COVID-19 vaccine supply chain has cyberthreats hidden in plain sight

Before a COVID-19 vaccine reaches the arm of a patient it makes its way through multiple supply chains, a network of stakeholders working with pharmaceutical companies. The one thing all partners have in common is cyberthreats. 

To cause disruption, malicious actors don’t solely rely on access to intellectual property inside pharmaceuticals development. From research to manufacturing to the cold chain — upon which vaccines from Moderna and Pfizer rely — there’s an “intense set of intellectual problems” for pharmas, said Duncan Greatwood, CEO of Xage. 

Operational technology (OT) is caught in the middle of the supply chain, and security’s influence on it is misunderstood, leaving vulnerabilities hidden in plain sight. Outdated systems throughout vaccine distribution logistics carry unprecedented cyberthreats. 

“These were problems before COVID[-19] hit. And now all of a sudden, we are almost wholly reliant on OT, IoT and transportation services — all these industries that we know are poorly protected,” said Egon Rinderer, global VP of Technology and Federal CTO of Tanium. But industry expects them to be “absolutely perfect and pristine,” it’s “not realistic, right?” 

Last week the EU’s drug regulator, the European Medicines Agency (EMA), disclosed a cyberattack in which malicious actors accessed COVID-19 vaccine data from Pfizer and BioNTech, according to BioNTech. The attack was disclosed about a week after IBM Security X-Force released research on a phishing campaign targeting organizations involved in the cold chain. 

If OT is connected to the network when a phishing campaign strikes, the malware can gain access to third parties sharing a network. 

“What people are starting to look at more and more is what has to be segmented off of a primary network,” said Liz Mann, EY Americas Health and Life Sciences Cybersecurity leader. The healthcare industry has regulations guiding legacy manufacturing environment operations, but the systems stay outdated because of delays in manufacturer approvals. 

“If something’s working it doesn’t always get upgraded just because it can be,” said Mann. 

Threats remain unaddressed because OT visibility and control are not administered by a single tool. For example, security cameras or weight sensors on trucks can remain unpatched. 

“There’s sort of this unwritten agreement that we will kind of collectively pretend that none of our OT is connected to enterprise networks,” said Rinderer. But OT, including IoT and industrial control systems (ICS), is connected to the internet, especially devices built in the last decade. 

It’s unmanageable and unrealistic to assume otherwise, Rinderer said.  

Distribution is underway

How pharma engages with its supply chain will also impact security risks. 

The federal government tapped McKesson to lead vaccine distribution in Operation Warp Speed, according to Cybersecurity Dive’s sister publication Supply Chain Dive. Pfizer opted for a “flexible” model allowing for vaccine vials to go directly from its plants to the recipient.  

Supply chains take years to establish, but COVID-19 is expediting the process. That means “you haven’t really had the chance to actually work through any kinks in the system from an operational perspective,” said Daniel Hartnett, associate managing director of Compliance Risk and Diligence at Kroll, during the webinar. It can introduce risks later down the pipeline as new players are added under pressure. 

The government and Pfizer are coordinating where the first shipments will go, though they expect some variations among the expected initial recipients, which include hospitals, outpatient clinics and pharmacies. 

One challenge of the COVID-19 vaccine distribution model is a complex geopolitical landscape, also called vaccine nationalism. It’s “a real issue,” said Hartnett. Countries are throwing their weight around to help their citizens first or sponsoring a homegrown vaccine as their “national champion.”

There are also “me first” agreements between vaccine producers and national governments that could bind the supply chains to certain regions before reaching others. President Donald Trump signed an executive order last week that ensures “the American people are first in line” to receive vaccinations produced with taxpayer funding. Whether the Trump administration can guarantee access for Americans is unknown, but it could contribute to bottlenecks in global distribution. 

For countries without the means to develop their own drug, “this is worth more money than you could ever attach to it,” said Rinderer. There isn’t one area of the COVID-19 vaccination supply chains cybercriminals aren’t motivated to pursue. 

There are several threats and motivations: 

  • Espionage: Often nation-state actors want vaccine formulas to steal or discredit the drug through disinformation. Espionage threats are usually hidden in phishing attempts. 
  • Criminals: Organized crime rings seeking monetary gain and IP through malware, ransomware or breaches. 
  • Hacktivism: Individuals hacking for a social cause. In this case, a hacktivist might disagree with a pharma’s actions or pricing. 
  • Insiders: Accidental or malicious, individuals could leak valuable IP. 

“Vulnerability is not just the state of your systems and how well secured they are. But it’s also the motivation on the part of the attacker,” said Rinderer. Past attacks show North Korean nation-state actors tend to use ransomware whereas Russian nation-state actors favor disruption. Chinese nation-state actors go after IP.

North Korea targeted Johnson & Johnson, Novavax and AstraZeneca earlier this month, reported The Wall Street Journal. Forensics of the attacks indicate they were similar to campaigns used to target the U.S. State Department. 

Understanding the M.O. of nation-state threats is one piece of the defense. This is known in the pharma industry. 

“If you have defenses that are strong and tested, you don’t have to learn [from] others’ failures,” Marene Allison, VP of Information Security & Risk Management and CISO of J&J, told Cybersecurity Dive in October. In March 2010, when nation-state actors in China targeted U.S. healthcare organizations, “we learned that we need to work together because it’s about healthcare for human beings, and saving lives.” 

OT hurdles

This year the pharma industry became the most vulnerable sector to cyberattacks, according to research by Claroty. Companies reacted by reevaluating their concerns and the interconnectedness of technology environments. Three-quarters of IT/OT security professionals expect their IT and OT environments to converge as a result of the pandemic, according to the survey. 

When employees were sent home in March, companies accelerated their digital transformation efforts, at the expense of a widening attack surface. Most machines in a production network lack passwords and instead are protected by a firewall. If a partner needs access, they need to come into the facility, which creates a hole in that protection, said Greatwood. If the user unknowingly connects a malware-infected device, there are no additional safeguards to question a user’s right to be there. 

The Purdue Model, the framework for segmenting industrial control systems, calls for “a measure of isolation for the pieces of the operation,” said Greatwood. But the challenge in industries reliant on OT, including pharma, is that attackers can chip away at the layers of defense in depth.

That doesn’t mean the Purdue Model is ineffective; there are just some inefficiencies, said Greatwood. “Because once you get inside the operation, you kind of have a freefall at that point. You can literally go and reprogram any controller that you like.”
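The isolation the Purdue Model asks for only holds if someone checks that traffic actually respects the level boundaries, which is exactly the “collectively pretend none of our OT is connected” gap Rinderer describes. The following is an added example, not code from Cybersecurity Dive or any vendor quoted in the article: a small audit that maps addresses to an assumed Purdue zone plan (one constructed /16 per level, with a level 3.5 industrial DMZ) and flags flows in constructed firewall-style log lines that skip levels, bypass the DMZ, reach the internet from OT, or involve an asset nobody put in the zone plan (an unpatched camera or weight sensor would show up this way). The zone plan, the flow-log format and the policy rules are all assumptions for illustration.

```python
import ipaddress

# Assumed zone plan (constructed for this example, not any real site's addressing):
# one /16 per Purdue level, plus an industrial DMZ (level 3.5) between site
# operations and the enterprise network.
ZONES = {
    "L1_control":     ("10.1.0.0/16", 1.0),   # PLCs, controllers
    "L2_supervisory": ("10.2.0.0/16", 2.0),   # HMI / SCADA servers
    "L3_site_ops":    ("10.3.0.0/16", 3.0),   # historians, MES
    "L3.5_idmz":      ("10.35.0.0/16", 3.5),  # jump hosts, patch relays
    "L4_enterprise":  ("10.4.0.0/16", 4.0),   # corporate IT
}
ZONE_NETS = {name: (ipaddress.ip_network(cidr), lvl)
             for name, (cidr, lvl) in ZONES.items()}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_LEVEL = 5.0


def classify(ip):
    """Map an address to (zone name, Purdue level); level None means unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, (net, lvl) in ZONE_NETS.items():
        if addr in net:
            return name, lvl
    if any(addr in net for net in RFC1918):
        return "unmapped_private", None   # a private-range asset missing from the plan
    return "internet", INTERNET_LEVEL


def check_flow(src, dst):
    """Return a finding label for a src->dst flow, or None if it respects the policy."""
    s_name, s_lvl = classify(src)
    d_name, d_lvl = classify(dst)
    if s_lvl is None or d_lvl is None:
        return "unmapped-asset"          # inventory gap before anything else
    lo, hi = sorted((s_lvl, d_lvl))
    if "internet" in (s_name, d_name) and lo <= 3:
        return "ot-internet"             # OT talking straight to the internet
    if hi >= 4 and lo <= 3:
        return "bypasses-idmz"           # enterprise <-> OT without the DMZ in between
    if hi - lo > 1:
        return "level-skip"              # e.g. site ops straight to a controller
    return None


def parse_flow(line):
    """Parse a constructed 'key=value' flow record; only src, dst and dport are used."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], fields.get("dport", "?")


def audit(lines):
    """Run every flow line through the policy and return (line_no, label, src, dst, dport)."""
    findings = []
    for n, line in enumerate(lines, 1):
        src, dst, dport = parse_flow(line)
        label = check_flow(src, dst)
        if label:
            findings.append((n, label, src, dst, dport))
    return findings


# Constructed sample flow log; 203.0.113.50 is a documentation address standing in
# for an arbitrary internet host, 192.168.50.4 for a device left out of the zone plan.
SAMPLE_FLOWS = [
    "src=10.2.0.20 dst=10.1.0.7 dport=502 proto=tcp",       # HMI -> PLC: allowed
    "src=10.4.0.12 dst=10.1.0.7 dport=502 proto=tcp",       # corporate host -> PLC
    "src=10.3.0.5 dst=10.35.0.9 dport=443 proto=tcp",       # site ops -> IDMZ: allowed
    "src=10.35.0.9 dst=10.4.0.30 dport=443 proto=tcp",      # IDMZ -> enterprise: allowed
    "src=10.1.0.7 dst=203.0.113.50 dport=443 proto=tcp",    # PLC -> internet
    "src=192.168.50.4 dst=10.1.0.7 dport=80 proto=tcp",     # unplanned device -> PLC
    "src=10.3.0.5 dst=10.1.0.7 dport=102 proto=tcp",        # site ops -> PLC, skipping L2
]

if __name__ == "__main__":
    for n, label, src, dst, dport in audit(SAMPLE_FLOWS):
        print(f"line {n}: {label:14} {src} -> {dst}:{dport}")
```

The rules are ordered so that an inventory gap is reported before any policy verdict: a flow you cannot place in the zone plan cannot be judged against it, and that missing entry is usually the more urgent finding.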

The pandemic wasn’t the catalyst for combining IT and OT in pharma, but it’s expediting the process. For years companies have calculated potential impact or risk to their mission following a cyber incident. Those designated boundaries were tested this year with a flooded healthcare system and mass remote work. “Even [pharmas] will have varying degrees of maturity in their plants,” said Mann. The “normal” baseline for security changed this year and “you had to start setting new normals again.”

In the interim, companies are struggling to outline what partners can access. 

“The ability to understand threats, and the ability to look at data protection, and supply chain resiliency are all things that someone learns over the course of a career in security. And they’re all put to bear for good at this point in time,” said Allison. 

At the same time companies are wrestling with OT threats in the supply chain, the healthcare industry expects real-time information sharing. The COVID-19 vaccines have been co-developed with partners, so the information originating in a vaccine’s initial operations trickles through the partner ecosystem. And the originator of the data can’t lose control of it, said Greatwood. 

Go phish  

The pharma supply chain consists of research and development, regulators, manufacturing, distribution, storage and vaccination points. The more vaccines are approved, the more supply chains companies will navigate, and insight into partner security can be rather opaque. 

“You hope that everybody understands their responsibility from a security perspective,” said Mann. 

IBM’s research proved the IP on the floor of the plant isn’t always the direct target. 

“The quickest and easiest way to disrupt something, because we rely so much on technology, is to disrupt the technology,” said Stacy Scott, managing director of Cyber Risk at Kroll, during a webinar last week. Supply chain IP comes in the form of: 

  • Vaccine formulations
  • Data regarding who receives shipping first, so a competitor can ship to other regions first
  • Vendor rates

The transportation and trucking piece of the supply chain is particularly vulnerable, according to Cybersecurity Dive’s sister publication Transport Dive. The margins of transport companies will not support the cost of replacing automated weights or legacy industrial control systems. 

The transport industry ranked first in having security training programs in place, though it only accounted for 4% of those surveyed, according to this year’s Phishing Benchmark Global Report, produced by Terranova Security and Microsoft. Healthcare and education were ranked the lowest, with 14% having that “ideal combination” of training, including awareness educational modules and phishing simulations. 

Despite the transport industry’s relatively high ranking for phishing training, “ransomware infections tend to be a little more complex to test as a phishing email is the delivery mechanism,” said Theo Zafirakos, CISO at Terranova Security. “Infection relies on other factors that are often beyond the clicker’s control,” including antivirus, patching, access control and recovery. 

The healthcare industry’s rate of opening a malicious email fell below the average of 19.8%. The transport industry had a 24.7% click rate, and its users submitted their credentials 17.5% of the time, also above the average. 

[Chart: Samantha Ann Schwartz/Cybersecurity Dive, data from Terranova Security and Microsoft]

High user click rates aren’t always an indicator of security failure because “one clicker is enough to bring the ransomware into the organization,” said Zafirakos. 

The benchmark is a simulation to analyze human behaviors. When a user opened a phishing email and was “faced with the password request page and had a decision to make, a significant number submitted their credentials,” said Zafirakos. Frontline industries, where remote work did not play a role, may account for some of the lower click rates. 

While corporate IT network access is more regimented, it’s often not closely regulated on manufacturing floors and drug development operations. 

“The analogy would be, get on the network and you can read anybody’s email, you can act as any machine, and you can call any piece of data,” said Greatwood. 

Isolation techniques and access control within OT need updating, and those updates depend on vendors issuing them. “The tradition is absolute uniqueness and absolute lock into vendors,” said Rinderer. It’s what keeps OT environments outdated. 

As in IT, zero trust is floated as the prime successor for authorized access to mitigate supply chain risks in OT. However, the environment is rooted in legacy systems, and zero trust feels like another distant goal. “It’s a pipe dream,” said Rinderer. “The evidence says no way that’s happening anytime soon.”