Difference between revisions of "Journal:Cyberbiosecurity for biopharmaceutical products"

From LIMSWiki
Jump to navigationJump to search
(Saving and adding more.)
(Saving and adding more.)
Line 32: Line 32:
Cyberbiosecurity is an emerging discipline encompassing vulnerabilities and corrective measures needed to address the unique risks existing at the intersection of cybertechnology and [[biotechnology]]. An early, inclusive definition of cyberbiosecurity is “understanding the vulnerabilities to unwanted surveillance, intrusions, and malicious and harmful activities which can occur within or at the interfaces of comingled life and medical sciences, cyber, cyber-physical, supply chain and infrastructure systems, and developing and instituting measures to prevent, protect against, mitigate, investigate, and attribute such threats as it pertains to security, competitiveness, and resilience.”<ref name="MurchCyber18">{{cite journal |title=Cyberbiosecurity: An Emerging New Discipline to Help Safeguard the Bioeconomy |journal=Frontiers in Bioengineering and Biotechnology |author=Murch, R.S.; So, W.K.; Buchholz, W.G. et al. |volume=6 |pages=39 |year=2018 |doi=10.3389/fbioe.2018.00039}}</ref>
Cyberbiosecurity is an emerging discipline encompassing vulnerabilities and corrective measures needed to address the unique risks existing at the intersection of cybertechnology and [[biotechnology]]. An early, inclusive definition of cyberbiosecurity is “understanding the vulnerabilities to unwanted surveillance, intrusions, and malicious and harmful activities which can occur within or at the interfaces of comingled life and medical sciences, cyber, cyber-physical, supply chain and infrastructure systems, and developing and instituting measures to prevent, protect against, mitigate, investigate, and attribute such threats as it pertains to security, competitiveness, and resilience.”<ref name="MurchCyber18">{{cite journal |title=Cyberbiosecurity: An Emerging New Discipline to Help Safeguard the Bioeconomy |journal=Frontiers in Bioengineering and Biotechnology |author=Murch, R.S.; So, W.K.; Buchholz, W.G. et al. |volume=6 |pages=39 |year=2018 |doi=10.3389/fbioe.2018.00039}}</ref>


To place context around the area of cyberbiosecurity, it is worth reviewing the established terms that contribute to this emerging discipline. Cybersecurity considers the security of digital [[information]] that is propagated and stored through networks of connected electronic devices.<ref name="LordWhat19">{{cite web |url=https://digitalguardian.com/blog/what-cyber-security |title=What is cyber security? Definition, best practices & more |author=Lord, N. |work=Digital Guardian |date=15 May 2019}}</ref> In general, biosecurity refers to the threat to living organisms and the environment due to exposures to biological agents, such as pathogens, whether occurring naturally or intentionally created.<ref name="IMNRCGlob06">{{cite book |url=https://www.nap.edu/catalog/11567/globalization-biosecurity-and-the-future-of-the-life-sciences |title=Globalization, Biosecurity, and the Future of the Life Sciences |author=Institute of Medicine and National Research Council of the National Academies |publisher=National Academies Press |year=2006 |isbn=0309654181}}</ref> A cyber-biological interface results when biological information is measured, monitored, or altered, and converted to digital information, or in the reverse, when digital information is used to manipulate a biological system. Similarly, a cyber-physical interface occurs when a physical mechanism is controlled or monitored by a digital means, such as the computer controlled mixing speed of a bioreactor. Importantly, cyber-physical interfaces may alter biological properties, blurring the lines of individualized definitions. Our intent in this publication is not to further refine the definition of cyberbiosecurity, as we believe that is best done through ongoing dialog within relevant stakeholder communities. Therefore, we rely on a working understanding of cyberbiosecurity as stated by Peccoud ''et al.''<ref name="PeccoudCyber18">{{cite journal |title=Cyberbiosecurity: From Naive Trust to Risk Awareness |journal=Trends in Biotechnology |author=Peccoud, J.; Gallegos, J.E.; Murch, R. et al. |volume=36 |issue=1 |pages=4–7 |year=2018 |doi=10.1016/j.tibtech.2017.10.012 |pmid=29224719}}</ref>, in referring to “the new risks emerging at the frontier between cyberspace and biology.” For the purposes of this paper, we focus on cyberbiosecurity for the manufacture of biopharmaceuticals, to raise awareness of the existing risks that will be compounded through innovation in both the emerging types of biologically-manufactured therapies and the increasingly automated processes used to develop and manufacture them.
To place context around the area of cyberbiosecurity, it is worth reviewing the established terms that contribute to this emerging discipline. [[Cybersecurity]] considers the security of digital [[information]] that is propagated and stored through networks of connected electronic devices.<ref name="LordWhat19">{{cite web |url=https://digitalguardian.com/blog/what-cyber-security |title=What is cyber security? Definition, best practices & more |author=Lord, N. |work=Digital Guardian |date=15 May 2019}}</ref> In general, biosecurity refers to the threat to living organisms and the environment due to exposures to biological agents, such as pathogens, whether occurring naturally or intentionally created.<ref name="IMNRCGlob06">{{cite book |url=https://www.nap.edu/catalog/11567/globalization-biosecurity-and-the-future-of-the-life-sciences |title=Globalization, Biosecurity, and the Future of the Life Sciences |author=Institute of Medicine and National Research Council of the National Academies |publisher=National Academies Press |year=2006 |isbn=0309654181}}</ref> A cyber-biological interface results when biological information is measured, monitored, or altered, and converted to digital information, or in the reverse, when digital information is used to manipulate a biological system. Similarly, a cyber-physical interface occurs when a physical mechanism is controlled or monitored by a digital means, such as the computer controlled mixing speed of a [[bioreactor]]. Importantly, cyber-physical interfaces may alter biological properties, blurring the lines of individualized definitions. Our intent in this publication is not to further refine the definition of cyberbiosecurity, as we believe that is best done through ongoing dialog within relevant stakeholder communities. Therefore, we rely on a working understanding of cyberbiosecurity as stated by Peccoud ''et al.''<ref name="PeccoudCyber18">{{cite journal |title=Cyberbiosecurity: From Naive Trust to Risk Awareness |journal=Trends in Biotechnology |author=Peccoud, J.; Gallegos, J.E.; Murch, R. et al. |volume=36 |issue=1 |pages=4–7 |year=2018 |doi=10.1016/j.tibtech.2017.10.012 |pmid=29224719}}</ref>, in referring to “the new risks emerging at the frontier between cyberspace and biology.” For the purposes of this paper, we focus on cyberbiosecurity for the manufacture of biopharmaceuticals, to raise awareness of the existing risks that will be compounded through innovation in both the emerging types of biologically-manufactured therapies and the increasingly automated processes used to develop and manufacture them.


