What you’ll learn in this article:
- The importance of prioritizing OT cybersecurity in life sciences organizations to mitigate digital transformation risks and comply with evolving regulations
- The differences between IT and OT cybersecurity, and why traditional IT security measures may not adequately protect OT systems
The life sciences industry is known for delivering new technologies including often life-saving and life-changing pharmaceuticals, medical devices, biotechnologies and related innovations. Many life sciences companies are investing in significant digital transformation projects to help keep pace with new discoveries and innovations. While these projects aim to help reduce costs and improve operational efficiency, they can also potentially introduce cybersecurity risks through newly connected devices, systems and plants.
As the responsibility for securing operational technology (OT) systems at the plant level (for both physical and cyber risks) shifts away from engineering and operations to CIOs and CISOs, it’s important to help IT leaders understand how OT and IT cybersecurity differ. This includes demonstrating why securing OT systems should be a top priority and what a comprehensive OT cybersecurity program looks like.
OT Cybersecurity Must Be a Top Priority — Now
While life sciences companies have long prioritized protecting IT systems, many have fallen behind in applying the necessary protections to critical OT systems. With the evolution of — and dependence on — technology to drive business forward and the rising sophistication of threat actors specifically targeting OT systems, that lack of prioritization should be of immediate concern.
Operations represent the revenue-generating side of a manufacturing business, directly linked to getting products to market and to patients on time. That, combined with the lack of necessary protections, makes your OT systems potentially attractive targets for cybercriminals focused on disrupting production, inflicting physical damage and endangering public safety. In fact, according to a report by IBM and the Ponemon Institute, the average cost of a data breach has risen to a highest-ever figure of $4.88 million.1
As the threat landscape for OT systems expands, regulatory bodies around the world are introducing stricter compliance requirements for OT cybersecurity, including the continuing evolution of cyber regulations from the FDA and SEC in the United States and the European Union’s NIS2 and CRA directives that mandate specific controls and reporting requirements. It’s no longer optional for organizations to ignore this critical part of their business.
IT and OT Cybersecurity: Different Breeds of the Same Species
While the CEOs and board members of life sciences companies are often presented with metrics generated by IT security tools, these tools don’t truly measure OT security. This means leaders potentially have an inaccurate view and false sense of security about the effectiveness of cyber investments.
IT manages electronic data and communication systems within a company, and OT controls the physical processes and industrial equipment — like machines on a factory floor or access control systems — in real time through dedicated hardware and software. Both are critically important, but if your organization is using IT tools to monitor and defend against threats on the OT side, your business may be vulnerable. IT cybersecurity infrastructure often cannot adequately protect OT systems as they are not configured to detect and monitor OT assets that use proprietary protocols or lack the ability to apply security patches and antivirus updates.
Read More: What OT/IT Cybersecurity Means for Your Industrial Organization
Successful OT cyberattacks have the potential to adversely impact the physical world and threaten plant safety and product quality. The consequences can be devastating from completely shutting down operations to compromising the integrity of products like medical devices and life-saving medicines.
It’s Not If, It’s When
Did you know 80% of industrial plants have more servers and IT than an average bank, yet nearly one in five organizations have no OT cybersecurity awareness training to improve the security culture across the organization?2 The threat actors associated with the rising occurrence of OT cyberattacks are often the most sophisticated and organized. They know your business and your vulnerabilities. They also know you’re hesitant to pause production to upgrade critical protections because speed to market is everything.
The human stakes are highest in the life sciences industry, so you’re being watched and targeted. The mission of these cybercriminals is to inflict catastrophic damage — to your organization’s profits and global reputation, as well as the health and well-being of the people who depend on the products you manufacture.
Getting Started
OT cyberattacks will happen, so the number one objective of an OT cybersecurity program should be to build resilience. It’s important to think about the full journey — from identifying and predicting to analyzing, evaluating and addressing threats.
The SANS Institute formulated the Five Critical Controls for OT Cybersecurity3 to help organizations build an effective cybersecurity journey:
- Developing an ICS incident response plan in preparation for an attack
- Building a defensible architecture
- Gaining ICS network visibility and monitoring
- Using secure remote access
- Conducting risk-based vulnerability management that prioritizes and mitigates vulnerabilities appropriate for industrial, high-availability environments.
OT vulnerabilities have made life sciences companies prime targets for cybercrime. Do you know where your organization stands? A vulnerability assessment can be a productive (and enlightening) first step.
Connect with a Honeywell OT cybersecurity specialist today to schedule a vulnerability assessment or explore our OT network visibility and monitoring solution.
References
1 IBM and Ponemon Institute, “Cost of a Data Breach Report 2024,” July 2024. [Accessed May 23, 2025]
2 KPMG, “The (CS) 2AI-KPMG Control System Cybersecurity Annual Report,” 2024. [Accessed April 7, 2025]
3 SANS, “The Five ICS Cybersecurity Critical Controls,” Robert M. Lee and Tim Conway, November 7, 2022. [Accessed April 7, 2025]
