Kroll's Security Concepts Podcast

Stacy Scott is a managing director in Kroll's Cyber Risk practice based in Texas. Stacy was the CSO for one of the largest healthcare companies in Texas and has guided several organizations' cyber security programs as a virtual CSO before leading cyber risk strategy for Kroll, focusing on effective ways to improve clients' cyber resilience.

Richard Dailly is a managing director in Kroll's Business Intelligence and Investigations practice in Hong Kong. He recently relocated from Kroll's Singapore office, prior to which he established Kroll's office in Mumbai. In 2013, following the collapse of the Rana Plaza building in Bangladesh, Richard established Kroll's interest in modern slavery and human trafficking within corporate supply chains.

Nick Doyle is a managing director and EMEA leader of the Security Risk Management practice. He has managed over 600 projects in 70 countries during his time at Kroll. Nick holds a master's degree in security management and had a distinct career in the military and law enforcement. He specializes in helping companies mitigate security risk and has worked on many crisis management and supply chain risk management cases for our clients.

Passages from the Episode

Physical Security Challenges Facing Pharmaceutical Supply Chains

“What are the top issues facing pharmaceutical supply chains in the development and distribution of vaccines today?” – Jeff Kernohan

“Pharmaceutical supply chains are a growing concern due to COVID-19 vaccine development and its eventual distribution. Capacity is going to be the issue though—capacity around distribution, capacity around temperature control containers. Governments and industry are going to have to work collectively together and plan. That's the key word, plan. Businesses are used to moving a lot of products, but the size of the distribution required will be unprecedented. We saw an indication of this around the distribution of personal protective equipment, which is still ongoing now. Security must be end-to-end because any breach could shake confidence. The success of a vaccine is partly because of the medical effects and partially because of public confidence. And security does support public confidence. Planning and assessing potential weak links in what might be a hurried and wide-scale rollout should be a priority for companies.” – Nick Doyle

We've seen in the front page of the newspapers in the UK, when a pharmaceutical company moved to a new warehouse, which led to a very significant drop in processing capability. This could impact COVID testing, alongside tests for cancer and heart disease. Where companies are looking to expand or move or streamline their business operations and capacity building, this may cause issues where businesses have moved to ill prepared sites. Even though situations may be fast moving, companies will still need to look ahead to try and anticipate issues. So again, planning is the key focus for companies at this time.” – Nick Doyle

Cyber Security Challenges Facing Pharmaceutical Supply Chains

“Stacy, when you see the cyber side of this, what issues are you seeing in that supply chain for the vaccines that might be coming out in the very near future?” – Jeff Kernohan

“We're seeing a lot of attention obviously paid to the full supply chain. And even before distribution, we're seeing it in research and development and getting it out of manufacturing and developing of a formula for these vaccines. Everybody wants to be the first to develop this global vaccine that's likely going to be needed in mass quantity or at least to be prepared in mass quantity. We're seeing attacks on manufacturing and logistics within companies to try and get information, to race against the clock and raced against each other to be the first one to hit the market with it.” – Stacy Scott

“With that, we expect to see attacks on logistics like you're talking about. If we can't beat you to the formula and get our vaccine out before yours, whether it's a company or a government, we are likely to see attacks on, ‘well, let's disrupt their distribution so we can at least beat them to that punch as well." With PPE, we already saw this as well. It was, ‘who can get us what we need now? Who can get us the hand sanitizer? Who can get us these N95s the fastest because we just need them now?’ And I think the vaccine is going to follow suit in that way.” – Stacy Scott

“The attacks are on all the systems, all the data used to communicate, used to develop, used to follow the process, the workflow of any kind of supply chain; where is my truck, what's on the truck, how many vaccines are on the truck, where is it going, is it going to the right place, have we received payment. We're seeing attacks on all of those types of systems, and folks just fishing around for more information on corporate networks, but also in those supply chain systems in monitoring.” – Stacy Scott

“A lot of that is cloud-based now, and when you get to logistics, there's a lot of IoT on those trucks that monitors where they are and tracks on a geo map where they're located and where they're headed. And we're seeing a lot of attacks on those types of things. Folks are looking to not only rush to get the information and the vaccine developed and out and distributed, they're looking to put in the protections and really detections to see if anything is going wrong or is disrupted and respond to it as quickly as possible.” – Stacy Scott

Increase Vaccine Supply Chain Risks Due to COVID-19

“Are the challenges directly based on COVID-19 and this vaccine that everybody's waiting for? Are we seeing an increase in this based on COVID-19?” – Jeff Kernohan

“I think COVID has definitely intensified and increase the quantity. There are different reasons, different motivations for these attacks. Obviously there's the economic gain. If we get to market faster and we have control, we can sell more vaccines and make more financial gain. There are also social reasons as well—maybe they disagree, maybe it's someone just trying to disrupt someone they disagree with socially. The pandemic has, like most things, intensified and allowed us to focus on some of these things. It's the biggest thing happening and it's global, right? Everybody potentially needs a vaccine. Is it the right vaccine? It has upped the number of attacks we're seeing, the number of simple phishing emails to get more information, the number of malware and ransomware attacks that are going on different companies in these industries.” – Stacy Scott

