Pharmaceutical companies need to secure their information technology (IT) and operational technology (OT) environments. The latest uptick of cyber-attacks against the coronavirus vaccine cold chain proves the criticality of establishing a robust cybersecurity regime, especially considering the potential dangers to human life that could occur if elements of the manufacturing process are tampered with. In addition to safety concerns, OT cybersecurity also helps by enabling systems to experience maximum uptime and availability.
In the pharmaceutical industry, cybersecurity is of vital importance as any delay to the development and delivery of life-saving medicines and treatments could compromise public health. The urgent need to develop vaccines and treatments to combat the COVID-19 pandemic only underlines the importance for pharma facilities to ensure that manufacturing is uninterrupted.
Cyber-attacks are rising
The pharmaceutical sector was a lucrative target for criminals even before COVID-19. The biotech and pharmaceutical industries experienced a staggering 50% increase in cyber-attacks from 2019 to 2020.
According to the Wall Street Journal, criminals manipulated data related to coronavirus vaccines that had been stolen from the European Medicines Agency (EMA) before publishing it on the dark web. The attack was seen as part of a disinformation campaign to spread mistrust and confusion among the public. Additionally, malicious actors have already tried to disrupt the coronavirus vaccine cold chain, the necessary sub-zero storage and transport mechanism.
The numerous steps involved in the distribution process and the urgency around that process have also presented a big target for bad actors. According to a report from IBM, the international vaccine supply chain has been targeted by a cyber-espionage campaign. The actors impersonated an executive at a legitimate Chinese company involved in the process. They then sent phishing emails, which contained malicious code and asked for people’s login credentials, to organizations that provided transportation.
Pharmaceutical cybersecurity challenges
Adversaries target pharmaceutical companies for industrial espionage motives. They may look for valuable and sensitive data like formulas and compounds. Attackers can also seek to disrupt manufacturing processes based on industrial control systems such as SCADA or PLC to compromise a drug going to market. Such an attack can have real life-and-death consequences; hence pharmaceutical cybersecurity measures must become a higher priority.
When designing and implementing cybersecurity controls to protect against cyber threats, the following challenges need to be addressed:
- Data Integrity and Security: Malicious actors are targeting the pharmaceutical industry seeking to breach or compromise Intellectual Property (IP) and proprietary R&D. In addition to financial and reputational implications, compromised data can be used to manipulate and disrupt operational processes, placing consumers at risk.
- Supply chain cybersecurity: The industry is highly dependent on complex supply chains – both the production of drugs and vaccines and their distribution. The use of sensors to track the distribution pipeline creates new risks and vulnerabilities that malicious actors are eager to exploit.
- Architectural cybersecurity: Pharmaceutical companies are transforming their production lines to meet regulatory compliance and enhance productivity by harnessing data from the factory floor. This digital transformation has connected previously air-gapped systems to online networks. Companies need to ensure that their increasingly interconnected production systems remain secure from cyber threats.
- Operational continuity: As pharmaceutical companies make their operations streamlined and interconnected, there is a need to connect legacy, sensitive manufacturing systems to the supply chain. To safeguard these regulated systems, OT cybersecurity measures must be introduced to support archaic equipment, old operating systems, and obsolete protocols. These controls must be planned carefully to avoid any disruptions while monitoring for and detecting unauthorized intrusions.
Threats to pharmaceutical industries
F5 Labs recently published a list of potential cyber threats to the pharma industry. This list is intended to inform security teams on the various attack vectors and their potential impact on the confidentiality, integrity, availability and reliability of the pharma manufacturing processes and data.
The list includes the following vectors:
- Cyber espionage to steal vaccine data: The goal is to gain unauthorized access to vaccine information. A vaccine that is capable of working successfully is worth a great deal of money as a piece of intellectual property. Beyond the pharmaceutical formula itself, data on testing and drug trials can be valuable to an organization working to develop its own drug.
- Sabotage the vaccine pipeline: Highly motivated threat actors will seek to slow down the vaccine distribution pipeline by either targeting the sensors controlling the temperature of the storage areas or by deploying stealthy ransomware to deny access to data and computing resources.
- Use compromised data for disinformation: The aim is to break the trust people put in the vaccines. This is done by manipulating stolen vaccine data, breaching its confidentiality and integrity. Attackers can then use the rogue data to sway people’s opinions and promote the anti-vax movement.
- Hack the vaccine appointment system: Although not as lucrative as the previous vectors, criminals may seek to disrupt the vaccination process by either disabling the systems handling the appointments or by making unauthorized modifications on the waiting list.
How to cyber secure the pharma industry
The complex supply chain behind making and delivering drugs and vaccines is creating a plethora of opportunities for bad actors. Both criminals motivated by financial incentives and nation-states looking to cause economic and civil disruption are the initiators of such attacks.
To address the expanded threat landscape and mitigate the new threats, the Biden administration directed the Office of the Director of National Intelligence to assess “ongoing cyber threats and foreign interference campaigns targeting COVID-19 vaccines and related public health efforts.” At the same time, the Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert encouraging organizations associated with the storage and transport of a vaccine to be on guard to detect and protect against attacks targeting the vaccine delivery chain.
The above countermeasures primarily target the distribution pipeline. The industry should also safeguard its production lines. An industry best practice is that before any new technology solutions are introduced to a legacy environment, a comprehensive, high-level HAZOP assessment of the facility should be conducted. This process will capture the current state of potential risks and threats, and identify vulnerabilities and assets.
For legacy systems, where there is potential for greater vulnerability to attacks, preserving data integrity can also prove to be especially challenging. Implementation of the ISA/IEC-62443 requirements supports data integrity and compliance with these regulations. For example, the security target level 4 requirements for authentication and identification mandate the implementation of multifactor authentication for all users.
Finally, and crucially, there must be a change within the work culture to support the effective implementation of cybersecurity measures. The staff that work in legacy environments need to be educated so that they do not work with outdated operating systems, while facility owners must be fully supportive of the need to address vulnerabilities and ensure that legacy systems are protected from cyber-threats.
How ORIGNIX helps
Boards need to continuously assess their effectiveness in addressing cybersecurity, both in terms of their own fiduciary responsibility as well as their oversight of management’s activities. Our cyber Process Risk Analysis (cyberPRA) and cyber Operations Resilience Management (cyberORM) services work together and can be scaled to meet the custom needs of critical infrastructure clients.
ORIGNIX delivers bespoke cybersecurity engineering services for inherently safer design and operation of industrial processes. We utilize systematic cyber and operational risk assessment using well-established techniques and templates. Our cyberPRA methodology identifies potential gaps, hazards, vulnerabilities, and independent protection layers associated with engineered industrial processes at plant facilities. Our cyber Hazard and Operability (cyberHAZOP) study is a component within cyberPRA that helps clients systematically identify and qualify the risks on their cyber-physical systems’ (CPS) availability and reliability. Our cyberORM system framework can help you fast-track and achieve the desired functional and strategic risk tolerance level of your CPS. Our methods are based on recognized and generally accepted good engineering practices (RAGAGEP), including internationally recognized industry standards ISO 27001/2, ISA/IEC 62443, ISA/IEC 61511, and NIST 800-82.
Authors' note: This blog was co-authored by Saif Shariff and Anastasios Arampatzis.