With a rich heritage in biotech, Cytiva provides technologies and services that advance and accelerate the development and manufacturing of therapeutics.
Operating in over 40 countries worldwide, the company conducts fundamental biological research and develops pioneering vaccines, biologic drugs and novel cell and gene therapies. With over 100 locations globally, Cytiva knows that shaping the future of life sciences requires a firm grip on all aspects of security.
Searching for the right solution for an expansive digital roadmap
When Cytiva was acquired by a new parent company, there was an immediate need to change out and upgrade the physical security systems and infrastructure. They wanted to move away from older, disparate on-premises solutions and were committed to a cloud-first approach to minimize infrastructure demands on their team.
The company also had big expansion plans on the horizon, so they wanted a scalable security solution that could meet immediate requirements and evolve alongside future needs.
According to Larry Allen, Technical Product Owner for Facilities, Security and Crisis Management at Cytiva, “Following the acquisition, we became a lot more autonomous as an entity. We had more freedom to invest in our wishlist and evolve our physical security the way we wanted to. Our first objective was to simplify our operations through unification and standardize video and access control on one platform. Beyond that, we wanted access to a toolset of features, plugins or integrations that would align with our digital roadmap.”
To make sure everything from decision-making to deployment went smoothly, Cytiva enlisted the help of Johnson Controls, a Genetec-certified systems integrator with experience in complex, enterprise-level deployments. After hearing Cytiva’s must-haves for physical security and helping the team solidify a plan forward, Johnson Controls designed the platform architecture using Genetec Security Center Software as a Service (SaaS) Edition that would unify Cytiva’s security technology, including access control and video surveillance.
Building a hybrid access control system
Today, the Cytiva team manages access control and video surveillance using Security Center across 17 of their most critical research and manufacturing sites. Each site averages 20 cameras and 30 doors, but some of the larger locations have up to 500+ cameras and 550 access points.
“We’re in the business of bioprocessing, gene therapy and cellular analysis; not physical security software. In the past, staying on top of vulnerability patching, software updates and just managing those environments was challenging,” according to Allen.
“Moving forward with Genetec Security Center SaaS edition helps us minimize the lifecycle management of the software. When the vendor handles the bulk of that, it saves us time and offers us more reliability.”
With the Security Center SaaS edition security management platform, Cytiva was able to build a hybrid deployment model that works for the company. While the team’s Synergis access control system is fully hosted in the cloud, the Omnicast surveillance system and all video recordings are managed and stored locally at various sites.
At some of Cytiva’s smaller sites, the company has installed the Genetec Streamvault appliance, which includes video surveillance access control solutions for simple deployment. The Federation feature bridges all systems together, aiming to give teams a unified security view.
“The Security Center SaaS edition allows us to expand security across new and existing sites quickly, using cloud services where possible. This has been critical for us because during a global, company-wide upgrade like this, adding more and more servers just gets unwieldy,” Allen says. “The time our team will spend managing that hardware adds to the total cost of ownership. At some point, you’re just not saving money anymore. So, with the SaaS edition and the hybrid deployment, we’re able to operate leaner.”
With a solid foundation in place, the Cytiva team is slowly adding features and functionalities to help boost operator confidence and efficiency with security operations and response. Johnson Controls provides onsite training and support to the Cytiva team. They have also set up Plan Manager for the Cytiva security team, a map-based interface within Security Center, to help operators navigate each site and address any alarms or events that come up across the locations.
Automating identity and access management
As part of the design and build, Johnson Controls also recommended that Cytiva implement Genetec ClearID. This physical identity and access management (PIAM) solution has not only helped to standardize processes for employee access requests, but higher levels of automation have also saved personnel time.
“Since installing Genetec ClearID, we’ve seen a 30% efficiency gain in our resources. We have improved our workflow processes, so there’s just less time required for provisioning and managing employee [access control] credentials and access rights,” says Allen.
Prior to the implementation, each facility had specific policies and procedures around how to handle access and credentialing requests. Most of the time, an employee would reach out to the security team and request access. Once certain criteria were met, they would grant them access manually by changing cardholder access rights within the organization’s access control system.
“In the past, sometimes access requests would fall through the cracks or someone wouldn't get the approval they were looking for,” Allen says.
“With ClearID, the self-service aspect has been the biggest benefit. Now, requesting access can be done by the employee, and the entire process is automated until access is granted by the assigned area approver.”
The PIAM module has also helped Cytiva’s security team strengthen audit quality. “Now, when we are audited, we can quickly demonstrate that every step from the request by the employee to the approval and granting of access by the authorized individual is logged automatically by ClearID. There’s no possibility for human error, so from an audit standpoint, we have better quality data to support regulatory compliance,” continues Allen.
Strengthening compliance and cybersecurity best practices
With over 100 locations globally, Cytiva is committed to maintaining high-level security while ensuring compliance with various mandates. These include the General Data Protection Regulations (GDPR), Biomedical Advanced Research and Development Authority (BARDA), and Chemical Facility Anti-Terrorism Standards (CFATS), among others. Part of honoring these regulations and keeping operations running smoothly means maintaining cybersecurity and privacy best practices.
“In the past, we needed to give more people access to our physical security systems to service those access requests. Since the provisioning workflows are all automated within ClearID now, we’ve been able to restrict access to the application itself to a very limited group of system users. This makes our security operations far more secure and resilient,” explains Allen.
Even during the decision-making phase, the team needs to ensure every vendor they partner with and every solution they deploy meets very strict cybersecurity and privacy standards. After the in-house cyber team put Genetec to the test with a comprehensive assessment, they knew they were headed in the right direction.
“There are a lot of companies out there that either haven't done much in the cybersecurity space, or they have, but don’t have the information we need prepared. Genetec responded with a lengthy package of documents to support our assessment and turned it all around in quite a short amount of time. This suggested that they were not only prepared but very informed about all cybersecurity aspects,” says Allen.
In Europe, the team has also begun trialing Genetec Clearance to heighten privacy protection and better meet GDPR requirements. This cloud-based digital evidence management system aims to aid investigations by compiling evidence in one central location and help the Cytiva team service requests for information from citizens, automate data retention periods and enable automated privacy masking to better protect individuals’ identities.
Expanding security in biotech
Further Cytiva site expansions and additional security features are mapped out in a 3-year, 5-year and 10-year phased plan.
Priorities right now include setting up and piloting the Genetec Mission Control decision support module. By guiding operators through response to incidents with standard operating procedures, the team believes this tool will help them further strengthen compliance and security.
In the future, Cytiva wants to look at how to leverage its investments for operational benefits, such as adding cameras to monitor manufacturing at some locations where processes are heavily regulated. The firm is also discussing having regional operations centers to increase security and incident response across global sites.
“Genetec Security Center and the ClearID module have allowed us to standardize our security policies and operations across all our sites. We’ve also been able to optimize our resources because we’re working more efficiently within a single unified platform. Partnering with Johnson Controls and Genetec has been instrumental to our success. We feel confident moving forward with our digital roadmap, especially knowing everything is centered around this one robust, unified solution,” Allen says.
This article originally ran in Security, a twice-monthly security-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.