its public health mission.
The FDA document on the manufacture of medical products has identified that OT cybersecurity begins by raising awareness of the physical and digital landscape of each production line and the broader corporate infrastructure. Manufacturing equipment, sensors, plumbing and electrical systems that make up any production facility create the operational environment. Digital technologies and orders often connect to a larger building, an installation or business networks that allow remote monitoring and the operation of production. A complete understanding of all these elements and their connections is an integral part of the creation of a secure OT environment.
Operating environments may include almost all industrial assets managed by industrial control systems (CI), such as programmable logical controllers (PLC), remote terminal units (RTU), intelligent electronic devices (IED) and distributed control systems (DCS). These devices must often operate continuously for months or years under potentially harsh or severe conditions.
Consequently, many OTS have been designed to prioritize the coherent features on cybersecurity and did not provide for the conditions accessible to the constantly connected Internet of the modern industry. As such, they are more vulnerable to modern cyber-menices such as exploits distributed to denial of service (DDOS) or vulnerability. In addition, it is sometimes difficult to say what, when and where communications occur.
Organizations that try to secure their industrial networks are often faced with two major challenges covering the lack of visibility and the lack of control. They often find it difficult to manage CIs and OT systems because they are integrated into larger networks, especially when using technologies inherited with complex communication requirements. This leads to a lack of visibility on the devices on the network and how they interact, which makes the risk assessment difficult and the implementation of effective safety measures. In addition, many devices start uncluttered or unchanged connections, further reducing control. Without complete knowledge of the communications of the devices, organizations cannot adequately secure their network environments.
The FDA has followed cybersecurity expert recommendations, such as special NIST publications such as federal standards on information products (FIPS 140-2 and 140-3) and NIST SP 800-82, CISA directives and strict network routing requirements are used to protect networks. In the short term, it may be easier and trying to make exceptions or define permissive network rules. However, this would create a risk of long -term cybersecurity unacceptable for government networks and, likewise, for medical products manufacturing.
The FDA white paper has identified that many standard commercial products (COTS) may not natively respect these security requirements and may require reconfiguration to operate. Even if it is not a standard practice of the current industry to comply with the FIPs or the similar security guidelines, the advantage of implementing them quickly and in a global manner can prevail from afar on the inconvenience in the short term.
“Until these guidelines are considered a standard practice of industry, there may be considerable vulnerabilities inherent in many OT configurations,” he added. “The availability of default security may change because industry requires security as a reference for manufacturing excellence.
Covering the exchange of technical information, the white paper of the FDA has identified that the adoption of connected and intelligent manufacturing systems often requires major equipment updates and the integration of various hardware, software and micrologists from several suppliers. Each component, including automated operations, sensors and software, can incorporate various software packages, hardware versions and firmware, many of which are not entirely controlled by the main equipment supplier. This complexity makes it essential that the integration teams have a detailed knowledge of all the elements used (for example, via material And Software materials).
Special security considerations are necessary for integration teams, in particular temporary staff, including rapid abolition of privileged access after deployment. Suppliers and specialists from the manufacturer need an in -depth technical understanding of network traffic and compatibility with safety standards before the start of deployment. Good alignment of software and infrastructure requirements can prevent conflicts and security gaps.
As manufacturing systems generally involve products from several suppliers and sources, in -depth mapping and understanding of each OT component and its connections are vital. This approach improves the deployment process and strengthens the overall security of the manufacturing network.
With regard to safety standards and compliance, the FDA noted that the security of hardware and software is easier in the event of standards and industry -scale guidelines, such as FIP, FIP, NIST SP-800, And IEC 62443are followed. Federal agencies and other regulated organizations must comply with these standards, which provide a solid framework to protect networks with connected OT systems. Although all OT products do not come with integrated compliance, the continuation of these standards strengthens the defense against cyberrenchers that can disrupt critical supply chains.
To guarantee compliance, federal agencies require that systems are authorized to exploit (ATO) the process, which involves safety assessments, planning and continuous monitoring. For cloud systems, the Fedramp program Ensures that federal security requirements are met.
The ATO process helps to identify potential security impacts, compliance gaps and necessary mitigation stages before the systems become operational. Safety analyzes and documentation journals are used to discover unknown risks before, such as undocumented communications. The results of these evaluations guide organizations and suppliers in the fight against vulnerabilities and compliance.
Finally, the FDA white paper has emphasized security by design, highlighting the importance of building products, networks and procedures with integrated cybersecurity from the start. Define the communication routes and align with the established standards rationalizes deployment while strengthening overall security. Organizations, in particular the largest with various needs, benefit from processes such as changes control cards (CCB) to examine shared resources changes and prevent involuntary problems. Like many critical services share resources, compromise OTS can create vulnerabilities, which makes it crucial for implementators to ensure that all OTS meet current security standards.
If the necessary features are missing, companies should ask the sellers to add required safety capacities and to put pressure for compliance with the government or widely accepted standards. Although it may seem binding, this reduces the risks of violation and reassures customers and regulators. Creation of a OT security plan Requires an understanding of cybersecurity practices and commercial needs to decide on appropriate protections. Federal systems show that membership of FIPs, CISA orientations and consensual standards allows a secure and efficient OT deployment.
The FDA had in 2023 Final guidance published establishment New cybersecurity requirements for cyber devices, which includes information that the sponsor of prior submission to marketing for a cyber-appareil must provide in his submission. The document also requires that health care stakeholders introduce their provisions for infrastructure cybersecurity that cover the software material bill (SBOM) and vulnerability disclosure reports.
