
Is your Lab Secure?  Exploring the New Cyberbiosecurity World

Geoffrey Hummelke on May 30, 2022

As someone who is involved in molecular biology research, how often do you think about cybersecurity? Occasionally? Never? Perhaps you only think about it when you receive an email from your IT department regarding a security breach or a patch that needs to be installed on your computer?

If you are like most scientists, you probably leave those worries to your IT department. Unless your computer is affected by a virus or the network is down, your main concern with the computers you use is how they can make your work go faster. That is what these machines are designed for, and that is what you expect of them – to fit into your workflow neatly and efficiently.

When Scientific Data Were Secure

The workflow of scientific research has changed in recent years. Until the end of the 20th century, a typical workflow for molecular biology researchers involved mostly wet lab work. Relative to today’s research environment, little computer time was needed for anything other than writing, literature searches, or communicating with colleagues.

Computer-controlled machines during those years were becoming more common, expediting various tasks such as sequence analysis and oligonucleotide sequence design; however, very few of those machines were connected to the internet. The internet itself was still developing, and thoughts of securing data and information housed on the internet were still a new concern for all internet users, not just researchers. It was only near the end of the ’90s, as information on the internet began to be exploited for malicious purposes, that a need for “cybersecurity” was brought to computer users’ attention. 

Not only was the ability to access data remotely still developing in the ’90s, but there were also far fewer databases, with few centralized on remote servers “in the cloud.” Indeed, of the databases available, only a fraction were accessible over the internet. This was particularly true of science-based databases.

The first complete list of all existing molecular biology-related databases was published in Nucleic Acids Research in 1991, and consisted of only 53 databases, several of which were only available “via postal delivery of physical media such as floppy disks, CD-ROM, or even paper printout” (Imker, 2018). Given the relative dearth of molecular biology information and the effort necessary to obtain it, it is easy to understand why the scientific community gave minimal thought to the security of its data.

Efficient Data Exchange and Collaboration Trigger the Need for Scientific Data Security

Anyone who works in molecular biology today, particularly in the biotechnology industry, realizes that the great advances in computer technology of the last two decades have led to a wide variety of WiFi-enabled devices in their labs. It is now possible for data to travel directly from lab equipment to almost any destination one chooses, whether it be a cloud-based database or a smartphone. While good for scientific collaboration and more efficient workflow, these connected devices create millions of additional internet access points, or “nodes,” giving hackers more options to exploit.

Unfortunately, the biotechnology industry’s increasing dependence on computer-controlled instruments sets it up for cyberattacks (Peccoud et al.), although, to date, internet-connected devices used in biotechnology have not been subject to cyberattacks. As the number of these devices increases, and the information they transfer becomes more valuable, their vulnerability to attack will almost certainly be exploited.

The amount of biological information uncovered in the last two decades is proving to be more valuable as time goes by, particularly with regard to the sequencing of macromolecules such as DNA and RNA. The number of molecular biology-related databases has increased from 53 in 1991 to 1,727 unique databases as of 2016 (Imker, 2018).

Among those databases are ones containing the now-completed human genome sequence, as well as genome sequence data for 3,300 other species. All this data is extremely useful for the biotechnology industry and is continuously leading to important discoveries, especially in the area of medicine. As more discoveries are made, there will be more incentive for corporate espionage and corporate sabotage. It is therefore wise for the biotechnology community to increase awareness of the risks of the intersection of biotechnology and the internet, risks that have prompted a new term, “cyberbiosecurity.”

Cyberbiosecurity Prevents Cyberattacks that Exploit DNA

Cyberbiosecurity adds a new layer of concern when using connected machines in the lab. As stated in Peccoud et al., “In the current environment, the biotechnology industry needs to develop an enhanced culture of security that considers the intricate relationships between the computational and experimental dimensions of product development workflows.”

Now, in addition to familiar cybersecurity threats such as viruses, phishing scams, and malware, biotechnology labs need to be aware of new vulnerabilities that can disrupt or destroy their workflow. For instance, an article by Ney et al. from 2017 demonstrated, for the first time, “the synthesis of DNA which — when sequenced and processed — gives an attacker arbitrary remote code execution.” In other words, they designed a DNA molecule embedded with code to unleash a computer virus that allowed remote control of the targeted software.

Such a computer virus could be surreptitiously delivered via a contaminated DNA sample. In this same experiment, they also saw information leakage through sample bleeding, having used a multiplexed NGS machine to assess the risks of outsourcing DNA sequencing (Ney et al., 2017). The dangers posed by computer-virus encoded DNA molecules are multiple, and require a plan for preventing such an attack (https://www.hhs.gov/sites/default/files/hph-cyberthreats-to-biotechnology.pdf).

The vast amount of DNA sequence information now available in databases also makes it possible for malicious parties to obtain harmful sequences which can be synthesized and introduced into the environment (Peccoud et al.). With over 3,300 species genomes already sequenced, and plans to sequence all 1.8 million known eukaryotic genomes (https://phys.org/news/2022-01-huge-underway-sequence-genome-complex.html), the potential number of harmful sequences available in databases continues to increase. The biotechnology community will have to formulate a plan to prevent a biological attack of this nature.

Cyberbiosecurity By Design

As awareness of these risks spreads through the biotechnology world, it is incumbent upon researchers using connected lab equipment and the “internet of things” to actively look for ways to prevent potential attacks. Indeed, the head of the Biological Countermeasures Unit (BCU) at the FBI, Supervisory Special Agent (SSA) Edward You, has said that he hopes “the (scientific) community will…develop security solutions based on their expertise” (You and Kozminski, 2015). The U.S. Department of Health and Human Services (HHS) has also expressed the need for the biotech community to pre-plan protective measures for biosecurity by analyzing susceptible attack points of a workflow prior to implementation, allowing for preparation of strategies for preventing cyberattacks and, failing that, allowing for expedited remediation of a cyberattack (https://www.hhs.gov/sites/default/files/hph-cyberthreats-to-biotechnology.pdf).

Going forward, companies designing and using internet-connected lab equipment will have new things to consider, such as how to build software capable of analyzing sample sequence data files to identify embedded computer viruses and prevent them from executing. The Federal Trade Commission (FTC) calls this “security by design”, suggesting that companies should implement it along with considering “security features upfront during product development instead of trying to secure products as an afterthought (Foley and Lardner, LLP, 2017).” Planning for prevention of vulnerabilities during the design phase will save companies millions of dollars down the road.     
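One defensive reading of the requirement above, as an added example that is not NanoString's or any vendor's code: a strict, fail-closed check of a sequence file before any analysis tool parses it, which enforces the bounds downstream software assumes rather than trying to recognise malicious content. It assumes four-line FASTQ records (a format the article does not name); `validate_fastq`, the length limits and the sample data are constructed for illustration.

```python
import io

ALLOWED_BASES = frozenset("ACGTN")
MAX_READ_LEN = 1000    # assumption: set to the longest read your instrument emits
MAX_HEADER_LEN = 256   # assumption: generous bound for a read identifier


def _line(stream, limit):
    """Read one line without ever buffering more than limit + 2 characters."""
    raw = stream.readline(limit + 2)
    text = raw.rstrip("\r\n")
    if len(text) > limit:
        raise ValueError(f"line longer than {limit} characters")
    return raw, text


def validate_fastq(stream, max_read_len=MAX_READ_LEN):
    """Return (records_accepted, error); stop at the first bad record (fail closed)."""
    accepted = 0
    while True:
        try:
            raw, header = _line(stream, MAX_HEADER_LEN)
            if raw == "":
                return accepted, None  # clean end of file
            _, seq = _line(stream, max_read_len)
            _, plus = _line(stream, MAX_HEADER_LEN)
            _, qual = _line(stream, max_read_len)
            if not (header.startswith("@") and header.isascii() and header.isprintable()):
                raise ValueError("bad header line")
            if not seq or not set(seq) <= ALLOWED_BASES:
                raise ValueError("sequence is empty or has characters outside ACGTN")
            if not plus.startswith("+"):
                raise ValueError("missing '+' separator")
            if len(qual) != len(seq) or any(not 33 <= ord(c) <= 126 for c in qual):
                raise ValueError("quality string does not match sequence")
        except ValueError as exc:
            return accepted, f"record {accepted + 1}: {exc}"
        accepted += 1


# Constructed sample input, not real instrument output.
GOOD = "@read1\nACGTN\n+\nIIIII\n@read2\nGGCC\n+read2\n!!!!\n"
OVERLONG = "@read1\n" + "A" * 5000 + "\n+\n" + "I" * 5000 + "\n"
NON_BASE = "@read1\nACGT\x90\x90\n+\nIIIIII\n"

if __name__ == "__main__":
    for name, data in [("good", GOOD), ("overlong", OVERLONG), ("non-base", NON_BASE)]:
        print(name, validate_fastq(io.StringIO(data)))
```

A file that returns an error is quarantined rather than partially processed, since record boundaries cannot be trusted after the first malformed record.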

At NanoString®, we are designing and updating our machines to use best practices for cyberbiosecurity. For instance, our latest version of the nCounter® Analysis System, the nCounter® Pro, has an upgraded operating system (Windows 10 IoT), hard drive encryption (TPM 2.0), and data encryption (AES-256 and SHA-256) that help enable parts of a 21 CFR Part 11 environment, particularly important for the biopharmaceutical industry and contract research organizations.

Hard drive encryption ensures that data is secure from unauthorized access or theft; audit reports for tracking and reporting needs are easily available; rules for uploading and downloading data via USB stick, FTPS, and email establish controlled access; and an updated operating system ensures that networked file transfer between the nCounter and another networked system is secure.

There is one thing though about the nCounter Pro that hasn’t changed: the same simple and reliable digital barcoding chemistry that customers have relied on since 2008 gets you expression profiling data on 800+ genes in less than 24 hours with 15 mins hands-on time.  Paired with the ROSALIND® Platform in the cloud, you can analyze your data within minutes and collaborate with colleagues around the globe.

For more information on data security and the nCounter Pro, check out our webinar ‘Is your Lab Secure?  Data Security in Life Sciences.’

____

References:

Foley and Lardner, LLP, 2017 https://www.foley.com/-/media/files/insights/publications/2017/03/cybersecurity-in-the-pharma-biotech-and-medical-de/files/cybersecurity-in-the-pharma-biotech-and-medical-de/fileattachment/17mc3955cybersecuritywp.pdf

Imker HJ, 25 Years of Molecular Biology Databases: A Study of Proliferation, Impact, and Maintenance. Front. Res. Metr. Anal., 29 May 2018 | https://doi.org/10.3389/frma.2018.00018

Ney P, Koscher K, Organick L, Ceze L, Kohno T, 2017, Computer Security, Privacy, and DNA Sequencing: Compromising Computers with Synthesized DNA, Privacy Leaks, and More. https://dnasec.cs.washington.edu/dna-sequencing-security/dnasec.pdf

Peccoud J, Gallegos JE, Murch R, Buchholz WG, Raman S, Cybersecurity: From Naive Trust to Risk Awareness. Trends in Biotechnology, January 2018, Vol. 36, No. 1

You, E. and Kozminski, K.G. (2015) Biosecurity in the age of Big Data: a conversation with the FBI. Mol. Biol. Cell 26, 3894–3897

https://www.hhs.gov/sites/default/files/hph-cyberthreats-to-biotechnology.pdf

https://phys.org/news/2022-01-huge-underway-sequence-genome-complex.html

Post by Geoffrey Hummelke