Dark Reading is part of the Informa Tech Division of Informa PLC

12/28/2020
02:00 PM
Nick Rossmann
Commentary

Defending the COVID-19 Vaccine Supply Chain

We must treat this supply chain like a piece of our nation's critical infrastructure, just like the electrical grid or air traffic control system.

I've sat in front of computer screens for over 15 years in the intelligence community and private sector, facing off against foreign adversaries that I'll never get to look in the eye. But one thing I know to be true of an adversary is that no opportunity is missed — nor is any crisis off-limits.

During the past decade, cyber warfare has taken on many forms, from attempting to influence politics to disrupting critical infrastructure and targeting national defenses — and now, there is plenty of evidence that the historic race toward a cure for the novel coronavirus is being targeted by state-sponsored adversaries.

The COVID-19 vaccine supply chain is already under siege, and the more components of the supply chain that are activated, the more organizations that don't normally think about cybersecurity issues at this scale will find themselves at the epicenter of adversaries' interest. It's critical that we treat this supply chain as a piece of our nation's critical infrastructure, just like the electrical grid or air traffic control system.

You may be thinking, 'Why would a nation-state attempt to disrupt this supply chain? Every country needs a vaccine.'

Well, state-sponsored attacks serve geopolitical objectives — objectives that have evolved from collecting information about weapons, troops, and spies to the aggressive pursuit of economic interests and tech supremacy. These objectives are often carried out through cyber espionage, collecting information to provide host nations with a competitive edge — or, in the case of COVID-19, to help them achieve a first-to-market vaccine advantage.

Why does that matter? Because it would influence the next day of the global economy. Also, it would inadvertently dictate who the global suppliers of the COVID-19 vaccine are, and which nations get access to it — and which do not.

Since the pandemic's onset, pharmaceutical companies, medical manufacturers, and suppliers of ingredients used in COVID-19 vaccine research trials have been subject to cyberattacks — and that's not all. My team at IBM Security X-Force uncovered in October 2020 a global phishing campaign targeting the COVID-19 cold chain, a component of a vaccine supply chain charged with ensuring that vaccines are stored and transported in temperature-controlled environments to guarantee their safe preservation. We also uncovered earlier this summer more than 40 companies worldwide being targeted in a precision operation aimed at compromising a global COVID-19 supply chain in efforts to gain competitive insight on national strategies and resources to support COVID-19 response efforts.

While governments take steps that further underscore the need for mobilization to safeguard the COVID-19 vaccine supply chain, it's essential that organizations and defenders take proactive measures to defend the race for a cure. Just recently, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a report raising awareness on security risks within the COVID-19 supply chain. It's critical that organizations that are part of this supply chain assess their third-party ecosystem and the risks introduced by their partners, and have actionable incident response plans in place to prevent, react to, and recover from a cyber event.

The Chain Is Only as Strong as Its Weakest Link

A vaccine's supply chain doesn't stop with the scientists, pharmaceutical companies, and manufacturers developing it. The chain encompasses suppliers, distributors, and storage facilities; it includes the research centers overseeing clinical trials; and it includes those tasked with building the equipment to administer the vaccine or creating the appropriate packaging and technologies required to store it or transport it. And, of course, the hospitals and medical centers that will administer the medicine are at the end of that supply chain.

Imagine a supply chain management company, one that manages the vaccine's deployment, experiencing a ransomware attack, rendering its logistic systems inoperable. Or a freight transportation company tasked with transporting the vaccine suffering a destructive attack.

These are not outlandish scenarios. These industries have been the target of both nation-state adversaries and financially motivated cybercriminals in the past — I know this because my team has seen them and responded to them. We've already seen adversaries attempt to compromise organizations supplying the vaccine's cold chain — we mustn't let them succeed.

A Collective Response Is Mission-Critical

In all the years I've been briefing government officials and intelligence agencies about national security threats, both cyber and physical, I've learned there are two vital components to defending diverse targets of international significance. First: preparedness to collectively respond. And second: intelligence sharing.

The same must apply to the COVID-19 vaccine supply chain. A collective response to help this ecosystem of organizations prepare for cyber threats is mission critical.

This is why my team created early on a task force dedicated specifically to tracking down COVID-19 threats against organizations that are keeping the vaccine supply chain moving — a task force charged with finding the threats, before the threats reach their targets. We've been feeding this threat intelligence into the COVID-19 threat-sharing enclave that IBM, at the onset of the pandemic, made accessible to any organization in need of more eyes on cyber threats.

But this undertaking is far larger than a single team's resources. Warding off threats to a vaccine's supply chain and its various disparate parts requires a collective approach to threat intelligence sharing.

Why? Because threat sharing enables a coordinated defense strategy — and in the case of the COVID-19 vaccine supply chain, the collective experience and visibility of threat sharing will reduce risk, making it harder for adversaries to find a way in.

We in cybersecurity say that "it takes a village." Information sharing is that village.

We all have roles to play in the timely and successful delivery of a COVID-19 vaccine, and for the cross-sector threat intelligence community that role is clear: defend one of the most important supply chains of the century.

Nick Rossmann leads the threat intelligence teams that support clients and incident response at IBM. Prior to IBM, he held various roles in the private and public sectors, such as FireEye, where he managed its threat intelligence production, as well as the US ...
 
