Several digital attacks against pharmaceutical companies have made news in the past few years. Back in 2017, for instance, Merck fell victim to NotPetya. The wiper malware spread to the pharmaceutical giant’s headquarters, rendered years of research inaccessible, affected various production facilities and caused $1.3 billion in damages, according to Bloomberg News. A couple of years later, European Pharmaceutical Review reported that Swiss multinational healthcare company Roche had suffered an attack at the hands of the Winnti malware group—just one year after Bayer confirmed an incident concerning the same attackers.
Attacks in the pharmaceutical industry haven’t slowed down since then. According to Help Net Security, organizations in the pharmaceutical and biotech sectors witnessed a 50% increase in digital attacks between 2019 and 2020. It appears that at least part of those attacks originated from nation-state actors who specifically sought to steal COVID-19 vaccine research. Beyond that aim, SCADAfence noted that nation-state actors commonly target organizations in those two sectors to steal intellectual property and gain a technological or commercial advantage for companies in their own countries.
There are lots of factors behind these attacks. One of the main ones is the ongoing convergence between Information Technology (IT) and Operational Technology (OT). Pharmaceutical organizations are turning to sensors and other IT devices as a means of optimizing their manufacturing processes. In doing so, however, they’re exposing their aging OT assets that weren’t designed with security in mind to the Internet—and, by extension, to digital attackers who would wish to tamper with their OT environments.
16 Sectors That Impact Us All
The IT-OT convergence doesn’t pose security challenges to only pharmaceutical organizations. After all, the pharmaceutical sector is just one of over a dozen industries where we find critical infrastructure.
When we look at critical infrastructure, the 16 sectors touch just about every aspect of our lives. In the past, attacks on critical infrastructure were very small and localized. For example, bank robbers would affect a single entity within the financial services sector, and the government would respond by building regulations to address these types of disruptions.
But with the introduction of networks and broad interconnections, attacks against critical infrastructure are much more threatening nowadays. As mentioned above, research facilities have been the targets of attacks as malicious actors have attempted to steal valuable research data pertaining to a COVID-19 vaccine. Once vaccines were developed, new attacks targeted the vaccine supply chain. This all points to reasons why pharmaceutical companies need to pay strict attention to cybersecurity.
In response to these threats, ISA Cybersecurity wrote that pharmaceutical companies should consider investing in a security awareness training program. Organizations can use those kinds of programs to educate their entire workforce about threats confronting the pharmaceutical sector, thereby helping to build a positive security culture. It’s also important that organizations classify their data so that they can implement proper data security controls and formulate an effective backup strategy as well as enact other security measures to help prevent malicious actors from moving laterally throughout the network.
These recommendations raise an important question: how can pharmaceutical organizations go about setting up these security controls if many of them don’t even know where to start?
A Good Luck Moment
OT security is often a long-term, strategic initiative. One such respected guidance that has been in use for many years is the Center for Internet Security (CIS) Critical Controls. I recall a story of a cybersecurity professional who was seen carrying a printed copy of the CIS Controls document on an airplane. Seeing this, a fellow passenger said, “Good luck.”
The reality is that many organizations have tried to manually incorporate the CIS Critical Controls into their environment and have realized that luck is not going to help them achieve that goal. Fortunately, Tripwire’s white paper, “Cybersecurity for Pharmaceutical Companies,” offers advice about how to protect the pharmaceutical industry from an Operational Technology (OT) perspective. It discusses how Tripwire’s full collection of products can help not only a pharmaceutical company but any organization that desires to bolster its OT security.
When we think of all the sectors of critical infrastructure that are tied to the simple concept of a pharmaceutical product, the overlap shows why each sector functions towards mutual support of other sectors. Pharmaceuticals are strongly tied to the chemical sector, which is also tied to the transportation and financial industries, which are also connected to commercial facilities and communications sectors. I think you get the point.
Tripwire Helps Pharmaceutical Companies
Tripwire offers foundational controls for a solid cybersecurity strategy to preempt cyber-attacks on IP-based systems. Whether it is a database of clinical trial data, drug formulas or a pharmaceutical industrial control system, Tripwire offers an assortment of security products to protect your critical systems.
To learn more, download your copy of Tripwire’s white paper today.