Date: 2021-02-09

“The Merck incident really brought home to us that pharmaceutical companies are susceptible to these things—and that it's not just the power industry that’s targeted for attacks,” said Brian Hrankowsky, associate senior consultant engineer at Eli Lilly and Co., during a presentation at the Emerson Exchange Virtual Series. “That brought a new focus on cyber security at all levels for us.”

The NotPetya ransomware attack on Merck in 2017 reportedly affected some 30,000 computers and 7,500 servers at the company. Merck ultimately claimed $1.3 billion in losses from the event.

To strengthen its own cybersecurity in the wake of the Merck event, Eli Lilly conducted a number of external audits and developed action plans to close its cybersecurity deficiencies and gaps at both the IT and OT (operations technology) levels, according to Hrankowsky. “Our corporate engineering group recognized that Emerson provides a lot of really good security solutions for the DeltaV platform—so that we wouldn’t have to design it ourselves,” he said.

Hrankowsky noted that Lilly’s IT department prefers for everyone in the company to “use IT’s enterprise solutions and practices, but using Emerson’s architecture allowed IT to continue using their desired solutions in the IT space without worrying about compatibility with DeltaV.”

Addressing inconsistencies

To begin its cybersecurity update, Lilly conducted a high-level assessment of what the company was doing in terms of IT and OT cybersecurity. In the process, the teams discovered several good practices already in place. For example, Hrankowsky noted that, with DeltaV, Lilly uses separate credentials for access to that system and maintains separate domains and networks between IT and OT.

“Our IT systems administration is separate from our automation system administration,” he added.

One particularly negative aspect of Lilly’s cybersecurity approach, however, is that “we were pretty inconsistent about adhering to Emerson security and administrative practices,” said Hrankowsky. “That's not to say we were doing a bad job, we just weren't doing things the same way across the sites and we had a pretty narrow focus on patching and anti-virus while not looking at other things like the whitelisting or consistently applying a backup recovery. Plus, we really were not looking at any external security standards.”

Alexandre Peixoto, DeltaV product marketing manager at Emerson, explained that Emerson’s initial goals for Lilly’s cybersecurity project were “to develop a reference architecture that met both our internal expectations and aligned with our support practices and objectives. We wanted to compare systems against that reference architecture and then close the gaps through how we implemented the architecture to bring consistency across the various systems within the network.”

Strategy implementation

Following the initial assessment, Lilly and Emerson began working toward specific preparations to get operational buy-in for a more consistent approach to cybersecurity.

“From a planning standpoint we did a lot of upfront work; we almost went into overdrive,” said Kurt Russell, consultant engineer at Eli Lilly. “We were trying to gather any and every piece of information we could locate in terms of Emerson documentation and external information—gathering everything we could about how to develop what we thought would be a solid architecture.”

This work brought the Department of Homeland Security’s “Seven Strategies to Defend ICS (industrial control systems)” to the group’s attention. Russell noted that this document gave the group a better idea of the various attack vectors and of the remediation steps that could be used to counteract those attacks.

Armed with this information, Russell said, “We did a risk/reward analysis and decided to specifically pursue six of the seven strategies.”

The cybersecurity components used to address these six strategies included the Emerson Smart Firewall, McAfee endpoint security, McAfee application whitelisting, DeltaV backup and recovery, and an automated patch management server.

“At that point, we had to try to get all the terminology and topology together. That was where one of the challenges began, because Lilly’s terminology for some of the reference levels of an architecture and Emerson’s didn't line up,” said Russell. “So that was among the first challenges—to create one unified terminology or reference we could use in conversations externally with Emerson and internally.”

Russell described the resulting architecture and terminology as a hybrid: Lilly terminology was used for the IT levels above the firewall, and Emerson’s terminology was used for everything below the Emerson Smart Firewall.

“We had to swivel back and forth between the Lilly and Emerson terminologies for the reference levels of an architecture, but it allowed us to have effective conversations with each of the parties,” Russell said.

With terminology references set, development of the reference architecture began in an attempt to cover as many of Lilly’s systems as possible at once, even though the company’s systems vary widely in size. “Some systems may have only 50 I/O points while others have thousands. Likewise, some systems have 10 nodes while others have hundreds. Plus, some systems are used just for coding and testing and others are used directly in manufacturing,” said Russell. “The hard part was trying to come up with a single architecture that could be applicable to any system with minimal adjustments or modifications.”

Execution phase

To develop and implement the architecture, Hrankowsky said the team at Lilly began by looking at all the documents available for how to implement the various products from Emerson. “We had a lot of calls at this point to get help because we were really trying to dig in and do it ourselves to make sure we understood how things worked,” he said. “Once we got through a number of clarifications, we started some initial discussions directly with Emerson and it turned out that we were going to need a lot more help than just a few half-hour meetings here and there. So we set up a schedule and spent about an hour every month really digging into the details on a number of the different aspects that we were going to have to figure out with our implementation.”

The initial target for implementation focused on 50 of Lilly’s systems that needed to adhere to the reference architecture. This meant that the gaps between Lilly’s then-current security reality and the new architecture for those systems had to be discovered.

Hrankowsky explained that the teams started with an offline system that had most of the required cybersecurity components installed. The main components that needed to be installed were the Emerson Smart Firewall and application whitelisting.

Beginning in this fashion, i.e., closing the gaps on systems with some security already in place, enabled Lilly to calculate how long the cybersecurity implementation process would take, what would be involved with each system, how many resources would be required for each, what would be required for a system in a production environment, what the expected downtime impact could be, and how to plan implementation of the other systems at other Lilly sites.

“This also gave us a chance to demo the functionality for some of our stakeholders so they could see what this looks like, what these tools are, and why it was a good choice to use the Emerson technologies instead of developing our own,” said Hrankowsky. “As a result, it was a very successful first implementation.”

Lessons learned

“Don’t expect the business [side] to understand fully the impact of these solutions,” advised Hrankowsky. “They understand cybersecurity is important, but they don't really understand what all of the risks are, what the impact of them could be, and why all these extra tools are really needed. So you have to walk it through with them—not just once, but multiple times to get them to understand why you're doing this.”

He also noted that Lilly’s OT interactions with IT around installing the Emerson Smart Firewall took longer than anticipated. “There are multiple tiers in IT’s security infrastructure to go through; and even after you've gotten people to understand what to do, a new person comes along and asks questions and then you go over it all over again. I think we probably answered the IT group’s questions a dozen times—if not two dozen—so that they fully understood how Emerson’s solutions work.”

And, as with any technology implementation in manufacturing that can in any way interface with IT systems, a lot of time was spent going over who owned what. Hrankowsky said, “IT wants to be able to own everything, but it's really important on our end that the business IT people stick to the business IT solutions and the engineering and leave the manufacturing systems to be handled by people who understand manufacturing.”