TCR2 Builds Cybersecurity Precautions into its Maryland Manufacturing Facility

Cybersecurity is playing an increasingly important role across multiple industries, including the biopharma industry. The number of cyberattacks has increased over the past several years, especially during the height of the pandemic with multiple assaults on organizations like the World Health Organization (WHO) and the Department of Health and Human Services.

Not only have organizations been attacked, so have individual companies. Pfizer, BioNTech, and AstraZeneca, makers of two of the currently available COVID-19 vaccines, were attacked in 2020 by hackers. Other targets of hackers include Merck, Roche, and Dr. Reddy’s Laboratories. With the increasing concern of cyberattacks, TCR2 Therapeutics is taking steps to ensure that its planned 85,000 square foot state-of-the-art commercial cell therapy manufacturing facility in Rockville is as protected as possible.

Manufacturing firms, including those within the pharmaceutical industry, are increasingly becoming targets for cybercriminals. According to Trend Micro, 61% of companies have experienced a cybersecurity incident that has affected their factories, and three-quarters of those incidents caused production to be taken offline.

Manufacturing has been hard hit by cybersecurity concerns, particularly due to ransomware, which encrypts files and file systems on computer systems. That’s something that has to be taken a close look at by industry leaders, said Robert M. Lee, Founder and Chief Executive Officer of cybersecurity expert and Hanover, Maryland-based Dragos.

Aaron Vernon, TCR2’s vice president of Technical Operations, who was hired away from Autolus Therapeutics, a U.K.-based company that previously planned to establish a cell therapy manufacturing presence in Maryland, has been concerned about the potential threat the company could face, particularly with the backdrop of increasing cyberattacks associated with the ongoing Russian invasion of Ukraine. During a cybersecurity roundtable discussion hosted by the Maryland Department of Commerce, Vernon said design decisions regarding the Maryland facility have included stringent preparations against some kinds of cyberattack, such as a ransomware attack.

“We wanted to make sure that we designed our protections ahead of time so we don’t face that kind of reality,” Vernon said during the Cybersecurity and the Manufacturing Sector in Maryland: An Integrated Approach webinar.  

Vernon pointed to the 2017 cyberattack on Merck, which was believed to be part of the “Petya” attacks that crisscrossed the globe that year. Merck employees reported the discovery of a ransomware note on their computers, demanding a ransom to decrypt their information.

“Once that happened, people’s ears perked up and more and more people realized that cyber security was important. We don’t want cyber terrorists coming after us,” Vernon said.

As TCR2 has constructed its Maryland manufacturing facility, Vernon said the company has sought guidance from cybersecurity experts such as Dragos.

“You need people who know what they’re doing,” he quipped about the partnership with Dragos, who conducted an analysis and network assessment to help TCR2 drive design decisions on its Rockville site. Neither the company nor the patients it serves can afford to have its systems knocked out by cybercriminals, Vernon said.

TCR2 manufactures novel T cell therapies for solid tumors and hematological cancers. The company’s T cell receptor (TCR) Fusion Construct T cells (TRuC-T cells) recognize and kill cancer cells by leveraging signaling from the entire TCR. Patients who receive these therapies have already been through multiple rounds of treatments for their cancers and, in many cases, these therapies are their last option.

Cells are taken from the cancer patients and transported to the TCR2 labs where they are engineered before being taken back to the patient for treatment. It is a time-sensitive process and any type of manufacturing halt could be devastating for patients.

“I want to be able to sleep at night and treat patients,” Vernon said as he stated the importance of being able to protect the company’s manufacturing operations. “We know what we’re trying to protect. You can’t do nothing. There are liability, ethical, and moral considerations. You have to do something. If you don’t consider what could happen, it’s in the category of gross negligence.”

Kimberly Mentzell, Cyber Program Manager at the Maryland Department of Commerce agreed. She said it’s imperative for manufacturing companies in all industries, not just life sciences, to be “proactive, not reactive.”