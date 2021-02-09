Eli Lilly Updates Its Cybersecurity

Working with Emerson Automation Solutions, Eli Lilly and Co. is extending its cybersecurity practices by basing its approach around the company’s use of the DeltaV automation system.

David Greenfield
Feb 9th, 2021

“The Merck incident really brought home to us that pharmaceutical companies are susceptible to these things—and that it's not just the power industry that’s targeted for attacks,” said Brian Hrankowsky, associate senior consultant engineer at Eli Lilly and Co., during a presentation at the Emerson Exchange Virtual Series. “That brought a new focus on cyber security at all levels for us.”

The NotPetya ransomware attack on Merck in 2017 reportedly affected some 30,000 computers and 7,500 servers at the company. In the end, Merck ended up claiming $1.3 billion in losses from the event.

“That's not to say we were doing a bad job, we just weren't doing things the same way across the sites and we had a pretty narrow focus on patching and anti-virus while not looking at other things like the whitelisting or consistently applying a backup recovery. Plus, we really were not looking at any external security standards.”

To shore up its own cybersecurity efforts in the wake of the Merck event, Eli Lilly conducted a number of external audits and developed action plans around how to shore up its cybersecurity deficiencies and gaps—both at the IT levels and at the OT (operations technology) levels, according to Hrankowsky. “Our corporate engineering group recognized that Emerson provides a lot of really good security solutions for the DeltaV platform—so that we wouldn’t have to design it ourselves,” he said.

Hrankowsky noted that Lilly’s IT department prefers for everyone in the company to “use IT’s enterprise solutions and practices, but using Emerson’s architecture allowed IT to continue using their desired solutions in the IT space without worrying about compatibility with DeltaV.”

Addressing inconsistencies
To begin its cybersecurity update, Lilly conducted a high-level assessment of what the company was doing in terms of IT and OT cybersecurity. In the process, the teams discovered several good practices already in place. For example, Hrankowsky noted that, with DeltaV, Lilly uses separate credentials for access to that system and maintains separate domains and networks between IT and OT.

“Our IT systems administration is separate from our automation system administration,” he added.

One particularly negative aspect of Lilly’s cybersecurity approach, however, is that “we were pretty inconsistent about adhering to Emerson security and administrative practices,” said Hrankowsky. “That's not to say we were doing a bad job, we just weren't doing things the same way across the sites and we had a pretty narrow focus on patching and anti-virus while not looking at other things like the whitelisting or consistently applying a backup recovery. Plus, we really were not looking at any external security standards.”

Alexandre Peixoto, DeltaV product marketing manager at Emerson, explained that Emerson’s initial goals for Lilly’s cybersecurity project were “to develop a reference architecture that met both our internal expectations and aligned with our support practices and objectives. We wanted to compare systems against that reference architecture and then close the gaps through how we implemented the architecture to bring consistency across the various systems within the network.”

Strategy implementation
Following the initial assessment, Lilly and Emerson began working toward specific preparations to get operational buy-in for a more consistent approach to cybersecurity.

Alexandre Peixoto, DeltaV product marketing manager, Emerson.Alexandre Peixoto, DeltaV product marketing manager, Emerson.“From a planning standpoint we did a lot of upfront work; we almost went into overdrive,” said  Kurt Russell, consultant engineer at Eli Lilly. “We were trying to gather any and every piece of information we could locate in terms of Emerson documentation and external information—gathering everything we could about how to develop what we thought would be a solid architecture.”

This work brought the Department of Homeland Securities’ “Seven Strategies to Defend ICS (industrial control systems)” to the group’s attention. Russell noted that this document was helpful in terms of giving the group a better idea of the various attack vectors and what remediation steps could be used to counteract those attacks.

Armed with this information, Russell said, “We did a risk/reward analysis and decided to specifically pursue six of the seven strategies.”

The cybersecurity components used to address these six strategies included the Emerson Smart Firewall, McAfee endpoint security, McAfee application whitelisting, DeltaV backup and recovery, and an automated patch management server.

“At that point, we had to try to get all the terminology and topology together. That was where one of the challenges began, because Lilly’s terminology for some of the reference levels of an architecture and Emerson’s didn't line up,” said Russell. “So that was among the first challenges—to create one unified terminology or reference we could use in conversations externally with Emerson and internally.”

Russell described the resulting architecture and terminology as being a hybrid in that, for everything above the firewall, Lilly terminology was used for the IT levels. For everything below the Emerson smart firewall, Emerson’s terminology was used.

