Xertified XoT devices to secure life science equipment

It was obvious from the first meeting that there is a case for Xertified to secure vulnerable life science equipment. Promising cyber security improvements in fifteen minutes or less seemed like an interesting promise, stretching what I thought was even possible. One week later we are all much wiser, this is what we learned.

Xertified and Biotage ran a one-week test in the Testa Center to test if their ”XoT solution” could improve the cyber security posture of life science equipment. Another goal for the project was to learn about customer demands on cyber security in life sciences.

During the week Xertified and Testa Center ran test cases with the XoT-device using the Cytiva Xcellerex Disposable Reactor 50 liters, the ReadyToProcess Wave25 bioreactor, an ÄKTA ready flux instrument, the Applikon/Getinge Easy Controller 2 tower and bioreactor, as well as a Mettler Toledo IND570 floor scale.

Test and interviews for cyber security insights

Tests were conducted to try out communication, functionality, and to reduce cyber security attack surfaces. The team also conducted interviews with participants and stakeholders to learn about life science and biotech demands on cyber security. A discussion was held with subject matter experts on cyber security implementation, instrumentation development, customers’ feedback, as well as on remote service and maintenance.

Reduced attack surface

The tests revealed that most instruments in this test received cyber security benefits from utilizing the Xertified offering using XoT-devices and management systems. 

Happy faces from left to right, Martin Eriksson, Mats Loman, and Mattias Waldau, after successful tests on the XDR 50.

Universities and small-medium businesses could be the early adopters

From the interviews, it was derived that the typical “big-pharma” customer usually has an IT department with in-house cyber security expertise. It was also found that the “big-pharma” customer normally does not allow for the introduction of new devices after the manufacturing process has been deployed, verified, and in production. The interviews revealed that universities usually are early adopters of new technology and usually work in cyber security risk environments as their lab often gives open access to students and researchers even as they work with forefront research. On the other hand, universities tend to be price sensitive. 

The best fit for the XoT solution in life science equipment seems to be to support equipment and instruments that are sold to the small and medium business (SMB) segment. The SMBs usually have a basic to an above-average understanding of cyber security and understand the need for improved security if it comes as a combined or integrated solution. 

Other findings

We also found a lot of ideas for new features on the XoT device, the client package, and the management portal that would be beneficial for the life science industry.

The original time plan was adjusted during Tuesday as the RTU (real-time unit), ÄKTA Go, Pure, and Pilot 600 was ruled out from the original test plan due to their network design. Time ran out while we were testing the ReadyToProcess Wave 25, so the results are inconclusive on that specific device.

Improved security in fifteen minutes?

So, did we get the improved cyber security posture in just fifteen minutes per instrument? Not for the first or second instrument, but for the third and fourth, yes, we did! 

We also learned about the reasons why very few labs and even fewer process manufacturers allow for public internet access to the control systems, even when the users demand it.

With the learnings from this project, Xertified should soon be able to make it possible for labs to securely use more Internet-connected instruments and services in the labs, by using their XoT technology.