How bad actors could sabotage a COVID vaccine—and how that can be prevented
Dozens of companies have spent the past months working to develop an effective way to stop COVID-19—and thankfully, we’re starting to see some very promising results. With final phases of testing and trials underway, we must turn our concern to the next stage and consider the idea of a vaccine-related cyberattack.
It’s not unlikely that a bad actor could attempt to sabotage the availability of a vaccine by stalling or preventing its development, or even its distribution, through a targeted attack. Many people wonder how that would even happen, but there are actually quite a few ways that the process could be compromised. (My company Claroty works with manufacturing and pharmaceutical companies to keep their operations secure, so the recommendations that follow could have a positive impact on our business.)
Let’s start at the beginning.
While we’re still in the midst of vaccine development, it’s quite plausible that an attack could happen to stall the progress or run a vaccine trial off-course. The race to develop a vaccine has pushed pharma companies to work faster than ever and race through trial phases. The increased pressure here leaves them incredibly vulnerable to a cyberattack meant to put a stop to a vaccine’s development, similar to the Stuxnet malware discovered back in 2010. This software invaded the automated machine processes in Iran’s manufacturing operations in an attempt by the U.S. and Israel to thwart the country’s development of a nuclear weapon.
Another obvious way that a vaccine could be compromised through a cyberattack is at the manufacturing level. Picture this: After going through many months and different phases of trials, one of the pharmaceutical companies finally gets approval from the Food and Drug Administration to produce and distribute a vaccine. Right away, production will kick into gear.
A cyberattack of this style, specifically intended to tamper with the vaccine formula, would home in on the Internet-connected operational technology (OT) and industrial networks that help run manufacturing facilities. In a vaccine manufacturing facility, attackers would enter the IT systems, either through a virtual private network (VPN) connection or a user or vendor utilizing an insecure mode of remote access. From there, ransomware would be able to spread from the IT to the OT network.
Vaccines are highly complex materials, compiled of various proteins and in need of near-perfect chemical balance to maintain the properties that make them effective. With such a fine balance, any small changes to the formula would throw off the efficacy and accuracy of the vaccine. An attack of this style would be reminiscent of the cyberattacks on the Israeli Water Authority from earlier this year, which attempted to alter the chlorine levels of the country’s public water supply.
If a cyberattack were identified in time, the vaccine could be remanufactured, but that would delay its distribution. If the tampering were not caught before distribution, there could be unknown consequences for the health of the recipients.
Now let’s assume all goes right regarding the vaccine’s production. At this point, the vaccines have to be stored somewhere until they get distributed—millions of doses don’t go straight from the factory to the doctor’s office overnight.
Given the delicate nature of the vaccine and its composition, it would likely need to be stored in a temperature-regulated facility to maintain stability and prolong its lifespan. According to the Centers for Disease Control and Prevention, the ideal temperature for refrigerated vaccine storage is between 36 and 46 degrees Fahrenheit.
Should a bad actor be interested in damaging vaccine distribution, they could stage an attack on the temperature control systems in place. By changing the climate of the warehouses or storage units, the potency of the vaccines could be greatly reduced, which would negatively affect the desired immune response.
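The storage scenario above comes down to two signals a monitoring team can watch: the measured temperature leaving the CDC band the article cites (36 to 46 degrees Fahrenheit), and the controller's setpoint being changed to a value outside that band before the physical temperature has had time to follow. The following Python is an added example written for this page, not code from the article or from Claroty; the log format, unit names and readings are constructed, and the field names (`unit`, `temp_f`, `setpoint_f`) are assumptions.

```python
"""Cold-chain excursion and setpoint-tamper monitor (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List

# CDC range for refrigerated vaccine storage, as cited in the article.
MIN_F = 36.0
MAX_F = 46.0


@dataclass
class Reading:
    ts: str
    unit: str
    temp_f: float
    setpoint_f: float


# Constructed telemetry from two storage units (not real data). In CR-1 the
# setpoint is raised to 55 F at 08:10, and the air temperature follows by 08:15.
SAMPLE_LOG = """\
2020-11-01T08:00:00Z unit=CR-1 temp_f=39.8 setpoint_f=40.0
2020-11-01T08:05:00Z unit=CR-1 temp_f=40.1 setpoint_f=40.0
2020-11-01T08:10:00Z unit=CR-1 temp_f=44.9 setpoint_f=55.0
2020-11-01T08:15:00Z unit=CR-1 temp_f=49.3 setpoint_f=55.0
2020-11-01T08:00:00Z unit=CR-2 temp_f=38.2 setpoint_f=38.0
2020-11-01T08:05:00Z unit=CR-2 temp_f=37.9 setpoint_f=38.0
"""


def parse_log(text: str) -> List[Reading]:
    """Parse 'timestamp key=value ...' lines into Reading records."""
    readings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        readings.append(
            Reading(ts, fields["unit"], float(fields["temp_f"]), float(fields["setpoint_f"]))
        )
    return readings


def analyze(readings: List[Reading]) -> Dict[str, List[str]]:
    """Return alert strings per unit, in time order.

    Two alert classes: a setpoint change (a control-plane event, flagged as
    out-of-band when the new value lies outside the CDC range), and an
    excursion of the measured temperature outside that range.
    """
    alerts: Dict[str, List[str]] = {}
    last_setpoint: Dict[str, float] = {}
    for r in sorted(readings, key=lambda x: (x.unit, x.ts)):
        unit_alerts = alerts.setdefault(r.unit, [])
        prev = last_setpoint.get(r.unit)
        if prev is not None and r.setpoint_f != prev:
            # Flag the setpoint change itself: it appears before the product
            # warms up, which is the window in which an operator can still act.
            if MIN_F <= r.setpoint_f <= MAX_F:
                unit_alerts.append(f"{r.ts} SETPOINT_CHANGED {prev}->{r.setpoint_f}")
            else:
                unit_alerts.append(f"{r.ts} SETPOINT_OUT_OF_BAND {prev}->{r.setpoint_f}")
        last_setpoint[r.unit] = r.setpoint_f
        if not (MIN_F <= r.temp_f <= MAX_F):
            unit_alerts.append(f"{r.ts} TEMP_EXCURSION {r.temp_f}")
    return alerts


if __name__ == "__main__":
    for unit, unit_alerts in analyze(parse_log(SAMPLE_LOG)).items():
        print(unit, unit_alerts or "no alerts")
```

The design point is that the setpoint alert fires five minutes before the temperature alert in the constructed data; a monitor that only watches the measured temperature learns of the problem after the doses have already started to warm, whereas a monitor that also watches controller setpoints gives the team a chance to intervene, and gives the incident responder a record of what changed and when.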
Even if the vaccine doses remain fully intact and untampered with throughout the entire production and storage process, there are still plenty of opportunities for vaccination efforts to be compromised. The logistics of shipping and finally distributing a vaccine are prime for a cyberattack, given how often the product would have to change hands getting from the place of origin to the final destination.
This isn’t unlikely; it’s happened before. The 2017 attack on A.P. Møller-Maersk utilized NotPetya malware to completely cripple the shipping and logistics giant, ultimately costing it between $250 and $300 million.
In terms of vaccines, a ransomware attack could affect scheduling software, leading to delays in delivery and affecting the vaccine distribution schedule. Storage rooms could be locked down. Transportation could be rerouted. The connected systems that grant operators visibility into their systems could very well be the downfall of the operations.
Given the global exposure of the vaccine race as well as the monetary investments that have gone into the various companies working to develop them, a cyberattack wouldn’t be surprising.
At this point, you may be wondering what can be done to defend against such an attack. Thankfully, there are quite a few precautions that vaccine manufacturers and distributors can take.
Two things will be key to proactively preventing attacks, or responding to them quickly: full visibility into every system in use, so that operators notice immediately when anything out of the ordinary is happening, and continuous monitoring of the networks that connect those systems.
Apart from internal solutions, vaccine manufacturers should work in collaboration with external or third-party vendors to ensure that all manufacturers are enforcing the same cybersecurity standards.
Vaccine manufacturers should also consult the extensive list of specific recommendations in the alert issued by the National Security Agency (NSA) and Cybersecurity and Infrastructure Security Agency (CISA) on July 23, 2020, which indicates that Internet-accessible OT assets are becoming more prevalent across all 16 U.S. critical infrastructure sectors. The scenarios described cover multiple sectors—chemical, transportation, health care, and public health, and possibly more. The NSA and CISA’s recommendations include having a resilience plan for OT, a well-exercised response plan before an incident occurs, and reducing external exposure to OT networks as much as possible.
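The entry path sketched earlier in the article (an attacker reaching IT systems over a VPN or an insecure remote-access channel, then moving from the IT network into the OT network) and the NSA/CISA recommendation to reduce external exposure of OT networks both reduce to checks that can be run over network flow records. The following Python is an added example for this page, not code from the article, from Claroty, or from the NSA/CISA alert; the subnet layout, the single permitted jump host, the log format and the flow records are all constructed assumptions.

```python
"""Flag IT-to-OT crossings and Internet-exposed OT traffic in flow logs (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed network layout for this example (not from the article).
IT_NET = ipaddress.ip_network("10.10.0.0/16")     # corporate workstations and servers
OT_NET = ipaddress.ip_network("10.20.0.0/16")     # plant floor: PLCs, HMIs, historians
VPN_POOL = ipaddress.ip_network("10.30.0.0/24")   # addresses handed to remote-access users
INTERNAL_NETS = (IT_NET, OT_NET, VPN_POOL)
# The only IT host permitted to open connections into OT: a hardened jump host.
ALLOWED_OT_SOURCES = {ipaddress.ip_address("10.10.5.10")}

# Constructed flow records (not real traffic). 198.51.100.0/24 is a
# documentation range, used here to stand in for an Internet address.
SAMPLE_FLOWS = """\
2020-11-01T09:00:01Z src=10.10.5.10 dst=10.20.1.15 dport=502 proto=tcp
2020-11-01T09:00:07Z src=10.10.42.7 dst=10.20.1.15 dport=445 proto=tcp
2020-11-01T09:00:12Z src=10.30.0.23 dst=10.20.2.8 dport=44818 proto=tcp
2020-11-01T09:00:20Z src=198.51.100.77 dst=10.20.3.4 dport=102 proto=tcp
2020-11-01T09:00:25Z src=10.10.8.9 dst=10.10.9.1 dport=443 proto=tcp
"""


def parse_flows(text: str) -> List[Dict[str, object]]:
    """Parse 'timestamp key=value ...' lines; src/dst become ip_address objects."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields: Dict[str, object] = dict(pair.split("=", 1) for pair in pairs)
        fields["ts"] = ts
        fields["src"] = ipaddress.ip_address(str(fields["src"]))
        fields["dst"] = ipaddress.ip_address(str(fields["dst"]))
        flows.append(fields)
    return flows


def is_internal(addr) -> bool:
    """An address is internal only if it sits in one of our known networks;
    everything else (including unfamiliar RFC 1918 space) is treated as external."""
    return any(addr in net for net in INTERNAL_NETS)


def classify(flow: Dict[str, object]) -> Optional[str]:
    """Return a violation label for one flow, or None if it is expected traffic."""
    src, dst = flow["src"], flow["dst"]
    if dst in OT_NET:
        if not is_internal(src):
            return "INTERNET_TO_OT"          # an Internet-reachable OT asset
        if src in VPN_POOL:
            return "VPN_USER_TO_OT"          # remote-access user bypassing the jump host
        if src in IT_NET and src not in ALLOWED_OT_SOURCES:
            return "IT_TO_OT_UNAUTHORIZED"   # IT host crossing into OT directly
    if src in OT_NET and not is_internal(dst):
        return "OT_TO_INTERNET"              # OT device talking outbound to the Internet
    return None


def find_violations(text: str) -> List[Tuple[str, str]]:
    """Run classify() over a flow log and return (timestamp, label) pairs."""
    violations = []
    for flow in parse_flows(text):
        label = classify(flow)
        if label is not None:
            violations.append((str(flow["ts"]), label))
    return violations


if __name__ == "__main__":
    for ts, label in find_violations(SAMPLE_FLOWS):
        print(ts, label)
```

The jump-host connection on port 502 passes because it is the one crossing the policy permits; the workstation reaching an OT host on port 445, the VPN user reaching OT directly, and the external address reaching an OT host are each reported. Treating only explicitly enumerated networks as internal, rather than relying on a generic private-address test, is deliberate: an OT asset should have no reason to exchange traffic with any address the operators cannot name.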
Lastly, there is no better time than now for cybersecurity leaders in these affected industries to build coalitions with fellow executives and board members for the vital work cybersecurity teams are performing to protect the company’s operations. Many board members have been very hands-on and involved at an operational level. They have seen how being prepared and having the right technologies and processes in place are essential for adapting to change and creating a more resilient business, so chief information security officers and other security leaders should be in a strong position to garner their support.
As security teams reassess what risk looks like now and develop plans for how to focus on resilience, strong buy-in at the top is essential.
Guilad Regev is senior vice president of global customer success at Claroty.