by Anastasios Arampatzis
In our previous article we discussed the repercussions of cyber-attacks, affecting the targeted organizations, the health and safety of employees and local communities, as well as the environment. A sector that makes the news headlines for all the right reasons is the pharmaceutical industry.
Pharmaceutical companies are responsible for producing and distributing vaccines to mitigate the coronavirus pandemic, but they are also the target of increased cyber-attacks. These attacks against the coronavirus vaccine cold chain and the potential dangers to human life if the production process is disrupted prove the necessity of building a robust and effective cybersecurity posture. In addition to concerns of health and safety, effective cybersecurity can enable pharmaceuticals to experience maximum uptime and availability.
Cybersecurity is essential in the pharmaceutical industry because any delays to the development and delivery of medicines and treatments could compromise public health. The urgent need to develop vaccines to combat the COVID-19 pandemic underlines the importance for pharma facilities to ensure that manufacturing is uninterrupted.
Cyber-attacks are increasing
The pharmaceutical sector was a lucrative target for adversaries even before the COVID-19, with the biotech and pharmaceutical industries experiencing a 50% increase in cyber-attacks from 2019 to 2020. The production and distribution of coronavirus vaccines spiraled these attacks.
According to the Wall Street Journal, criminals manipulated data stolen from the European Medicines Agency (EMA) related to coronavirus vaccines before publishing it on the dark web. The attack was seen as part of a disinformation campaign to spread mistrust and confusion to the public.
Additionally, malicious actors have already tried to disrupt the coronavirus vaccine cold chain, the mechanism for their necessary sub-zero storage and transport. According to a report from IBM, the international vaccine supply chain has been targeted by a cyber-espionage campaign. The actors impersonated an executive at a legitimate Chinese company involved in the process, and then sent phishing emails to organizations that provided transportation, which contained malicious code and asked for people’s log in credentials.
Pharmaceutical cybersecurity challenges
Adversaries target pharmaceutical companies for various reasons. A recent report by F5 Labs identified the following vectors behind the recent attacks targeting the pharma industry:
- Cyber espionage to steal vaccine data.
- Sabotage the vaccine pipeline.
- Use compromised data for disinformation.
- Hack the vaccine appointment system.
Such attacks can have real life and death consequences, hence pharmaceutical cybersecurity measures must become a higher priority. When designing and implementing cybersecurity controls to protect against cyber threats, the following challenges need to be addressed:
Data privacy and security
Pharmaceuticals need to protect the privacy, integrity and confidentiality of Intellectual Property (IP), proprietary R&D, and personal data involved in vaccines and treatments development. Such data fall under the scope of GDPR and need to afford adequate protection to ensure compliance. During clinical trials and pharmacovigilance procedures, pharmaceuticals are required to store and process a huge amount of critical and sensitive data that play a crucial role in the reliability, effectiveness and safety of drugs and vaccines. Pharma companies are required to take appropriate measures against unauthorized or unlawful processing of personal data and against accidental loss, destruction or damage.
Supply chain cybersecurity
The industry is highly dependent on complex supply chains, both for the production of drugs and vaccines and for their distribution. The use of sensors to track the distribution pipeline creates new risks and vulnerabilities that malicious actors are eager to exploit.
Pharmaceutical companies are transforming their production lines to meet regulatory compliance and enhance productivity by harnessing data from the factory floor. This digital transformation has connected previously siloed, air-gapped, legacy, and sensitive systems to public facing networks. Companies need to protect their increasingly interconnected production systems against cyber threats to avoid any disruptions caused by unauthorized intrusions.
Currently, most pharmaceutical companies realize the considerable impact of a cyber-attack against them
says Vasileios Margaritis, PhD, Senior Lecturer in Public Health Doctoral Programs, Walden University, USA. This attack can result in the loss of valuable intellectual property, such as the development process of an original drug, and the design and methods of in vitro and clinical trials of vaccines and therapeutics. Besides the direct damage from lost data, which can also cause regulatory fines, cyber-attacks can significantly damage their reputation and consumer trust. But when a major pharmaceutical company is under attack and pressure, this can also have a large effect on society; medical, demographic, or other sensitive personal data of previous or current participants in clinical trials can fall into the wrong hands, making these participants vulnerable to a variety of threats,” comments Margaritis.
Another challenge that often goes below the radar is the fact that cyber-attacks against OT systems are not covered by insurance programs.
It is interesting to note that the preventive security controls need to be enforced in pharmaceutical OT systems at a security level equal to that of the IT environment, because OT systems are not included in cybersecurity insurance,
explains Panagiota Lagou, Senior Manager, Cybersecurity Consulting Services at ADACOM. “This means that in case a cybersecurity incident occurs in OT systems there will be no compensating control to mitigate the financial loss as it exists for IT. Therefore, the impact and relative risk level of a data breach or security violation in OT systems is significantly higher than in IT environment,” adds Lagou.
How to effectively secure pharmaceuticals
To address the expanded threat landscape and mitigate the new threats, the US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert encouraging organizations associated with the storage and transport of a vaccine to be on guard to detect and protect against attacks targeting the vaccine delivery chain.
Besides protecting the distribution pipeline, the industry should also safeguard their production lines. The foundation of these security controls is the implementation of OT Security Assessment to capture the current state of potential risks and threats, identify vulnerabilities and assets. Based on the results of the assessment, ADACOM suggests moving gradually to a risk-based implementation of security controls that provide:
- Visibility, so that the organization can identify all OT assets and behaviors in corporate networks.
- Detection of cyber threats, vulnerabilities, risks, and anomalies.
- Analysis and Evaluation of identified risks.
- Prioritization of proposed remediation controls.
- Unification of monitoring and protection against advanced and targeted OT related attacks.
The above objectives can be meet through a combination the most appropriate solutions focusing on:
- Identification, classification and prioritization of OT assets
- Dynamic segmentation of the network and segregation of IT from OT
- Deep analysis and protection of the traffic and the environment for threats and vulnerabilities, specialized to ICS/SCADA protocols
- Enforcement of access security controls for users and devices, both wired and wireless.
- Protection mechanisms such as encryption.
- Use of certificate-based digital identities to streamline the security and integrity of IoT devices and offer superb user experience by eliminating insecure passwords.
Finally, it is crucial to build a work culture to support effective implementation of cybersecurity measures. Pharmaceuticals staff need to be educated on cyber hygiene best practices and imminent cyber threats, while business executives should be fully supportive of the need to address vulnerabilities and ensure that all components are protected from cyber threats.
To learn how ADACOM can support you, contact our experts.