“We had to swivel back and forth between the Lilly and Emerson terminologies for the reference levels of an architecture, but it allowed us to have effective conversations with each of the parties,” Russell said.

With terminology references set, development of the reference architecture began in an attempt to cover as many of Lilly’s systems at once, even though the company’s systems vary widely in size. “Some systems may have only 50 I/O points while others have thousands. Likewise, some systems have 10 nodes while others have hundreds. Plus, some systems are used just for coding and testing and others are used directly in manufacturing,” said Russell. “The hard part was trying to come up with a single architecture that could be applicable to any system with minimal adjustments or modifications.”

 Execution phase
To develop and implement the architecture, Hrankowsky said the team at Lilly began by looking at all the documents available for how to implement the various products from Emerson. “We had a lot of calls at this point to get help because we were really trying to dig in and do it ourselves to make sure we understood how things worked,” he said. “Once we got through a number of clarifications, we started some initial discussions directly with Emerson and it turned out that we were going to need a lot more help than just a few half-hour meetings here and there. So we set up a schedule and spent about an hour every month really digging into the details on a number of the different aspects that we were going to have to figure out with our implementation.”

“Don’t expect the business [side] to understand fully the impact of these solutions. They understand cybersecurity is important, but they don't really understand what all of the risks are, what the impact of them could be, and why all these extra tools are really needed. So you have to walk it through with them—not just once, but multiple times to get them to understand why you're doing this.”

The initial target for implementation focused on 50 of Lilly’s systems that needed to adhere to the reference architecture. This meant that the gaps between Lilly’s then current security reality and the new architecture for those systems had to be discovered.

Hrankowsky explained that the teams started with an offline system that had most of the required cybersecurity components installed. The main components that needed to be installed were the Emerson Smart Firewall and application whitelisting.

Beginning in this fashion, i.e., closing the gaps on systems with some security already in place, enabled Lilly to calculate how long the cybersecurity implementation process would take, what would be involved with each system, how many resources would be required for each, what would be required for a system in a production environment, what the expected downtime impact could be, and how to plan implementation of the other systems at other Lilly sites.

“This also gave us a chance to demo the functionality for some of our stakeholders so they could see what this looks like, what these tools are, and why it was a good choice to use the Emerson technologies instead of developing our own,” said Hrankowsky. “As a result, it was a very successful first implementation.”

Lessons learned
“Don’t expect the business [side] to understand fully the impact of these solutions,” advised Hrankowsky. “They understand cybersecurity is important, but they don't really understand what all of the risks are, what the impact of them could be, and why all these extra tools are really needed. So you have to walk it through with them—not just once, but multiple times to get them to understand why you're doing this.”

He also noted that Lilly’s OT interactions with IT around installing the Emerson Smart Firewall took longer than anticipated. “There are multiple tiers in the in IT’s security infrastructure to go through; and even after you've gotten people to understand what to do, a new person comes along and ask questions and then you go over it all over again. I think we probably answered the IT group’s questions a dozen times—if not two dozen—so that they fully understood how Emerson’s solutions work.”

And, as with any technology implementation in manufacturing that can—in any way—interface with IT systems, a lot of time was spent going over the ownership of who owned what. Hrankowsky said, “IT wants to be able to own everything, but it's really important on our end that the business IT people stick to the business IT solutions and the engineering and leave the manufacturing systems to be handled by people who understand manufacturing.”