The biopharmaceutical industry contributes nearly one trillion dollars to the U.S. economy, and has been highly successful in industrializing biotechnologies to produce biologic therapeutics.<ref name="PhRMATheEcon17">{{cite web |url=http://phrma-docs.phrma.org/files/dmfile/PhRMA_GoBoldly_Economic_Impact.pdf |format=PDF |title=The Economic Impact of the U.S. Biopharmaceutical Industry: 2015 National and State Estimates |author=TEConomy Partners |publisher=Pharmaceutical Research and Manufacturers of America |date=October 2017 |accessdate=14 March 2019}}</ref> Biopharmaceutical products, or biologics, use engineered biological systems as platforms to manufacture therapeutic products to prevent or treat a variety of health conditions, such as cancer, diabetes, autoimmune disorders, and microbial infections. These products include vaccines, traditional protein therapeutics such as monoclonal antibodies, as well as emerging biotechnologies such as cell and [[Genomics|gene therapies]].
The biopharmaceutical industry contributes nearly one trillion dollars to the U.S. economy, and has been highly successful in industrializing biotechnologies to produce biologic therapeutics.<ref name="PhRMATheEcon17">{{cite web |url=http://phrma-docs.phrma.org/files/dmfile/PhRMA_GoBoldly_Economic_Impact.pdf |format=PDF |title=The Economic Impact of the U.S. Biopharmaceutical Industry: 2015 National and State Estimates |author=TEConomy Partners |publisher=Pharmaceutical Research and Manufacturers of America |date=October 2017 |accessdate=14 March 2019}}</ref> Biopharmaceutical products, or biologics, use engineered biological systems as platforms to manufacture therapeutic products to prevent or treat a variety of health conditions, such as cancer, diabetes, autoimmune disorders, and microbial infections. These products include vaccines, traditional protein therapeutics such as monoclonal antibodies, as well as emerging biotechnologies such as cell and [[Genomics|gene therapies]].
Line 42: Line 42:
The second area of concern is the integrity of the data associated with the biopharmaceutical manufacturing process, including data related to supply chain and cyberphysical systems. Biopharmaceutical manufacturers are complex organizations that rely on technology as part of daily operations to tightly monitor and control biopharmaceutical production processes. The notion of a digital thread, which refers to data that follows a product and informs decisions throughout its life cycle, can be applied to the biopharmaceutical industry.<ref name="WangTheFut18">{{cite journal |title=The Future of Manufacturing: A New Perspective |journal=Engineering |author=Wang, B. |volume=4 |issue=5 |pages=722–28 |year=2018 |doi=10.1016/j.eng.2018.07.020}}</ref> The digital thread of the manufacturing of biopharmaceuticals includes data that support the development and scale up of the manufacturing process, clinical data, post-approval data, and the equipment used to manufacture the product. As the number of interconnected devices and systems that inform digital threads increases, cybersecurity vulnerability increases, because one vulnerable device can result in a threat that compromises a single point, or an entire process, system, or supply chain. Further, as a result of greater dependence on automation and decentralized manufacturing, the security of information transfer from site to site is critical to ensure the efficacy of the production process. While many cybersecurity concerns related to biopharmaceutical processes can be mitigated by existing best practices, standards, and regulations, the additional complexities at the cyber-biological interfaces during biopharmaceutical manufacturing processes, described below, warrant further examination.
The second area of concern is the integrity of the data associated with the biopharmaceutical manufacturing process, including data related to supply chain and cyberphysical systems. Biopharmaceutical manufacturers are complex organizations that rely on technology as part of daily operations to tightly monitor and control biopharmaceutical production processes. The notion of a digital thread, which refers to data that follows a product and informs decisions throughout its life cycle, can be applied to the biopharmaceutical industry.<ref name="WangTheFut18">{{cite journal |title=The Future of Manufacturing: A New Perspective |journal=Engineering |author=Wang, B. |volume=4 |issue=5 |pages=722–28 |year=2018 |doi=10.1016/j.eng.2018.07.020}}</ref> The digital thread of the manufacturing of biopharmaceuticals includes data that support the development and scale up of the manufacturing process, clinical data, post-approval data, and the equipment used to manufacture the product. As the number of interconnected devices and systems that inform digital threads increases, cybersecurity vulnerability increases, because one vulnerable device can result in a threat that compromises a single point, or an entire process, system, or supply chain. Further, as a result of greater dependence on automation and decentralized manufacturing, the security of information transfer from site to site is critical to ensure the efficacy of the production process. While many cybersecurity concerns related to biopharmaceutical processes can be mitigated by existing best practices, standards, and regulations, the additional complexities at the cyber-biological interfaces during biopharmaceutical manufacturing processes, described below, warrant further examination.


