Manufacturers across the world, pharmaceutical companies included, are enduring a growing onslaught of cyber-attacks, which demands serious changes in their security infrastructure. In a recent report, the Department of Homeland Security states that manufacturers suffer from over 30 percent of all attacks against United States critical infrastructure and critical manufacturing.
This marks the first time the energy sector was not the most popular target among U.S. critical sites, as attackers have now made the manufacturing industry their main target. Moreover, according to IBM X-Force’s 2016 Cyber Security Intelligence Index, manufacturers suffered from even more attacks than financial services.[1]
To make matters worse, cyber criminals are attacking manufacturers at a period of technological innovation and expansion that brings new risks, which most manufacturers are not prepared to handle. Especially for the pharmaceutical industry, where manufacturers’ lines of defense can be the difference between life and death, security measures must become a higher priority.
Hackers Focus in on the Pharma Industry
For the past few years, hackers have been sharpening their focus on pharmaceutical companies’ industrial environments, which have become their most vulnerable weak point—and, therefore, a prime target. Modern industrial environments are now connected to external environments and to the Internet, creating what has been dubbed the Industrial Internet of Things (IIoT), which represents largely uncharted territory for hackers and security professionals alike. Through this connectivity, pharmaceutical manufacturers drastically improve their profitability by increasing their efficiency and ability to respond to market demands, while also gaining remote access and valuable analytics. However, these systems, also known as ICS/SCADA networks, are developed with an almost singular focus on availability and an insufficient focus on security. Moreover, these SCADA or operational technology (OT) networks, in most cases, were not designed for environments with Internet connectivity.
In an attempt to guard these systems, pharmaceutical manufacturers are turning to traditional IT solutions, which are not built to secure OT equipment and inadequately address their weaknesses. Consequently, industrial environments are rife with risks and vulnerabilities that allow hackers to wreak havoc.
Although there have been a number of SCADA incidents, few are made available to the public because companies fear damaging their reputations by disclosing these attacks. The most notorious and widespread SCADA attack to take place against the pharmaceutical industry is known as Dragonfly, also called Havex, which sought to steal and corrupt data. The attack gave hackers the access necessary to replicate production methods or sabotage competitors. Giving particular cause for alarm, industry experts identified that the malware was developed specifically for the pharmaceutical industry. In this case, the criminals’ objective was to access information via cyber-spying or cyber-extortion.
Additionally, there are parallel examples of what attacks on the pharmaceutical industry will look like in declassified attacks against other manufacturers and critical infrastructure sites that use similar SCADA systems. Last year, for example, hackers were able to install malware on a water company’s distribution system, sneak into the SCADA network, and change the chlorine levels of drinking water to possibly harmful levels.[2]
Months ago, reports were released providing some details of an attack on a German steel mill, where hackers took advantage of the SCADA systems’ external connectivity and weak separation between IT and OT to cause tremendous damage and a massive explosion. More recently, U.S. Steel was breached by hackers who stole the company’s methods of producing lightweight steel, in an effort the company believes to be backed by the Chinese government.[3]
These breaches reflect the three main threats that manufacturers and pharmaceutical companies face:
- Intellectual property theft
- Product manipulation
- Physical damage and downtime
By breaking into SCADA systems, hackers can find all the information necessary to precisely replicate and reproduce any drug. Worse, they could, without leaving a trail, turn life-saving medicine into poison. Finally, they could hold the entire industrial environment for ransom, cause a system-wide shut down, or inflict costly damage to manufacturing equipment.
How to Combat the Threat of Hackers
Pharmaceutical companies can better defend themselves by understanding hackers’ motivation, which we can also gather from IT attacks. Earlier this year, hackers targeted an Indian pharmaceutical firm with a ransomware attack, demanding payment in bitcoins for the removal of malware that prevented the company’s computers from operating.
There are two important takeaways here. Firstly, it is a signal that the floodgates of attacks against the pharmaceutical industry are going to open—it is only a matter of how soon. Secondly, it highlights the financial incentive that provides cyber criminals with their motivation. While the people and the methods behind pharmaceutical attacks have been diverse, they often share a common cause. The desire for a high payoff has brought hackers to attack pharmaceutical manufacturing’s newest, most vulnerable frontier: industrial environments.
The question, of course, is “what can be done?” Unfortunately, as experience shows, even the protective IT solutions that are purported to be “the best” are failing to hold back SCADA attacks, which grow in strength and frequency by the month. Pharmaceutical manufacturers need to directly focus on securing their IIoT environments with solutions that were designed specifically for their OT networks. Pharmaceutical manufacturers’ reliance on IT solutions has placed their companies and millions of people at critical risk. Particularly in the pharmaceutical industry, improving security is a matter of life and death, both for people and companies.
Furthermore, OT managers and IT security experts need to work together in a more concerted effort to understand their SCADA network and the security risks. If pharmaceutical manufacturers do not understand what their weaknesses and vulnerabilities are, they will not be able to adequately protect themselves and their security measures will continue to fail. As SCADA attacks shift from the possible to the inevitable, pharmaceutical companies must find a strategy to protect themselves and their customers.
[1] Yasin, Rutrell. “Manufacturers Suffer Increase in Cyberattacks.” Dark Reading. April 2016. http://www.darkreading.com/vulnerabilities---threats/manufacturers-suffer-increase-in-cyberattacks/d/d-id/1325209.
[2] Russon, Mary-Ann. “Hackers hijacking water treatment plant controls shows how easily civilians could be poisoned.” International Business Times. March 2016. http://www.ibtimes.co.uk/hackers-hijacked-chemical-controls-water-treatment-plant-utility-company-was-using-1988-server-1551266.
[3] Miller, John W. “U.S. Steel Accuses China of Hacking.” The Wall Street Journal. April 2016. http://www.wsj.com/articles/u-s-steel-accuses-china-of-hacking-1461859201.