Cyber security threats are everywhere. Threats posed by cyber-attacks are real. For most businesses, it is not a question of if you will be attacked, but when. Recent headlines have focused our attention on the need for greater due diligence to combat cyber threats. In validation circles, many validation engineers have failed to directly address cyber security threats with respect to validated systems. Many companies have an overall cybersecurity threat assessment, but don’t necessarily look at them when it comes to protecting validated systems. While protecting computer systems is the purview of all IT organizations regardless of size; understanding and managing the impact of cyber threats in a validated computing system environment is less known and less discussed.
Validated systems by their very nature are designed to manage and control highly regulated processes. Thus the information stored in validated computer systems is highly sensitive and must be protected throughout its lifecycle. If you look at the textbook definition of validation according to the FDA; Validation is confirmation by examination and provision of objective evidence that software specification conforms to user needs and intended uses, and that the particular requirements implemented through software can be consistently fulfilled. The IEEE 1012 Independent Verification and Validation Standard upon which the FDA validation guidance was based, states that the definition of validation is the process of providing objective evidence that the system, software, or hardware and its associated products conform to requirements (e.g., For correctness, completeness, consistency, and accuracy) for all lifecycle activities during each stage of the lifecycle process (acquisition, supply, development, operation, and maintenance): satisfy standards, practices, and conventions during the lifecycle processes; and successfully completes each lifecycle validation activity and satisfy all the criteria for initiating and succeeding lifecycle activities.
Cybersecurity is the process of applying security measures for confidentiality, integrity, and availability of assets. Unpacking these definitions reveals some very interesting points regarding the overall security of the system. First, the ability for system to consistently fulfill implementation objectives implies stability and security of the environment. Secondly, the randomness and rapid propagation of cyber attacks is driving the need for validation engineers to rethink current validation strategies and revise/adopt current validation processes to protect validated systems against cyber security threats and vulnerabilities.
As we review the types of validation testing that we know as IQ/IQ/PQ/UAT, we need a new strategy that focuses on our readiness to be able to protect against a cyber security threat. That type of assessment is called a CyQ.
When reviewing the type of testing conducted by most validation engineers, it is clear from the above analysis that more needs to be done to protect validated systems from the threat of cyber attacks. CyQ testing represents a new validation testing strategy designed to help identify, assess and evaluate on a continuous basis the risk, threats and vulnerabilities to validated systems environments. CyQ testing for validated systems environments begins with a comprehensive security risk assessment. This assessment provides documented evidence of cybersecurity risk, controls and mitigation strategies for validated systems environments.
So what should you do next?
You should first of all conduct an initial cybersecurity risk assessment. This will help you understand where you are today and where the gaps are in your current strategy.
You should embrace the CyQ as a part of your overall validation strategy going forward. Cybersecurity risks and attacks force us to change the way we look at validated computer systems. Even as we move into the era of software assurance, the goal of validation is still clear. Validation confirms that a system is suitable for production use. How can you confirm and assure that a system is suitable for production if it is vulnerable to cyber threats that you have not yet assessed?
You should also develop written standards and policies for cybersecurity qualification and develop a cyber security incident response plan. Finally, you should reeducate your validation team to understand the unique threats posed by cyber security events on validated computer systems. Your team may already be familiar with IQ, OQ, PQ, and UAT testing but they may not be familiar with cybersecurity testing and assessments. For all validated systems moving forward, the CyQ should be a critical part of the way we validate computer systems. What is your cybersecurity assessment score? Are your validated systems vulnerable?