Is your Lab Secure? Exploring the New Cyberbiosecurity World
As someone who is involved in molecular biology research, how often do you think about cybersecurity? Occasionally? Never? Perhaps you only think about it when you receive an email from your IT department regarding a security breach or a patch that needs to be installed on your computer?
If you are like most scientists, you probably leave those worries to your IT department. Unless your computer is affected by a virus or the network is down, your main concern with the computers you use is how they can make your work go faster.
When Scientific Data Were Secure
In the ’90s there were a lot fewer databases, with few centralized on remote servers “in the cloud.” Indeed, of the databases available, only a fraction was accessible over the internet. This was particularly true of science-based databases.
The first complete list of all existing molecular biology-related databases was published in Nucleic Acids Research in 1991, and consisted of only 53 databases, several of which were only available “via postal delivery of physical media such as floppy disks, CD-ROM, or even paper printout (Imker, 2018).” It is easy to understand, given the relative dearth of molecular biology information and the efforts necessary to obtain it, that the scientific community gave minimal thought to the security of their data.
The Need for Scientific Data Security
The Rise of WiFi-Enabled Labs
Anyone who works in molecular biology today, particularly in the biotechnology industry, realizes that the great advances in computer technology of the last two decades have led to a wide variety of WiFi-enabled devices in their labs. It is now possible for data to travel directly from lab equipment to almost any device one chooses, whether it be a cloud-based database or a smartphone. While good for scientific collaboration and more efficient workflow, these connected devices create millions of additional internet access points, or “nodes,” giving hackers more options to exploit.
Unfortunately, the biotechnology industry’s increasing dependence on computer-controlled instruments sets it up for cyberattacks (Peccoud et al.), although, to date, internet-connected devices used in biotechnology have not been subject to cyberattacks. As the number of these devices increases, and the information they transfer becomes more valuable, their vulnerability to attack will almost certainly be exploited.
Cybersecurity Becomes Cyberbiosecurity
The amount of biological information uncovered in the last two decades is proving to be more valuable as time goes by, particularly with regard to the sequencing of macromolecules such as DNA and RNA. The number of molecular biology-related databases has increased from 53 in 1991 to 1,727 unique databases as of 2016 (Imker, 2018).
Among those databases are ones containing the now-completed human genome sequence, as well as genome sequence data for 3,300 other species. All this data is extremely useful for the biotechnology industry and is continuously leading to important discoveries, especially in the area of medicine.
As more discoveries are made, there will be more incentive for corporate espionage and corporate sabotage. It is therefore wise for the biotechnology community to increase awareness of the risks of the intersection of biotechnology and the internet, risks that have prompted a new term, “cyberbiosecurity.”
Cyberbiosecurity Prevents Cyberattacks that Exploit DNA
What is Cyberbiosecurity?
The term “cyberbiosecurity” incorporates the concepts of biosecurity (security from unauthorized access, theft, and misuse of biological material) and cybersecurity (protection from criminal or unauthorized use of electronic data).
Cyberbiosecurity adds a new layer of concern when using connected machines in the lab. As stated in Peccoud et al., “In the current environment, the biotechnology industry needs to develop an enhanced culture of security that considers the intricate relationships between the computational and experimental dimensions of product development workflows.”
DNA as the Next Virus
Now, in addition to familiar cybersecurity threats such as viruses, phishing scams, and malware, biotechnology labs need to be aware of new vulnerabilities that can disrupt or destroy their workflow. For instance, an article by Ney et al. from 2017 demonstrated, for the first time, “the synthesis of DNA which — when sequenced and processed — gives an attacker arbitrary remote code execution.” In other words, they designed a DNA molecule embedded with code to unleash a computer virus that allowed remote control of the targeted software.
Such a computer virus could be surreptitiously delivered via a contaminated DNA sample. In this same experiment, they also saw information leakage through sample bleeding, having used a multiplexed NGS machine to assess the risks of outsourcing DNA sequencing (Ney et al., 2017). The dangers posed by computer-virus encoded DNA molecules are multiple and require a plan for preventing such an attack.