The relevant stakeholder communities should establish a means of identifying and assessing the potential new vulnerabilities and threats, toward the development of effective risk mitigation strategies. For example, the NIST ''Framework for Improving Critical Infrastructure Cybersecurity'' is a voluntary, standards-based approach for identifying and protecting assets and systems, and detecting, responding to, and recovering from cyber intrusions.<ref name="BarrettFrame18">{{cite web |url=https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11 |title=Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 |author=Barrett, M.P. |publisher=NIST |doi=10.6028/NIST.CSWP.04162018 |date=16 April 2018 |accessdate=14 March 2019}}</ref> While the framework was originally developed for critical infrastructure systems where it has been widely adopted since its introduction in 2014, its focus on business drivers for cybersecurity risk assessment and practices makes it broadly applicable to many industries.
To further encourage the community's consideration of cyberbiosecurity vulnerabilities and mitigations, we include insights into the development of current cybersecurity best practices and guidance for [[medical device]]s as a useful model for the path forward for a best-practices risk-mitigation framework for biopharmaceutical manufacturing's cyberbiosecurity. It is our hope that current biopharmaceutical industry practices can inform risk-mitigation for emerging classes of biotherapeutics and innovative production platforms for established classes of biotherapeutics. Current practices may also illuminate parallel considerations related to cyberbiosecurity in other biomanufacturing sectors and applications, such as synthetic biology approaches to the production of commodity chemicals and biofuels.
==Risks associated with the biological manufacturing platform in biopharmaceutical manufacturing workflows==
While best practices for cybersecurity apply to biopharmaceutical manufacturing, biological systems present unique vulnerabilities in production processes. Cyberbiosecurity vulnerabilities may be considered with regard both to using an engineered biological system as the manufacturing platform, as is the case for protein therapeutics, and for products that are themselves an engineered biological system, as for cellular therapies. The dynamic nature of genetic information that aids survival in natural environments poses challenges in engineering and manufacturing settings. For example, some change in the genetic information of a cell population is unavoidable during expansion and growth in a bioreactor, so biomanufacturing processes must contend with heterogeneous populations of cells that may yield a heterogeneous product, whether biomolecular or cellular. The ability of biological systems to alter the content and expression of their genetic information presents significant complexity for biopharmaceutical manufacturing unique to those posed by cybersystems that must be considered in strategies for cyberbiosecurity risk mitigation.
===Challenges of genetic information===
Two fundamental distinctions between digital and biological information are relevant in considering the cyber-biological interface during the end-to-end biopharmaceutical manufacturing process. First, genetic information evolves naturally when replicated. Mechanisms that drive natural changes in [[DNA sequencing|DNA sequence]] include mutation, recombination, horizontal gene transfer, and others. Second, the expression of this information can change depending on how an organism senses and responds to its environment. This dependence on context, which encompasses all aspects of the system in which the genetic information exists, cannot always be predicted. The same sequence of DNA may have dramatically different consequences for function depending on surrounding DNA sequences, intra- and inter-molecular interactions within the cell, and extracellular conditions. Thus, the impact of changes, whether due to natural “drift” or through malicious introduction, is difficult to predict, detect, and mitigate.
===Protein therapeutics===
State-of-the-art biomanufacturing of protein therapeutics uses engineered mammalian cells as the manufacturing platform. One notable example is Chinese hamster ovary (CHO) cells used as the host cell system.<ref name="JayapalRecomb07">{{cite journal |title=Recombinant protein therapeutics from CHO Cells - 20 years and counting |journal=Chemical Engineering Progress |author=Jayapal, K.P.; Wlashcin, K.F.; Hu, W.S.; et al. |volume=103 |issue=10 |pages=40–7 |year=2007 |url=https://experts.umn.edu/en/publications/recombinant-protein-therapeutics-from-cho-cells-20-years-and-coun}}</ref> To better assess potential vulnerabilities at the cyber-biological interface in this process, we consider the flow of genetic information in a typical biomanufacturing workflow.
