Data security susceptibilities are exploited almost daily in commercial and industrial enterprises, spawning widespread social and economic uneasiness. As awareness increases, the stream of devastating cyberattacks that started just over a decade ago is now broadly seen as more aggressive and far-reaching. And while national headlines focus on political, financial, privacy, clinical, and industrial data breaches, laboratory data have become prime targets.
The Verizon Data Breach Investigations Report for 2018 showed 53,000 incidents, resulting in 2,216 data breaches in the United States. Gartner estimated global expenditures on information security at $114 billion in 2018 and projected a spending increase of 8.7 percent to $129 billion in 2019. In 2015, Juniper Research projected that worldwide cybercrime would cost businesses a total of $2.1 trillion in 2019.
Carol Jones, chief information officer at Sandia National Laboratories, says that cyberattacks have several drivers but happen fundamentally because the cost of entry to commit cybercrimes is minimal, cyberattacks are hard to detect, and consequences are largely absent even when bad actors get caught. “The risk-reward factor weighs heavily on the side of the attacker. For these reasons, cyberattacks are increasing and will continue to increase until additional measures are enacted,” she says.
“The internet and email remain the attack vectors of choice for the bad guys. Information systems and networks connected to the internet are under constant external attack. The attacks have not changed, but the public is now more aware due to increased disclosure regulations. New laws that require companies to disclose when they lose personally identifiable information are one example of the public’s increased awareness,” she says.
“The domain of cyber threats has grown exponentially in recent years,” says Long Cheng, assistant professor, School of Computing at Clemson University (Clemson, SC). He notes that cyber intrusions today access more personal user data than ever before, and he attributes the rise in cyberattacks to the increasing use of networked devices, such as smartphones and IoT (internet of things) devices, and an increasing dependence on digital technologies like cyber networks.
“More devices and digitalization mean more opportunities for maliciously-minded individuals. Also, speed of development has caused problems. Many companies release devices and services which have not been properly tested and secured,” says Cheng.
Joel Cardella, director of product and software security at Thermo Fisher Scientific, is responsible for ensuring that products and software sold by the company have appropriate, built-in security. He says that lab staff would be well advised to turn off everything on a device beyond what is needed for its intended job, especially on devices acquired without added security layers. The goal, he says, is to “try to minimize the risk profile of devices.”
“Our security operation centers keep abreast of the ever-changing threat landscape to make sure we are prepared to defend against them,” Cardella says. His team looks for hacktivism, actions of hackers with a cause, as well as spear phishing, where bad actors with a profit motive in mind target individuals in a company. He says they look for botnets, or large collections of computers that are sourced together for their computing power, to conduct data gathering or execute denial of service attacks or bitcoin mining, plus any number of other bad acts.
“The other thing that we do is we put security best practices inside our products. We are constantly monitoring best practices and ensuring that we are building products that are fundamentally secure themselves, independent of how they are deployed in the customer network,” says Brian Stewart, senior director, digital engineering, Thermo Fisher Scientific. “In addition, we sign up for penetration testing and ask other vendors to analyze what we have done as part of a validation network to do it properly. And then for customers who host some of the solutions that they will be using in their labs, we have standards and components that we need in our environment. We scan our systems and heavily protect our hosting environment to protect the IP of our customers, which is their data, actually,” says Stewart.
Cardella says, “When we sell a product or software that is really a closed system, those are unique items that we are giving to a customer that they are absorbing into their network—versus when you have another component that you are adding as part of a larger ecosystem.
“So we look at it in two ways—we take the item itself and examine what can be done to make its risk profile as small as possible, and we also look at the customer’s network—because it becomes a component of that network—and assess what a customer can do to ensure that it is operating in the lowest-risk environment as possible. We can provide the customer with guidance that will help them with their overall cybersecurity in the context of how they deploy our products. Overall, it ends up being greater guidance about cybersecurity,” he says.
By any measure, cyberattacks are more driven by the profit motive than ever before, and the public is more aware. Cheng says, “The mischievous cyber threat will likely always be around, but like any other environment, when a malicious actor realizes there is profit in a particular criminal vector, they will seek it out and exploit it.
“That is what has happened in today’s world. That profit, of course, could be direct monetary rewards, indirect monetary rewards as payment for a particular action, or even the realization of a political goal,” Cheng says. Focusing on laboratories specifically, Cheng adds, “Threats aimed at laboratories usually target data such as intellectual property. These threats can be used for data gathering. Also, threats can be aimed at data corruption or service disruption. Threats centered on data collection and corruption are more specific to laboratories or research facilities. Corrupting data can stifle innovation and set research ventures back many years.
“Laboratories and other facilities carrying out sensitive research could be at higher risk. In recent years, the most vulnerable areas of any organization have been the antiquated and unpatched terminals still connected to the network. Default passwords, unpatched security vulnerabilities, and configuration issues are common in network-connected appliances,” says Cheng.
Tess McCarthy, senior manager, cybersecurity resilience and culture, Thermo Fisher Scientific, says that laboratories were once able to operate as closed systems. “Their strategy was to just isolate the laboratory, but that is quickly becoming a thing of the past, because they now have to collaborate with a range of outside organizations to leverage technology and access more data, increasing their exposure and vulnerability.”
Stewart adds that awareness is much higher now and laboratories are paying more attention to the IT side of implementing connected solutions that are driving activities like lab monitoring, lab analysis, and data gathering from lab equipment for scientific purposes.
Commenting on why laboratories and other organizations must strive to stay ahead of bad actors, Jones says, “Every business relies on electronic information infrastructure to conduct its operations. Organizations that support data development and collection and share utilizing hardware and software that gather and deliver analytical data across multiple points of intersection can be especially vulnerable. The threat is real, and the adversary is continually evolving, driven by varying motivations. They are outpacing us. They have the capability to emulate our employees. They have a database of known vulnerabilities to exploit. They don’t play by any rules.”
On the question of labs defending against attacks, Cheng says, “Data security seems to be a problem which organizations prefer to fix after the fact. Large-scale data breaches occur on a regular basis. Usually, the attack is pulled off by accessing some obscure part of a network. Humans are the weakest link in the information security chain. In some cases, it is an employee who initiates the attack.”
McCarthy says, “Lab managers must make sure they remain security-minded in everything they do. When interacting with emails, they need to think through the request they received and understand and evaluate its validity. They must have a process in place to counteract the request—either by deleting it or subjecting it to investigation while taking the time to consider their actions.
“Don’t just plug in that thumb drive from a webinar before seriously evaluating the risks,” she cautions.
Jones concurs. “The same principles that have been used to protect your company from cyberattacks can be used to defend yourself against both operational technology (OT) and supply chain threats. These principles include developing a cyber-ready workforce and developing cyber defenses.
“Cybersecurity is not just a technology problem; it is a people, process, and knowledge problem. Everyone in the company needs to be cyber aware and adopt and implement sound cybersecurity practices. This includes training the workforce, as they are the first line of defense. Moreover, IT and cyber[security] must make it easy for employees to do the right thing,” she says.
Turning to key strategies that laboratories must implement to stay ahead of bad actors, Jones says, “Lab organizations must develop a plan to continually maintain IT environmental integrity, keeping up with new, high-quality products and services that address current and emerging threats. Vulnerabilities can be identified and patched, and credentials can be protected by employing multifactor authentication. Future operational technologies will have differing provisioning, security, monitoring, and management requirements. However, the same principles put in place for other cyber risks will help to secure the current information technology environment, including OT.”