The vast amount of DNA sequence information now available in databases also makes it possible for malicious parties to obtain harmful sequences which can be synthesized and introduced into the environment (Peccoud et al.). With over 3,300 species genomes already sequenced and plans to sequence all 1.8 million known eukaryotic genomes, the potential number of harmful sequences available in databases continues to increase. The biotechnology community will have to formulate a plan to prevent a biological attack of this nature.
Cyberbiosecurity By Design
National Security Makes the Case for Increasing Cyberbiosecurity
As awareness of these risks spreads through the biotechnology world, it is incumbent upon researchers using connected lab equipment and the “internet of things” to actively look for ways to prevent potential attacks. Indeed, the head of the Biological Countermeasures Unit (BCU) at the FBI, Supervisory Special Agent (SSA) Edward You, has said that he hopes “the (scientific) community will…develop security solutions based on their expertise (You and Kozminski, 2015).” The U.S. Department of Health and Human Services (HHS) has also expressed the need for the biotech community to pre-plan protective measures for biosecurity by analyzing susceptible attack points of workflow prior to implementation, allowing for preparation of strategies for preventing cyberattacks, and failing that, allowing for expedited remediation of a cyberattack (https://www.hhs.gov/sites/default/files/hph-cyberthreats-to-biotechnology.pdf).
Going forward, companies designing and using internet-connected lab equipment will have new things to consider, such as how to build software capable of analyzing sample sequence data files to identify embedded computer viruses and prevent them from executing. The Federal Trade Commission (FTC) calls this “security by design”, suggesting that companies should implement it along with considering “security features upfront during product development instead of trying to secure products as an afterthought (Foley and Lardner, LLP, 2017).” Planning for prevention of vulnerabilities during the design phase will save companies millions of dollars down the road.
Cyberbiosecurity Updates From Life Sciences
At NanoString®, we are designing and updating our machines to use best practices for cyberbiosecurity. For instance, our latest version of the nCounter® Analysis System, the nCounter® Pro, has an upgraded operating system (Windows 10 IoT), hard drive encryption (TPM 2.0), and data encryption (AES-256 and SHA-256) that help enable parts of a 21 CFR Part 11 environment, which is particularly important for the biopharmaceutical industry and contract research organizations.
Hard drive encryption ensures that data is secure from unauthorized access or theft. Audit reports for tracking and reporting needs are easily available, and rules for uploading and downloading data via USB stick, FTPS, and email establish controlled access. An updated operating system ensures that networked file transfers between the nCounter and another networked system are secure.
There is one thing, though, about the nCounter Pro that has not changed: the same simple and reliable digital barcoding chemistry that customers have relied on since 2008 gets you expression profiling data on 800+ genes in less than 24 hours with 15 minutes of hands-on time. Paired with the ROSALIND® Platform in the cloud, you can analyze your data within minutes and collaborate with colleagues around the globe.
For more information on data security and the nCounter Pro, check out our webinar ‘Is your Lab Secure? Data Security in Life Sciences.’
References
Foley and Lardner, LLP (2017) https://www.foley.com/-/media/files/insights/publications/2017/03/cybersecurity-in-the-pharma-biotech-and-medical-de/files/cybersecurity-in-the-pharma-biotech-and-medical-de/fileattachment/17mc3955cybersecuritywp.pdf
Imker, H.J. (2018) 25 Years of Molecular Biology Databases: A Study of Proliferation, Impact, and Maintenance. Front. Res. Metr. Anal., 29 May 2018. https://doi.org/10.3389/frma.2018.00018
Ney, P., Koscher, K., Organick, L., Ceze, L. and Kohno, T. (2017) Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More. https://dnasec.cs.washington.edu/dna-sequencing-security/dnasec.pdf
Peccoud, J., Gallegos, J.E., Murch, R., Buchholz, W.G. and Raman, S. (2018) Cybersecurity: From Naive Trust to Risk Awareness. Trends in Biotechnology, January 2018, Vol. 36, No. 1.
You, E. and Kozminski, K.G. (2015) Biosecurity in the age of Big Data: a conversation with the FBI. Mol. Biol. Cell 26, 3894–3897.