The security of the genetic information at the cyber-biological interface is assured initially through the integrity of the [[Nucleaic acid methods|nucleic acid]] used to transfect a cell line. Programmable DNA synthesizers and sequencers specify and confirm the DNA sequence that is then stably transfected into host cells for cell line development. This process effectively transfers digital information into a “genetic thread” that parallels the digital thread of the manufacturing process. A selection of clonal cells with desired phenotypes for yield and stability are then passaged under defined conditions to produce master cell banks, which are passaged further to produce working and production cell banks. Throughout these workflows, consistent cell culture expansion protocols are used to achieve consistent context for the genetic information, with the intent of minimizing natural mutations. Contextual security of the genetic information during production is also maximized through well-defined process control strategies. This context includes bioreactor growth conditions, such as feeding strategy, dissolved oxygen concentration, gas flow, sparge rates, pH, and temperature. Cell populations that exhibit genetic instability during bioreactor growth are identified through deviations from established process parameters, so that processes can be aborted at early stages, and there is no risk to product quality. Genetic stability across the expanded cell populations is also monitored for transgene sequence and copy number, including the testing of post-production cell banks to ensure data across the full thread of genetic information. As the natural evolution of the cells during expansion cannot be reversed, the security of the master cell banks is critical to ensure the consistency of the product through its lifecycle, and redundancies are built into storage strategies to guard against any single failure mode.
At the state of the art, the industry is mitigating risks associated with the uncertainty in product safety profiles due to natural variation or contamination in the biological system, through extensive control and quality assurance strategies, following established best practices and rigorous regulatory guidance. Furthermore, as facility access is currently managed to ensure both protection of trade secrets and compliance with current U.S. [[Food and Drug Administration]] [[good manufacturing practice]] regulations, it is difficult to imagine scenarios where malicious or adventitious acts on bioprocess workflows would go undetected for established manufacturing facilities producing protein therapeutics through large batch processes. However, a malicious intrusion increases uncertainty at the cyber-biological interface and could trigger batch losses, with significant economic impacts for the industry and could potentially result in drug shortages.<ref name="NashOneYear18">{{cite web |url=https://www.wsj.com/articles/one-year-after-notpetya-companies-still-wrestle-with-financial-impacts-1530095906 |title=One Year After NotPetya Cyberattack, Firms Wrestle With Recovery Costs |author=Nash, K.S.; Castellanos, S.; Janofsky, A. |work=The Wall Street Journal |date=27 June 2018}}</ref>
During the production of protein therapeutics, cyberbiosecurity vulnerabilities exist at each point where genetic information is stored, expressed, replicated, or monitored through cyber or cyber-physical systems. A simple example is the storage of master cell banks in a freezer with networked alarm and [[Environmental monitoring|temperature monitoring systems]], where failure in the network can introduce uncertainty in the viability of the master cell bank. A more malicious variation of this simple scenario is a cyberintrusion that corrupts the digital record that documents the storage conditions for the master cell bank. In both cases, the uncertainty of the cells' viability presents a vulnerability, even if the actual impact on the stored cells was negligible.
A more complex example of a dynamic cyber-biological interface is a perfusion bioreactor. In this process, flow rates of media into the reactor and biomass removal out of the reactor are balanced to maintain a desired cell density within the bioreactor. The cell density is optimized for process yield, and growth rate is controlled through parameters such as nutrient limitation.
The cyberphysical components of the system control media and biomass flow rates, which in turn constrain cellular growth rate and product yield. Thus, the vulnerabilities associated with the cyberphysical control system propagate into vulnerabilities in the biological output of the process.<ref name="BielserPerfusion18">{{cite journal |title=Perfusion mammalian cell culture for recombinant protein manufacturing - A critical review |journal=Biotechnology Advances |author=Bielser, J.M., Wolf, M., Souquet, J. et al. |volume=36 |issue=4 |pages=1328–40 |year=2018 |doi=10.1016/j.biotechadv.2018.04.011 |pmid=29738813}}</ref>
As typical [[workflow]]s for the production of protein therapeutics are fully established and industrialized, many of the risks are mitigated by current manufacturing practices. However, this discussion is intended to prompt a systematic evaluation of vulnerabilities and threats at the cyber-biological interfaces for these processes, both to reduce remaining vulnerabilities to malicious acts, and to inform risk-mitigation strategies for less-industrialized manufacturing workflows.


