How to improve COVID-19 supply chain cybersecurity

COVID-19 supply chains have gained the attention of the general public, but also that of cybercriminals. Such bad actors are getting more skilled at finding and exploiting every potential threat surface in these crucial logistics networks.

No one defensive tool will prove adequate to meeting the threats. What is needed is a wide, coordinated approach across supply chains that combines endpoint security, identity and access management (IAM), data-driven patch management, privileged access management (PAM), and zero trust frameworks.

Health care providers are integral to the success of COVID-19 vaccine supply chains globally, yet evidence shows they have the highest industry cost of a breach for 11 years running. That’s according to IBM’s Cost of a Data Breach Report 2021. The average cost of a health care breach increased from $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase, also according to IBM. Meanwhile, in the pharmaceutical industry, companies’ average cost of a breach is $5.04 million in 2021. Pharma supply chains and highly interconnected health care providers are popular targets for bad actors as their information is among the best-selling on the dark web.

A case study in spear-phishing

IBM security researchers discovered orchestrated attacks on COVID-19 supply chains beginning in 2020 and continuing into 2021. A stunning example is the case of Qingdao Haier Biomedical.

Bad actors using spear-phishing campaigns impersonated representatives of Qingdao Haier Biomedical Co., a Chinese-based company and leading provider of equipment to store and deliver materials at cold temperatures. Using precision targeting techniques as the basis of their spear-phishing strategy, the bad actors targeted 12 different personas or roles in companies actively participating in the COVID-19 supply chain. The primary targets of the spear-phishing attacks included the European Commission’s Directorate-General for Taxation and Customs Union.

Cyber criminals concentrated their spear-phishing efforts on global organizations headquartered in Germany, Italy, South Korea, the Czech Republic, greater Europe, and Taiwan. The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), which tracks efforts to breach COVID-19 supply chains, issued an alert in 2020 that explained attempts to combine phishing, malware, social engineering, and other techniques to access the cold chain delivering vaccines globally.

Three endpoint vulnerabilities bad actors exploit

In many COVID-19 supply chains, it’s the endpoints that prove to be the most vulnerable to attack. From not having endpoint agents to having too many that conflict with each other, getting endpoint security right is a challenge.

Absolute’s 2021 Endpoint Risk Report found that 52% of endpoints have three or more endpoint management tools installed, and the greater the endpoint agent sprawl, the faster security controls collide and decay. Organizations need to overcome the tendency to overload endpoints because the more complex their configurations become, the more challenging they are to protect.

Cybersecurity Insider’s 2020 State of Enterprise Security Posture Report finds that 60% of organizations are aware of fewer than 75% of the devices on their network, and only 58% of organizations say they could identify every vulnerable asset within their organization 24 hours after a critical exploit. Nine percent estimate it would take them one week or more.

Bad actors are adept at finding the most vulnerable endpoints using various automated and socially engineered campaigns to gain access. Three areas where endpoint breach attempts are thriving today are the following:  

• Track-and-traceability that relies too much on manual updates.  Many health care providers’ supply networks rely on a mix of automated and manual supply chain workflows to get COVID-19 vaccines delivered to distribution points. Bad actors know the more manual the tracking and tracing of vaccine shipments, the greater the opportunity to redirect shipments, breach systems, and exfiltrate data. In addition, manual processes are prone to errors, slow, and lack audit history, all of which attract people looking for a vaccine supply chain to breach.
• Breach logistics providers with stolen privileged access credentials. Another favorite attack technique is impersonating logistics carriers with stolen privileged access credentials to redirect shipments and steal transaction data. As the COVID-19 vaccines were in development and pharma companies collaborated on shared intellectual property (IP), bad actors attempted to use a combination of social engineering, spear-phishing, ransomware, and other techniques to intercept privileged access credentials and steal valuable IP.
• Targeting the most vulnerable inbound logistics and distribution suppliers. Health care distribution networks and the suppliers they rely on have endpoint security gaps that make them soft targets. For example, ransomware attacks of supply chain companies occurred on average once every two months until 2020, at which time the rate of attacks tripled to two per month, according to a recent BlueVoyant survey.

Seven ways to improve supply chain cybersecurity

All organizations are doubling down on endpoint security and network access spending in 2021.  In recent conversations VentureBeat has had with CISOs of health care and pharma manufacturers, it is clear their priority is on upgrading endpoints for greater visibility, control, and compliance. What is needed is more innovation around endpoint resilience and self-healing endpoints.

