Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

12/28/2020
02:00 PM
Nick Rossmann
Nick Rossmann
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Defending the COVID-19 Vaccine Supply Chain

We must treat this supply chain like a piece of our nation's critical infrastructure, just like the electrical grid or air traffic control system.

I've sat in front of computer screens for over 15 years in the intelligence community and private sector, facing off against foreign adversaries that I'll never get to look in the eye. But one thing I know to be true of an adversary is that no opportunity is missed — nor is any crisis off-limits.

During the past decade, cyber warfare has taken on many forms, from attempting to influence politics to disrupting critical infrastructure and targeting national defenses — and now, there is plenty of evidence that the historic race toward a cure for the novel coronavirus is being targeted by state-sponsored adversaries.

Related Content:

Potential Nation-State Actor Targets COVID-19 Vaccine Supply Chain

Building an Effective Cybersecurity Incident Response Team

Hypothesis: Cyberattackers are After Your Scientific Research

The COVID-19 vaccine supply chain is already under siege, and the more components of the supply chain that are activated, the more organizations that don't normally think about cybersecurity issues at this scale will find themselves at the epicenter of adversaries' interest. It's critical that we treat this supply chain as a piece of our nation's critical infrastructure, just like the electrical grid or air traffic control system.

You may be thinking, 'Why would a nation-state attempt to disrupt this supply chain? Every country needs a vaccine.'

Well, state-sponsored attacks serve geopolitical objectives — objectives that have evolved from collecting information about weapons, troops, and spies to the aggressive pursuit of economic interests and tech supremacy. These objectives are often carried out through cyber espionage, collecting information to provide host nations with a competitive edge — or, in the case of COVID-19, to help them achieve a first-to-market vaccine advantage.

Why does that matter? Because it would influence the next day of the global economy. Also, it would inadvertently dictate who the global suppliers of the COVID-19 vaccine are, and which nations get access to it — and which do not.

Since the pandemic's onset, pharmaceutical companies, medical manufacturers, and suppliers of ingredients used in COVID-19 vaccine research trials have been subject to cyberattacks — and that's not all. My team at IBM Security X-Force uncovered in October 2020 a global phishing campaign targeting the COVID-19 cold chain, a component of a vaccine supply chain charged with ensuring that vaccines are stored and transported in temperature-controlled environments to guarantee their safe preservation. We also uncovered earlier this summer more than 40 companies worldwide being targeted in a precision operation aimed at compromising a global COVID-19 supply chain in efforts to gain competitive insight on national strategies and resources to support COVID-19 response efforts.

While governments take steps that further underscore the need for mobilization to safeguard the COVID-19 vaccine supply chain, it's essential that organizations and defenders take proactive measures to defend the race for a cure. Just recently, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a report raising awareness on security risks within the COVID-19 supply chain. It's critical that organizations that are part of this supply chain assess their third-party ecosystem and the risks introduced by their partners, and have actionable incident response plans in place to prevent, react to, and recover from a cyber event.

The Chain Is Only as Strong as Its Weakest Link
A vaccine's supply chain doesn't stop with the scientists, pharmaceutical companies, and manufacturers developing it. The chain encompasses suppliers, distributors, and storage facilities; it includes the research centers overseeing clinical trials; and it includes those tasked with building the equipment to administer the vaccine or creating the appropriate packaging and technologies required to store it or transport it. And, of course, the hospitals and medical centers that will administer the medicine are at the end of that supply chain.

Imagine a supply chain management company, one that manages the vaccine's deployment, experiencing a ransomware attack, rendering its logistic systems inoperable. Or a freight transportation company tasked with transporting the vaccine suffering a destructive attack.

These are not outlandish scenarios. These industries have been at the target of both nation-state adversaries and financially motivated cybercriminals in the past — I know this because my team has seen them and responded to them. We've already seen adversaries attempt to compromise organizations supplying the vaccine's cold chain — we mustn't let them succeed.

A Collective Response Is Mission-Critical
In all the years I've been briefing government officials and intelligence agencies about national security threats, both cyber and physical, I've learned there are two vital components to defending diverse targets of international significance. First: preparedness to collectively respond. And second: intelligence sharing.

The same must apply to the COVID-19 vaccine supply chain. A collective response to help this ecosystem of organizations prepare for cyber threats is mission critical.

This is why my team created early on a task force dedicated specifically to tracking down COVID-19 threats against organizations that are keeping the vaccine supply chain moving — a task force charged with finding the threats, before the threats reach their targets. We've been feeding this threat intelligence into the COVID-19 threat-sharing enclave that IBM, at the onset of the pandemic, made accessible to any organization in need of more eyes on cyber threats.

But this undertaking is far larger than a single team's resources. Warding off threats to a vaccine's supply chain and its various disparate parts requires a collective approach to threat intelligence sharing.

Why? Because threat sharing enables a coordinated defense strategy — and in the case of the COVID-19 vaccine supply chain, the collective experience and visibility of threat sharing will reduce risk, making it harder for adversaries to find a way in.

We in cybersecurity say that "it takes a village." Information sharing is that village.

We all have roles to play in the timely and successful delivery of a COVID-19 vaccine, and for the cross-sector threat intelligence community that role is clear: defend one of the most important supply chains of the century.

Nick Rossmann leads the threat intelligence teams that support clients and incident response at IBM. Prior to IBM, he held various roles in the private and public sectors, such as FireEye, where he managed its threat intelligence production, as well as  the US ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-36192
PUBLISHED: 2021-01-18
An issue was discovered in the Source Integration plugin before 2.4.1 for MantisBT. An attacker can gain access to the Summary field of private Issues (either marked as Private, or part of a private Project), if they are attached to an existing Changeset. The information is visible on the view.php p...
CVE-2020-36193
PUBLISHED: 2021-01-18
Tar.php in Archive_Tar through 1.4.11 allows write operations with Directory Traversal due to inadequate checking of symbolic links, a related issue to CVE-2020-28948.
CVE-2020-7343
PUBLISHED: 2021-01-18
Missing Authorization vulnerability in McAfee Agent (MA) for Windows prior to 5.7.1 allows local users to block McAfee product updates by manipulating a directory used by MA for temporary files. The product would continue to function with out-of-date detection files.
CVE-2020-28476
PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
CVE-2020-28473
PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...