==References==
==References==

Revision as of 20:21, 15 July 2019

Full article title Cyberbiosecurity for biopharmaceutical products
Journal Frontiers in Bioengineering and Biotechnology
Author(s) Mantle, Jennifer L.; Rammohan, Jayan; Romatseva, Eugenia F.; Welch, Joel T.; Kauffman, Leah R.;
McCarthy, Jim; Schiel, John; Baker, Jeffrey C.; Strychalski, Elizabeth A.; Rogers, Kelley C; Lee, Kelvin H.
Author affiliation(s) National Institute for Innovation in Manufacturing Biopharmaceuticals, National Institute of Standards and Technology,
U.S. Food and Drug Administration
Primary contact Email: KHL at udel dot edu
Editors Murch, Randall S.
Year published 2019
Volume and issue 7
Page(s) 116
DOI 10.3389/fbioe.2019.00116
ISSN 2296-4185
Distribution license Creative Commons Attribution 4.0 International
Website https://www.frontiersin.org/articles/10.3389/fbioe.2019.00116/full
Download https://www.frontiersin.org/articles/10.3389/fbioe.2019.00116/pdf (PDF)

Abstract

Cyberbiosecurity is an emerging discipline that addresses the unique vulnerabilities and threats that occur at the intersection of cyberspace and biotechnology. Advances in technology and manufacturing are increasing the relevance of cyberbiosecurity to the biopharmaceutical manufacturing community in the United States. Threats may be associated with the biopharmaceutical product itself or with the digital thread of manufacturing of biopharmaceuticals, including those that relate to supply chain and cyberphysical systems. Here, we offer an initial examination of these cyberbiosecurity threats as they stand today, as well as introductory steps toward paths for mitigation of cyberbiosecurity risk for a safer, more secure future.

Keywords: cyberbiosecurity, cybersecurity, biopharmaceutical manufacturing, engineering biology, cell therapy, gene therapy, supply chain

Introduction

Cyberbiosecurity is an emerging discipline encompassing vulnerabilities and corrective measures needed to address the unique risks existing at the intersection of cybertechnology and biotechnology. An early, inclusive definition of cyberbiosecurity is “understanding the vulnerabilities to unwanted surveillance, intrusions, and malicious and harmful activities which can occur within or at the interfaces of comingled life and medical sciences, cyber, cyber-physical, supply chain and infrastructure systems, and developing and instituting measures to prevent, protect against, mitigate, investigate, and attribute such threats as it pertains to security, competitiveness, and resilience.”[1]

To place context around the area of cyberbiosecurity, it is worth reviewing the established terms that contribute to this emerging discipline. Cybersecurity considers the security of digital information that is propagated and stored through networks of connected electronic devices.[2] In general, biosecurity refers to the threat to living organisms and the environment due to exposures to biological agents, such as pathogens, whether occurring naturally or intentionally created.[3] A cyber-biological interface results when biological information is measured, monitored, or altered, and converted to digital information, or in the reverse, when digital information is used to manipulate a biological system. Similarly, a cyber-physical interface occurs when a physical mechanism is controlled or monitored by a digital means, such as the computer controlled mixing speed of a bioreactor. Importantly, cyber-physical interfaces may alter biological properties, blurring the lines of individualized definitions. Our intent in this publication is not to further refine the definition of cyberbiosecurity, as we believe that is best done through ongoing dialog within relevant stakeholder communities. Therefore, we rely on a working understanding of cyberbiosecurity as stated by Peccoud et al.[4], in referring to “the new risks emerging at the frontier between cyberspace and biology.” For the purposes of this paper, we focus on cyberbiosecurity for the manufacture of biopharmaceuticals, to raise awareness of the existing risks that will be compounded through innovation in both the emerging types of biologically-manufactured therapies and the increasingly automated processes used to develop and manufacture them.

