IBM Security X-Force’s COVID-19 threat intelligence task force discovered a massive phishing campaign earlier this month aimed at organizations within the vaccine distribution cold chain.
Caleb Barlow, president and CEO of healthcare cybersecurity firm CynergisTek, said that part of the supply chain, which ensures vaccines are stored at the proper temperature, is especially vital for the Pfizer-BioNTech vaccine. It was the first vaccine approved for emergency use by the U.S. and, according to the CDC, needs to be stored at between -112 degrees and -76 degrees Fahrenheit.
“The producers of dry ice, the producers of thermal insulation, the producers of the various refrigeration and freezers involved in the cold chain, it’s not like they’ve ever been on an adversary’s top 10 list,” Barlow said. “So it’s probably reasonable to assume that the overall security maturity there is relatively low. That’s where I think security professionals are really paying attention to and it is the most likely place we would see something disruptive.”
But phishing campaigns are not the only threat to COVID-19 vaccine distribution. Supply chain organizations will have to ensure vaccines are not compromised in transit, that they’ve put secure systems in place to keep track of vaccine distribution and that they are prepared to combat a threat they still don’t know well — the spread of misinformation. Supply chain and security experts said that measures such as compromise assessments and penetration testing could lead to greater confidence in vaccine distribution.
Threats facing COVID-19 vaccine distribution
In the phishing attack uncovered by IBM Security X-Force, a threat actor sent emails that appeared to be from an executive of a company within the cold chain. The aim of the attack was to harvest credentials to potentially gain unauthorized access to information related to vaccine distribution, according to the task force’s report. The Cybersecurity and Infrastructure Security Agency issued an alert to supply chain organizations as a result.
“We’re seeing anything involved around COVID-19 attracting both nation-states as well as organized crime actors,” Barlow said. “Nation-state actors are particularly interested in anything that may cause disruption as well as anything on the research side of things. Organized crime gets more interested in the disruptive side because the thought process there is anything that disrupts the distribution, you might be able to extort that in some way for money, influence or profit.”
Michael Bruemmer, vice president of data breach resolution and consumer protection at Experian, echoed the point, saying attackers may not be after data but may be looking to hold part of the cold chain hostage for financial gain. He said threat actors could do this by hacking into temperature controls and monitors, as well as GPS tracking systems, and causing or threatening to cause disruption.
“All those systems could potentially be hacked into to disrupt that supply chain,” he said.
Indeed, organizations up and down the COVID-19 vaccine supply chain, including vaccine manufacturers, logistics providers, government agencies and healthcare facilities, must implement systems and practices to ensure that the vaccines are not compromised as they move from manufacturer to destination, said Anne Robinson, chief strategy officer of Kinaxis, which develops supply chain planning software and is based in Ottawa, Ont.
The prime area of concern is making sure the product that arrives at its destination is the same one that was shipped from the manufacturer, Robinson said. However, there’s an extra layer of complexity that needs to be addressed. Because the vaccines that have been approved for emergency use in the U.S. require two doses to be most effective, organizations will need secure systems to not only track what vaccine goes where but who takes what and when.
“I’m not concerned about that for the first crunch of days going out there,” she said. “But you also want to make sure the IT systems are secure and that they accurately track when the first and second doses are given. Any misalignment of that information could make those vaccines just not work.”
Compromise assessment and crisis communication
The COVID-19 vaccine supply chain may be secure, at least in the early stages of the vaccine rollout, agreed Stephen Meyer, research director at Gartner.
Logistics providers, including delivery heavyweights UPS and FedEx, are confident that they can handle the job securely, he said. But the scale and scope of the COVID-19 vaccine distribution are unlike anything before it, which makes the effort attractive to threat actors and leaves it open to vulnerabilities.
“You will hear about theft, diversion and counterfeiting,” he said. “The question just becomes, how rampant is it? Does it get to the point where it undermines the confidence in the ability to get the actual vaccine out there?”
Barlow said companies involved in the supply chain, particularly the cold chain, should take the time now to ensure their security strategies are in good working order.
He recommended that they conduct an assessment to find any signs of compromise in the IT environment and an assessment of the controls and measures put in place to defend against cyberattacks. Organizations should also perform penetration testing, or simulated cyberattacks, to make sure the security environment responds appropriately to a phishing or ransomware attack.
Along with social engineering, the spread of misinformation could be a threat against vaccine distribution, Barlow and Bruemmer said.
According to Experian’s 2021 Data Breach Industry Forecast published earlier this month, cyber attackers could spread false or misleading information on social media about the COVID-19 vaccine with the aim of causing disruption and manufacturing panic.
Indeed, Barlow said misinformation is a new threat for the vaccine supply chain community, which in many cases is not ready to manage such campaigns.
“We all got a good dose of what this looks like during the election cycle and how quickly it can get amplified,” he said. “This is something the security community is not well prepared for. Most people do not have the tools, the techniques, the methodologies to deal with misinformation built into their crisis response plan, built into their run books.”
Untruths are likely to get amplified quickly by an adversary with the goal of creating confusion, he said. Still, organizations can rely on a crisis communication plan to guide their response, according to Barlow.
“The biggest mistake people make in this is not to respond, to wait, to be quiet,” Barlow said. “Unfortunately, in a crisis scenario, not acting is often the very worst course of action.”
High demand, low supply create vulnerability
The risks to the COVID-19 vaccine supply chain are real, said Dana Gardner, president and principal analyst at Interarbor Solutions, an enterprise industry analysis firm based in Gilford, N.H.
But the fact that the rollout is happening with high visibility will provide valuable lessons on how to handle large and complex supply chain problems.
“This is not something that’s happening behind closed doors in some manufacturing plant where if there’s a mistake you may be able to sweep it under the rug,” he said. “This is going to be for the whole world to see, and that’s why it’s a great learning opportunity.”
In fact, it’s those extremely high stakes that increase the vulnerability of the COVID-19 vaccine supply chain, Gartner’s Meyer said. Having a vaccinated population is the key to a country being able to fully reopen its economy, and the demand for the vaccine far exceeds the supply for now, which means there are going to be haves and have-nots.
Adding to the supply and demand vulnerability is the fact that U.S.-based companies are not allowed to sell to certain countries — including Iran and North Korea — for a variety of reasons, including being identified as sponsors of global terrorism.
“The pandemic is a global crisis, so how do those countries get vaccines?” Meyer said. “Even if you are allowed to sell to those countries there are going to be people that are willing to pay more money on a black or gray market type situation. Unfortunately, there is human nature involved that will try to take advantage of situations.”