Sizing Up Synthetic DNA Hacking Risks
Study Describes How a Supply Chain Attack Might Work
Could hackers inject malicious code that compromises the synthetic DNA supply chain and ultimately tricks bioengineers into inadvertently developing dangerous viruses or toxins? A new research report says that's a growing concern and calls for robust security measures.
The study - Cyberbiosecurity: Remote DNA Injection Threat in Synthetic Biology - by security researchers at Ben-Gurion University of the Negev in Israel sizes up the cyberthreats facing the emerging synthetic bioengineering segment of the healthcare sector.
"It is currently believed that a criminal needs to have physical contact with a dangerous substance to produce and deliver it," the Ben-Gurion University report states. "However, malware could easily replace a short sub-string of the DNA on a bioengineer's computer so that they unintentionally create a toxin-producing sequence."
DNA synthesis companies, which produce and ship the DNA sequences provided by their clients, are an important element of the growing synthetic biology market, the researchers write. "Synthetic DNA is available in multiple ready-to-use forms," they note.
"Currently, the software stack used to develop synthetic genes is loosely secured, allowing the injection of rogue genetic information into biological systems by a cybercriminal with an electronic foothold within an organization's premises," the researchers write. "Many bioengineering tools are now easily accessible by biohackers and do-it-yourself biology enthusiasts. Online interaction between bioengineers and DNA synthesis companies serve as an additional attack vector, through which rogue genetic information can be injected into a biological system."
Security Controls Needed
Because of the many dangers of synthetic biology, rigorous security controls are required, the researchers write.
One such control is the U.S. Department of Health and Human Services' Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA, which was released in 2010, the paper notes.
"Unfortunately, these and similar guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare," according to the report. "Biosecurity researchers agree that an improved DNA screening methodology is required to prevent bioterrorists and careless enthusiasts from generating dangerous substances in their labs."
Remote DNA Injection Attack
In their study, the Ben-Gurion researchers focus on a potential cyberattack involving "remote DNA injection" that exploits several vulnerabilities. Those include "insufficient integrity controls" at the software level, weakness of the HHS guidelines at the biosecurity level and other factors.
A remote DNA injection attack could potentially trick a victim who is using synthetic DNA from a supplier "into producing a dangerous substance in the victim's lab, without the victim's knowledge or physical interaction between the attacker and the lab components," the report says.
In a statement provided to Information Security Media Group, an HHS spokesperson says: "The HHS Screening Framework Guidance for Providers of Synthetic Double-Stranded DNA provides guidance to companies that supply scientists with synthetic DNA. In complying with this HHS guidance, suppliers run synthetic DNA sequences and material through screening mechanisms and those mechanisms would identify malicious codes before the sequences or material were released to researchers and product developers."
The HHS spokesperson adds: "Cybersecurity for healthcare facilities and equipment manufacturers is a separate subject; HHS has worked with other federal agencies and the private sector on guidance and on information sharing mechanisms for growing cyberthreats, such as from ransomware."
Rami Puzis, head of the Ben-Gurion University Complex Networks Analysis Lab and a co-author of the study, tells ISMG that the researchers decided to examine potential cybersecurity issues involving the synthetic bioengineering supply chain for a number of reasons.
"As with any new technology, the digital tools supporting synthetic biology are developed with effectiveness and ease of use as the primary considerations," he says. "Cybersecurity considerations usually come in much later when the technology is mature and is already being exploited by adversaries. We knew that there must be security gaps in the synthetic biology pipeline. They just need to be identified and closed."
"You don't have to be a statistician nor a cybersecurity expert to understand that the threat is very real."
—David Finn, CynergisTek
The attack scenario described by the study underscores the need to harden the synthetic DNA supply chain with protections against cyber biological threats, Puzis says.
"To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing. We hope this paper sets the stage for robust, adversary resilient DNA sequence screening and cybersecurity-hardened synthetic gene production services when biosecurity screening will be enforced by local regulations worldwide."
Puzis acknowledges that biosecurity regulations are already in place "and some of them do concern the production of synthetic DNA" - including certain regulations in California.
Supply Chain Threats
Former healthcare CIO David Finn, an executive vice president at privacy and security consulting firm CynergisTek, says the threat of "biohacking" is a growing worry.
"You don't have to be a statistician nor a cybersecurity expert to understand that the threat is very real," he says. "You take what we are seeing happening in terms of attacks, targets and vulnerabilities and the staggering risks involved - this is a major concern for the synthetic DNA supply chain."
Meanwhile, as potential cyberthreats to the synthetic bioengineering segment of the healthcare sector evolve, hackers also continue to threaten pharmaceutical firms involved with COVID-19 vaccine and treatment research and development (see: APT Groups Target Firms Working on COVID-19 Vaccines).
Reuters reported Friday that suspected North Korean hackers unsuccessfully tried to break into the systems of AstraZeneca in recent weeks as the U.K.-based drugmaker races to deploy its COVID-19 vaccine.
The hackers posed as recruiters on networking site LinkedIn and WhatsApp to lure AstraZeneca staff with fake job descriptions in documents containing malware, Reuters reports.
Attempts to hack pharmaceutical and bioengineering firms - as well as their supply chains - will continue to surge and morph, Finn says.
"Many predicted the shift in attacks from healthcare researchers and providers to the supply chain some time ago as it looked like [COVID-19] vaccines would really begin [to ship] this year," he says.
"The threats will grow and evolve through the [COVID-19] surge and the extended distribution period for these two-part vaccines. The patterns of transport will become known, storage areas will be identified and anyone along that supply chain had better be taking all known precautions - from a cyberthreat perspective. Why attack a research lab when all you have to do is cut off the power and let the vaccines spoil?"
More Attention Needed
Finn suggests that the healthcare sector needs to intensify its attention to shoring up supply chain cybersecurity.
The National Institute of Standards and Technology's cybersecurity framework version 1.1, which incorporated the supply chain, "was released in the first half of 2018 and is still one of the lowest-scored areas we see across the healthcare sector," Finn notes.
"We have seen the federal government get serious about supply chain with their Cybersecurity Maturity Model rolling out this year. It is a unified standard for implementing cybersecurity across the defense industrial base. That includes more than 300,000 companies in the Department of Defense's supply chain - so it can be done to scale."
Sectorwide cooperation is needed to avoid "some horrendous event," Finn says. "Seems like it is up to the healthcare sector to act or suffer the consequences."
ISMG executive news editor Tony Morbin contributed to this article.