The biopharmaceutical industry contributes nearly one trillion dollars to the U.S. economy, and has been highly successful in industrializing biotechnologies to produce biologic therapeutics.[5] Biopharmaceutical products, or biologics, use engineered biological systems as platforms to manufacture therapeutic products to prevent or treat a variety of health conditions, such as cancer, diabetes, autoimmune disorders, and microbial infections. These products include vaccines, traditional protein therapeutics such as monoclonal antibodies, as well as emerging biotechnologies such as cell and gene therapies.

Although the processes differ in how various classes of therapeutics are manufactured, in each process, information flows repeatedly between biological information (i.e., genetic) and cyber (i.e., digital) information. Securing this information flow through thoughtful assessment of vulnerabilities and threats for biopharmaceutical manufacturing is critical for public health, economic security, and national security. The focus of this publication is to illuminate these vulnerabilities and threats to encourage the broad stakeholder community to work toward the development of appropriate risk mitigation strategies, both for the current state-of-the-art and for the emerging technologies that represent the future state of the industry. Novel threats to the security of biological and related information along interfaces relevant to human health and manufacturing processes will continue to emerge as innovation progresses.

The interface of biological and digital information in biomanufacturing creates two primary concerns in evaluating cyberbiosecurity vulnerabilities, that recur throughout multiple processes in the end-to-end workflow (see Figure 1 in Peccoud et al.[4]). The first concern is the nature of the biological manufacturing platform, as information contained in biological systems is subject to both evolution and context in ways that may not be well-understood or predictable. The variation that biological systems introduce in manufacturing presents risks for product consistency. The industry has developed extensive bioprocess control strategies and release testing to mitigate risks for established classes of biotherapeutics to ensure consistent product with minimal lot-to-lot variability. However, this biological variation presents challenges for innovating flexible scaling of existing large-batch processes. The issue of inherent biological variation is a critical challenge in the manufacture of emerging classes of gene and cellular therapies where typical small-batch manufacturing across a wider diversity of product types precludes the reliance on large historical data sets to allow identification of subtle process deviation. For these small-batch products, subtle genetic deviation during cellular expansion steps may be magnified in vivo due to differences between the host and the patient.

The second area of concern is the integrity of the data associated with the biopharmaceutical manufacturing process, including data related to supply chain and cyberphysical systems. Biopharmaceutical manufacturers are complex organizations that rely on technology as part of daily operations to tightly monitor and control biopharmaceutical production processes. The notion of a digital thread, which refers to data that follows a product and informs decisions throughout its life cycle, can be applied to the biopharmaceutical industry.[6] The digital thread of the manufacturing of biopharmaceuticals includes data that support the development and scale up of the manufacturing process, clinical data, post-approval data, and the equipment used to manufacture the product. As the number of interconnected devices and systems that inform digital threads increases, cybersecurity vulnerability increases, because one vulnerable device can result in a threat that compromises a single point, or an entire process, system, or supply chain. Further, as a result of greater dependence on automation and decentralized manufacturing, the security of information transfer from site to site is critical to ensure the efficacy of the production process. While many cybersecurity concerns related to biopharmaceutical processes can be mitigated by existing best practices, standards, and regulations, the additional complexities at the cyber-biological interfaces during biopharmaceutical manufacturing processes, described below, warrant further examination.

The relevant stakeholder communities should establish a means of identifying and assessing the potential new vulnerabilities and threats, toward the development of effective risk mitigation strategies. For example, the NIST Framework for Improving Critical Infrastructure Cybersecurity is a voluntary, standards-based approach for identifying and protecting assets and systems, and detecting, responding to, and recovering from cyber intrusions.[7] While the framework was originally developed for critical infrastructure systems where it has been widely adopted since its introduction in 2014, its focus on business drivers for cybersecurity risk assessment and practices makes it broadly applicable to many industries.

