Cybersecurity Threats & Pharma

One unfortunate trend that the pharmaceutical industry is set to face is that of cybersecurity. There is no current government infrastructure in the US to protect individual organizations outside of the government at this time. As such, the pharma industry is on its own and must spearhead its own cybersecurity efforts.

In an interview with Pharm Exec, Lieutenant General (LTG) (retired) Ed Cardon recommends that all companies must think of cybersecurity in the following way: “It’s not if you’re going to get hacked, it’s when.” Everything can be hacked. It’s a matter of how much time and resources a hacker utilizes to do so.

General Cardon was the commanding general of the US Army Cyber Command. Since his retirement from the US Army, he has continued working with both government and commercial cybersecurity entities to better secure networks and data.

For the pharma and biotech industries, the three key threats when it comes to cybersecurity, according to General Cardon, are 1) advanced persistent threats (APTs), which are nation-state hackers; 2) ransomware, which is normally criminal in nature; and 3) insider threats, such as witting and unwitting insiders within an organization.

There are other threats, such as “hacktivists,” but they are currently not the primary threat. An important feature of cyber actors is that they are constantly evolving—the environment is dynamic, not static.

APTs are considered a serious threat because a country (or nation-state) has determined that hacking a particular network is important, such as stealing IP or data. They will look at an organization’s cybersecurity as a system—assessing information technology, suppliers/supply chain (such as third parties’ connections to a company’s information technology network), the facility itself, as well as analyzing the people and facilities, General Cardon explains.

The problem is: no matter what an organization does to protect itself, they are at a disadvantage. As General Cardon describes it, an APT can attempt to hack a network 10 million times, and they only have to be right once. On the flip side, an organization must be right 100% of the time.

“This is why I believe a company needs help against a nation-state,” says General Cardon. “There’s no way a company could defend itself against the nation-state long-term.”

For ransomware, on the other hand, the motivation isn’t to acquire IP, data, or other information. Instead, the motivation is money—and making it as fast as possible. If a target is too difficult to hack, the criminal will move to the next target, General Cardon notes.

One way to combat cyber threats is what he calls the “zero-trust principles,” which start with the premise that everything can be—and is assumed to be—hacked. General Cardon breaks down the principles further:

1. Authentication. This includes passwords, two-factor authentication, etc. to ensure everyone is who they say they are before having access to a network.
2. Segment the network. People should only have access to what they need within a network (e.g., not everyone needs access to clinical trial data or IP data).
3. Encryption. Even if hackers break into a network, they can’t get the data unless they have a supercomputer.
4. Monitoring. Sensor the network so the cybersecurity team can “see” the network in a way that allows anomalies to stand out.

Another idea is to build resilience, redundancy, and regeneration for the highest-value assets. First, make the network resilient through good “cyber hygiene.” An example is rapidly updating and patching software as soon as it is available. Second, if a process or data is critically important, ensure there is a redundant system. General Cardon explains that you shouldn’t have “all the crown jewels in one place” (i.e., important data and information in one sole location, network, or server). Finally, have a plan to regenerate the network when all else fails. This capability is accessible via most cloud technologies today.

It’s impossible to defend everything everywhere all the time. But General Cardon recommends companies consider the following strategies to more effectively limit the opportunities for potential threats.

• Utilize more than firewalls and endpoint security.
• Use threat-informed “maturity models,” which is the assumption that everything is hackable. Start with an analysis of what systems, processes, and/or data are of greatest value to a hacker and organizing cyber defenses accordingly.
• Put a monitoring system in place to detect anomalies, including computer behavior heuristics, for early detection of a potential problem.
• Use “white hat hackers” (cybersecurity professionals) for penetration testing to attack an organization’s network to identify vulnerabilities on a periodic basis.

Meg Rivers is Pharm Exec’s managing editor and can be reached at mrivers@mjhlifesciences.com.