Companies in this article
Emerson
Pharmaceutical production. Source: Getty images
Eli Lilly Updates Its Cybersecurity
Working with Emerson Automation Solutions, Eli Lilly and Co. is extending its cybersecurity practices by basing its approach around the company’s use of the DeltaV automation system.
Feb 9th, 2021
The resource kit contains booklets, pamphlets with stands, flip charts, pocket information guides and two sample cartons containing placebos.
Updatable Pharma Kit Packaging Saves Co. $200,000 and Counting
Incorporating a kit with a slide cover is providing production flexibility and cost savings—updating the kits only means replacing one component.
Feb 9th, 2021
XPlanar eliminates the need to move the plasma jet; instead, a floating planar mover carries the workpiece into position for precise surface treatment. Source: Plasmatreat
OEM Redesigns Equipment to Incorporate XPlanar Floating Movers
The levitating material handling technology from Beckhoff is being used by Plasmatreat in its equipment to position materials beneath spray nozzles for plasma pre-treatment and coating.
Feb 4th, 2021
Screen Shot 2021 02 04 At 10 06 48 Am
RLC Releases Report on Fixing Recycling in the U.S.
The Recycling Leadership Council (RLC), a broad coalition of stakeholders brought together to identify the federal government’s role in fixing the U.S. recycling system, released the Blueprint for America’s Recycling System.
Feb 5th, 2021
Top right: Franny Tacy, Chief Creative Officer and Farmer at Franny's Farmacy and Franny's Farm in North Carolina. Bottom right: Blake Patterson, MarketHub CEO.
Retail and E-Comm: 4 Cannabis Considerations in Uncertain Economic Times
How are brands coping with changes in the market, distribution and consumer behavior?
Feb 4th, 2021
View Product Demos On Demand
Sponsored
View Product Demos On Demand
Missed part or all of PACK EXPO Connects? Browse dozens of demos by category or search by keyword. Find solutions to your packaging and processing challenges now through March 31.
Jan 7th, 2021
Getty Images Screen Image
Setting a Design “North Star” in a Fragmented, Emerging Market
Cristin Rudolph, VP of Consumer Products at Green Thumb Industries (GTI), discusses the intersection between classic packaging design and fast-changing cannabis industry packaging design.
Jan 28th, 2021
Dove
Dove’s Sleek New Refillable Deodorant Pack
The global health and beauty brand launches new deodorant packaging that is circular by design, with a reusable stainless-steel case that can be refilled with deodorant sticks.
Jan 28th, 2021
Sm Graphic Sookne
Where's my Vaccine?
unPACKed with PMMI podcast tackles why distribution of Pfizer and Moderna's COVID-19 vaccine isn't matching its breathtakingly fast approval.
Jan 27th, 2021
Automation, specialty devices and personalization are trends leading the way in pharma/med device investments.
Six Trends Influencing New Pharma and Med Device Investments
Automation is the leading trend, with specialty devices and pharmaceuticals also on the rise.
Jan 26th, 2021
Image #1 in the article text.
Report: Innovative New Machinery at PACK EXPO Connects
PMMI Media Group editors—covering a virtual event instead of an in-person exposition—divided and conquered to collectively take in as much of PACK EXPO Connects as possible. Here’s what they saw in the machinery category.
Jan 25th, 2021
View Product Demos On Demand
Sponsored
View Product Demos On Demand
Missed part or all of PACK EXPO Connects? Browse dozens of demos by category or search by keyword. Find solutions to your packaging and processing challenges now through March 31.
Jan 7th, 2021
Companies in the life sciences industry need a granular view of the flow of products traveling through the supply chain, from the initial supplier to the patient.
Consequences of Supply Chain Blind Spots and Solutions in New Survey
Companies lose millions due to spoilage; improved tracking methods increase end-to-end visibility and mitigate loss.
Jan 22nd, 2021
V Fzd H Eh B 1920 60070403d672e
Bumble Bee CEO One-Minute Video: How To Communicate Through Crisis
Jan Tharp, CEO of Bumble Bee Seafood, has navigated turbulent waters. Recently, Jan sat down with OEM's Stephanie Neil during PACK EXPO Connects to discuss her journey to the top of this revamped CPG. Watch this 'Management Minute' with Jan.
Jan 20th, 2021
Getty Images 1230124575
How FDA Food Supply Data Supports COVID-19 Vaccine Distribution
In the latest FDA Voices post, Dr. Stephen Hahn and Frank Yiannas, M.P.H. discuss how the new data analysis tool, 21 FORWARD, is helping food and agriculture workers receive vaccines.
Jan 20th, 2021
Jt Pi8nn2 1280 5ff6451ce19f0
Supply Chain Resiliency in the Face of Covid-19
MIT's Dr. David Simchi-Levi visited with Keren Sookne, Healthcare Packaging, during PACK EXPO Connects to re-examine how life science companies think about the supply chain.
Jan 19th, 2021
Image #1 in the article text.
Report: Innovative New Pharma & Medical Devices at PACK EXPO Connects
