Skip to main content
close search
site logo
Dive Brief

Pfizer segmented IT/OT after a board-level security directive

Published April 21, 2021
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Drug production area, Merck (KGaA) Darmstadt, Germany
Permission granted by Merck KGaA

Dive Brief:

  • After pharmaceutical company Merck became a collateral victim of the NotPetya ransomware spree, Pfizer's board directed its manufacturing arm to better secure its production floor systems, according to Jim LaBonty, director, head of global automation engineering at Pfizer, during a Claroty webcast Tuesday. The board wanted more focus on OT and industrial control systems (ICS) security.
  • Pfizer's IT and engineering organizations joined to form a combined security program.  In 2018, the program executed a security analysis and finished a technology audit, which determined who Pfizer would partner with, who would be its security consultancy firm, and decided what technologies needed piloting. 
  • During the 2018 analysis period, the program conducted a technology audit because "we had no idea really, in the OT world, where the IT tools work perfectly well in the production," said LaBonty.

Dive Insight:

Though Pfizer began implementing its "industrial firewall" between enterprise IT and manufacturing OT in 2015, the company has continued to add segmentation on the production floor. Production sites with existing segmentation layers were easier for the security organization to implement firewall technologies, according to LaBonty. 

The company learned from three or four production sites using a firewall implemented in 2014 — "the impact they were having were minimal or zero between IT and OT," he said. NotPetya became the "obvious" lesson for Pfizer: "Segmentation made a lot of sense."  

Segmentation is a defensive measure that still allows for data flow between IT and OT, though it limits data traffic. However, companies reconciling issues with data flows must strike a delicate balance between big data and Industry 4.0 initiatives, and security, said Nick Cappi, VP of product management and technical support at PAS, via email to Cybersecurity Dive. 

As of 2020, 53% of companies have internal network segmentation in place, up 6% from 2019, according to Fortinet's 2020 State of Operational Technology and Cybersecurity Report. Data was collected in an April 2020 survey of OT leaders. 

Without efficient segmentation, cyberattacks can latch onto OT environments from IT environments. "If you have your production environments in a flat network environment, that's close to the email … there's obviously concern," said LaBonty. 

Pfizer's enterprise-level security is a constant target for cyberattacks and cybercriminals. "We're not immune at Pfizer," he said. "One of our [main chief medical officers] just at the end of last December, early January, was impacted by ransomware." The attack "took out" their production environment, because they lacked segmentation between IT and OT. 

"When the malware did come in through email, it went everywhere. It went to the office environment, but it also went to the factory floor," said LaBonty. 

Companies running OT know the risk of IT/OT connections, and have bolstered their OT infrastructures with supervisory controls and data acquisition systems (SCADA) for improved IT/OT convergence, according to Fortinet. 

Converging IT and OT security marks a cultural shift dependent on communication. Almost half of companies don't have a technical operations center (TOC) or a security operations center (SOC), according to the Fortinet survey. More than three-quarters of the companies with SOCs "do not have all OT activities centrally visible" to the SOC. 

Pfizer's SOC is in-house and fully integrated with IT and OT professionals. "A big part of the success of the Pfizer program is the collaboration, the willingness to work with each other. It's not always the same goals or mindsets," said LaBonty. 

Though the program was created in 2018, Pfizer's IT/OT security collaboration has made "huge, huge strides" in the last six months, said LaBonty. "It's a journey, it's not so very quick … it does take time. It does take cultural differences to be melded and blended together." 

But companies struggle with IT/OT convergence because some of the required skill sets require hands-on experience, said Cappi. Overcoming issues with segmentation or convergence "will only happen with combining resources." 

Though segmentation is an important defensive measure, convergence-related issues are more pressing in modern businesses. The user experience within OT  which includes industrial internet of things, data lakes, and Industry 4.0 ideals — is at stake with more air gapping. All components are "dependent on data moving from the manufacturing floor to the cloud," slowing the availability of real-time data, said Cappi. 

Recommended Reading

Filed Under: Strategy

Editors' picks

Company Announcements

View all | Post a press release
Excelsior Orthopaedics Data Breach Investigation
From Migliaccio and Rathod LLP
January 08, 2025
American Trust Retirement Data Breach Investigation
From Migliaccio and Rathod LLP
January 07, 2025
Medusind Data Breach Investigation
From Migliaccio and Rathod LLP
January 08, 2025
Editors' picks
Latest in Strategy
Industry Dive is an Informa TechTarget business.
© 2025 TechTarget, Inc. or its subsidiaries. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell
This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world's technology buyers and sellers. All copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.'s registered office is 275 Grove St. Newton, MA 02466.