Defending the COVID-19 vaccine rollout with best practices from the cybersecurity industry
Over the past year, pharmaceutical companies and healthcare organizations have rushed to develop a COVID-19 vaccine. It is a testament to the innovations of the medical industry that several companies around the globe have succeeded in creating and rolling out highly effective, life-saving vaccines in such a short period of time. However, the extremely high demand for COVID-19 vaccines makes them a tempting target for criminals seeking to make a quick buck.
All over the world, COVID-19 vaccines have created a complex nexus of converging social, economic, and cultural forces, resulting in the need to address multi-faceted threats. In this two-part series, we’ll examine the different types of security threats facing our global vaccination efforts and what our government and private industries can do to protect them, starting with cybersecurity.
How are cybercriminals threatening vaccine security?
The manufacturing, distribution, and administration of COVID-19 vaccines have a huge attack surface. Every part of the vaccination process is vulnerable to attack: the supply chains, the manufacturing process, the distribution channels, and the facilities where people go to get vaccinated.
As a result, the spectrum of cyberthreats is incredibly broad: from simple emails to complicated malware and zero-day exploits, almost everything is on the table during these unprecedented times.
Here are a few of the most common types of cyberattacks we are seeing or expect to encounter in the coming months as people around the world continue to get vaccinated:
- Ransomware, that ever-present threat. Cybercriminals will leverage ransomware to target critical components of the supply chain, including factories, suppliers, hospitals and clinics. All of these are attractive targets for criminals looking to make money or nation-states looking to cause disruption.
- Cyber-enabled extortion and disruption. This category includes identity theft, business email compromise, or simply threatening to expose a company's internal information, or that of its employees or officers, unless demands are met.
- Malicious manipulation of delivery orders, inventory management and control processes, or other aspects of logistical control. These kinds of attacks allow a threat actor to collect the vaccine supply from a member of the supply chain or prevent delivery to others. For example, a hacker could add false delivery orders to a drug store inventory management system, allowing a fake deliveryman to collect the vaccine.
- Cyber-accelerated disinformation campaigns that use automation such as “bots”, or exploit vulnerabilities in information systems, to inject misinformation into vulnerable sources.
- The “last mile” distribution points, such as hospitals, drug stores, doctors’ offices, and so on, can be targeted by cyberattacks that manipulate their inventory figures. The resulting “ghost” vials can then be stolen and resold elsewhere.
We have already seen a wide range of cyber operations used to target entities in the vaccine supply chain. For example, attacks against the European Commission Directorate-General for Taxation and Customs Union used highly targeted spear-phishing emails.
As with many account takeover attacks we have seen during this period, these attacks were relatively simple in form but highly sophisticated in targeting and execution. The attackers identified, took over and ultimately leveraged the legitimate email account of a known, trusted party at a Chinese cold-chain supplier that was an active member of UNICEF’s CCEOP program.
Countering cyber-related vaccine threats
We already have tools that can mitigate some of these cyber threats. Many of the most significant attacks or breaches over the past decade have begun with simple starting points and human error, such as taking over existing identities or relying on users executing malicious code. Regardless of the scope and sophistication of the threat, proper execution of cybersecurity fundamentals remains the most effective means of defense.
Two critical steps to prevent these kinds of attacks are building strong digital identities and moving toward zero-trust architectures, in which no connection is assumed to be safe. For example, even if a supplier is vetted, we shouldn’t assume that the suppliers it works with can be trusted. Taking this approach a step further would make “lateral movement” between systems or organizations much more difficult. Preventing this kind of lateral movement will be key to eliminating massive supply chain attacks in the future.
A strong digital identity backed by cryptography for people, systems, and even organizations is the foundation on which the future of access can be built. Too many of our processes and technologies rely on implicit trust in order to connect to each other. In the security community, we have known for decades that chains of trust are only as good as their weakest link. Relying on trust alone is not something we can afford to do any longer.
These preventive measures will help us build an environment hostile to vaccine cyberattacks. On their own, zero trust and strong digital identities will not completely eliminate things like exploitation of vulnerable systems, but they will take the low-hanging fruit involved in most major campaigns off the table.
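The following is an added illustration, not code from the original article, of how the two ideas above apply to the false-delivery-order and ghost-vial scenarios described earlier: a distribution point accepts a delivery order only if it carries a valid cryptographic authenticator from a known issuer, and then reconciles its recorded on-hand doses against authenticated deliveries minus administered doses. All party names, keys, lots and counts are constructed for the example; HMAC is used as a stdlib-only stand-in for the per-party asymmetric signatures a real deployment would use.

```python
import hmac
import hashlib
import json

# Constructed issuer identities. Keys are HMAC secrets here for portability; in a real
# system each issuer would hold a private signing key and the verifier only its public key.
TRUSTED_ISSUERS = {"distributor-01": b"constructed-key-distributor-01"}


def _canonical(order):
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def sign_order(issuer, key, order):
    """Issuer attaches an authenticator binding the order's content to its identity."""
    tag = hmac.new(key, _canonical(order), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "order": order, "sig": tag}


def verify_order(signed):
    """Accept a delivery order only if it is from a known issuer and its tag checks out."""
    key = TRUSTED_ISSUERS.get(signed.get("issuer"))
    if key is None:
        return False
    expected = hmac.new(key, _canonical(signed["order"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("sig", ""))


def reconcile(inventory, signed_orders, administered):
    """Flag lots whose recorded on-hand count exceeds what authenticated deliveries,
    less recorded administrations, can explain (possible ghost vials), and list the
    delivery orders that failed authentication."""
    delivered, rejected = {}, []
    for s in signed_orders:
        if not verify_order(s):
            rejected.append(s["order"].get("order_id"))
            continue
        lot = s["order"]["lot"]
        delivered[lot] = delivered.get(lot, 0) + s["order"]["doses"]
    ghost = {}
    for lot, on_hand in inventory.items():
        expected = delivered.get(lot, 0) - administered.get(lot, 0)
        if on_hand > expected:
            ghost[lot] = on_hand - expected
    return {"ghost_vials": ghost, "rejected_orders": rejected}


# Constructed sample data: one genuine order and one forged order that names the trusted
# issuer but carries no valid authenticator; inventory for LOT-A was inflated by 30.
LEGIT = sign_order("distributor-01", TRUSTED_ISSUERS["distributor-01"],
                   {"order_id": "ORD-1", "lot": "LOT-A", "doses": 100})
FORGED = {"issuer": "distributor-01", "sig": "00" * 32,
          "order": {"order_id": "ORD-2", "lot": "LOT-B", "doses": 50}}
SAMPLE_ORDERS, SAMPLE_ADMINISTERED = [LEGIT, FORGED], {"LOT-A": 20}
SAMPLE_INVENTORY = {"LOT-A": 110, "LOT-B": 50}  # genuine on-hand should be 80 and 0
```

Running `reconcile(SAMPLE_INVENTORY, SAMPLE_ORDERS, SAMPLE_ADMINISTERED)` rejects ORD-2 and reports 30 unexplained doses in LOT-A and 50 in LOT-B.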
Cybersecurity threats are only one piece of the puzzle. In part two of this series, we’ll discuss how highly motivated people and even governments are also finding ways to attack vaccine supply chains.