To further encourage the community's consideration of cyberbiosecurity vulnerabilities and mitigations, we include insights into the development of current cybersecurity best practices and guidance for medical devices as a useful model for the path forward for a best-practices risk-mitigation framework for biopharmaceutical manufacturing's cyberbiosecurity. It is our hope that current biopharmaceutical industry practices can inform risk-mitigation for emerging classes of biotherapeutics and innovative production platforms for established classes of biotherapeutics. Current practices may also illuminate parallel considerations related to cyberbiosecurity in other biomanufacturing sectors and applications, such as synthetic biology approaches to the production of commodity chemicals and biofuels.

Risks associated with the biological manufacturing platform in biopharmaceutical manufacturing workflows

While best practices for cybersecurity apply to biopharmaceutical manufacturing, biological systems present unique vulnerabilities in production processes. Cyberbiosecurity vulnerabilities may be considered with regard both to using an engineered biological system as the manufacturing platform, as is the case for protein therapeutics, and for products that are themselves an engineered biological system, as for cellular therapies. The dynamic nature of genetic information that aids survival in natural environments poses challenges in engineering and manufacturing settings. For example, some change in the genetic information of a cell population is unavoidable during expansion and growth in a bioreactor, so biomanufacturing processes must contend with heterogeneous populations of cells that may yield a heterogeneous product, whether biomolecular or cellular. The ability of biological systems to alter the content and expression of their genetic information presents significant complexity for biopharmaceutical manufacturing unique to those posed by cybersystems that must be considered in strategies for cyberbiosecurity risk mitigation.

Challenges of genetic information

Two fundamental distinctions between digital and biological information are relevant in considering the cyber-biological interface during the end-to-end biopharmaceutical manufacturing process. First, genetic information evolves naturally when replicated. Mechanisms that drive natural changes in DNA sequence include mutation, recombination, horizontal gene transfer, and others. Second, the expression of this information can change depending on how an organism senses and responds to its environment. This dependence on context, which encompasses all aspects of the system in which the genetic information exists, cannot always be predicted. The same sequence of DNA may have dramatically different consequences for function depending on surrounding DNA sequences, intra- and inter-molecular interactions within the cell, and extracellular conditions. Thus, the impact of changes, whether due to natural “drift” or through malicious introduction, is difficult to predict, detect, and mitigate.

Protein therapeutics

State-of-the-art biomanufacturing of protein therapeutics uses engineered mammalian cells as the manufacturing platform. One notable example is Chinese hamster ovary (CHO) cells used as the host cell system.[8] To better assess potential vulnerabilities at the cyber-biological interface in this process, we consider the flow of genetic information in a typical biomanufacturing workflow.

The security of the genetic information at the cyber-biological interface is assured initially through the integrity of the nucleic acid used to transfect a cell line. Programmable DNA synthesizers and sequencers specify and confirm the DNA sequence that is then stably transfected into host cells for cell line development. This process effectively transfers digital information into a “genetic thread” that parallels the digital thread of the manufacturing process. A selection of clonal cells with desired phenotypes for yield and stability are then passaged under defined conditions to produce master cell banks, which are passaged further to produce working and production cell banks. Throughout these workflows, consistent cell culture expansion protocols are used to achieve consistent context for the genetic information, with the intent of minimizing natural mutations. Contextual security of the genetic information during production is also maximized through well-defined process control strategies. This context includes bioreactor growth conditions, such as feeding strategy, dissolved oxygen concentration, gas flow, sparge rates, pH, and temperature. Cell populations that exhibit genetic instability during bioreactor growth are identified through deviations from established process parameters, so that processes can be aborted at early stages, and there is no risk to product quality. Genetic stability across the expanded cell populations is also monitored for transgene sequence and copy number, including the testing of post-production cell banks to ensure data across the full thread of genetic information. As the natural evolution of the cells during expansion cannot be reversed, the security of the master cell banks is critical to ensure the consistency of the product through its lifecycle, and redundancies are built into storage strategies to guard against any single failure mode.

At the state of the art, the industry is mitigating risks associated with the uncertainty in product safety profiles due to natural variation or contamination in the biological system, through extensive control and quality assurance strategies, following established best practices and rigorous regulatory guidance. Furthermore, as facility access is currently managed to ensure both protection of trade secrets and compliance with current U.S. Food and Drug Administration good manufacturing practice regulations, it is difficult to imagine scenarios where malicious or adventitious acts on bioprocess workflows would go undetected for established manufacturing facilities producing protein therapeutics through large batch processes. However, a malicious intrusion increases uncertainty at the cyber-biological interface and could trigger batch losses, with significant economic impacts for the industry and could potentially result in drug shortages.[9]

During the production of protein therapeutics, cyberbiosecurity vulnerabilities exist at each point where genetic information is stored, expressed, replicated, or monitored through cyber or cyber-physical systems. A simple example is the storage of master cell banks in a freezer with networked alarm and temperature monitoring systems, where failure in the network can introduce uncertainty in the viability of the master cell bank. A more malicious variation of this simple scenario is a cyberintrusion that corrupts the digital record that documents the storage conditions for the master cell bank. In both cases, the uncertainty of the cells' viability presents a vulnerability, even if the actual impact on the stored cells was negligible.