• Pharma supply chains need an industry-wide unified endpoint management (UEM) standard to close gaps between suppliers. Endpoints are the threat vector of choice for breach attempts, further underscoring the need for more consistent UEM standards across vaccine supply chains. Health care and pharma companies need to standardize on a specific UEM strategy that can scale across all devices, including mobile, as the most often overlooked threat surface. For example, look at Ivanti, whose acquisition of MobileIron further strengthens the company’s competitive position in mobile device management. Ivanti’s three strategic pillars of zero-trust security, unified endpoint management, and enterprise service management reflect the urgent needs health care and pharma supply chains have for an integrated approach to security. Additional UEM vendors with expertise in health care and pharma include Blackberry, Microsoft, and Citrix.
• Zero trust frameworks are foundational to pharma supply chains’ cybersecurity. Pharma manufacturers need to prioritize endpoint security as part of their zero trust framework. Least privileged access needs to extend beyond pharma manufacturers to suppliers and distribution partners, encompassing health care locations, logistics, and distribution centers. A zero-trust framework can compartmentalize supply chain breach attempts or attacks using microsegmentation. Leaders in this area with health care and pharma expertise include Akamai, Blackberry, Duo Beyond, Ericom Software, ForcePoint, Google BeyondCorp Enterprise, Illumio, Microsoft, Palo Alto Networks, Okta, and ProofPoint.
• Patch management needs to progress beyond inventory management. Managing endpoints across health care and pharma supply chains with an inventory-based approach to patch management still leaves them vulnerable. As the BlueVoyant study showed, the rate of attacks on supply chain and logistics providers has soared to two a month this year. By taking a more data-driven approach to patch management, health care and pharma supply chains reduce the risk of a breach. Adaptive intelligence based on bots that prioritize endpoints by risk level and perform patch updates automatically can help health care and pharma supply chains scale security more efficiently than any inventory-based approach. Ivanti’s acquisition of RiskSense reflects the future of a more adaptively intelligent and contextual approach to patch management.
• Track-and-traceability needs to be digital-first to protect supply chains. Health care and pharma supply chains have long used track-and-traceability to improve supply chain visibility and performance. Automated techniques that include digital tracking have been providing lot-level traceability for decades. Lot serialization is a long-standing requirement in the pharma industry, made more urgent by the need to distribute the SARS-CoV-2 vaccine securely on a global scale. FedEx’s sensor tracking technology, SenseAware ID, is designed to streamline track-and-traceability in the health care industry. SenseAwareID launched in November 2020 and has since been implemented in the cold chain, thermal blanket, and temperature-controlled logistics environments.
• Adding greater security to identities is a must-have across the entire pharma supply chain. Extending IAM beyond the four walls of pharma suppliers to each member of the supply chains and distribution networks needs to be a prerequisite for doing business in 2021 and beyond. For example, the spear-phishing campaign where bad actors impersonated Qingdao Haier Biomedical Company representatives could have led to stolen privileged access credentials for multiple systems across supply chains, placing hundreds of millions of dollars in supplies, vaccines, and IP at risk.
• Health care and pharma supply chains need to make multi-factor authentication (MFA) a requirement of doing business. Leading pharma vaccine suppliers need to supplement their existing cybersecurity practices by requiring MFA to be enabled across their supply chains and distribution networks. It’s especially important on mobile devices as bad actors attempt to steal laptops, tablets, and secure mobile phones to access shipment, pricing, and logistics data. Since last year, Russia, China, Iran, and North Korea have continued espionage, spying, and hacking efforts to steal vaccine-related IP. Throughout this year, North Korea continues to escalate its efforts to hack into Pfizer’s supply chain and R&D centers to steal COVID-19 vaccine and treatment technology, according to The Washington Post. Without MFA, least-privileged access, and zero trust security frameworks protecting the vaccines and related IP, it could have easily turned into a breach-driven nightmare.
• Gaining access to privileged access credentials is a hacker’s primary goal, so this must be prevented. The U.S. Department of Homeland Security’s CISA alerts warn pharma suppliers of multiple attempts to steal privilege access credentials using phishing-based multi-vector attack strategies. Pharma suppliers need to define a PAM framework with which all supply chain and distribution channel trading partners comply.

If CISOs and the companies they work for can attain real-time monitoring of every endpoint and tracking of each device’s configuration and activity, that will go a long way to solving asset management and compliance needs at scale. And that will mean a safer, more secure supply chain for vaccine supplies in particular and health care in general.