FDA's New OT Cybersecurity Guidance: A Critical Roadmap for Pharmaceutical and Biotech Manufacturing Security
by William Toll on Jul 17, 2025 12:05:56 PM
The landscape of pharmaceutical cybersecurity and biotech cybersecurity fundamentally shifted in June 2025 when the FDA issued its groundbreaking white paper, "Securing Technology and Equipment (Operational Technology) Used for Medical Product Manufacturing." This comprehensive guidance represents the agency's most definitive stance yet on protecting the increasingly connected manufacturing environments that produce life-saving medications and medical devices.
For cybersecurity leaders at large pharmaceutical and biotechnology companies, this guidance isn't merely advisory—it's a roadmap that will shape FDA cybersecurity compliance requirements for years to come. As ransomware attacks against operational technology surge 46 percent and threat actors increasingly target medical manufacturing infrastructure, the FDA's emphasis on securing connected production systems has never been more critical.
The Regulatory Imperative: Why the FDA Acted Now
The FDA's decision to publish comprehensive operational technology security guidance stems from an alarming convergence of factors threatening medical product supply chains. Recent cyberattacks have demonstrated the devastating potential of compromised manufacturing systems, with incidents like the NotPetya attack causing $10 billion in global damages and specifically impacting pharmaceutical giant Merck & Co.
The regulatory landscape has evolved rapidly beyond traditional FDA medical device security to encompass the entire manufacturing ecosystem. The agency's white paper acknowledges that "manufacturing infrastructure can be particularly vulnerable with connected devices, Industrial Internet of Things (IIoT), and smart technologies becoming more ubiquitous." These connected technologies, collectively known as operational technology, "have historically been designed to prioritize consistent functionality over cybersecurity."
Michael Elmore, Chief Information Security Officer at GSK, articulates the urgency facing pharmaceutical leaders: "Coming to Pharma and recognizing that we're putting things in people's bodies scared me straight as a CISO. Whether that's vaccine, HIV medication, the safety impacts that come with not getting this right viscerally keeps me up at night."
The stakes extend far beyond individual companies. As the FDA notes, if cybersecurity of manufacturers or supply chain participants is compromised, "it could drastically affect the health of thousands or millions of patients and consumers." This patient-safety imperative drives the agency's comprehensive approach to securing medical manufacturing infrastructure.
Breaking Down the FDA's Technical Framework
The FDA's guidance establishes three critical focus areas that form the foundation of compliant operational technology security: Technical Information Exchange, Security Standards and Compliance, and Security by Design. Each area addresses specific vulnerabilities that have emerged as pharmaceutical and biotech companies integrate sophisticated automation, robotics, and serialization technologies into their production environments.
Technical Information Exchange requirements recognize that modern manufacturing systems involve complex ecosystems of interconnected devices from multiple vendors. The guidance emphasizes the critical importance of comprehensive device visibility, noting that "some connected hardware modules are embedded within other equipment and may be hidden from the end user." Organizations must develop complete inventories of all connected systems, including software bills of materials (SBOMs) that detail every component's security profile.
The Security Standards and Compliance framework mandates alignment with established cybersecurity standards, particularly NIST guidelines, FIPS 140-2/3 encryption standards, and CISA best practices. The FDA explicitly states that "many Commercial Off-the-Shelf (COTS) products may not natively comply with these security requirements and may need reconfiguration." This requirement places significant implementation burden on manufacturers who must ensure every system component meets federal security standards.
Most significantly, the Security by Design principle demands that cybersecurity considerations be integrated from the earliest phases of system design and procurement. The guidance warns that organizations cannot rely on retrofitting security into existing systems, stating that "until these guidelines are industry standard practice, considerable vulnerabilities may be inherent in many OT configurations."
The Zone and Conduit Architecture: A New Security Paradigm
Central to the FDA's technical recommendations is the implementation of zone and conduit architecture, aligned with ISA-99 / IEC 62443 standards. This approach represents a fundamental departure from traditional flat network designs that have dominated pharmaceutical manufacturing for decades.
The FDA's guidance explains that "implementing zone and conduit architecture with three tiers (presentation, application, and data) greatly improves network security and overall network performance compared to a flat network where all devices share the same bandwidth." This architecture creates logical security boundaries that can contain potential breaches and prevent lateral movement of threats across manufacturing systems.
A zone represents "a collection of assets that have common security requirements," while conduits provide "controlled communication between zones." This design philosophy ensures that critical production systems remain isolated from potential attack vectors while maintaining necessary operational connectivity. The FDA emphasizes that under the least privilege principle, "OT assets can communicate only with assets in their zone," with any cross-zone communication requiring specific security policies and controlled conduits.
For pharmaceutical manufacturers, this architecture proves particularly valuable because it allows segmentation of different production lines, quality control systems, and regulatory compliance functions without disrupting operational workflows. Companies can isolate biologics manufacturing from small molecule production, or separate clinical trial material production from commercial manufacturing, while maintaining integrated oversight and control.
Implementing IEC 62443 Compliance with Identity-Based Microsegmentation
The FDA's endorsement of IEC 62443 standards creates both an opportunity and a challenge for pharmaceutical manufacturers. While the standards provide clear technical requirements for securing industrial control systems, implementing these requirements in complex, interconnected manufacturing environments requires sophisticated tools and methodologies that go beyond traditional network security approaches.
IEC 62443's core principle of zones and conduits aligns perfectly with modern identity-based microsegmentation architectures that are transforming how pharmaceutical companies approach operational technology security. Rather than relying on static network configurations and IP-based rules, identity-based approaches create dynamic security policies that follow devices and users regardless of their network location.
Elisity's IdentityGraph™ technology addresses one of the most challenging aspects of IEC 62443 implementation: comprehensive asset discovery and classification. The standard requires organizations to maintain detailed inventories of all industrial control system components, including their security requirements and communication patterns. Traditional discovery methods often miss embedded devices or fail to provide the contextual information necessary for effective policy creation.
The Elisity IdentityGraph™ continuously discovers and classifies assets within pharmaceutical manufacturing environments, automatically correlating metadata from multiple sources to build comprehensive device profiles. This capability proves essential for meeting IEC 62443 requirements for device identification and authentication (CR 1.2), as the system can accurately identify and authenticate all software processes and devices before granting network access.
For pharmaceutical manufacturers implementing zone-based architectures, Elisity's dynamic policy engine enables granular control over communication between different production areas. The system can enforce least privilege access principles (CR 7.7) by ensuring that devices and users operate with only the minimum necessary permissions. Production line PLCs, for example, can be restricted to communicate only with authorized human-machine interfaces and quality control systems, preventing unauthorized lateral movement between different manufacturing zones.
The platform's ability to implement zone boundary protection (CR 5.2) proves particularly valuable in pharmaceutical environments where different production lines may handle different products or operate under different regulatory requirements. Biologics manufacturing zones can be completely isolated from small molecule production areas, while still maintaining necessary connections to shared quality control and regulatory compliance systems.
Elisity's approach to IEC 62443 compliance extends beyond technical controls to include comprehensive audit capabilities that pharmaceutical companies need for regulatory reporting. The system maintains detailed logs of all network activities (CR 2.8), enabling thorough analysis and compliance with both FDA requirements and broader regulatory frameworks. This capability becomes essential when demonstrating compliance to auditors or responding to regulatory inquiries about cybersecurity practices.
Real-World Implementation: Lessons from Industry Leaders
The practical application of FDA guidance becomes evident through the experiences of forward-thinking pharmaceutical and biotech companies that have proactively implemented advanced cybersecurity architectures. These real-world deployments provide valuable insights into both the challenges and benefits of comprehensive operational technology security.
Bryan Holmes, VP of Information Technology at Andelyn Biosciences, describes the journey of building FDA-compliant security into a state-of-the-art gene therapy manufacturing facility: "As we were building out and designing our facilities, state-of-the-art facilities, we needed state-of-the-art systems. And likewise, we needed state-of-the-art security in order to manage our environment and get the visibility into it."
Video: Microsegmentation Case Study with Bryan Holmes, VP of Information Technology, Andelyn Biosciences
Andelyn's experience illustrates the complexity of securing modern pharmaceutical manufacturing. The company needed to protect sophisticated manufacturing equipment for gene therapy treatments for rare and ultra-rare diseases, where production batches can take "upwards of four or five, six weeks to produce and longer to then be released into either clinical trials or commercial side." A cybersecurity incident affecting these systems would have direct patient impact, making robust security not just a compliance requirement but a patient safety imperative.
The implementation challenge proved significant enough that Andelyn initially pursued traditional network access control solutions but found them inadequate for the complex, interconnected nature of modern manufacturing systems. Holmes explains the critical lesson learned: "The simplicity of policy creation, simulation, deployment is something that how do you understand the impact of something you're doing to the network to ensure that your user experience isn't impacted."
Scaling Security Across Global Manufacturing Operations
The challenges multiply exponentially when implementing FDA-aligned cybersecurity across global pharmaceutical operations. GSK's experience implementing microsegmentation across 275 global sites demonstrates both the scale of the challenge and the transformative potential of modern security architectures.
Video: Michael Elmore, CISO, GSK - Case Study
Mike Elmore at GSK explains the magnitude of the challenge: "When I joined GSK we had $200 million US lined up to go and do segmentation across 75 sites. This required a whole team to be deployed to a site, manually identify what an IT and an OT asset is in that traditional way. It took us nearly 6 months to a year to go from discovery to fully optimized and fully segmented. You times that by 75 sites, the time to value and the time to secure becomes elongated."
The traditional approach would have required massive investment in both technology and human resources, with deployment timelines that could stretch into decades. More critically, the manual nature of traditional segmentation approaches created opportunities for errors and gaps that sophisticated threat actors could exploit.
GSK's solution involved implementing identity-based microsegmentation that could automatically discover and classify devices across IT, IoT, and OT environments. This approach enabled the company to "cut microsegmentation implementation for each site from one year for a single location to one week for three to four locations per week," while reducing total project investment from $200 million to $50 million—a 75% cost reduction.
The Critical Role of Identity-Based Security
The FDA's emphasis on comprehensive asset visibility and control aligns perfectly with emerging identity-based security architectures that are transforming how pharmaceutical companies approach network security. Rather than relying on network location or IP addresses to determine access rights, identity-based approaches focus on what a device is, who's using it, and what it needs to do.
This paradigm shift proves particularly valuable in pharmaceutical manufacturing environments where devices frequently move between production areas, quality control laboratories, and maintenance facilities. Traditional network-based security models struggle with this mobility, often requiring complex reconfigurations when equipment is relocated or repurposed.
Identity-based microsegmentation addresses this challenge by attaching security policies directly to device identities rather than network locations. When a critical piece of manufacturing equipment moves from one production line to another, its security policies move with it automatically, ensuring consistent protection without manual intervention from IT teams.
The approach also enables more granular control over device communications. Rather than broadly allowing all traffic within a production zone, identity-based policies can specify exactly which systems each device can communicate with and for what purposes. This level of granularity proves essential for meeting FDA requirements while maintaining operational flexibility.
Advanced Threat Protection in Manufacturing Environments
The sophisticated nature of modern pharmaceutical manufacturing creates unique security challenges that traditional cybersecurity approaches struggle to address. Production systems often run specialized protocols and software that conventional security tools don't recognize, creating blind spots that threat actors can exploit.
Recent research demonstrates the scale of this challenge. The 2025 Honeywell Cyber Threat Report revealed that ransomware attacks jumped 46 percent in the first quarter of 2025, with operational technology systems representing prime targets. Of the 55 cybersecurity incidents companies disclosed through SEC Form 8-K in 2024, more than half involved direct attacks on OT systems.
These attacks often leverage lateral movement techniques to maximize their impact once they gain initial access to manufacturing networks. The LYNX ransomware attack on Malaysian pharmaceutical manufacturer Xepa-Soul Pattinson in February 2025 exemplifies this threat vector. Attackers gained initial access through phishing emails, then used SMB file-sharing protocols to spread throughout segmented networks, ultimately exfiltrating 500 GB of sensitive data and encrypting critical servers.
Identity-based microsegmentation provides multiple layers of protection against these advanced threats. By requiring continuous authentication and authorization for all device communications, the approach makes it significantly more difficult for attackers to move laterally through manufacturing networks even if they compromise individual systems.
Compliance Automation and Audit Readiness
The FDA's guidance introduces substantial documentation and audit requirements that create ongoing operational challenges for pharmaceutical manufacturers. Organizations must demonstrate continuous compliance with security standards while maintaining detailed records of all security decisions and policy changes.
Traditional approaches to compliance documentation often involve manual processes that are both time-intensive and error-prone. Security teams must manually correlate information from multiple systems to provide auditors with comprehensive views of their security posture, a process that can take weeks to complete and often reveals gaps in coverage or documentation.
Modern identity-based security platforms address these challenges through comprehensive automation and built-in audit capabilities. These systems maintain detailed logs of all device communications, policy decisions, and security events, providing auditors with real-time visibility into security posture and compliance status.
The automation extends to policy creation and management. Rather than requiring security teams to manually configure firewall rules and access controls for each device, modern platforms can automatically generate and enforce policies based on device identities and compliance requirements. This approach not only reduces the operational burden on security teams but also ensures more consistent policy enforcement across global manufacturing operations.
The Business Case: ROI and Risk Mitigation
While the FDA's guidance establishes clear compliance requirements, the business case for comprehensive operational technology security extends far beyond regulatory obligations. The financial impact of cybersecurity incidents in pharmaceutical manufacturing can prove devastating, with production disruptions potentially costing millions of dollars in lost revenue and delayed patient treatments.
IBM's 2024 Cost of a Data Breach Report shows pharmaceutical companies face average breach costs of $4.88 million, with the potential for significantly higher costs when attacks affect production systems. For companies producing critical medications or conducting clinical trials, the impact extends beyond immediate financial losses to include delayed drug approvals, compromised research data, and potential patient safety risks.
The ROI calculations for modern security implementations often prove compelling. GSK's experience demonstrates total cost of ownership reductions of 75% compared to traditional segmentation approaches, while achieving significantly faster deployment timelines and more comprehensive coverage. Similar implementations at other pharmaceutical companies have shown 33% reductions in OT device onboarding costs and 75% reductions in firewall management overhead.
These operational efficiencies become even more valuable when considered alongside risk mitigation benefits. Companies implementing comprehensive microsegmentation report significant reductions in cyber insurance premiums, with some organizations achieving 20% or more reductions in annual premiums. The combination of reduced operational costs and lower insurance expenses often justifies security investments based purely on financial returns, independent of compliance requirements.
Implementation Roadmap: A Phased Approach
Successfully implementing FDA-aligned cybersecurity requires a structured, phased approach that balances security improvements with operational continuity. Pharmaceutical manufacturers cannot afford disruptions to critical production systems, making careful planning and testing essential for successful deployments.
Phase 1: Assessment and Baseline Establishment begins with comprehensive discovery of all connected devices and systems across manufacturing environments. This phase involves deploying discovery tools that can identify both managed and unmanaged devices, including embedded systems within manufacturing equipment that may not be immediately visible. Organizations must also conduct gap analyses comparing current security postures against FDA requirements and industry standards.
Phase 2: Architecture Design and Pilot Implementation focuses on developing zone and conduit architectures that align with FDA guidance while meeting operational requirements. This phase typically involves selecting representative production areas for pilot implementations, allowing security teams to test policies and procedures before broader deployment. Pilot implementations also provide opportunities to train staff and refine operational procedures.
Phase 3: Production Deployment and Policy Enforcement involves the systematic rollout of security policies and controls across all manufacturing environments. This phase requires careful coordination with production teams to ensure minimal disruption to manufacturing operations. Organizations typically implement policies in monitor-only mode initially, allowing security teams to verify proper operation before enabling enforcement.
Phase 4: Continuous Monitoring and Optimization establishes ongoing processes for maintaining security posture and adapting to evolving threats. This phase includes regular policy reviews, threat hunting activities, and continuous improvement of security controls based on operational feedback and emerging threat intelligence.
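The zone and conduit model described earlier, the identity-based least-privilege rules within a zone, and the monitor-only rollout of Phase 3 can be expressed as one small policy evaluator. The code below is an added illustration written for this article, not Elisity's product, FDA tooling or any IEC 62443 reference implementation; every asset name, zone, conduit and flow record in it is constructed.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Asset:
    name: str
    role: str  # what the device is: "plc", "hmi", "historian", "workstation"
    zone: str  # zone membership follows the identity, not the IP address

@dataclass(frozen=True)
class Conduit:  # an explicitly permitted cross-zone flow between two roles
    src_zone: str
    src_role: str
    dst_zone: str
    dst_role: str
    protocols: FrozenSet[str]

@dataclass
class Policy:
    conduits: List[Conduit]
    # Per-zone least-privilege table: (src_role, dst_role) -> allowed protocols.
    # A zone absent from the table keeps the baseline "any asset may talk to any
    # asset in the same zone"; a listed zone allows only the pairs given.
    intra_zone: Dict[str, Dict[Tuple[str, str], FrozenSet[str]]] = field(default_factory=dict)
    mode: str = "monitor"  # "monitor" only flags violations; "enforce" blocks them

    def _permitted(self, src: Asset, dst: Asset, proto: str) -> bool:
        if src.zone == dst.zone:
            table = self.intra_zone.get(src.zone)
            if table is None:
                return True
            return proto in table.get((src.role, dst.role), frozenset())
        # Cross-zone traffic passes only through a conduit matching zones, roles and protocol.
        return any(c.src_zone == src.zone and c.dst_zone == dst.zone
                   and c.src_role == src.role and c.dst_role == dst.role
                   and proto in c.protocols for c in self.conduits)

    def decide(self, src: Optional[Asset], dst: Optional[Asset], proto: str) -> str:
        if src is None or dst is None:  # no identity in the inventory: no access in either mode
            return "deny"
        if self._permitted(src, dst, proto):
            return "allow"
        return "alert" if self.mode == "monitor" else "deny"

def evaluate_flows(policy: Policy, inventory: Dict[str, Asset], flows):
    """flows are (src_name, dst_name, protocol); returns (src, dst, protocol, verdict)."""
    return [(s, d, p, policy.decide(inventory.get(s), inventory.get(d), p)) for s, d, p in flows]

# Constructed inventory: two production zones, a shared data zone and corporate IT.
INVENTORY = {a.name: a for a in [
    Asset("plc-bio-01", "plc", "biologics_line1"),
    Asset("hmi-bio-01", "hmi", "biologics_line1"),
    Asset("plc-sm-01", "plc", "smallmol_line1"),
    Asset("hist-01", "historian", "shared_data"),
    Asset("eng-ws-07", "workstation", "corporate_it"),
]}

POLICY = Policy(
    conduits=[Conduit("biologics_line1", "plc", "shared_data", "historian", frozenset({"opcua"})),
              Conduit("smallmol_line1", "plc", "shared_data", "historian", frozenset({"opcua"}))],
    # Inside the biologics zone a PLC may talk only to its HMI, and only over Modbus.
    intra_zone={"biologics_line1": {("hmi", "plc"): frozenset({"modbus"}),
                                    ("plc", "hmi"): frozenset({"modbus"})}},
)

# Constructed flow records, as an asset-discovery tool might report them.
FLOWS = [
    ("hmi-bio-01", "plc-bio-01", "modbus"),  # in-zone, allowed by the role table
    ("hmi-bio-01", "plc-bio-01", "ssh"),     # in-zone, but not a permitted role/protocol pair
    ("plc-bio-01", "hist-01", "opcua"),      # cross-zone through a defined conduit
    ("plc-bio-01", "plc-sm-01", "modbus"),   # biologics to small molecule: no conduit
    ("eng-ws-07", "plc-bio-01", "smb"),      # corporate IT reaching into OT: no conduit
    ("unknown-99", "plc-bio-01", "modbus"),  # endpoint with no identity
]

def run(mode: str = "monitor"):
    """Evaluate the constructed flows in monitor mode (default) or enforce mode."""
    return evaluate_flows(replace(POLICY, mode=mode), INVENTORY, FLOWS)
```

Running `run()` first in monitor mode surfaces the three violating flows as alerts without blocking anything, which is the Phase 3 verification step; `run("enforce")` turns the same decisions into denies once the policy has been validated against live traffic.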
Future-Proofing Pharmaceutical Cybersecurity
The FDA's guidance represents just the beginning of an evolving regulatory landscape that will increasingly emphasize cybersecurity in medical product manufacturing. Organizations that implement comprehensive security architectures now will be better positioned to adapt to future requirements and emerging threats.
The convergence of artificial intelligence, edge computing, and advanced manufacturing technologies will create new security challenges that traditional approaches cannot address. Identity-based security architectures provide the flexibility and automation capabilities necessary to secure these emerging technologies while maintaining compliance with evolving regulatory requirements.
Pharmaceutical companies must also prepare for increased scrutiny from regulatory bodies, customers, and partners regarding cybersecurity practices. The FDA's guidance establishes a baseline that will likely expand to include more prescriptive requirements over time. Organizations that proactively implement comprehensive security programs will demonstrate leadership in patient safety and regulatory compliance.
Conclusion: Taking Action on FDA Cybersecurity Requirements
The FDA's operational technology cybersecurity guidance represents a watershed moment for pharmaceutical and biotech manufacturing security. The agency's comprehensive framework provides clear direction for protecting the increasingly connected systems that produce life-saving medications and medical devices.
For cybersecurity leaders at large pharmaceutical and biotech companies, the guidance creates both urgency and opportunity. Organizations that act quickly to implement FDA-aligned security architectures will gain competitive advantages in regulatory compliance, operational efficiency, and risk mitigation. Companies that delay action risk falling behind both regulatory requirements and industry best practices.
The experiences of companies like GSK and Andelyn Biosciences demonstrate that comprehensive operational technology security is both achievable and cost-effective when approached with the right technologies and strategies. Identity-based microsegmentation platforms like Elisity enable rapid deployment of FDA-compliant security controls without disrupting critical manufacturing operations.
The path forward requires commitment to security by design principles, comprehensive asset visibility, and automated policy enforcement. Organizations that embrace these principles will not only meet FDA requirements but will also establish robust foundations for protecting patient safety and business continuity in an increasingly connected world.
The stakes could not be higher. As Mike Elmore at GSK emphasizes, pharmaceutical cybersecurity is fundamentally about patient safety: "Whether that's vaccine, HIV medication, the safety impacts that come with not getting this right viscerally keeps me up at night." The FDA's guidance provides the roadmap—now it's time for pharmaceutical and biotech leaders to act.
To learn more about how Elisity's identity-based microsegmentation platform can help your organization achieve FDA cybersecurity compliance while reducing operational complexity and costs, schedule a demo with our pharmaceutical cybersecurity specialists.