Cyber-physical attacks against pharma supply chains are growing because attackers have figured out how to penetrate endpoint gaps between operations technology (OT) and IT systems. What makes these attacks so lethal is how they compromise the physical security of targets and immediately put the health of employees and patients at risk. Universal Healthcare Services says a malware attack in September 2020 has cost the chain $67 million and forced its hospitals to turn away ambulances and critical care patients.
The recent study Playing with Lives: Cyberattacks on Healthcare are attacks on People by the CyberPeace Institute provides insights into why and how cyber-physical attacks happen in pharma manufacturing, supply chains, and health care. One of the more severe recent attacks was on Dr. Reddy’s Laboratories, a leading vaccine developer in India. A ransomware attack forced the developer to temporarily shut down operations at its key plants in the United States, U.K., Brazil, India, and Russia due to suspected data leakage shortly after approval of the COVID-19 vaccine trial. Not having the COVID-19 vaccine available for millions of Indians has an incalculable cost in lives.
Logistics, freight forwarding, and warehouse partners are invaluable links in pharma supply chains. Unprotected partner systems with direct access to pharma manufacturing systems and data are the most dangerous endpoints in pharma supply chains today. The NotPetya attack in 2017, which hit Merck through an infected app in a branch office in Ukraine, cost the pharma giant $410 million and delayed the development of new vaccines. These endpoints are the weakest link in pharma supply chains, a weakness exacerbated by the U.S.’s dependence on imports for a wide range of pharmaceutical products and active pharmaceutical ingredients (API).
The U.S. remains critically dependent on foreign suppliers for APIs and other key ingredients for generic drugs, which represent 90% of all prescriptions filled domestically. In addition, 87% of all API production facilities are located offshore, further increasing the number of unprotected endpoints and the risk of a supply chain-wide breach.
Ransomware aims for the supply chain
Bad actors, including state-sponsored cybercriminal organizations like the one in North Korea, are targeting pharma supply chains to steal and divert intellectual property, such as COVID-19 vaccine shipment and intellectual property data from Pfizer. Three key factors motivate bad actors to prioritize attacks on pharma supply chains. First, drugs in short supply, including cardiovascular medicines, command the highest prices when stolen and resold on the Dark Web. Second, it is commonplace to divert drugs from one market to another in a third-world country and secretly sell them to distributors at high price premiums. Finally, counterfeiting drugs and using cyber-physical attacks to distribute and sell them illegally through pharma supply chains has escalated quickly. According to the World Health Organization (WHO), $83B worth of counterfeit drugs is sold annually, and one in ten medical products sold in developing nations is counterfeit.
Ransomware is the preferred attack strategy bad actors and state-sponsored cybercriminal organizations use to gain access. Their preferred tactics include email phishing to capture privileged access credentials, identifying endpoint gaps, and attacking Remote Desktop Protocol (RDP) ports. Nearly 10% of pharmaceutical manufacturers are highly susceptible to a ransomware attack. More than 12% of pharmaceutical industry vendors are likely to incur a ransomware attack, according to the 2021 Ransomware Risk Pulse: Pharmaceutical Manufacturing by Black Kite.
The report also found that pharmaceutical companies’ annual cyberattack risk averages $31.1 million. Medium-sized pharmaceutical companies have the highest susceptibility to ransomware given the lack of budget many have for endpoint protection and cybersecurity. In addition, credential management and patch management are creating the greatest levels of cyber risk today in pharmaceutical companies, according to Black Kite’s latest Ransomware Risk Pulse report.
How to protect pharma supply chains
Instead of piling on more endpoint agents or one more detection suite, pharma manufacturers need to prioritize closing the gaps between operations and IT systems now using the core concepts of zero-trust security. Unfortunately, operational technology systems tend to get ignored and have a lower priority for cybersecurity budgeting. That’s why operations systems often have the greatest number of unprotected endpoints. That needs to change if pharma supply chains are going to be more secure.
The following are seven ways pharma supply chains can be better protected in 2022:
1. Unify operations, IT, and cybersecurity tech stacks with zero-trust security frameworks.
Pharma manufacturers excel at cybersecurity tech stacks within their organizations because the business case for buying them can also be tied to compliance. But achieving exceptional compliance doesn’t guarantee exceptional cybersecurity. The operations technology tech stack needs to be a higher priority for cybersecurity investment.
Building a zero-trust security framework, tailored to unique business needs, that encompasses OT, IT, and cybersecurity tech stacks must be prioritized in 2022. The goal is to close the gaps between tech stacks down to the endpoint with least-privileged access and identity and access management (IAM), using microsegmentation to further protect supply chain access. The cornerstone of a successful zero-trust security framework is getting IAM right from the first planning sessions.
Leading vendors experienced with zero trust frameworks include Absolute Software, following its acquisition of NetMotion, as well as Akamai, Fortinet, Ericom, Ivanti, and Palo Alto Networks. Ericom’s ZTEdge platform is designed to scale for mid-tier pharmaceutical manufacturers who need to get up and running with an integrated zero-trust network architecture (ZTNA) platform that includes IAM, microsegmentation, and secure web gateway (SWG) with remote browser isolation (RBI). Ivanti Neurons for Zero Trust Access has a proven track record helping pharmaceutical manufacturers mature as they grow their zero-trust frameworks, scale their cloud services, and improve business agility, all while delivering secure user experiences according to recent discussions with their customers.
2. Strengthen zero-trust frameworks with supply-chain-wide traceability.
Bad actors capitalize on the lack of visibility and control across pharma supply chains and rely on it for counterfeiting to succeed. Shutting down that revenue source for bad actors and cybercriminals starts with real-time traceability across pharma supply chains that includes serialization to the lot level.
