Cyberattacks are a growing danger for biopharma, according to experts who are calling on industry to do more to secure technologies in the era of biopharma 4.0. In 2017, hackers used a malware program called NotPetya to paralyze Merck & Co.’s computer systems. In an SEC filing, Merck said the attack disrupted “worldwide operations, including manufacturing, research, and sales.” The filing also stated that Merck had to “borrow doses of Gardasil 9 from the CDC Pediatric Vaccine Stockpile… in part by the temporary shutdown resulting from the cyberattack.”
Swiss drug firm Roche has also been hit by hackers. A spokeswoman told GEN, “Roche has been targeted by various attackers in the past, including the group known as Winnti. These attacks were detected and remediated. Roche hasn’t lost any sensitive personal data of our employees, patients, customers, or business partners.” She added that the firm continues to work with law enforcement and intelligence services in the United States, EU, and Switzerland regarding cybersecurity threats. “Roche actively collaborates with other companies, both within the pharmaceutical sector and other industries to share information about ongoing threats.”
More recently, German firm Bayer was hacked, according to various reports. It seems clear hackers are looking for vulnerabilities in drug industry IT systems.
Unprotected bioprocessing technologies are points of attack for hackers, said Cevn Vibert, an industrial cybersecurity consultant at Vibert Solutions. “All manufacturing systems with any form of programmable intelligence in them are hackable. The generic names for such networked devices are PES (Programmable Electronic Device) or IED (Intelligent Electronic Device).
“Hacks can be direct via network connections or via local, USB, or file injection methods,” he added, citing growing industry use of internet-ready and Wi-Fi-enabled production systems as a major challenge.
“No manufacturing systems should be on the internet. More and more systems are now being connected on factory networks and if there is an easy path to the internet then often they are all connected!”
Stefan Liversidge, technical sales engineer at Nozomi Networks, has similar concerns about the risks posed by greater connectivity. “It is reasonable to assume that for almost any biomanufacturing system, there would be a number of vulnerabilities that have publicly available exploits, as such would be determined as hackable by an attacker with a low level of skill,” Liversidge said. And the risk of attack is exacerbated by automation and connectivity, he added. “With increased interconnectivity comes increased impact, where multiple systems become infected. The biggest potential for impact is where such connectivity affords the ability to jump across multiple facilities, affecting global operations… the key with cyberattacks is that they can scale very easily and rapidly, causing disruption on a scale not possible with physical attacks.”
Increasingly, the biopharma industry is focused on personalized therapies. The logistics involved give hackers another point of entry, Liversidge said. “Where materials are harvested from patients, these procedures, currently, are often more manual, with the real risks residing around ensuring rigorous tracking of the sample material. In some of these advanced procedures, we see equipment owned by the process owner, being installed into hospital networks without a clear definition of whose responsibility it is to provide security reassurance. Security reassurance in such circumstances would rely on a level of network security and a level of device security. Given that we can never guarantee device or network security, we rely on a reasonable level of security in both of these spheres to provide a defense in depth approach, minimizing the impact due to a single point of failure.”
Working with law enforcement and intelligence services to address threats is key. Firms should also adopt industry standard security procedures, according to Vibert. “We always advise network segregation as per best practice guidelines such as IEC62443, NIST, NIS-D, OG86, ANSSI, etc. We also recommend JumpBox Remote Access segregations. We advise patches/firm to be downloaded on separate networks, AV tested to death, installed on TestBeds, and only when everyone is happy, to be deployed incrementally out to production systems.”