Cyber threats emanating from Russia, China and North Korea aimed at the West can affect biotech companies in very real ways, either directly or as collateral damage.
For the biopharma industry, “the situation is pretty bad, and by ‘bad’ I mean absolutely horrific,” Charles Fracchia, co-founder of BIO-ISAC, an international organization that addresses threats to the bio-economy, told BioSpace. Throughout the pharmaceutical industry, “we already are seeing the same problem that took down the Colonial Pipeline last May.”
The biotech industry should prepare for a cybersecurity event on the scale of the Colonial Pipeline hack, Fracchia suggested. That attack shut down oil transport to the East Coast for five days and was enabled by a single password breach on an unused account on a virtual private network (VPN).
“Typically, your adversary is trying to steal your stuff, but also, potentially, tank your company,” Fracchia pointed out.
“The level of automation in pharmaceuticals makes it a prime environment for attacks. These environments are complex and they haven’t been built to defend against nation-state attacks,” Chris Grove, a security strategist at Nozomi Networks, told BioSpace.
“The battlefield is changing. It’s different today than it was a few weeks ago. At this stage, everyone is an attractive target, and no one is going to get out unscathed,” Grove said. “There’s a lot going on at the nation-state level, and also underneath the surface among different hacker groups and others that are waging open warfare in cyberspace on critical infrastructure in each other’s countries. Some attacks don’t stay within the boundaries very well.”
A May 2021 report from Black Kite, a cyber-risk monitoring company founded by an ethical hacker for the North Atlantic Treaty Organization (NATO), reported that:
Nearly 10% of pharmaceutical manufacturers are highly susceptible to a ransomware attack
More than 12% of pharmaceutical industry vendors are likely to incur a ransomware attack
Almost half of all pharmaceutical companies have more than 1,000 leaked employee credentials exposed on the deep web
Now, companies should expect wiper attacks – destructive malware that, unlike ransomware, wipes out content rather than holding it hostage, Grove said. Wipers can lurk in the background for a long time before detonating, so restore points taken only recently may already contain the implant and can’t undo the damage.
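The point about restore points is a backup-retention question: if the wiper was staged weeks before it fired, every snapshot taken during that dwell time is suspect, and recovery depends on still holding one older than the intrusion. The following added example (not from the article or from any vendor quoted in it) models a grandfather-father-son retention schedule against a constructed timeline, with the snapshot dates, the compromise date and the retention windows all assumed for illustration.

```python
"""Model backup retention against a wiper's dwell time.

A 'keep the last two weeks' policy looks fine on paper but leaves nothing to
restore from once an attacker has been resident longer than that. Comparing it
with a grandfather-father-son (GFS) schedule shows why older, tiered restore
points matter. All dates below are constructed for the example.
"""
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


def gfs_retained(snapshots: Iterable[date], as_of: date,
                 keep_daily: int = 14, keep_weekly: int = 8,
                 keep_monthly: int = 12) -> List[date]:
    """Apply a GFS schedule and return the snapshot dates that survive it.

    - every snapshot from the last keep_daily days
    - Sunday snapshots for the last keep_weekly weeks
    - first-of-month snapshots for roughly the last keep_monthly months
    Setting a tier to 0 disables it.
    """
    kept = set()
    for d in snapshots:
        age = (as_of - d).days
        if age < 0:                      # ignore anything dated in the future
            continue
        if age < keep_daily:
            kept.add(d)
        elif keep_weekly and d.weekday() == 6 and age <= keep_weekly * 7:
            kept.add(d)
        elif keep_monthly and d.day == 1 and age <= keep_monthly * 31:
            kept.add(d)
    return sorted(kept)


def latest_clean_restore_point(retained: Iterable[date],
                               first_compromise: date) -> Optional[date]:
    """Newest retained snapshot taken strictly before the intrusion began.

    Returns None when every surviving restore point post-dates the compromise,
    i.e. when restoring would simply reinstall the implant.
    """
    clean = [d for d in retained if d < first_compromise]
    return max(clean) if clean else None


def daily_snapshots(start: date, end: date) -> List[date]:
    """One snapshot per day, inclusive of both ends (constructed history)."""
    return [start + timedelta(days=i) for i in range((end - start).days + 1)]


# Constructed scenario: daily backups for ~14 months, and forensics later
# establish the wiper was staged about eight weeks before it detonated.
AS_OF = date(2022, 3, 15)
SNAPSHOTS = daily_snapshots(date(2021, 1, 1), AS_OF)
FIRST_COMPROMISE = date(2022, 1, 20)


def compare_policies() -> Dict[str, Optional[date]]:
    """Latest clean restore point under a recent-only policy vs. full GFS."""
    recent_only = gfs_retained(SNAPSHOTS, AS_OF,
                               keep_daily=14, keep_weekly=0, keep_monthly=0)
    gfs = gfs_retained(SNAPSHOTS, AS_OF)
    return {
        "recent_only": latest_clean_restore_point(recent_only, FIRST_COMPROMISE),
        "gfs": latest_clean_restore_point(gfs, FIRST_COMPROMISE),
    }


if __name__ == "__main__":
    for policy, point in compare_policies().items():
        print(f"{policy:12s} -> {'no clean restore point' if point is None else point}")
```

With the two-week policy the answer is "no clean restore point"; the GFS schedule still holds the 1 January monthly snapshot, taken before the implant arrived. The useful exercise is to run a real backup catalogue through a function like this with the dwell times reported in recent incidents and see whether anything survives.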
“In the long term, the amount of attention we’re focusing on (geopolitics) distracts from the daily cybersecurity issues,” he added. Consequently, security patches may not be installed, or firewalls updated, which expands companies’ risks.
“Everyone in industrial computing thought, at some point, that they were air-gapped, so the systems they built were insecure. The industrial controls, for instance, are defenseless. They don’t have login screens, password authentication, virus protection…they have no defenses at all,” Grove said. Digital panels to control manufacturing equipment are in a similar situation. “Some of them are still running Windows 3.1 from the 1990s.”
Since then, interconnectivity has increased the risks. So did the pandemic. The work-from-home mandates during the pandemic occurred so suddenly that IT and lab managers had no time to upgrade security and, in the intervening two years, people were just trying to keep their businesses operating. “A lot of security standards were tossed aside to work our way through COVID-19,” Grove said.
Companies should also put tighter controls on remote access, install two-factor authentication, update their disaster recovery plans and run tabletop recovery exercises. And, ideally, “Manufacturing should be on its own IT island,” Fracchia recommended.
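The Colonial Pipeline intrusion began with a dormant VPN account that had a working password and no second factor, and the recommendations above (tighter remote-access controls, two-factor authentication) are the direct answer to that. The following added example, written for this article and not taken from it or from any of the companies quoted, audits a constructed remote-access account inventory for exactly those two weaknesses; the account names, dates and the 30-day idle threshold are assumptions.

```python
"""Audit a remote-access (VPN) account inventory for the two weaknesses behind
the Colonial Pipeline breach: accounts nobody uses any more that still hold a
live password, and accounts that can log in with a password alone.

The inventory format is constructed for the example; in practice it would be
exported from the VPN concentrator or identity provider.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class VpnAccount:
    username: str
    enabled: bool
    mfa_enrolled: bool
    last_login: Optional[date]   # None means the account has never logged in


def find_dormant_accounts(accounts: Iterable[VpnAccount], as_of: date,
                          max_idle_days: int = 30) -> List[str]:
    """Enabled accounts unused for longer than max_idle_days, or never used."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a.username for a in accounts
        if a.enabled and (a.last_login is None or a.last_login < cutoff)
    )


def find_password_only_accounts(accounts: Iterable[VpnAccount]) -> List[str]:
    """Enabled accounts that can authenticate without a second factor."""
    return sorted(a.username for a in accounts
                  if a.enabled and not a.mfa_enrolled)


def risk_report(accounts: Iterable[VpnAccount], as_of: date,
                max_idle_days: int = 30) -> Dict[str, List[str]]:
    """Group findings so the worst cases (both weaknesses) come first."""
    accounts = list(accounts)
    dormant = find_dormant_accounts(accounts, as_of, max_idle_days)
    password_only = find_password_only_accounts(accounts)
    both = sorted(set(dormant) & set(password_only))
    return {
        "disable_now": both,            # dormant AND no MFA: the Colonial pattern
        "dormant": dormant,             # disable or re-justify
        "password_only": password_only, # enrol in MFA before next login
    }


# Constructed sample inventory (not real accounts).
AUDIT_DATE = date(2022, 3, 15)
SAMPLE_ACCOUNTS = [
    VpnAccount("jdoe",           True,  True,  date(2022, 3, 10)),
    VpnAccount("asmith",         True,  False, date(2022, 3, 12)),
    VpnAccount("contractor-old", True,  False, date(2021, 9, 1)),
    VpnAccount("svc-legacy",     True,  False, None),
    VpnAccount("bjones",         False, False, date(2021, 1, 1)),
]


if __name__ == "__main__":
    for bucket, users in risk_report(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{bucket:14s}: {', '.join(users) or '-'}")
```

Disabled accounts are deliberately excluded from every bucket so the report stays actionable; the "disable_now" list is the one to clear first, since each entry is a password-only credential that nobody would notice being used.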
First and foremost, however, companies need visibility into their bio-IT environments, Grove insisted.
“Half of the issue in dealing with cyber attacks is being able to see what happened or is happening, knowing when the attack happened, being able to set a restore point, being able to service your bio-IT forensics team to access traffic that occurred a month ago, and being able to know when and how the breach occurred,” he said. “[Dealing with cyber-attacks] is very complex. Having the tools in place today is critical to being able to answer those questions tomorrow.”
It’s also important to be cognizant of the data coming from your own facilities or partners in targeted countries. With so many clinical trials, as well as manufacturing operations, based in Russia and Ukraine, data integrity may be compromised even if the facilities appear unharmed.
“That may be a reason to worry, if the conflict and the confusion results in equipment and office access being lost to rogue actors,” Purandar Das, CEO and co-founder at the data security company Sotero, told BioSpace.
Even if pharma companies aren’t directly targeted, their operations can be affected if hackers damage the electrical grid, water supply, transportation or other local infrastructure. That hasn’t happened yet, but cybersecurity analysts urge caution as the Russia/Ukraine war slogs on.
The government and cybersecurity experts take the current cyber threats emanating from the Russia/Ukraine conflict seriously. On March 15th, the Cybersecurity & Infrastructure Security Agency (CISA) and the U.S. Federal Bureau of Investigation (FBI) issued an advisory titled “Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and ‘PrintNightmare’ Vulnerability.” Behind the unwieldy title, the document provides detailed indicators for spotting compromised networks and strategies for mitigating the threat.
Recently released information from Cisco Talos details a variety of malware tools used by Russian hackers. One uses spam emails that steal information while purportedly collecting donations to help Ukrainian refugees or to support the Ukrainian war effort. Another scours the systems it infects for cryptocurrency wallets, whose contents can be used to fund Russian war efforts.
These malware campaigns affect biotech because many of the industry’s employees still work from home and remote-in to corporate networks, which dramatically expands the potential attack vectors aimed at the company.
It’s easy to dismiss cyberthreats because so few seem to have affected the biopharma industry. A recent review by Constella Intelligence, for example, revealed several in the past two years. They are rarely made public, Fracchia explained, because companies fear a loss of trust from regulators and the public.