COVID-19 vaccine supply chain has cyberthreats hidden in plain sight

Before a COVID-19 vaccine reaches a patient’s arm, it passes through a supply chain: a network of interested parties working with the pharmaceutical companies. The one thing every partner has in common is exposure to cyber threats.

To cause disruption, attackers do not rely solely on access to intellectual property within pharmaceutical development. From research to manufacturing to the cold chain, on which Moderna’s and Pfizer’s vaccines depend, there is an “intense series of intelligence problems” for the pharmaceutical sector, according to Duncan Greatwood, CEO of Xage.

Operational technology (OT) sits in the middle of the supply chain, and its security implications are poorly understood, leaving vulnerabilities hidden in plain sight. Outdated systems throughout vaccine distribution logistics expose it to unprecedented cyber threats.

“These were problems before the arrival of COVID-19. And now, suddenly, we are almost completely dependent on OT, IoT, and transportation services – all of these industries that we know are poorly protected,” said Egon Rinderer, VP of technology and Federal CTO of Tanium. Yet the industry expects them to be “absolutely perfect and pristine,” and that is not “real, right?”

Last week, the EU drug regulator, the European Medicines Agency (EMA), disclosed a cyberattack in which malicious actors accessed Pfizer and BioNTech’s COVID-19 data, according to BioNTech. The attack came to light a week after IBM Security X-Force published research on a phishing campaign targeting organizations involved in the cold chain.

If OT is connected to the corporate network when a phishing campaign lands, the malware can reach the part of the network they share.

Distribution is underway

How the pharmaceutical industry participates in its own supply chain will also shape the security risks.

According to Cybersecurity Dive’s sister publication Supply Chain Dive, the federal government has hired McKesson to lead vaccine distribution under Operation Warp Speed. Pfizer has chosen a “flexible” model that allows vaccine vials to go directly from its factories to recipients.

Supply chains take years to establish, but COVID-19 is accelerating the process. This means the industry “didn’t really get a chance to fix the system from an operational standpoint,” said Daniel Hartnett, Kroll’s assistant general manager, Maintenance and Compliance Risk, during the webinar. That can create risk later in the pipeline, as new players come under pressure.

The government and Pfizer are coordinating the destinations of the first shipments, but some variation is expected among the initial recipients, which include hospitals, ambulances, and pharmacies.

The COVID-19 vaccine delivery model also faces a complex geopolitical landscape, known as vaccine nationalism. It’s “a real problem,” Hartnett said. Countries mobilize to help their own citizens first or to sponsor a local vaccine as a “national champion.”

There are also “me first” agreements between vaccine manufacturers and national governments that could route supply to some regions before it reaches others. President Donald Trump signed an executive order last week ensuring that “the American people come first” when receiving vaccines made with taxpayer money. It’s unclear whether the Trump administration can guarantee access for Americans, but the order could contribute to bottlenecks in global distribution.

For countries that cannot afford to develop their own medicine, “it is worth more money than you could get,” Rinderer said. There is not a single area of the COVID-19 vaccine supply chain that cybercriminals are not motivated to pursue.

The threats and their motivations differ:

• Espionage: nation-state actors often want vaccine formulas, either to steal them or to discredit the drug through misinformation. Espionage is frequently hidden inside phishing attempts.

• Criminals: organized crime networks go after cash and intellectual property through malware, ransomware, or breaches.

• Hacktivism: individuals who hack for a social cause. In this case, a hacktivist may disagree with a pharmaceutical company’s actions or pricing.

• Insiders: people who accidentally or maliciously expose valuable personal information.

“Vulnerabilities are not just about the state of your systems and their security. But it’s also the attacker’s motivation,” said Rinderer. The attacks above show that North Korean nation-state actors tend to use ransomware, while Russian nation-state actors prefer disruption. Chinese nation-state actors go after intellectual property.

North Korea targeted Johnson & Johnson, Novavax, and AstraZeneca earlier this month, the Wall Street Journal reported. Forensic analyses of the attacks show that the campaigns resembled those used against the U.S. State Department.

Understanding the M.O. of nation-state threats is part of the defense, and that is well known in the pharmaceutical industry. “If you have defenses that are strong and tested, you don’t have to learn [from] others’ failures,” Marene Allison, VP of Information Security & Risk Management and CISO of J&J, told Cybersecurity Dive in October. In March 2010, when nation-state actors in China targeted U.S. healthcare organizations, “we learned that we need to work together because it’s about healthcare for human beings, and saving lives.”

OT hurdles

According to a Claroty study, the pharmaceutical industry is the sector most vulnerable to cyberattacks this year. Companies responded by reassessing their priorities and the interdependence of their technology environments. According to the survey, three-quarters of IT/OT security professionals expect their IT and OT environments to converge as a result of the pandemic.

When employees were sent home in March, companies accelerated their digital transformation efforts at the cost of a growing attack surface. Most computers on a production network do not have passwords and are instead protected by a firewall. If a partner needs access, they have to be let through, creating a hole in that shield, Greatwood said. If the user unknowingly connects from a malware-infected device, there is no additional protection beyond the user’s right to be there.

The Purdue model, the framework for segmenting industrial control systems, requires “measurement of isolation by parts of the operation,” Greatwood said. The challenge in OT-dependent industries, including pharmaceuticals, is that attackers can still study and work through the layers of defense in depth.

That doesn’t mean the Purdue model is ineffective; it has few inefficiencies, Greatwood said. “Because once you’re up and running, at that point you have a free fall. You can literally reprogram any controller you want.”
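The zone isolation the Purdue model calls for can be checked mechanically against observed traffic, which is what the following added example does; it is not code from the article or from any vendor quoted in it. The asset inventory, level assignments and flow records are constructed, and the adjacency rule (traffic may cross only between neighbouring levels, with the industrial DMZ at level 3.5 between site operations and the enterprise) is an assumption about how a site's policy is written.

```python
"""Check observed network flows against a Purdue-model zone policy.
Added example, not from the article or any vendor quoted in it. The inventory,
level assignments and flows are constructed; the assumed policy is that traffic
may only cross between adjacent levels, so enterprise levels (4/5) reach the
plant only via the industrial DMZ (3.5)."""
from dataclasses import dataclass

# Constructed inventory: host -> Purdue level (0 = field devices, 1 = PLCs,
# 2 = HMI/SCADA, 3 = site operations, 3.5 = industrial DMZ, 4/5 = enterprise)
INVENTORY = {
    "plc-fill-01": 1,
    "hmi-line-a": 2,
    "historian": 3,
    "jump-dmz": 3.5,
    "erp-app": 4,
    "laptop-contractor": 5,
}
LEVELS = [0, 1, 2, 3, 3.5, 4, 5]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int

def allowed(src_level, dst_level):
    """Only neighbouring zones may talk: 3 <-> 3.5 <-> 4 is the sole path across the DMZ."""
    return abs(LEVELS.index(src_level) - LEVELS.index(dst_level)) <= 1

def check_flows(flows, inventory=INVENTORY):
    """Return (flow, reason) pairs for flows that violate the zone policy."""
    violations = []
    for f in flows:
        if f.src not in inventory or f.dst not in inventory:
            violations.append((f, "unknown asset"))  # unlisted host: always flag
            continue
        s, d = inventory[f.src], inventory[f.dst]
        if not allowed(s, d):
            violations.append((f, f"level {s} -> level {d} skips a zone boundary"))
    return violations

# Constructed sample flows (the third and fifth should be flagged)
SAMPLE_FLOWS = [
    Flow("hmi-line-a", "plc-fill-01", 502),         # L2 -> L1 Modbus: adjacent, ok
    Flow("erp-app", "jump-dmz", 443),               # L4 -> DMZ: ok
    Flow("laptop-contractor", "plc-fill-01", 502),  # L5 -> L1 directly: violation
    Flow("jump-dmz", "historian", 1433),            # DMZ -> L3: ok
    Flow("unknown-box", "hmi-line-a", 3389),        # unlisted asset: flagged
]
```

Calling `check_flows(SAMPLE_FLOWS)` returns the contractor laptop reaching the PLC directly and the unlisted host as the two violations; a flow export from a firewall or NetFlow collector can be fed in the same way once hosts are mapped to levels.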

The pandemic was not the catalyst for the convergence of information technology and operational technology in the pharmaceutical industry, but it is accelerating the process. For years, companies have been calculating the impact a cyber incident would have on their mission. Those established limits were tested this year by a flooded healthcare system and massive remote work. “[Pharmacies] will also have different levels of maturity in their factories,” Mann said. The “normal” security baseline changed this year and “we had to set new standards again.”

Meanwhile, companies struggle to define which partners should be granted access.

“The ability to understand threats and investigate privacy and supply chain resilience are all things someone learns in a career in the security industry. And at this point, they are all in place forever,” Allison says.

At the same time, as companies address OT threats in the supply chain, the healthcare industry hopes to share information in real time. COVID-19 vaccines were developed in collaboration with partners so that information from the first operations of a vaccine can flow through the partner ecosystem. And the owner of that data must not lose control of it, Greatwood said.

Go phish

The pharmaceutical supply chain includes research and development, regulators, manufacturing, distribution, storage, and vaccination centers. Depending on how many vaccines are approved, more companies will have to navigate the supply chain, and partners’ security information can be quite opaque.

“I hope everyone understands their responsibility from a security point of view,” said Mann.

IBM’s research has shown that intellectual property in the factory is not always the direct target.

“The fastest, easiest way to disrupt something because we’re so dependent on technology is to disrupt technology,” Stacy Scott, Managing Director of Cyber Risk at Kroll, said in a webinar last week. Supply chain intellectual property comes in the form of:

• Vaccine formulations

• Data on who will receive the shipment first, so that a competitor can ship to other regions first

• Supplier prices

According to Cybersecurity Dive’s sister publication Transport Dive, trucking is particularly vulnerable within the supply chain. Shipping company margins will not bear the cost of replacing automated weighing equipment or older industrial control systems.

The transportation industry ranked first in security education programs, although it accounts for only 4% of respondents, according to this year’s Global Phishing Benchmark Report by Terranova Security and Microsoft. Healthcare and education ranked lowest, with 14% having the ‘ideal mix’ of training, including phishing awareness education modules and simulations.

Despite the transportation industry’s relatively high ranking for phishing training, “Ransomware infections are generally a bit more complex to test because phishing emails are the delivery mechanism,” said Theo Zafirakos, CISO of Terranova Security. “The infection is based on other factors which are often beyond the user’s control,” such as antivirus, patching, access control, and recovery.

The transportation industry saw a click-through rate of 24.7%, and users submitted their credentials 17.5% of the time, both above average.

High click-through rates are not the only indicator of security vulnerability, because “one click is enough to introduce ransomware into the enterprise,” Zafirakos said.

The benchmark is a simulation designed to analyze human behavior. When a user opened a phishing email and “faced the password request page and had to make a decision, a significant number of them submitted their credentials,” said Zafirakos. Frontline industries, where remote working was not an issue, may account for the industries with lower click-through rates.

While access to the corporate computer network is more tightly regulated, access is often not strictly controlled in drug production and development facilities.

“The analogy would be to go online and read everyone’s emails, act like any machine and get all the data,” Greatwood said.

Isolation techniques and access control in OT need to be updated, which depends on whether vendors are issuing updates at all. “Tradition is uniqueness and an absolute block for suppliers,” said Rinderer. This extends beyond OT environments.

As in IT, zero trust is touted as the primary successor to authorized access for mitigating supply chain risk in OT. However, the environment is entrenched, and zero trust seems like another distant goal. “It’s a pipe dream,” said Rinderer. “The evidence indicates that there is no way this is happening anytime soon.”