President Biden’s recent Executive Order 14017 requires pharma supply chains to track production by facility, track API sourcing, and identify API and finished dosage form sources on labeling for all pharmaceuticals sold in the United States. Achieving traceability is table stakes for gaining end-to-end visibility of pharma supply chains and enforcing zero trust.
3. Continually rank suppliers by security readiness and cyber-risk.
How much cyber risk does a given supplier create? Unfortunately, the majority of pharma manufacturers can’t answer that question today. Yet, arguably that’s a most important question, and it needs to be asked continually.
By relying on the zero-trust framework to define least-privileged access to the endpoint level for hardware, software, communication, and storage systems on-premises and in the cloud, pharma manufacturers can help close the large gaps between OT and IT systems in the supply chain. The following image shows a framework from the Healthcare and Public Health Sector Coordinating Council (HSCC), a coalition of private-sector, critical healthcare infrastructure entities organized under Presidential Policy Directive 21 and the National Infrastructure Protection Plan.
Differentiating suppliers by risk level includes continuously evaluating the consistency of their security practices and approaches, having greater visibility and control over contracts and their specific compliance requirements, and having an automated approach to identifying any potential anomalies or factors outside cybersecurity compliance guidelines.
4. Launch a unified endpoint management (UEM) standard for global pharma suppliers.
What makes pharma supply chains particularly challenging to protect is how globally distributed they are. In addition, the U.S. relies upon foreign suppliers for the majority of its active pharmaceutical ingredients, further increasing the potential for a breach. Therefore, pharma manufacturers need to take the first step and define a UEM standard for their suppliers, down to the device level.
Immediate benefits of doing this include enabling device management regardless of the connection, streamlining continuous OS updates across multiple mobile platforms, and having an architecture capable of supporting a wide range of devices and operating systems. Pharma manufacturers and their suppliers will also benefit from automating internet-based patching, policy, and configuration management.
Leading vendors in this area include Absolute Software’s Resilience, which claims to be the industry’s first self-healing zero trust platform; it’s noteworthy for its device and application control, asset management and endpoint intelligence, incident reporting, and compliance, according to G2 Crowd’s crowdsourced ratings. Additional vendors rated highly by G2 Crowd include CrowdStrike Falcon, Ivanti Neurons for UEM, VMware Workspace ONE, and several others.
5. Improve endpoint security analytics by providing asset management and real-time cyber risk assessment.
Not having a business case for endpoint security makes it a challenge for mid-tier pharma manufacturers to gain funding. Rampant ransomware attacks this year underscore that investing in cybersecurity is a business decision first. More than 90% of corporate executives recently admitted that they can’t read a cybersecurity report and are unprepared to handle a major cybersecurity attack, according to a Center for Strategic and International Studies survey that polled 1,530 non-executive directors and C-level executives from the U.S., the U.K., Germany, Japan, and Nordic countries. In addition, 98% of the most vulnerable have little confidence in their company’s ability to monitor devices/users on their systems, and the burden falls on the IT department, according to research compiled in Foley & Lardner LLP’s Guidebook: Cybersecurity in the Pharma, Biotech, and Medical Device Industries.
Often it’s left to the InfoSec technical leaders to interpret and translate advanced cybersecurity reports for senior management. Thus senior management and board members desperately need to become more conversant in cybersecurity risk assessment analysis techniques. It needs to have the same urgency as learning how to define a business case.
Leading vendors providing real-time endpoint security data to the asset level include Akamai, Absolute’s Resilience Platform, CrowdStrike Falcon, FireEye Endpoint Security, Ivanti Neurons for Patch Intelligence, SentinelOne’s Singularity platform, and several others.
6. Implement multifactor authentication (MFA) for every endpoint in a pharma supply chain.
Pharma manufacturers need to define MFA as table stakes for any supplier to do business with them in 2022. MFA is based on two or more factors that can authenticate who you are based on something you know (passwords, PINs, code words), something you have (a smartphone, token devices that produce PINs or pre-defined PINs), or something you are (biometrics, facial recognition, fingerprints, iris, and face scans). For example, Google’s Chrome browser enables anyone using it to configure MFA access control and run security checks to see how many times they have used the same password on accounts accessed via the browser.
7. Have all pharma suppliers adopt unified endpoint security (UES) for self-healing endpoints.
It’s encouraging to hear how chief information security officers (CISOs) at pharma manufacturers require suppliers to adopt their UES standards. That is core to implementing a zero-trust security framework because it provides the endpoint analytics and tools needed to create more resilient, self-healing endpoints.
Identifying which endpoints can self-heal is essential if pharma supply chains are going to become more secure. Ideally, there needs to be a permanent, undeletable digital tether that originates in an endpoint device’s firmware and enables the device, its operating system, endpoint agents, and applications to self-heal. Leaders in this area include Absolute Software’s Resilience Platform, Ivanti Neurons, and Microsoft Defender 365, which relies on behavior-based detections.
Exposed endpoints in pharma increase attacks
Cyber-physical attacks are increasing because endpoints are exposed across pharma manufacturing and distribution OT systems and IT stacks. Closing those gaps needs to start with a zero-trust security framework designed to encompass the entire supply chain. In addition, pharma manufacturers need to be more vigilant about assessing suppliers’ cyber risk levels, too.
Defining a consistent strategy across pharma supply chains using zero-trust security will reduce the potential for breaches and protect shipments, intellectual property, and the quality of pharmaceutical drugs sold globally.