Beware of the cyber risks involved in the promised Covid-19 vaccines

Huge political and economic interests have given rise to widespread industrial espionage in connection with R&D labs and production plants for the new Covid-19 vaccines. This espionage is done mainly through cyberattacks. There are, however, ways of preventing it. 

The world is buzzing about news of the new Covid-19 vaccines developed by Pfizer and Moderna. While these vaccines wait for FDA approval, scientists continue to research and improve their effectiveness, as the global race for the long-awaited vaccine continues.

The competition to create a vaccine that may enable a return to normal life raises questions about cyber risks involved in the process.

Bear in mind, this is not just a public health concern. The competition between government and private research institutes creating the vaccine is primarily economic. The first to bring an effective vaccine to market will gain a large profit. We are talking about billions of dollars. The competition is no less on a national scale. The citizens of the country that develops a vaccine first will be the first to benefit from it. Theoretically, such a country may decide not to share the vaccine with other countries or may choose with whom to share it, giving that country great power. This brings political interests into the equation. Most countries in the world are now devoting their best minds, instruments, and resources to this effort.

When the competition is for economic and political power, industrial espionage immediately comes into play. Such espionage is now carried out almost entirely through cyberattacks. It is much easier to copy files of analyses and tests by remotely hacking into a computer system than it is to send someone to physically infiltrate an organization and try to copy its documents. 

We of course assume that research labs are aware of this issue and are protecting themselves from cyberattacks. Nevertheless, the more computers and equipment that have access to the internet, the more vulnerable the labs are to cyberattacks. 

Cyberattacks are not just intended for information theft. The attackers may also seek to disrupt and thwart a research institute’s workflow to buy time in the competition. 

In addition, cyber risks do not just disappear once an approved vaccine is achieved and proceeds to production. Malicious organizations are constantly searching for ways to infiltrate systems and cause disruption or damage. Production systems and control networks are highly advanced systems. The more remotely accessible they are, the more vulnerable they are to cyberattacks that slow down production processes or cause the production of a defective vaccine.

Imagine a company that has succeeded in finding a vaccine and getting it approved, and whose facilities are producing, at full capacity, hundreds of millions of vaccines to be shipped worldwide. If a hired hacker should succeed in halting production for a couple of weeks, or perhaps even causing serious disruption for a single day, this company could fail. While it works more slowly and tries to recover from the cyberattack, the company's competitors would start selling in its place.

Remember the cyberattack on Israel’s water economy about six months ago? Fortunately, this attack was thwarted. According to articles and other indications though, the attackers’ aim was to disrupt the activity of the computer systems in charge of adding chlorine to the water. Their plan was to poison the population in Israel by increasing the amount of chlorine added. A vaccine production plant is exposed to precisely the same risk: one small malfunction in its production computers and the vaccine the plant produces could be deadly.

Pharmaceutical companies are not defense industries. Pharmaceutical companies are capable of protecting their information to a reasonable degree. Most of their efforts are invested in protection and compliance with safety regulation; in other words, dealing with potential non-malicious safety incidents that might impair product quality, such as undesirable temperature fluctuations. At present, these companies are in the eye of a global storm, drawing the attention of global leaders. These businesses now require cyber security that goes far beyond their normal level. Most of these companies have yet to realize that threat levels have escalated from the normal commercial level to the level of a world power struggle.

Research institutes and pharmaceutical companies must take this into account. They need to view their cyber security plans from a totally new perspective and make sure that those plans are realistic, in light of the new threats. At present, these commercial bodies have risen to the same level of risk as defense industries and critical infrastructure. Regulation for the cyber protection of critical industries already exists but is still in early stages. Such regulations really should apply to research institutes and pharmaceutical companies dealing in Covid-19 vaccines.

When considering the tools that could assist in the solution, organizations at such a high level of risk must first consider how to prevent attacks, rather than focusing on detecting, locating or reacting to attacks. The key word is prevention because, when locating and handling an attacker who has already infiltrated the organization, production must generally be stopped to respond to the attack. This means the organization has already lost the war. When efforts are focused on preventing infiltration, the hacker is kept out, and the attacker loses. The focus for cybersecurity for these organizations is to deploy barrier technology to hermetically seal the organizational and production networks from infiltration. 

And we should not forget that we are talking about long-term competition. Even after an effective vaccine is on the market, there will continue to be risk of compromise. This is a gradual process: after the first vaccine, a better one will come. There will then be mutations of the disease, and they too will require vaccines. The first vaccines will be good for six months to a year. All this means that any new cyber security strategy must be based on long-term thinking. The threats, unfortunately, are not expected to disappear any time soon. 

Lior Frenkel