
News & Knowledge

We’re your source for automation news. Keep up with the latest industry updates and E Tech employee spotlights, as well as tips and guidance from our manufacturing experts.  

E Tech Group and Germfree Collaborate to Design Cutting Edge Modular Cleanrooms

E Tech Group and Germfree are pioneering modular cleanroom design, combining advanced automation, critical management systems, and data-driven manufacturing insights to deliver exceptional results.

Author contributors: Director of Application Engineering Vivek Puthezath and Germfree Commercial Director Stephen Ondek

An ongoing collaborative project between E Tech Group and Germfree stands at the forefront of modular cleanroom design. The partnership incorporates state-of-the-art building automation and critical management systems with advanced data aggregation capabilities for manufacturing intelligence insights to deliver remarkable results to customers.

Project Description

In early 2024, Germfree, a company specializing in the design and manufacture of modular cleanrooms, approached E Tech Group to collaborate on modernizing their building management and critical monitoring systems. The goal of the partnership was two-fold: first, to meet current regulatory standards for environmental monitoring and data integrity, specifically FDA's 21 CFR Part 11 regulation governing electronic records and electronic signatures; and second, to equip the cleanrooms with advanced data storage and aggregation technology so that clients can readily apply data analytics and manufacturing intelligence to optimize their process.

Germfree’s modular cleanrooms are typically employed for specialized applications including:

  • Cell and gene therapy production
  • Decentralized, on-demand pharmaceutical manufacturing
  • Early and preclinical stage drug manufacturing
  • Biopharmaceutical research and production
  • Specialized production of customized medication (hospitals and compounding pharmacies)

The modular cleanroom design incorporates several critical features required by this clientele. These include strict environmental control and monitoring capabilities to ensure the safety, efficacy, and compliance of the therapies produced. Each cleanroom can be customized to meet a client’s specific regulatory requirements including USP 795, 797, and 800 for pharmacies, biosafety levels 1 through 4, European grades B, C, and D environments for gene and cell therapies, as well as all relevant ISO standards. In addition, the cleanrooms can be customized to meet a client’s specific layout, materials, and integrated technology requirements.

Figure 1: Interior view of a Germfree cGMP compliant modular cleanroom.

The cleanrooms are designed with durability, scalability, and relocation capability in mind, including steel frames and ArcoPlast walls so that clients can easily adapt, expand, or even relocate their operation as needed. Germfree personnel manage all aspects of a cleanroom solution on behalf of their clients including design, construction, installation, commissioning, qualification, certification and maintenance. The modular cleanrooms can often be ready for use within a ten-month timeframe. Additionally, because many of Germfree’s clients are small-scale research laboratories, universities, and hospitals, the cleanrooms have been designed to be cost-competitive as budgets are often limited.

Figure 2: Germfree’s modular cleanrooms are designed for compliance with all regulatory requirements and are built with durable construction materials.

Cutting-Edge Customized Environmental Monitoring and Control

E Tech Group’s environmental monitoring system (EMS) provides precise control, continuous monitoring, and recording of environmental conditions to meet compliance requirements. The system was designed and implemented with the following fundamental priorities:

  • Full adaptability to comply with all relevant regulations and standards
  • Adherence to the requirements of 21 CFR Part 11
  • Full system scalability, ensuring seamless integration of any future additions to the cleanroom module
  • An intuitive user interface, such that new users can operate it without significant training
  • Maintaining cost-competitive pricing of the cleanroom

E Tech Group’s building management system (BMS) design fully controls all environmental equipment, including air handlers, exhaust fans, fan filter units and variable air volume (VAV) systems to maintain the desired conditions within the cleanroom. It not only provides trend data visualization for real-time system performance insights but also maintains a complete record of environmental conditions.

A CMS in Compliance with 21 CFR Part 11 and cGMP Regulations

The critical monitoring system (CMS) implemented by E Tech Group provides verification and documentation that the cleanroom conditions remain within specified limits, as required for compliance with regulatory standards and to support quality assurance. In line with 21 CFR Part 11, the CMS uses individually assigned user accounts with secure login, electronic signature capability, and computer-generated, time-stamped audit trails that record who changed what and when without obscuring the previously recorded value, so that every action is traceable, securely recorded, and verifiable. This level of monitoring and record keeping is important for maintaining the integrity of critical environments where precise control over environmental parameters like temperature, absolute and differential pressure, humidity, and particle count is necessary for sensitive processes.

Additionally, the CMS monitors and records environmental conditions within relevant process equipment such as autoclaves and incubators. This provides a comprehensive record that products are manufactured and stored under the ideal conditions required by regulatory standards, including current Good Manufacturing Practice (cGMP) regulations.
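As an added illustration of the audit-trail properties described above (example code written for this article, not E Tech Group's or Germfree's implementation, and not the audit mechanism of Ignition or the Canary Labs historian), the following Python shows one way such records can be made tamper-evident: each record is time-stamped, attributed to a user, keeps the old value beside the new one, is chained to the previous record, and is authenticated with an HMAC under a key that the operator and HMI administrator roles cannot read. It covers record integrity only; authenticating the person behind a user ID (the two-component login that Part 11 expects for electronic signatures) is the job of the login layer in front of it. The key, user names, tag names and setpoint values are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumption: the key lives with the records service; operators and
# administrators of the HMI have no read access to it.
AUDIT_KEY = b"hypothetical-records-service-key"


class AuditTrail:
    """Append-only trail: each record is time-stamped, attributed to a user,
    chained to its predecessor and authenticated with HMAC-SHA256."""

    def __init__(self, key):
        self._key = key
        self.records = []

    def _mac(self, rec):
        body = json.dumps({k: v for k, v in rec.items() if k != "mac"},
                          sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, user_id, action, target, old_value, new_value, ts=None):
        prev_mac = self.records[-1]["mac"] if self.records else "0" * 64
        rec = {
            "seq": len(self.records),
            "timestamp": (ts or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,
            "action": action,
            "target": target,
            "old": old_value,      # previous value is kept, never overwritten
            "new": new_value,
            "prev_mac": prev_mac,  # chain link: deleting or reordering breaks it
        }
        rec["mac"] = self._mac(rec)
        self.records.append(rec)
        return rec

    def sign(self, user_id, target, meaning, ts=None):
        """Electronic signature record: signer, date/time and meaning of the signature."""
        return self.append(user_id, "e-signature", target, None, meaning, ts)

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad record)."""
        prev_mac = "0" * 64
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev_mac"] != prev_mac:
                return False, i
            if not hmac.compare_digest(rec["mac"], self._mac(rec)):
                return False, i
            prev_mac = rec["mac"]
        return True, None


def demo():
    """Returns the verify() result for an intact trail, after a value edit,
    and after a record is deleted from the middle of the trail."""
    trail = AuditTrail(AUDIT_KEY)
    trail.append("operator7", "setpoint_change", "RoomA.temperature_sp", 20.0, 21.5)
    trail.append("operator7", "setpoint_change", "RoomA.diff_pressure_sp", 15.0, 12.5)
    trail.sign("qa_lead", "Batch-0042", "reviewed and approved")
    intact = trail.verify()

    # Tampering attempt 1: silently change a recorded value.
    edited = AuditTrail(AUDIT_KEY)
    edited.records = [dict(r) for r in trail.records]
    edited.records[0]["new"] = 20.5
    after_edit = edited.verify()

    # Tampering attempt 2: remove the pressure change from the middle of the trail.
    pruned = AuditTrail(AUDIT_KEY)
    pruned.records = [dict(r) for r in trail.records]
    del pruned.records[1]
    after_delete = pruned.verify()
    return intact, after_edit, after_delete
```

The chain alone only proves that records have not been reordered or removed; the HMAC is what stops someone with write access to the store from re-computing the hashes after an edit, which is why the key must be held outside the roles whose actions the trail records.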

Intuitive User Interface, Web Browser Accessibility

E Tech Group designed the user interface to be highly intuitive, allowing new users to operate it without significant training, while also maintaining cost-competitiveness. The interface is built using Ignition (by Inductive Automation), allowing users web browser access to easily make adjustments to temperature, pressure, humidity, and other environmental parameters.

Germfree: Expert Guidance on Regulatory Requirements for Specialized Applications

Germfree’s engineering team possesses extensive knowledge and expertise to advise clients on the regulatory requirements relevant to their particular application. Their engineers determine necessary air changes, room classifications, pressure cascades, and other specifications.

Clients can focus on their core science while relying on Germfree expertise for cleanroom design, and the cleanroom’s capabilities to maintain compliance and product integrity during production. 

Digital SME: One Platform to Consolidate Data from Diverse Vendors

E Tech Group incorporated a singular data aggregation platform into the cleanroom’s design so that clients can readily employ data analytics and other manufacturing intelligence initiatives to optimize their process.

Cleanrooms typically employ specialized process equipment from different vendors, including but not limited to spectrometers, bioreactors, and chromatographs. Each piece of equipment commonly uses its own communication protocol and data format, which makes full data integration a challenging endeavor.

E Tech Group collaborated with equipment vendors to standardize communication protocols, encouraging their adoption of the industry-standard OPC UA to simplify data transfer to a single data aggregation platform within the cleanroom. In addition, E Tech Group identified equipment-specific datasets that are particularly valuable for end-user analytics and collaborated with vendors to extract this needed data.

Figure 3: E Tech Group incorporated a data aggregation platform into their design, providing clients the capability of employing manufacturing intelligence initiatives to their process.

Golden Batch Analysis – The Power of Data Analytics

A powerful example of the benefits of manufacturing intelligence is golden batch analysis. When an ideal production batch (the "golden batch") is produced, the trends of all critical process parameters that led to it are recorded. This set of parameter trends then serves as the gold standard for the optimal production conditions of that product.

With these parameters known, every subsequent batch in production can be monitored in real time to see how it’s trending in comparison to the golden batch parameters. Manufacturing intelligence uses data analytics and machine learning to compare real-time production data against the golden batch, identifying deviations and even suggesting real-time process parameter adjustments. The result is better product quality and consistency, reduced waste, and therefore improved efficiency.
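The comparison described above, as an added example that is not part of the original article or of any vendor's analytics product: the Python below builds a tolerance band per parameter and per time step from one or more reference batches and flags the samples of an in-progress batch that fall outside it. It goes slightly beyond the text's single golden batch in that the band can be built from several good batches, which makes it less sensitive to one run's noise; with a single reference batch the band collapses to the configured floor. The parameter names, sample values and tolerances are constructed.

```python
from statistics import mean, pstdev

# Constructed reference data (assumption): three good batches of one product,
# each sampled once a minute for six minutes, for two critical parameters.
REFERENCE_BATCHES = {
    "temperature_c": [
        [37.0, 37.1, 37.0, 36.9, 37.1, 37.0],
        [37.1, 37.0, 37.1, 37.0, 37.0, 37.1],
        [36.9, 37.1, 36.9, 37.0, 37.2, 37.0],
    ],
    "pressure_pa": [
        [15.0, 15.1, 15.0, 15.0, 15.1, 15.0],
        [15.1, 15.0, 15.0, 15.1, 15.0, 15.0],
        [15.0, 15.0, 15.1, 15.0, 15.0, 15.1],
    ],
}
# Minimum half-width of the band per parameter (assumption: taken from the
# process specification) so that a very consistent reference set does not
# produce a band narrower than the sensor can resolve.
TOLERANCE_FLOOR = {"temperature_c": 0.3, "pressure_pa": 0.5}


def build_envelope(batches, k=3.0, floor=0.0):
    """Per time step: mean +/- max(k * stdev, floor) over the reference batches."""
    steps = len(batches[0])
    if any(len(b) != steps for b in batches):
        raise ValueError("reference batches must be aligned to the same length")
    envelope = []
    for t in range(steps):
        column = [b[t] for b in batches]
        half = max(k * pstdev(column), floor)
        centre = mean(column)
        envelope.append((centre - half, centre + half))
    return envelope


def check_live_batch(live, envelope):
    """Compare an in-progress batch (may be shorter than the envelope) step by step.
    Returns (t, value, low, high) for every sample outside the band."""
    if len(live) > len(envelope):
        raise ValueError("live batch is longer than the reference envelope")
    return [(t, v, lo, hi)
            for t, (v, (lo, hi)) in enumerate(zip(live, envelope))
            if not lo <= v <= hi]


def compare_to_golden(reference, live, k=3.0, floors=None):
    """Deviations per parameter for every parameter present in the live batch."""
    floors = floors or {}
    return {p: check_live_batch(live[p], build_envelope(reference[p], k, floors.get(p, 0.0)))
            for p in live}


def demo():
    # Constructed in-progress batch: the temperature drifts high from minute 2.
    live = {
        "temperature_c": [37.0, 37.1, 37.6, 37.8, 37.1],
        "pressure_pa": [15.0, 15.1, 15.0, 15.2, 15.0],
    }
    return compare_to_golden(REFERENCE_BATCHES, live, floors=TOLERANCE_FLOOR)
```

In a real deployment the live trend would come from the historian and the band would be stored with the product recipe; the point of the example is that the "deviation" the text refers to is simply a per-step comparison against a band, so every flagged sample can be explained to an operator in terms of the reference it was compared with.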

Equipment Selection

To balance cutting edge capability with cost-effectiveness, the modular cleanroom design incorporates the following platforms:

  • PLC: A Rockwell Automation PLC was selected to automate and integrate the control of all critical systems, providing robust operation and supporting compliance with regulations including 21 CFR Part 11.
  • User Interface: The system’s user interface was implemented using Inductive Automation’s Ignition to support the project’s budgetary goals while also providing easy accessibility via web browser.
  • Historian:  A Canary Labs historian was selected based on its high level of functionality and cost-effectiveness.
  • Isolator (Optional Addition): The cleanroom’s isolator is integrated with AST’s (Advanced Sterilization Technologies) automated fill-finish systems for sterile manufacturing.
  • Smart Hood (Optional Addition): Designed by Germfree, the smart hood incorporates label printing and weighing scales that enhance IV compounding efficiency.

Closing Remarks

At Germfree and E Tech Group, we take great pride in our contribution to therapy research, and supporting the accessibility of rare and novel drugs for those who need them most. We deeply understand the significance of this effort and have diligently worked to align our solutions with clients’ budget constraints so that vital research and treatment can continue.

The collaboration between Germfree and E Tech Group has significantly advanced modular cleanroom technology. By integrating modern building management and critical monitoring systems tailored to meet the stringent demands of the pharmaceutical and biotechnological industries, clients can be confident that the necessary conditions for producing safe and effective therapies are met.



Cybersecurity Best Practices Save Critical Infrastructure

When a food and beverage manufacturer experienced a cyberattack, E Tech Group’s prior IT/OT assessment and network improvements protected the facility, ensuring operational continuity and minimizing damage to the enterprise network.

Author contributor: Solutions Architect, Kevin Romer

When a food and beverage industry manufacturer faced a cyberattack, the previously implemented best practices for network architecture minimized the damage. E Tech Group had conducted a thorough IT/OT assessment for the company, based on which they also designed and installed essential network improvements. Consequently, all OT assets remained inaccessible to the attacker. The facility continued operating at full capacity while mitigating the limited damage to the enterprise network.

E Tech Group Cybersecurity Measures Protect Critical Assets from Cyberattack

An E Tech Group food and beverage client recently had a successful breach of their enterprise network. However, because this manufacturer had previously worked with E Tech Group associates to complete recommendations stemming from an IT/OT assessment, the scope of the attack was limited to the IT side of the network and was caught early. As a result, critical assets remained out of reach and production was not impacted.

This article describes the networking strategies the client implemented well ahead of the cyberattack. It then presents the timeline of the attack, its consequences, and the consequences it could have had if the network had not been properly segmented and secured. Finally, much of network security practice depends on not disclosing details of a network's structure and of the security tools that guard it, so the brands of equipment installed in this facility are not identified.

The Decision to Implement OT Network Best Practices

A predominant high-level characteristic of the management team within this company was their forward-thinking and proactive approach. As a team, this group thrived on learning about how new technology and trends within the industry could benefit their facility, including those surrounding security.

In 2018, an E Tech Group associate assessed the facility’s network, uncovering significant vulnerabilities in its architecture. Of particular concern was the lack of proper isolation between the IT and OT networks, which posed a serious risk of allowing attackers to breach the IT network and gain access to critical infrastructure in the OT network. In response to these findings, management adopted recommended security measures, specifically implementing a demilitarized zone (DMZ) architecture as part of their proactive approach to network security.

Foundational DMZ Architecture Strategies

The following list outlines the basic strategies of a DMZ architecture for industrial network security:

  • A firewall with restricted access control lists sits at the edge of the enterprise network, where it connects to the internet.
  • A second firewall creates the DMZ between the IT and OT networks. No connection is permitted to pass directly from IT to OT or from OT to IT; every exchange terminates on a host inside the DMZ.
  • Servers in the DMZ (for example a data or historian mirror) and a jump box are the only systems that talk to both sides, so each network exposes services only to the DMZ and never to the other network.
  • Separate domain controllers are established for the IT and OT networks, with no trust relationship between the two domains.

This design helps to ensure that in the event of a breach in the outer layer, the supplementary layers will remain effective in safeguarding the OT network including the industrial control systems and the critical infrastructure dependent on it. This particular manufacturer further strengthened their security posture by implementing a network threat detection engine.

Each component of the DMZ architecture and the threat detection engine is discussed in more detail below.

OT Network Firewall

The OT network firewall is designed specifically to protect critical infrastructure and will typically include:

  • Enhanced access control: Access control lists restrict access to sensitive areas of the OT network, allowing only the communications that are explicitly needed to pass through and denying everything else by default.
  • Protocol filtering: The firewall can be configured to filter the communication protocols specific to the OT network, such as industrial protocols (Modbus/TCP, PROFINET, OPC UA, EtherNet/IP, etc.), and block unauthorized protocols. Several of these protocols carry no authentication of their own, so the useful policy restricts not only which protocol is allowed but which hosts may speak it and, where the firewall can inspect the protocol, which commands (for example Modbus writes as opposed to reads) are permitted.
  • Segmentation and zoning: The firewall segments the OT network into security zones based on function or security requirements, enforcing distinct policies and access controls for each zone to limit how far a breach can spread across the network.
  • Monitoring and logging: The firewall offers advanced monitoring and logging capabilities, enabling detailed diagnostics of OT network issues and early detection of potential security incidents.
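To make the DMZ rules and the protocol filtering concrete, here is an added example written for this article. It is not the client's firewall configuration (the article deliberately does not name the vendor) and not a particular product's rule syntax: it models the three zones and the allow rules as data, evaluates candidate flows against them with first-match-wins and a default deny, and includes a lint check that no allow rule joins the enterprise and OT zones directly. Rules describe who may initiate a connection; a stateful firewall admits the return traffic of a permitted flow on its own. All addresses, ports and host roles are assumptions.

```python
import ipaddress

# Constructed zone addressing (assumption; not the client's network).
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot": ipaddress.ip_network("10.30.0.0/16"),
}
JUMP_BOX = "10.20.0.10"       # DMZ jump box (assumption)
HIST_MIRROR = "10.20.0.20"    # DMZ data/historian mirror and report server (assumption)
OT_HISTORIAN = "10.30.1.5"    # OT historian that pushes data outward (assumption)

# Ordered allow rules; anything unmatched hits the default deny. A rule may also
# restrict Modbus/TCP function codes, i.e. protocol filtering on port 502.
RULES = [
    {"id": "it-to-jump-rdp", "src": "enterprise", "dst": JUMP_BOX,
     "proto": "tcp", "dport": 3389, "action": "allow"},
    {"id": "jump-to-ot-rdp", "src": JUMP_BOX, "dst": "ot",
     "proto": "tcp", "dport": 3389, "action": "allow"},
    {"id": "jump-to-plc-read", "src": JUMP_BOX, "dst": "ot",
     "proto": "tcp", "dport": 502, "action": "allow", "modbus_fc": {1, 2, 3, 4}},
    {"id": "hist-push-to-dmz", "src": OT_HISTORIAN, "dst": HIST_MIRROR,
     "proto": "tcp", "dport": 8443, "action": "allow"},
    {"id": "it-to-reports", "src": "enterprise", "dst": HIST_MIRROR,
     "proto": "tcp", "dport": 443, "action": "allow"},
]


def zone_of(ip):
    for name, net in ZONES.items():
        if ip in net:
            return name
    return None


def _selector_matches(sel, ip):
    # A selector is either a zone name or a single host address.
    if sel in ZONES:
        return ip in ZONES[sel]
    return ip == ipaddress.ip_address(sel)


def evaluate(flow, rules=RULES):
    """Return (action, rule_id) for a flow dict with src, dst, proto, dport
    and an optional modbus_fc (Modbus function code)."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    for r in rules:
        if not (_selector_matches(r["src"], src) and _selector_matches(r["dst"], dst)):
            continue
        if r["proto"] != flow["proto"] or r["dport"] != flow["dport"]:
            continue
        # Protocol filtering: a Modbus rule matches only the listed function codes,
        # so a write (e.g. FC 16) from the jump box falls through to the default deny.
        if "modbus_fc" in r and flow.get("modbus_fc") not in r["modbus_fc"]:
            continue
        return r["action"], r["id"]
    return "deny", "default-deny"


def _selector_zone(sel):
    return sel if sel in ZONES else zone_of(ipaddress.ip_address(sel))


def direct_it_ot_rules(rules=RULES):
    """Policy lint: allow rules that join enterprise and OT without passing through the DMZ."""
    bad = []
    for r in rules:
        zones = {_selector_zone(r["src"]), _selector_zone(r["dst"])}
        if r["action"] == "allow" and zones == {"enterprise", "ot"}:
            bad.append(r["id"])
    return bad


def demo():
    """Evaluate a set of constructed flows; the IT-host-to-PLC flow is the one that matters."""
    flows = {
        "it_host_to_plc": {"src": "10.10.5.23", "dst": "10.30.2.10", "proto": "tcp", "dport": 502, "modbus_fc": 3},
        "it_host_to_jump": {"src": "10.10.5.23", "dst": JUMP_BOX, "proto": "tcp", "dport": 3389},
        "jump_to_hmi": {"src": JUMP_BOX, "dst": "10.30.1.20", "proto": "tcp", "dport": 3389},
        "jump_plc_read": {"src": JUMP_BOX, "dst": "10.30.2.10", "proto": "tcp", "dport": 502, "modbus_fc": 3},
        "jump_plc_write": {"src": JUMP_BOX, "dst": "10.30.2.10", "proto": "tcp", "dport": 502, "modbus_fc": 16},
        "historian_push": {"src": OT_HISTORIAN, "dst": HIST_MIRROR, "proto": "tcp", "dport": 8443},
        "dmz_into_ot": {"src": HIST_MIRROR, "dst": OT_HISTORIAN, "proto": "tcp", "dport": 8443},
    }
    return {name: evaluate(f) for name, f in flows.items()}
```

Two design choices carry the security argument: the OT historian initiates the push into the DMZ, so nothing in the DMZ needs a standing path into OT, and the lint makes the "no direct IT-to-OT rule" property something that can be checked every time the rule set changes rather than assumed.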

Separate Domains for the IT and OT Networks

By segregating the facility's network into distinct IT and OT domains, unique access policies can be enforced through separate domain controllers. In this instance, although the attacker compromised the enterprise network, access to the OT network was prevented because it operated independently in its own domain and required completely separate login credentials. That protection holds only while the two domains share nothing: no trust relationship between them and no administrator accounts or passwords reused across the boundary, since a single shared credential would carry an attacker straight across.

Cyberattack Timeline: Sequence of Events

The following list outlines the sequence of events that occurred during the cyberattack at the food and beverage facility:

  • Initially, a suspicious log entry flagged by the threat detection engine was overlooked, as it did not impact operations.
  • A few days later, another anomaly was detected close to 2 am. This time, the network engineer investigated upon arriving at 6 am.
  • The investigation revealed unexpected traffic between the IT domain controller and the backup system. Backups are a common target in ransomware attacks: destroying them removes the victim's means of recovery and increases the pressure to pay.
  • The network administrator changed the administrator password, only to find it changed again shortly afterwards by the attacker, a sign that the attacker held domain-level control of the IT network.
  • Realizing the severity, the administrator promptly disconnected the IT network to contain the breach.
  • An independent Incident Response Team was called for immediate assistance in identifying the breach scope and guiding remediation.
  • The remediation of the IT network took several days. Remediation starts with containment: isolating affected systems and cutting off the attacker's access to the network. Once the attack is contained, recovery restores normal operations and repairs the damage the attack caused.
  • Crucially, due to proactive measures in the OT network—such as the use of a jump box, separate IT/OT domains with domain controllers, and a DMZ firewall—the cyberattack was contained within the IT network. This ensured uninterrupted manufacturing operations while the IT network was restored.

These measures prevented the attack from spreading to critical OT infrastructure, highlighting the effectiveness of preemptive cybersecurity strategies in maintaining operational continuity during security incidents.

Worst Case Scenario: What Could Have Been

Had this facility not prioritized implementing OT networking best practices, the outcome of this cyberattack would likely have been much worse. 

Without the separation of the IT and OT domains and distinct domain controllers, the facility would have been governed by a singular domain. Upon obtaining access to it, the threat actor would have easily been able to traverse the entire network of the facility, including into the OT network. Some consequences within the OT network may have included:

  • Removing access rights on servers: The attacker could have altered or deleted legitimate user and administrator accounts on the servers.
  • Shutting down HMI servers: Access to the control system would have allowed the attacker to halt control and monitoring of the process.
  • Control of PLCs: Control of a PLC would have allowed the attacker to alter the automated process directly.
  • Compromising the data servers: In this facility, the batch system was dependent on the data servers. If the attackers had compromised or disabled them, they could have disrupted the batch system and consequently the entire manufacturing process. Note that this dire consequence can be achieved without directly interfacing with the PLCs.
  • Use of RDP sessions: Had the attackers used RDP to take control of other servers on the OT network, they could have continued to spread damage within the system.

Identifying the Attack Vector

The analysis completed during the remediation process revealed that the threat actor had entered the enterprise network through a misconfigured cloud-hosted server that had network access into the enterprise. They used a valid username and password to log in and, once inside, began gathering information about the network and its weaknesses.

This learning phase of a cyberattack is known as reconnaissance. It is a very common strategy used by cyber attackers to maximize the amount of damage they deliver to the victim. By maximizing damages, the victim is highly compelled to pay exorbitant ransom fees to reestablish their business. 

The Threat Detection Engine Identified the Threat Actor

In this breach, the network threat detection engine detected traffic that the threat actor was initiating to gather information about the backup system. This traffic, deviating from expected patterns, was flagged as an anomaly by the engine. Without the threat detection engine monitoring the network, the attackers could have remained unnoticed for a much longer period. This delay would have allowed them to gather extensive knowledge about the facility’s operations before executing a full-scale attack.

E Tech Group’s IT/OT Remediation Prevents a Hostage Situation

In conclusion, although this food and beverage manufacturer faced the challenge of a cyberattack, their proactive cybersecurity posture significantly limited the breach’s impact. By adhering to the recommendations from an IT/OT assessment, they ensured the OT network remained secure and operational, preventing any disruption to their critical infrastructure.

This case exemplifies the importance of forward-thinking security strategies in protecting vital industrial operations and maintaining business continuity amidst cyber threats. E Tech Group can identify your vulnerabilities with a thorough IT/OT risk assessment, after which we recommend, and can also perform, remediations to ensure your next experience with a cyberattack is containable and your assets are protected.


Below are industry definitions and background information to provide additional context and a deeper understanding of the complexities of cybersecurity protection.

What is a domain controller?

A domain controller is a server in a Windows Active Directory domain that manages network security and enforces security policies for a network. It authenticates users, stores their account information, and controls their access to network resources such as files, printers and applications. Domain controllers play a crucial role in centralized network management, ensuring secure access and efficient administration of user accounts and permissions within an organization’s network infrastructure.


What is a firewall?

A firewall acts as the first line of defense for a network, effectively creating a barrier between an external untrusted network (such as the internet) and an internal network. It monitors and filters incoming and outgoing network traffic based on pre-determined rules to control what traffic can enter or leave the network.

In comparison to a traditional firewall, a Next Generation Firewall (NGFW) adds advanced monitoring capabilities including:

  • Deep packet inspection (DPI): Network traffic is divided into packets, each with a header and a data (payload) component. Traditional firewalls inspect only the header: source and destination IP addresses, port numbers, and protocol type. NGFWs also inspect the payload, which is known as deep packet inspection (DPI) and lets the firewall detect and block far more sophisticated threats. A zero-day exploit targets a vulnerability for which the vendor has not yet released a patch (the vendor has had "zero days" to fix it), so by definition there is no signature for it; DPI improves the odds of catching one only when the exploit's traffic trips a generic or behavioural rule, so it raises the chance of detection rather than guaranteeing it.
  • Application awareness: Unlike traditional firewalls, NGFWs can identify and control the specific applications or services that access the network, regardless of the port used. This allows them to block potentially harmful traffic from risky applications known for spreading malware or used in phishing.
  • Intrusion prevention: This capability involves real-time detection and prevention of malicious activity. By continuously monitoring network traffic and performing DPI, NGFWs can detect anomalous behavior on the network. In addition, they typically consult databases of the distinguishing features of known threats (signature-based detection) to identify and stop malicious activity.
  • Advanced threat protection: This capability combines the lower-level detection techniques described above with data analytics such as machine learning. It helps the NGFW identify and respond to highly sophisticated cyber-threats in real time.
  • SSL/TLS inspection: These protocols encrypt data, providing greater security and privacy. NGFWs decrypt, inspect, and then re-encrypt this traffic, allowing detection of threats embedded in encrypted communication. This requires the endpoints to trust the firewall's certificate authority and should be scoped deliberately: it breaks end-to-end encryption, and certificate-pinned applications and some OT traffic will fail if intercepted.
  • Integration with threat intelligence services: This integration improves security efficacy by detecting and mitigating threats from known malicious sources.

Overall, NGFWs provide robust network protection and visibility, empowering organizations to secure their networks from a wide range of cyber threats while maintaining control over application usage and network access.  


What is an OT threat detection engine?

An OT threat detection engine is a specialized tool used in industries like manufacturing and utilities to detect potential security threats in Operational Technology (OT) networks. It passively monitors network traffic, usually from a mirrored switch port or a network tap, focusing on how OT devices communicate in order to identify unauthorized access or malicious actions. Databases of known threats sharpen its detection. It does not block traffic itself; its value is the real-time alert that lets a team act before an intrusion affects operations, so an alert that nobody investigates (as happened with the first one in the timeline above) adds nothing.

Unlike a network firewall, which primarily acts as a barrier to prevent unauthorized access, an OT threat detection engine operates deeper within the OT network. It can monitor and analyze network traffic that a firewall may not see, searching for unusual or suspicious activity. While a firewall enforces access rules at the network perimeter, a threat detection engine monitors internal traffic, capable of detecting threats that slip through the firewall or originate internally.

Threat detection engines utilize advanced data analytics and machine learning algorithms to model traffic patterns and effectively identify anomalies. Unlike firewalls that rely on static rules, threat detection engines adapt based on evolving threat intelligence, enhancing their ability to detect emerging threats. They generate alerts and provide detailed information to support the mitigation process during an attack, ensuring proactive defense measures can be implemented swiftly.


What is a jump box?

In IT/OT networking, a jump box is a hardened computer that acts as the sole entry point into the isolated OT network. Users must connect to the jump box first before accessing critical infrastructure within the OT network. Access to the jump box is tightly regulated using measures including multi-factor authentication and strict access controls. Authorized users who successfully authenticate through the jump box are granted access to manage and interact with devices and servers on the OT network. By serving as the exclusive gateway, the jump box minimizes the risk of a cyberattack reaching the highly sensitive OT network. Its protection depends on its really being the only path: sessions should be logged or recorded, file transfer and clipboard pass-through restricted, and the jump box itself kept patched, because a compromised jump box becomes the attacker's route into OT.


Examples of unusual, suspicious transactions between the domain controller and back-up system may include:

  • Excessive data transfer outside of regularly scheduled backup times. This action may indicate an attempt to exfiltrate data.
  • Off-schedule backup attempts. May suggest an unauthorized user attempting to create a backup.
  • Access attempts from unexpected, atypical IP addresses. May suggest that an attacker has gained access to administrative credentials and is attempting to access the backup system.
  • Backup configuration changes, such as to the destination folder, compression settings, or type of data to store. Suggests that an attempt to manipulate backup data is occurring.
  • Unexpected file types such as an executable file, may indicate that there is an attempt to use the backup system to spread malware.
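The checks in the list above, run over constructed backup-server log lines as an added example (written for this article; it is not the threat detection engine used at the facility, whose vendor is not named, and the log format is an assumption): a scheduled nightly window, an allow-list of clients expected to talk to the backup system, and a size threshold define the baseline, and each event is tested against every rule. The sample includes activity from the IT domain controller at 02:00, inside the backup window, which time-based rules alone would not catch; the source-address rule does. Addresses, user names, paths and thresholds are assumptions.

```python
from datetime import datetime, time

# Constructed backup-server event log (assumed format:
# timestamp|client_ip|user|event|key=value details).
SAMPLE_LOG = [
    "2024-05-03T01:05:11Z|10.10.8.40|svc_backup|JOB_START|job=nightly-full",
    "2024-05-03T02:47:40Z|10.10.8.40|svc_backup|TRANSFER|bytes=52000000000",
    "2024-05-05T02:02:03Z|10.10.0.5|administrator|LOGIN|result=success",
    "2024-05-05T02:03:30Z|10.10.0.5|administrator|CONFIG_CHANGE|setting=retention_days old=30 new=0",
    "2024-05-05T14:15:02Z|10.10.0.5|administrator|JOB_START|job=adhoc-export",
    "2024-05-05T14:40:19Z|10.10.0.5|administrator|TRANSFER|bytes=81000000000",
    "2024-05-05T14:41:00Z|10.10.0.5|administrator|FILE_WRITE|path=/backups/staging/update.exe",
]

# Baseline (assumptions): the backup console 10.10.8.40 is the only expected
# client (10.10.0.5 plays the IT domain controller), the nightly window is
# 01:00-03:00 UTC, and more than 10 GiB outside that window is "excessive".
EXPECTED_SOURCES = {"10.10.8.40"}
BACKUP_WINDOW = (time(1, 0), time(3, 0))
BULK_BYTES = 10 * 1024 ** 3
RISKY_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".vbs", ".scr")


def parse_event(line):
    ts, src, user, event, details = line.strip().split("|", 4)
    fields = dict(p.split("=", 1) for p in details.split() if "=" in p)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "user": user, "event": event, **fields}


def in_backup_window(ts):
    lo, hi = BACKUP_WINDOW
    return lo <= ts.time() <= hi


def analyze(lines):
    """Return (line_no, finding, detail) triples; one event can raise several findings."""
    findings = []
    for n, line in enumerate(lines, 1):
        e = parse_event(line)
        # Access from a client that never talks to the backup system.
        if e["src"] not in EXPECTED_SOURCES:
            findings.append((n, "unexpected_source", e["src"]))
        # A backup job started outside the scheduled window.
        if e["event"] == "JOB_START" and not in_backup_window(e["ts"]):
            findings.append((n, "off_schedule_job", e.get("job", "")))
        # Large transfer outside the window: possible staging for exfiltration.
        if (e["event"] == "TRANSFER" and not in_backup_window(e["ts"])
                and int(e.get("bytes", 0)) > BULK_BYTES):
            findings.append((n, "bulk_transfer_outside_window", e["bytes"]))
        # Any change to backup configuration (retention, destination, scope).
        if e["event"] == "CONFIG_CHANGE":
            findings.append((n, "backup_config_change",
                             f"{e.get('setting')}: {e.get('old')} -> {e.get('new')}"))
        # Executable content written into the backup store.
        if e["event"] == "FILE_WRITE" and e.get("path", "").lower().endswith(RISKY_EXTENSIONS):
            findings.append((n, "executable_written_to_backup", e["path"]))
    return findings
```

Each finding names the line and the rule that fired, which is what an analyst needs at 6 am to decide whether the 2 am alert is noise or, as here, a domain controller that has no business talking to the backup server at all.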

What is exfiltration of data?

During a ransomware attack, it’s common for data from the system to be exfiltrated. The process of exfiltration involves the transfer of sensitive or confidential information or data off the network to a location under the control of the threat actor. This data breach can have wide reaching impact, including the loss of:

  • Proprietary information
  • Personal information
  • Intellectual property
  • Recipes and other trade secrets

Cyber Attackers Want to Maximize Damage, IT/OT Remediation Will Minimize Damage

A modern cyberattack will typically go through distinct phases as the attacker moves from reconnaissance to gaining access and then to full-scale execution of the attack. It may be several months before the actual attack occurs, as the threat actor will spend this time learning everything they can about the company, their operation, their process, and their network structure.

During each phase, an attacker may use a variety of network analysis tools to better understand the victim’s facility, associated vulnerabilities, location of sensitive data, and best means of data exfiltration. The learning phase allows an attacker to strategize the best approach to disrupting a facility.

In a previous article, we argued the importance of cybersecurity to manufacturers as process automation becomes more integral to success and cyberattacks become more and more common. It included alarming data about the rising frequency of attacks on critical infrastructure and the large costs associated with them.

Manufacturers must continue to evaluate, manage, and secure their networks and consequently, their vital assets, even as they strive to reap the benefits of digitalization, and an IT/OT assessment of your facility’s assets is the perfect place to start.



Cost-Saving Ignition-Based Design: Meeting ISA–88 Standards for Batch Control

E Tech Group is currently in the final stages of developing a design that interfaces with Inductive Automation’s Ignition, to support batch control while meeting ISA-88 standards. The resulting design will give batch control manufacturers access to Ignition’s open architecture, cross-platform compatibility, user-friendly development environment and flexible licensing model while meeting the strict ISA-88 standard.
