Before a COVID-19 vaccine reaches the arm of a patient it makes its way through multiple supply chains, a network of stakeholders working with pharmaceutical companies. The one thing all partners have in common is cyberthreats.
To cause disruption, malicious actors don't rely solely on access to intellectual property inside pharmaceutical development. From research to manufacturing to the cold chain — upon which vaccines from Moderna and Pfizer rely — there's an "intense set of intellectual problems" for pharmas, said Duncan Greatwood, CEO of Xage.
Operational technology sits in the middle of the supply chain, and the role security plays there is misunderstood, leaving vulnerabilities hidden in plain sight. Outdated systems throughout vaccine distribution logistics carry unprecedented cyberthreats.
"These were problems before [COVID-19] hit. And now all of a sudden, we are almost wholly reliant on OT, IoT and transportation services — all these industries that we know are poorly protected," said Egon Rinderer, global vice president of technology and federal chief technology officer of Tanium. But industry expects them to be "absolutely perfect and pristine," which is "not realistic, right?"
Last week the EU's drug regulator, the European Medicines Agency (EMA), disclosed a cyberattack in which malicious actors accessed COVID-19 vaccine data from Pfizer and BioNTech, according to BioNTech. The attack was disclosed about a week after IBM Security X-Force released research on a phishing campaign targeting organizations involved in the cold chain.
If OT is connected to the enterprise network when a phishing campaign strikes, malware that lands on that network can reach third parties sharing it.
"What people are starting to look at more and more is what has to be segmented off of a primary network," said Liz Mann, EY Americas Health and Life Sciences Cybersecurity leader. The healthcare industry has regulations guiding legacy manufacturing environment operations, but the systems stay outdated because of delays in manufacturer approvals.
"If something's working it doesn't always get upgraded just because it can be," said Mann.
Threats remain unaddressed because OT visibility and control are not administered by a single tool. For example, security cameras or weight sensors on trucks can remain unpatched.
"There's sort of this unwritten agreement that we will kind of collectively pretend that none of our OT is connected to enterprise networks," said Rinderer. But OT, including IoT and industrial control systems (ICS), is connected to the internet, especially devices built in the last decade.
It's unmanageable and unrealistic to assume otherwise, Rinderer said.
How pharma engages with its supply chain will also impact security risks.
The federal government tapped McKesson to lead vaccine distribution, but Pfizer opted for a "flexible" model allowing for vaccine vials to go directly from its plants to the recipient.
Supply chains take years to establish, but COVID-19 is expediting the process. That means "you haven't really had the chance to actually work through any kinks in the system from an operational perspective," said Daniel Hartnett, associate managing director of Compliance Risk and Diligence at Kroll, during a webinar last week. That can introduce risks further down the pipeline as new players are added under pressure.
OT hurdles
This year the pharma industry became the most vulnerable sector to cyberattacks, according to research by Claroty. Companies reacted by reevaluating their concerns and the interconnectedness of technology environments. Three-quarters of IT/OT security professionals expect their IT and OT environments to converge as a result of the pandemic, according to the survey.
When employees were sent home in March, companies accelerated their digital transformation efforts, at the expense of a widening attack surface. Most machines in a production network lack passwords and instead are protected by a firewall. If a partner needs access, they need to come into the facility, which creates a hole in that protection, said Greatwood. If the user unknowingly connects a malware-infected device, there are no additional safeguards to question a user's right to be there.
The Purdue Model, the framework for segmenting industrial control systems, calls for "a measure of isolation for the pieces of the operation," said Greatwood. But the challenge in industries reliant on OT, including pharma, is that attackers can chip away at the layers of defense in depth.
It doesn't mean the Purdue Model is ineffective; there are just some inefficiencies, said Greatwood. "Because once you get inside the operation, you kind of have a freefall at that point. You can literally go and reprogram any controller that you like."
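The two weaknesses Greatwood describes (crossings that skip the isolation layer, and unrestricted reach into the controllers once inside) can be caught mechanically by auditing a firewall rule set against the zone levels. The following is an added example, not code from the article or from any vendor quoted in it. The zone map, the rule format and the sample rules are constructed for illustration; it assumes a flat IPv4 plant network with a level 3.5 DMZ and treats any allow rule that links a level 3-or-below zone directly with level 4 or 5, or that permits every port into an OT zone from a higher level, as a finding.

```python
"""Audit firewall rules against Purdue-model zone boundaries (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed zone map for a hypothetical plant; levels follow the Purdue Model.
ZONES = {
    "level0_field":       ("10.10.0.0/24",  0),    # sensors and actuators
    "level1_control":     ("10.10.1.0/24",  1),    # PLCs / controllers
    "level2_supervisory": ("10.10.2.0/24",  2),    # HMIs, SCADA servers
    "level3_operations":  ("10.10.3.0/24",  3),    # historian, MES
    "level35_dmz":        ("10.10.35.0/24", 3.5),  # jump hosts, replicated historian
    "level4_enterprise":  ("10.20.0.0/16",  4),    # corporate IT
    "level5_internet":    ("0.0.0.0/0",     5),    # everything else
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    port: str     # destination port, or "any"
    action: str   # "allow" or "deny"


def zone_level(cidr: str) -> float:
    """Purdue level of the most specific zone that fully contains `cidr`."""
    net = ip_network(cidr)
    matches = [(ip_network(z).prefixlen, level)
               for z, level in ZONES.values() if net.subnet_of(ip_network(z))]
    if not matches:
        raise ValueError(f"{cidr} is not contained in a single zone")
    # Longest prefix wins, so 0.0.0.0/0 only applies to truly external ranges.
    return max(matches)[1]


def audit_rules(rules):
    """Return (rule name, finding) pairs for allow rules that weaken the model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_level(r.src), zone_level(r.dst)
        # Finding 1: OT (level <= 3) and enterprise/internet (level >= 4) talk
        # directly, skipping the level 3.5 DMZ that should terminate every crossing.
        if (s <= 3 and d >= 4) or (s >= 4 and d <= 3):
            findings.append((r.name, "direct_crossing"))
        # Finding 2: a higher level reaches into OT on every port, which is the
        # "reprogram any controller" exposure once someone is past the boundary.
        if r.port == "any" and d <= 3 and s > d:
            findings.append((r.name, "broad_allow_into_ot"))
    return findings


# Constructed sample rule set: two clean rules, two weak ones, one deny.
SAMPLE_RULES = [
    Rule("R1", "10.20.0.0/16",   "10.10.35.0/24", "443",  "allow"),  # enterprise -> DMZ
    Rule("R2", "10.10.35.10/32", "10.10.3.0/24",  "1433", "allow"),  # DMZ -> historian
    Rule("R3", "10.20.5.0/24",   "10.10.2.0/24",  "3389", "allow"),  # enterprise -> HMI
    Rule("R4", "10.10.35.20/32", "10.10.1.0/24",  "any",  "allow"),  # jump host -> PLCs
    Rule("R5", "0.0.0.0/0",      "10.10.1.0/24",  "502",  "deny"),   # internet -> PLCs
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against the sample set, the audit flags R3 (an enterprise subnet reaching the HMI zone without passing through the DMZ) and R4 (a jump host allowed every port into the controller zone), and leaves R1, R2 and the deny rule alone. In a real deployment the rule list would be exported from the firewall and the zone map taken from the site's network documentation; the finding codes are a starting point for the segmentation review Mann describes, not a complete policy.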
The pandemic wasn't the catalyst for combining IT and OT in pharma, but it's expediting the process. For years companies have calculated potential impact or risk to their mission following a cyber incident. Those designated boundaries were tested this year with a flooded healthcare system and mass remote work. "Even [pharmas] will have varying degrees of maturity in their plants," said Mann. The "normal" baseline for security changed this year and "you had to start setting new normals again."
In the interim, companies are struggling to outline what partners can access.
"The ability to understand threats, and the ability to look at data protection, and supply chain resiliency are all things that someone learns over the course of a career in security. And they're all put to bear for good at this point in time," Marene Allison, VP of Information Security & Risk Management and CISO of Johnson & Johnson, told Cybersecurity Dive in October.
At the same time companies are wrestling with OT threats in the supply chain, the healthcare industry expects real-time information sharing. The COVID-19 vaccines have been co-developed with partners, so the information originating in a vaccine's initial operations trickles through the partner ecosystem. And the originator of the data can't lose control of it, said Greatwood.
"If you have defenses that are strong and tested, you don't have to learn [from] others' failures," said Allison. In March 2010, when nation-state actors in China targeted U.S. healthcare organizations, "we learned that we need to work together because it's about healthcare for human beings, and saving lives."
Go phish
IBM's research showed the IP on the floor of the plant isn't always the direct target.
"The quickest and easiest way to disrupt something, because we rely so much on technology, is to disrupt the technology," said Stacy Scott, managing director of Cyber Risk at Kroll, during the webinar. Supply chain IP comes in the form of:
- Vaccine formulations.
- Data regarding who receives shipping first, so a competitor can ship to other regions first.
- Vendor rates.
The transportation and trucking piece of the supply chain is particularly vulnerable, according to Transport Dive. The margins of transport companies will not support the cost of replacing automated weights or legacy industrial control systems.
The transport industry ranked first in having security training programs in place, though it only accounted for 4% of those surveyed, according to this year's Phishing Benchmark Global Report, produced by Terranova Security and Microsoft. Healthcare and education were ranked the lowest, with 14% having that "ideal combination" of training, including awareness educational modules and phishing simulations.
Despite the transport industry's relatively high ranking for phishing training, "ransomware infections tend to be a little more complex to test as a phishing email is the delivery mechanism," said Theo Zafirakos, CISO at Terranova Security. "Infection relies on other factors that are often beyond the clicker’s control," including antivirus, patching, access control and recovery.
The healthcare industry's click rate on the simulated malicious email was below the 19.8% average. The transport industry's click rate was 24.7%, and its users submitted their credentials 17.5% of the time, both above the average.
High user click rates aren't always an indicator of security failure because "one clicker is enough to bring the ransomware into the organization," said Zafirakos.
While corporate IT network access is more regimented, it's often not closely regulated on manufacturing floors and drug development operations.
"The analogy would be, get on the network and you can read anybody's email, you can act as any machine, and you can call any piece of data," said Greatwood.
Isolation techniques and access control within OT need updating, but both depend on vendors issuing updates. "The tradition is absolute uniqueness and absolute lock into vendors," said Rinderer. It's what keeps OT environments outdated.