Home Interviews “My biggest concern is sabotage of the vaccine either through propaganda or...

“My biggest concern is sabotage of the vaccine either through propaganda or manipulation”

Heath Renfrow, CISO at Conversant Group, discusses new threat vectors affecting COVID-19 vaccine supply chains and espionage around vaccine-related organizations.

Heath Renfrow

Cyberattacks on the health care sector are the ugly reality of today. And the pandemic may have only enhanced it. If the attack on vaccine development from state-sponsored actors was what made major headlines in late 2020, this year it is on the vaccine supply chain. The common denominator here is the vaccine. Several cyber-espionage attempts were also leveled as precisely targeted phishing campaigns against the companies. Even on the dark web, several malicious actors and scammers are often found discussing the vaccine market. In fact, the battle for the vaccine market has already begun, and we can expect espionage around vaccine-related organizations to grow further.

To understand this new threat vector even deeper, Augustin Kurian from CISO MAG caught up with Heath Renfrow, the CISO at Conversant Group. Renfrow was also the former CISO of United States Army Healthcare. He has more than two decades of experience as a high-level information security specialist, much of it as a CISO in the United States Department of Defense, where he addressed some of the nation’s most significant cyber challenges. In 2017, he was named Global CISO of the Year by the ECCouncil. In this brief interview, Renfrow explains the vaccine supply chain attacks, GPS Spoofing, prevention methods organizations can adopt, and some alarming trends.

Edited excerpts from the interview follow:

Hackers have begun targeting the vaccine cold chain – the systems and organizations involved in their necessary sub-zero storage and transport. The transport boxes for the vaccines have been equipped with GPS trackers, which could be vulnerable. What are the necessary steps that need to be adopted to ensure the supply chain is not the weakest link?

GPS Spoofing is not something new, in fact, the Department of Defense (DoD) put heavy emphasis on these flaws back as early as the 2006 timeframe. Today we see threat actors and terrorist organizations using cyberattacks to spoof military drones to merchant ships’ GPS to hijack cargo. In the case of this particular supply chain, I would engage a firm to conduct tests for spoofing. Outside of the cargo in transit, it is imperative that these organizations have dedicated information security personnel, routine penetration testing, the latest EDR technology, incident response plan and playbooks, and cyber insurance as a mitigation control.

Several experts have more confidence in the integrity of the vaccine approval process than in the security of the control systems used for the tracking. How can federal bodies be leveraged more on this front?

I am not sure how confident I am in the security process as a whole around the vaccines, not just the tracking of the vaccines. These vaccines are being produced in operational technology (OT) environments, and the manufacturers of these products are a huge target for threat actors and even cyber terrorism. Cybercriminals will want to steal data, sell it, or even ransom the environment and make a ton of money. Terrorists could look to sabotage the production, or even manipulate the vaccines where they cause harm, not good. The tracking of these vaccines is one thing, but the overall security around these organizations should be a concern and should be heavily ramped up in the age we are living in now (COVID-19). As far as government stepping in, Operation Warp Speed here in the United States is a partnership between private and public sectors, including military logistics and transportation.

Organizations securing the data of patients receiving COVID-19 vaccine shots will be vulnerable and public trust in the vaccine effort is at risk. What are the best practices for cyber-immunity for these organizations? And majorly, what can the public do?

Cybersecurity foundational pieces should be in place no matter the type or size of an organization. The best practice would be to follow a known cybersecurity framework, invest in cyber maturity steps, and have dedicated resources to those efforts. I do not see that COVID-19 has increased the threat of sensitive information being exposed or specific targeting of organizations giving the vaccines. The threat actors would however target those organizations to possibly deploy malware, encrypt (ransom) their environment, and shut down operations. This would have a huge effect on the distribution of vaccines and continue to put the world at risk…To read the full interview, subscribe to CISO MAG.

This interview first appeared in the April 2021 issue of CISO MAG.

Augustin KurianAbout the Interviewer

Augustin Kurian is the Assistant Editor of CISO MAG. He writes interviews and features.