Frontiers in Bioengineering and Biotechnology
As part of the national critical infrastructure, there are over 200,000 biological safety level-2 (BSL-2), high containment (i.e., BSL-3) and maximum containment (i.e., BSL-4) laboratories in the U.S. conducting public and private research, biological production, and diagnostic services.
Information about private sector infrastructure vulnerabilities or data breaches is protected from public release by the Protected Critical Infrastructure Information (PCII) Program if that information is voluntarily shared with the government for the purposes of homeland security. While private sector vulnerabilities are ferreted away, government sector vulnerabilities or data breaches are rarely shared with the public. For example, Title 42 U.S. Code 262a(h) specifically exempts some information held by the Select Agent program from the Freedom of Information Act. Therefore, while agencies of the federal government have developed awareness of vulnerabilities that exist in these labs, the public, and likely the many individuals who work in these labs, is not apprised of the significant safety and security vulnerabilities present in them. This also means that civilian safety and security solution providers cannot use the information that is known about these labs' vulnerabilities to develop solutions.
In short, the footprint is large, the vulnerabilities are significant, and the consequences are high.
Read the full article: https://doi.org/10.3389/fbioe.2019.00182
May 2019 presentation by Randall Murch, PhD, Research Lead and Professor of Practice, Virginia Tech, IPA to the Defense Threat Reduction Agency / Cooperative Threat Reduction, Presentation to the NAS National Materials and Manufacturing Board
Some IS Vulnerabilities of Bioprocess Development and Biomanufacturing:
- Surreptitious monitoring of activities and information to steal intellectual property or provide “operational intelligence” for subsequent nefarious activities
- Compromise of IT systems that result in corrupted data or communication links for secondary objectives
- Corruption of key aspects of bioprocess development or biomanufacturing resulting in a suboptimal or compromised product
- Induction of failure of key infrastructure components which results in negative impacts to bioprocess development or biomanufacturing
- Alteration of biologic (i.e., genomic, proteomic) data or bioinformatics analysis of such data which is being communicated through IT systems resulting in unwanted or harmful outcomes or downstream effects
- Negative interventions in the supply chain that result in contaminated reagents and consumables, which could be aided by surreptitious cyber monitoring of communications or transactions
Frontiers in Bioengineering and Biotechnology
Since 2011, the Consortium on Adventitious Agent Contamination in Biomanufacturing (CAACB), a biopharmaceutical industry consortium housed at the Massachusetts Institute of Technology’s Center for Biomedical Innovation, has worked to confidentially collect and anonymize data on virus contaminations in cell culture operations from Consortium-member companies. A similar approach could be taken to better understand and learn from cyberbiosecurity events across industry to move toward advanced manufacturing models in a united and safe way.
As the industry increasingly considers advanced manufacturing, especially for new therapeutic modalities, cyberbiosecurity needs to take a central role in the design of digital strategies, business models, technologies, standards and regulations that ensure supply security.
I have sat in many meetings with leaders and decision makers listening to people debate the definition of cyberbiosecurity.
- Some people define it as all of the cyber vulnerabilities in a biomedical laboratory. However, if this was the definition then that is cybersecurity.
- Some people define it as the misuse of genomic information. However, if this was the definition then that is a security and privacy issue.
- More dangerously, some people define cyberbiosecurity as anything that has to do with computers, technology, and biology. That is such a broad definition that in fact it doesn’t mean anything at that point.
Because there is no consensus, and because very few people have ever actually worked in both cybersecurity and biosecurity, then the term is confusing and misleading.