Dark Reading is part of the Informa Tech Division of Informa PLC


12/28/2020
02:00 PM
Nick Rossmann
Commentary

Defending the COVID-19 Vaccine Supply Chain

We must treat this supply chain like a piece of our nation's critical infrastructure, just like the electrical grid or air traffic control system.

I've sat in front of computer screens for over 15 years in the intelligence community and private sector, facing off against foreign adversaries that I'll never get to look in the eye. But one thing I know to be true of an adversary is that no opportunity is missed — nor is any crisis off-limits.

During the past decade, cyber warfare has taken on many forms, from attempting to influence politics to disrupting critical infrastructure and targeting national defenses — and now, there is plenty of evidence that the historic race toward a cure for the novel coronavirus is being targeted by state-sponsored adversaries.

The COVID-19 vaccine supply chain is already under siege, and the more components of the supply chain that are activated, the more organizations that don't normally think about cybersecurity issues at this scale will find themselves at the epicenter of adversaries' interest. It's critical that we treat this supply chain as a piece of our nation's critical infrastructure, just like the electrical grid or air traffic control system.

You may be thinking, 'Why would a nation-state attempt to disrupt this supply chain? Every country needs a vaccine.'

Well, state-sponsored attacks serve geopolitical objectives — objectives that have evolved from collecting information about weapons, troops, and spies to the aggressive pursuit of economic interests and tech supremacy. These objectives are often carried out through cyber espionage, collecting information to provide host nations with a competitive edge — or, in the case of COVID-19, to help them achieve a first-to-market vaccine advantage.

Why does that matter? Because it would influence the next day of the global economy. Also, it would inadvertently dictate who the global suppliers of the COVID-19 vaccine are, and which nations get access to it — and which do not.

Since the pandemic's onset, pharmaceutical companies, medical manufacturers, and suppliers of ingredients used in COVID-19 vaccine research trials have been subject to cyberattacks — and that's not all. My team at IBM Security X-Force uncovered in October 2020 a global phishing campaign targeting the COVID-19 cold chain, a component of a vaccine supply chain charged with ensuring that vaccines are stored and transported in temperature-controlled environments to guarantee their safe preservation. We also uncovered earlier this summer more than 40 companies worldwide being targeted in a precision operation aimed at compromising a global COVID-19 supply chain in efforts to gain competitive insight on national strategies and resources to support COVID-19 response efforts.

While governments take steps that further underscore the need for mobilization to safeguard the COVID-19 vaccine supply chain, it's essential that organizations and defenders take proactive measures to defend the race for a cure. Just recently, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a report raising awareness on security risks within the COVID-19 supply chain. It's critical that organizations that are part of this supply chain assess their third-party ecosystem and the risks introduced by their partners, and have actionable incident response plans in place to prevent, react to, and recover from a cyber event.

The Chain Is Only as Strong as Its Weakest Link

A vaccine's supply chain doesn't stop with the scientists, pharmaceutical companies, and manufacturers developing it. The chain encompasses suppliers, distributors, and storage facilities; it includes the research centers overseeing clinical trials; and it includes those tasked with building the equipment to administer the vaccine or creating the appropriate packaging and technologies required to store it or transport it. And, of course, the hospitals and medical centers that will administer the medicine are at the end of that supply chain.

Imagine a supply chain management company, one that manages the vaccine's deployment, experiencing a ransomware attack, rendering its logistic systems inoperable. Or a freight transportation company tasked with transporting the vaccine suffering a destructive attack.

These are not outlandish scenarios. These industries have been the target of both nation-state adversaries and financially motivated cybercriminals in the past — I know this because my team has seen them and responded to them. We've already seen adversaries attempt to compromise organizations supplying the vaccine's cold chain — we mustn't let them succeed.

A Collective Response Is Mission-Critical

In all the years I've been briefing government officials and intelligence agencies about national security threats, both cyber and physical, I've learned there are two vital components to defending diverse targets of international significance. First: preparedness to collectively respond. And second: intelligence sharing.

The same must apply to the COVID-19 vaccine supply chain. A collective response to help this ecosystem of organizations prepare for cyber threats is mission critical.

This is why my team created early on a task force dedicated specifically to tracking down COVID-19 threats against organizations that are keeping the vaccine supply chain moving — a task force charged with finding the threats, before the threats reach their targets. We've been feeding this threat intelligence into the COVID-19 threat-sharing enclave that IBM, at the onset of the pandemic, made accessible to any organization in need of more eyes on cyber threats.

But this undertaking is far larger than a single team's resources. Warding off threats to a vaccine's supply chain and its various disparate parts requires a collective approach to threat intelligence sharing.

Why? Because threat sharing enables a coordinated defense strategy — and in the case of the COVID-19 vaccine supply chain, the collective experience and visibility of threat sharing will reduce risk, making it harder for adversaries to find a way in.

We in cybersecurity say that "it takes a village." Information sharing is that village.

We all have roles to play in the timely and successful delivery of a COVID-19 vaccine, and for the cross-sector threat intelligence community that role is clear: defend one of the most important supply chains of the century.

Nick Rossmann leads the threat intelligence teams that support clients and incident response at IBM. Prior to IBM, he held various roles in the private and public sectors, such as FireEye, where he managed its threat intelligence production, as well as the US ...
 
