Nearly a year into the COVID-19 pandemic, which has infected more than 65 million people and wrought economic turmoil worldwide, reports of multiple pharmaceutical companies and government entities approaching the end stages of vaccine development signify a light at the end of the tunnel for this ongoing public health crisis.
As a vaccine for COVID-19 comes closer to becoming a reality, we must prepare for the massive undertaking of efficiently manufacturing and distributing the vaccine safely across the globe. Given the unprecedented criticality of current circumstances, organizations involved at each step of the vaccine's supply chain must focus on operational security in order to ensure the reliability and safety of the product.
Last week, the U.S. Dept. of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued a warning prompted by IBM X-Force reports of unknown cyber-threat actors targeting the COVID-19 vaccine supply chain via phishing in an attempt to access critical systems in the "cold chain," an integral aspect of the supply chain tasked with storing the vaccine within a specified temperature range throughout the manufacturing and distribution process.
Given the potentially devastating impact of a cyber attack against vaccine production and distribution, let's consider the primary security concerns at hand with regard to operational technology (OT):
As multiple vaccines move quickly through the final stages of development, pharmaceutical research organizations must remain vigilant against cyber attacks aiming to disrupt this expedited process. Given the high-stakes race to bring a safe and effective COVID-19 vaccine to market, it's more crucial than ever to stay on top of basic security hygiene, patching vulnerabilities, and locking down access to critical systems managing industrial processes.
Once the months-long, multi-phase process of vaccine trials gives way to authorization for mass production by the Food and Drug Administration and other public health agencies worldwide, the next big race will be to kick production into high gear as quickly as possible. Organizations need to be vigilant against threats to vaccine production such as ransomware. An attack that successfully manages to halt this production could lead to significant backlogs and delays in efforts to vaccinate the general population.
Supply chain providers and manufacturers must also lock down remote access to systems controlling vaccine production. An attack against the manufacturing process could potentially tamper with the delicate balance of the vaccine formula—rendering it ineffective or harmful. Such an attack would bear similarities to the cyber attacks against the Israeli Water Authority earlier this year, during which an attacker attempted to manipulate chlorine levels in the public water supply.
Production is only one aspect of the supply chain that must be secured. Cyber threats to distribution present another risk that must be managed. As we noted earlier, the delicate nature of the vaccine requires it be stored at cold temperatures. While the specific temperature requirements vary among the various vaccines under development, a cyber attack against the building management systems (BMS) that maintain the required temperature range could negate the potency of vaccine batches.
According to The New York Times, the aforementioned cyber attack targeting the vaccine cold chain may have been waged by nation-state adversaries. The exact motive behind this malicious activity is unclear. On one hand, nation-state actors may engage in an attempt to steal proprietary information related to technology for transporting mass quantities of the vaccine across large distances at low temperatures. But more concerningly, some experts suspect these adversaries may intend to wage a disruptive ransomware attack that attempts to hold the vaccine distribution process hostage.
Temperature is just one consideration when evaluating potential threats to vaccine distribution operations. The complex supply chain for vaccines requires the product to change hands many times when making its way from its point of origin to its final destination, thus requiring a tightly choreographed dance of coordinated logistics. And given the precedent of the 2017 NotPetya attack crippling shipping and logistics giant A.P. Møller-Maersk, the risk of a ransomware attack against scheduling software leading to a highly disruptive bottleneck must be accounted for and mitigated.
Fortunately, while concerns related to malicious activity targeting vaccine production and distribution may be numerous, implementation of the following industrial cybersecurity best practices can greatly reduce the likelihood of such threats coming to fruition:
Detailed Operational Visibility: By gaining detailed, real-time visibility into all operational systems involved with vaccine production and distribution, security teams can immediately detect, investigate, and remediate indicators of malware or suspicious activity. To achieve this visibility, organizations need a dedicated security solution capable of overcoming OT-specific challenges, which include a lack of standardized technology, the use of proprietary protocols, and a low tolerance for disruptions to critical processes.
Consistent Cybersecurity Standards: All organizations involved in the vaccine supply chain should heed the industry-specific recommendations detailed in the July 23 CISA alert, which can help mitigate increased cyber risk driven by growing connectivity of OT assets to the Internet across all 16 U.S. critical-infrastructure sectors. Furthermore, given the complexity of the vaccine supply chain, collaboration and coordination across all involved organizations are crucial to ensuring consistent defense measures and minimizing third-party risk.
Strengthened Cybersecurity Coalitions: Given the critical urgency of the current moment, many executives and board members have become attuned to operational concerns, and are therefore more aware of why having the right cyber defense technology and processes in place is essential for ensuring availability, reliability and safety. As such, there has never been a better time for CISOs and other security leaders to garner cross-functional buy-in for supporting present and future industrial cybersecurity initiatives.