A more complex example of a dynamic cyber-biological interface is a perfusion bioreactor. In this process, flow rates of media into the reactor and biomass removal out of the reactor are balanced to maintain a desired cell density within the bioreactor. The cell density is optimized for process yield, and growth rate is controlled through parameters such as nutrient limitation.

The cyberphysical components of the system control media and biomass flow rates, which in turn constrain cellular growth rate and product yield. Thus, the vulnerabilities associated with the cyberphysical control system propagate into vulnerabilities in the biological output of the process.[10]

As typical workflows for the production of protein therapeutics are fully established and industrialized, many of the risks are mitigated by current manufacturing practices. However, this discussion is intended to prompt a systematic evaluation of vulnerabilities and threats at the cyber-biological interfaces for these processes, both to reduce remaining vulnerabilities to malicious acts, and to inform risk-mitigation strategies for less-industrialized manufacturing workflows.

References

  1. Murch, R.S.; So, W.K.; Buchholz, W.G. et al. (2018). "Cyberbiosecurity: An Emerging New Discipline to Help Safeguard the Bioeconomy". Frontiers in Bioengineering and Biotechnology 6: 39. doi:10.3389/fbioe.2018.00039. 
  2. Lord, N. (15 May 2019). "What is cyber security? Definition, best practices & more". Digital Guardian. https://digitalguardian.com/blog/what-cyber-security. 
  3. Institute of Medicine and National Research Council of the National Academies (2006). Globalization, Biosecurity, and the Future of the Life Sciences. National Academies Press. ISBN 0309654181. https://www.nap.edu/catalog/11567/globalization-biosecurity-and-the-future-of-the-life-sciences. 
  4. 4.0 4.1 Peccoud, J.; Gallegos, J.E.; Murch, R. et al. (2018). "Cyberbiosecurity: From Naive Trust to Risk Awareness". Trends in Biotechnology 36 (1): 4–7. doi:10.1016/j.tibtech.2017.10.012. PMID 29224719. 
  5. TEConomy Partners (October 2017). "The Economic Impact of the U.S. Biopharmaceutical Industry: 2015 National and State Estimates" (PDF). Pharmaceutical Research and Manufacturers of America. http://phrma-docs.phrma.org/files/dmfile/PhRMA_GoBoldly_Economic_Impact.pdf. Retrieved 14 March 2019. 
  6. Wang, B. (2018). "The Future of Manufacturing: A New Perspective". Engineering 4 (5): 722–28. doi:10.1016/j.eng.2018.07.020. 
  7. Barrett, M.P. (16 April 2018). "Framework for Improving Critical Infrastructure Cybersecurity Version 1.1". NIST. doi:10.6028/NIST.CSWP.04162018. https://www.nist.gov/publications/framework-improving-critical-infrastructure-cybersecurity-version-11. Retrieved 14 March 2019. 
  8. Jayapal, K.P.; Wlashcin, K.F.; Hu, W.S.; et al. (2007). "Recombinant protein therapeutics from CHO Cells - 20 years and counting". Chemical Engineering Progress 103 (10): 40–7. https://experts.umn.edu/en/publications/recombinant-protein-therapeutics-from-cho-cells-20-years-and-coun. 
  9. Nash, K.S.; Castellanos, S.; Janofsky, A. (27 June 2018). "One Year After NotPetya Cyberattack, Firms Wrestle With Recovery Costs". The Wall Street Journal. https://www.wsj.com/articles/one-year-after-notpetya-companies-still-wrestle-with-financial-impacts-1530095906. 
  10. Bielser, J.M., Wolf, M., Souquet, J. et al. (2018). "Perfusion mammalian cell culture for recombinant protein manufacturing - A critical review". Biotechnology Advances 36 (4): 1328–40. doi:10.1016/j.biotechadv.2018.04.011. PMID 29738813. 

Notes

This presentation is faithful to the original, with only a few minor changes to presentation, grammar, and punctuation. In some cases important information was missing from the references, and that information was added. The original article listed references alphabetically; this version, by design, lists them in order of appearance.