PMMI Media Group editors—covering a virtual event instead of an in-person exposition—divided and conquered to collectively take in as much of PACK EXPO Connects as possible. Here’s what they saw in the pharma category.
Jan 14th, 2021
Getty Images 1178747427
Serialization 101
Fraud is a serious issue for drug manufacturing, and pharmaceutical and medical device regulations using serialization have been mandated to defend against counterfeiting.
Jan 13th, 2021
Medical Supplies Packaging Delivery Design From Antalis Packaging
Improving Home Care with Thoughtful Shipper Redesign
When the last mile includes the doorstep, design accommodates patients with limited dexterity post-surgery or diagnosis.
Jan 11th, 2021
Getty Images 627196908
Quotables and By the Numbers to Start the Year
Quotes and stats on clinical trial demographics, modes of transportation, the personalized medicine market, and more...
Jan 7th, 2021
More in Home
Getty Images 157393884
Traceability and Challenges in Perishable Food and E-commerce
Serialization, logistics for COVID-19 vaccines and treatments, and how food is starting to feel a lot more like pharma regarding regulatory hurdles and temperature control.
Jan 4th, 2021
Getty Images 1268181219
Med Device Market Shifting Business Models to Automation and Technology
Four out of five medical device companies interviewed for a new PMMI white paper believe automation and other technological advances are one of the biggest changes to manufacturing in recent years.
Jan 4th, 2021
Uvd Robot 5e8671227f569 png
Counting Down the Top 10 Articles of 2020 - #1: COVID-19 Use Cases for Mobile Robotics
Join us as we look back at the most-read Healthcare Packaging stories of 2020. Coming in at #1, how robots can tackle tasks to help combat the spread of COVID-19.
Jan 1st, 2021
Regular Compact Cotton Icecream Gj Copy 5efcba6f7203d png
Counting Down the Top 10 Articles of 2020 - #2: Tampons in a Whimsical Ice Cream Pint
Join us as we look back at the most-read Healthcare Packaging stories of 2020. Coming in at #2, feminine care company Rael launches a unique recyclable carton in stores and online.
Dec 31st, 2020
Getty Images Global Supply Chain 1 5f442ddc74eae png
Counting Down the Top 10 Articles of 2020 - #3: Pandemic Shapes the Future Supply Chain
Join us as we look back at the most-read Healthcare Packaging stories of 2020. Coming in at #3, five megatrends that will shape the future of business and the world.
Dec 30th, 2020
LOLI Beauty uses recycled, recyclable, and refillable food-grade glass containers for its micellars (e.g., tonics, toners, and serums) and its balms and powders.
Home Compostable Bags for Zero-Waste Beauty Brand
As part of its holistic strategy to ‘stir up a clean + conscious change,’ D2C superfood beauty company LOLI uses less than 0.5% plastic in its packaging, opting instead for glass jars, paperboard, and compostable courier bags.
Dec 30th, 2020
The Respimat® re-usable inhaler by Boehringer Ingelheim was awarded as the winner of the “Eco-design” award. The inhaler can be used with up to six cartridge refills. Crucially, this helps reduces plastic waste and CO2 emissions by up to 73% and 71% respectively compared to conventional inhalers.
Counting Down the Top 10 Articles of 2020 - #4: 2020 Pharmapack Award Winners
Join us as we look back at the most-read Healthcare Packaging stories of 2020. Coming in at #4: pharma and med device packaging advancements.
Dec 29th, 2020
A medical worker prepares a syringe to administer the BioNTech/Pfizer COVID-19 vaccine.
Cold Chain Doubts Delay Vaccine Distribution in Germany
Vaccines sent to certain German cities may have reached up to 7 C higher than the acceptable temperature range in transportation.
Dec 28th, 2020
Getty Images 685013243 5eac5bfeeff4b png
Counting Down the Top 10 Articles of 2020 - #5: Preparing the Supply Chain for a Coronavirus Vaccine
Join us as we look back at the most-read Healthcare Packaging stories of 2020. Coming in at #5: supply chain considerations amid the deadly pandemic.
Dec 28th, 2020
Nurse Panel 1 Copy 5eab1b2e13ea2
Counting Down the Top 10 Articles of 2020 - #6: Nurses Reveal Their Packaging Pain Points
Join us as we look back at the most-read Healthcare Packaging stories of 2020. Coming in at #6: we cover the ever-popular nurses’ panel at HealthPack, in which device packaging is reviewed from the user perspective.
Dec 25th, 2020
Screen Shot 2020 12 21 At 3 04 55 Pm
Counting Down the Top 10 Articles of 2020 - #7: Annual Package Design Gallery
Join us as we look back at the most-read Healthcare Packaging stories of 2020. Coming in at #7: the Annual OTC Package Design Gallery, including trends on the aisles.
Dec 24th, 2020
The rapid success of LastObject’s reusable cotton swabs shows that the market is ready for alternatives to single-use products. The tip is made of Thermolast M from Kraiburg TPE to meet requirements of durability, cleaning, and skin contact.
A TPE for sustainable cotton swabs
LastSwab meets EU Directive which bans single-use plastic products ahead of time.
Dec 23rd, 2020