Combatting OpSec threats to our COVID-19 vaccination efforts: What can we do?

COVID-19 vaccines have been rolling out for a few months now, but the nature of the pandemic and the number of people impacted by it mean that demand for these vaccines is enormous. And those of us in the security field know that any time you see high demand for a scarce resource, attackers are going to take advantage.

In this two-part series, we are exploring the different types of security threats that put our vaccination efforts at risk. In the first article, we wrote about cybersecurity risks. In this one, we’ll dive into operations security threats to the supply chain. High demand for vaccines makes interference with the supply and their distribution excellent leverage for coercion and extortion.

How are people threatening the vaccine supply chain?

Transporting and storing the vaccine requires very specific conditions. Maintaining these conditions creates significant pressure that can be exploited to extort elements of the supply chain. For example, the Pfizer-BioNTech vaccine requires a cold temperature-controlled supply chain, which is more fragile and expensive than a refrigerated supply chain. AstraZeneca’s vaccine can be stored and transported in a normal refrigerator, making the logistics cheaper and more resilient (but not immune) to disruption.

Various elements of the supply chain also contain useful information, including who is getting the vaccine, when, and how much. These espionage targets attract nation-state threat actors, such as APT29 and Cozy Bear. These threat actors see the intelligence value represented by these relatively soft targets — intelligence value that can be had for a fraction of the cost of a typical information operation and with a fraction of the risk.

We have already seen threats to the logistics chain. Thankfully, they have been small in scale so far. However, when you look at them through the lens of attacks like the cold-chain attacks in December 2020 or the Florida Water treatment attack from January 2021, it becomes increasingly clear what could happen should an attacker gain access to key aspects of the supply chain. Attacks against resource supply like this are nothing new – we have been poisoning wells (literally and figuratively) since medieval times.

The most vulnerable aspects of the supply chain will be:

• Physical supplies of vaccines

  Wherever humans have direct or indirect access to the bulk storage of vaccines, it becomes possible for an attacker to destroy the supply. This can be combined with other effects such as contamination that cause secondary harm in order to pour gasoline on an information operation.

• The industrial means of vaccine production
  These types of attacks have been a well-known and understood threat since the very beginning of the industrial revolution. Wherever vaccines are produced or stored in bulk, it becomes possible for an attacker to contaminate or interfere with the vaccine. This vector is much more likely to have a serious effect than simple destruction because it can be a long time before it is uncovered and has secondary and tertiary impacts like the erosion of trust or amplification of fear.

  All systems have vulnerabilities. So consider that if it’s possible to dump sodium hydroxide into the water supply, it is also possible to attack the means of vaccine production in a similar fashion.

  Unfortunately, our supply chains and industrial facilities are horribly exposed and adequate defenses are going to take us time to get in place. Many of our supply chains and linked processes are built on implicit trust and we lack the visibility to adequately understand the complete picture of risk that exposes us to.

How can we prevent these operations security threats?

Our vaccine supply chains are exposed and disorganized. Information is the lifeblood of logistics and fragmentation hinders effective coordination. By ensuring that we have cohesive, top-down planning for vaccine logistics that is fueled by accurate, timely information we can dramatically improve the vaccine supply chain.

While the ultimate goal of a true digital records system anchored in digital identity is some ways away, we can start putting the necessary pieces into place, and we can build it by leveraging the lessons we are learning today. It is clear from the performance across nations that this is the trajectory we should all take. Those countries with digital records and effective information chains have fared much better logistically and therefore been much more successful in carrying out the goal of vaccinating as many people as possible as quickly as possible. On the flip side, the countries with antiquated record keeping and fragmented medical services are struggling.

Until we can move towards more secure, intelligent architectures, we need to focus on being aware of and tracking the risks. We need to come up with ways to understand how our supply chains are organized. We also need to stop relying on implied trust. Just because a supplier is vetted, we can’t assume that it is aware of and vetting all of its own suppliers. The modern supply chain has many layers of abstraction and therefore many weak links. If anything, the risk is far more serious than many people realize.

You can see clear proof of this if you look at the Shodan website to see the number of industrial control systems exposed directly to the internet. In order to adequately defend these vital systems, we need to start really looking at risk, and most importantly we need to have some honest and quite likely uncomfortable conversations with the companies and manufacturers we depend on. If you use open-source intelligence (OSINT) tools to look at your company or your suppliers, what will you find? The simple fact is that right now the criminals are better at assessing our risks than we are.

Protecting the vaccine supply chain from attacks should be one of the primary efforts of 2021. In the last few weeks, we have seen some of the greatest supply chain attacks ever recorded. There will be more. Now that criminals and hostile nation-states have seen the blueprint for how successful these attacks can be, it is virtually guaranteed that copycat attacks are underway.

Contributing authors:
Sara-Jayne Terp, founder of Bodacea Light Industries and disinformation expert
Dr. Pablo Breuer, cyber warfare and disinformation expert
The Grugq, an information security researcher