Pfizer Divides IT and OT Infrastructure Following High-Level Cybersecurity Decision

Pharmaceutical company's IT and engineering divisions established a joint security program back in 2018, tasked with tech evaluation and asset management.

Pfizer has restructured its IT/OT divisions following a security mandate from the company's board of directors.

Pfizer, one of the world's leading pharmaceutical companies, has been on a mission to fortify its IT-OT (Information Technology-Operational Technology) security since 2015. The company began implementing an "industrial firewall" between its enterprise IT and manufacturing OT systems, a move that has proven crucial in the face of potential cyber threats.

In 2018, Pfizer's security program underwent a thorough security analysis and technology audit, a decision driven by a lack of understanding of IT tools in the production environment. The audit was a significant step towards improving the company's cybersecurity posture.

Last December and early January saw a ransomware attack that affected Pfizer's main chief medical officer, causing disruption to their production environment. The attack underscored the importance of segmentation between IT and OT: without it, a cyberattack that starts in an IT environment can potentially spread into OT environments.

Following the attack, Pfizer's board directed its manufacturing arm to focus on securing production floor systems and industrial control systems (ICS). This decision was influenced by Merck's attack by the NotPetya ransomware, which served as an "obvious" lesson for Pfizer.

In response, Pfizer merged its IT and engineering organizations to form a combined security program in 2018. This move has led to significant strides in the last six months, according to LaBonty. The company has also continued to add segmentation on the production floor since 2015.

Collaboration with Johnson Controls has been instrumental in improving the security of Pfizer's production floors. Companies running OT have bolstered their OT infrastructures with supervisory control and data acquisition (SCADA) systems for improved IT/OT convergence.

Segmentation allows for data flow between IT and OT but limits data traffic. This is a crucial aspect, as all components within OT are "dependent on data moving from the manufacturing floor to the cloud," according to Cappi. However, overcoming issues with segmentation or convergence "will only happen with combining resources," he adds.

As of 2020, 53% of companies have internal network segmentation in place, according to Fortinet's 2020 State of Operational Technology and Cybersecurity Report. Yet, more than three-quarters of the companies with SOCs "do not have all OT activities centrally visible" to the SOC.

The user experience within OT, which includes industrial internet of things, data lakes, and Industry 4.0 ideals, is at stake with more air gapping. This presents a challenge as the company navigates the balance between security and operational efficiency.

Despite these challenges, Pfizer continues to make progress in its IT-OT security journey. The company's SOC is in-house and fully integrated with IT and OT professionals. Almost half of companies don't have a technical operations center (TOC) or a security operations center (SOC), according to the Fortinet survey, making Pfizer's efforts even more commendable.

Converging IT and OT security marks a cultural shift dependent on communication, and Pfizer is embracing this change as it continues to protect its critical infrastructure.
