January 17, 2020

Stakes of security especially high in the pharmaceutical industry to prevent cyber attacks.

 

Executive Summary

“As to diseases, make a habit of two things — to help, or at least, to do no harm.”
― Hippocrates

To paraphrase Hippocrates, hackers, criminals and nation states are looking to harm pharmaceutical companies and therefore negate important societal benefits. The need to protect the integrity and availability of treatments pharmaceutical companies develop and distribute cannot be overstated.

Industry Overview

Unfortunately, there has been a high level of cyber-attacks on the pharma industry. Pharma companies are prime targets given the high value of their intellectual property. Previous attacks have yielded the attackers compound information, including patented formulas and clinical trial data. The pharmaceutical and biotech industry is among the most targeted by cybercrime, according to a Detica report in partnership with the UK’s Office of Cyber Security and Information Assurance. The increasing complexity of the technology landscape and industry trends like new delivery methods and modernizations to the supply chain increase the threat surface. The collaborative model of the industry, as exemplified by platforms like Exostar, increases the opportunity for unauthorized access. Leveraging the cloud adds to the number of moving parts. As Larry Ponemon, chairman and founder of the Ponemon Institute, recently said, “We see most data breaches in pharma during the move to the cloud: More than half of incidents happen during this move. The knowledge to do this migration well is critically important, and many of these organizations don’t have the people to do this correctly, and that’s definitely an issue.”

Cyber-attacks targeting the pharma industry differ from attacks on banking or retail, where the objective is fraudulent financial transactions. Pharma attackers are looking to break in, move laterally, stay undiscovered for long periods of time, and eventually exfiltrate the crown jewels. Often the attackers are relatively sophisticated: nation states rather than script kiddies or criminal hacker organizations.

The first line of defense is to manage the identities and credentials that can provide super user access to your data and network. Compromised privileged access credentials allow outsiders to appear as normal employees, bypassing existing monitoring and auditing defenses. Compromised credentials allow for continued access to your infrastructure, on prem or in the cloud, and exfiltration through encrypted channels. So-called Privileged Access Management (PAM) solutions provide a means to protect against the attacker leveraging forged credentials.

Let’s look at some of the pharmaceutical industry threats of the last few years:

  • NotPetya: In 2017, NotPetya ransomware spread quickly around the world, impacting more than 600 sites in 130 countries. Global costs are estimated at $1.2 billion, with one multinational pharmaceutical company taking a $300+ million per quarter hit. In fact, June 27, 2017, was “the closest thing we’ve seen” to a cyber catastrophe, warns Marcello Antonucci, global cyber and technology claims team leader at the insurer Beazley PLC. “NotPetya was a wake-up call for everybody.” The $1.3 billion in losses that Merck claims includes expenses such as repairing its computer networks and the costs of business that was interrupted by the attack. Insurance companies are still arguing over who owes Merck.
  • Winnti: Two major pharmaceutical players confirmed earlier this year that they were impacted by the Winnti cyberattack, thought to be supported by the Chinese government. Fortunately, both companies reported no loss of sensitive data.
  • Unnamed Intruder: A biopharma company disclosed that a May 2019 attack harvested data from around 1% of its clients. The financial impact is not yet known.

In summary, the pharma industry is:

  • Highly exposed due to an expanded threat surface because of increased complexity
  • Already on the radar of hackers and threat actors thanks to highly valuable IP data
  • Lagging behind other industries in applying cyber security best practices

Industry Trends

Transition to the Cloud

Pharma companies are moving to the cloud although R&D functions may still be more tightly managed on prem. The drivers for cloud adoption include both cost reduction and increased efficiency driven by increased demands for mobility and business cycles.

Obstacle 1: Your Legacy IT Access Paradigm can be an Obstacle to Cloud Transformation

The Secure Shell (SSH) protocol is the de facto method of remotely accessing Linux-based servers and transferring data securely between them. An SSH key is an access credential in the SSH protocol. Its function is similar to that of user names and passwords, but the keys are primarily used for automated processes and for implementing single sign-on by system administrators and power users. Based on our research, major enterprises might have millions of these keys in their environment. Some reasons:

  • These keys can be self-provisioned by system administrators in minutes
  • It is easier to create new keys than to delete existing ones without breaking anything on the network
  • The keys can be shared without assigning an identity to them and they can exist outside your network if granted to 3rd parties
  • These can grant access that is invisible to established security controls, such as traditional Privileged Access Management (PAM), SIEM or DLP solutions.
  • This is happening today with an encryption protocol that has existed for the last 20 years, quietly doing its work while spreading because of the growth of an open source distribution model. SSH uses encryption keys that have been largely forgotten yet provide the most critical form of access into your networks.
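
As an added illustration (not from the original post and not SSH.COM product code), the Python below shows what auditing such keys involves: it parses `authorized_keys` entries, fingerprints each key, and reports keys with no `from=` or `command=` restriction, no identifying comment, or the same key trusted by several accounts. The account names, paths, key blobs and the policy checks themselves are constructed assumptions.

```python
import base64
import hashlib
import re
from collections import defaultdict

KEY_TYPE = re.compile(r'(ssh-|ecdsa-sha2-|sk-)\S+$')
OPTION = re.compile(r'([A-Za-z0-9-]+)(?:="((?:[^"\\]|\\.)*)")?(?:,|\s+)')

def parse_entry(line):
    """Split one authorized_keys line into (options, fingerprint, comment)."""
    opts, pos = {}, 0
    while not KEY_TYPE.match((line[pos:].split(None, 1) or [""])[0]):
        m = OPTION.match(line, pos)  # quoted values may hold spaces and commas
        if not m:
            raise ValueError("bad option syntax")
        opts[m.group(1).lower()] = m.group(2)
        pos = m.end()
    fields = line[pos:].split(None, 2) + ["", ""]  # pad a missing blob/comment
    digest = hashlib.sha256(base64.b64decode(fields[1])).digest()
    fp = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    return opts, fp, fields[2]

def audit(files):
    """files maps account -> authorized_keys text; returns (account, fingerprint, issue)."""
    findings, owners = [], defaultdict(set)
    for account, text in files.items():
        for line in map(str.strip, text.splitlines()):
            if not line or line.startswith("#"):
                continue
            opts, fp, comment = parse_entry(line)
            owners[fp].add(account)
            if "from" not in opts:
                findings.append((account, fp, "no from= source restriction"))
            if "command" not in opts:
                findings.append((account, fp, "no forced command="))
            if not comment:
                findings.append((account, fp, "no comment naming an owner"))
    findings += [(",".join(sorted(a)), fp, "key shared across accounts")
                 for fp, a in owners.items() if len(a) > 1]
    return findings

KEY_A, KEY_B = "QUFBQQ==", "QkJCQg=="  # constructed blobs, not real keys
SAMPLE = {  # constructed authorized_keys contents for three accounts
    "oracle": f'from="10.2.0.0/16",command="/opt/backup.sh --nightly, full" ssh-ed25519 {KEY_A} backup@jump01\n',
    "root": f'# provisioned by hand\nssh-rsa {KEY_B}\n',
    "deploy": f'no-pty ssh-rsa {KEY_B} ci\n',
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=" | ")
```

The fingerprint uses the same SHA256 format that `ssh-keygen -l` prints, so findings can be matched against server logs and other inventories.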

Who uses SSH in your organization? More people than you probably realize…

  • IT administrators use the SSH protocol to remotely access operating systems, application databases and network devices.
  • Developers accessing systems, moving code between systems and into cloud environments.
  • Applications on autopilot securely moving data between applications, both on premise and to the cloud.
  • Supply chain vendors and outsourced managed service providers that support and maintain corporate networks.

This creates an incredibly complex web of connections and critical access credentials that is impossible to keep track of manually. Moving to the cloud without solving this problem means that your business loses the efficiency and agility gains promised by the cloud.

Obstacle 2: Unmanaged SSH Keys

  • The threat surface is increasing because of larger and more complex networks. This is only likely to continue with the massive rise in cloud platforms, sophisticated mobile stacks and the advent of enterprise-present IoT and embedded systems.
  • The bad guys are getting more sophisticated, sharing exploits and malware through the dark web.
  • Third party and supply chain risk increase exposure as more outsourcing takes place and more complex and global business ecosystems emerge.
  • Insider threats stemming from the dark web, which has been reaching out to insiders to buy their SSH login credentials.

Perhaps the most worrisome application of the SSH protocol comes from hackers and malicious insiders; it is their preferred method to move laterally throughout our networks. In many pharma institutions, accountability, manageability, governance and even knowledge of these keys is unclear, opening the door to compliance violations. At the heart of the issue is access control. It’s all about protecting the data. It doesn’t matter whether access is being requested by a machine, admin or business user. Recently ISACA issued guidance to the compliance and audit community on how to leverage SSH key management best practices titled “SSH: Practitioner Considerations.”

https://www.ssh.com/compliance/isaca/

In one customer case, an environment of 10,000 Unix/Linux hosts lacked strong SSH key management, which equated to 1.5 million application keys granting access and 70,000 keys each for database administrators and system administrators. There can be up to one billion authentications per year granting access. The majority of the access available via these keys is obsolete, having been assigned to employees or third parties who no longer work with or for the organization.

Obstacle 3: Compliance

The pharmaceutical industry is one of the most heavily regulated, especially by the FDA and other agencies. Recent data breaches have only increased scrutiny of the pharma industry. Trust relationships between consumers of medicine and pharma companies must be protected by utilizing best practices as defined by compliance regimes.

Regulatory pressure and market dynamics have made compliance a key function in managing risk, especially as it relates to cybersecurity across the enterprise. Specifically, data protection laws, data breach reporting, and the increased use of outsourced providers all relate to the ubiquitous and unmanaged use of SSH across the estate. Proactive management of SSH reduces costs and lowers cyber risk, and therefore limits audit findings or regulatory scrutiny.

Solutions

Fix the legacy: Discover, manage and automate your entire SSH key environment

Before moving your infrastructure to the cloud, control and monitor encrypted channels enabled by SSH. This ensures that you don’t replicate the problem in the cloud, have a better security posture to make the move and mitigate existing risks at the same time. With our Universal SSH Key Manager®, you will:

  • Gain full visibility into how critical servers are accessed and by whom on the network: define trust relationships across your infrastructure
  • Eliminate the SSH keys that no longer should exist, for example, if they are obsolete or in violation of your security policies
  • Prevent backdoor access and find the keys created outside your PAM software
  • Grant server specific access with limited privilege for tasks that do not require admin or root-level access
  • Gain compliance with regulations and face an audit with confidence

Build the future: agile and lean access at scale

Your move to the cloud should reduce cost and reduce time to market. Back your cloud strategies with PrivX®, a more cost-effective and secure solution. Compared to legacy PAM (privileged access management) products, PrivX helps you to:

  • Fortify your cloud deployments by controlling access to your AWS, GCP and Azure-hosted servers
  • Cut the costs of credentials lifecycle management and vaulting by instead granting short-lived authentication to users only when they need it.
  • Strengthen your security posture; eliminating credentials also reduces your threat surface.
  • Economize on deployment and maintenance efforts by avoiding the use of agents, commonly required by PAMs, on your client workstations and hosts.

How to get started with your secure cloud transformation?

SSH.COM offers pharma institutions:

  • a Risk Assessment (https://www.ssh.com/products/ssh-risk-assessment/) that delivers a detailed analysis of risks around SSH mismanagement
  • a workshop on SSH key management best practices
  • Universal SSH Key Manager®, a product offering that addresses SSH key management issues
  • PrivX®, an access gateway for dynamic and multi cloud provider environments

SSH.COM is committed to partnering with you to provide clear sailing and prevent the factors that could conspire to threaten your organization. Taking advantage of disruptive technologies and protecting your infrastructure while increasing governance is a winning formula for continued growth in the pharmaceutical industry.

Further Reading

NIST IR 7966: Guidance on SSH Keys: https://www.ssh.com/compliance/nist-7966/

ISACA SSH Audit: Practitioner Considerations Guidance: https://www.ssh.com/compliance/isaca/

 

Andrew Hammond

Market maker and business builder for cyber security, advanced technologies, network and web infrastructure, computing platforms and application software. Functional expert in direct, channel and OEM sales, marketing, business development, and product management. Proven leader for companies seeking growth through new...