“Time pressure and public scrutiny. Time pressure is the nemesis of planning. The public is unforgiving of even small areas that can be whipped up by a media that doesn't necessarily understand the issues or implications. Essentially a small public blunder can be heavily punished due to media scrutiny. The point is, as a company, now is not the time to have a gaff or a blunder, like in the question I answered previously, especially when it impacts the medical supply chain. You need to look ahead, you need to think, ‘Am I moving to a new distribution depot? What do I need to do to anticipate issues that I may not normally worry about?’ To minimize or reduce potential impacts of a potentially reputation damaging story because of a failure of planning. I think my key message continually throughout this podcast, is for pharmaceutical companies and people within the pharmaceutical supply chain is plan, plan, plan.” – Nick Doyle

Physical and Cyber Security Advice for Pharmaceutical Companies

“When we talk about all these things and all of the threats that are there, what are we advising our pharmaceutical clients to do to try to protect themselves from both a physical and a cyber security element?” – Jeff Kernohan

“I think pharmaceutical companies need to have an aligned media strategy to ensure that the locations they operate out of are secure and not susceptible to breaches and or intrusion. People can't walk into the front door because the access control system is poor, or perimeter fences are inadequate or monitoring systems such as CCTV are not effective.” – Nick Doyle

“What are the practical organization approaches to protecting data and technology supporting these functions of supply chain from a cyber security perspective?” – Jeff Kernohan

“I think what organizations practically need to focus on, because there's a lack of time, is detection. How do we detect if something is a malicious or being disrupted or even potentially suspicious, and respond as quickly as possible. You'd ideally want to put protections in place, lock things down, there likely already are some protections in place. Review those and look throughout each function and process and phase of the supply chain and distribution network. Review your third parties.” – Stacy Scott

“While you're looking at those protections, make sure you have good monitoring in place to understand where things are at all times and when those alerts may come up and who's looking at those and do they know when to alert and who to alert if something does go wrong, and how are you going to respond? How do you get a hold of your third parties if you've outsourced any part of this, which you likely have. How do they respond as quickly as you'd like them to as well? I think having that plan together is what companies need to be looking at.” – Stacy Scott

Trends in Vaccine Development

“Do you guys have any thoughts on what's happening there in the vaccine development world and intelligence agencies tracking what's happening? Do we see any issues or trends in that particular environment?” – Jeff Kernohan

“I think we have to realize that we don't live in a cozy liberal world and that the nation states are increasingly fractionalized. Even before COVID became an issue, states were becoming more focused on their own sovereignty and protective of their own direct environments and closest allies. We must realize that issue which presents an opportunity for world powers to increase their influence, their power around the world, that they will take. The reality is that COVID does present a threat to all countries in the world, be that directly to the populations or be that secondary to the economies of those countries. We have to realize that intelligence agencies, defense agencies around the world, are going to be looking at supply chains because they're going to be first of all, wanting to protect their own countries. Secondly, where they can, to influence and potentially weaken conscious that they perceive as being hostile, maybe not just nation states either, but non state actors as well. We have to recognize this as a real possibility.” – Richard Dailly

“What could they do? What might they do? I mean, the newspapers have been saying this week that there's a possibility that nations will be literally spying on each other for intelligence around the vaccines themselves and the chemical makeup of the vaccines themselves. There's the real possibility that larger states will coerce smaller states, will coerce satellite states. They will be significant debt issues in the future, in the post-COVID world, there'll be future debt issues, which a large world power will be able to leverage and manipulate smaller countries. I can see the term new lines, if you like, of alliances could well emerge.” – Richard Dailly

“Finally, on this issue, I think we need to think back to the recent examples in the U.S. and Europe of disinformation. If I was a hostile intelligence agency thinking about how I might disrupt the supply chain, I would consider using social media, other ways of informing population through basically what we now call fake news, that perhaps those supply chains have been compromised and that the real vaccine is not getting through and that it's something which is not effective or is in fact dangerous, to put people off taking it. All of these things potentially could weaken nation states, they're aggressive actions by other countries. I think it's a real threat, and it may require some new thinking by countries as to how they deal with it.” – Richard Dailly

The New Era in Vaccine Distribution

“What I'm hearing from your answers is that there are going to be alliances forged through the vaccine supply chain, as people get this vaccine around the world, and that could have a long-term impact on world events and previous notations of globalization. What do you guys have to say about that?” – Jeff Kernohan

“I've said this before in other formats, other presentations, I think we could be moving into a completely new era. Nick brought this up in one of his previous answers about industry and states working together and that's clearly going to have to happen. The infrastructure which supports nation states is going to have to help and work closely with industry in numerous ways, particularly in supply chains. It's going to mean really that defense agencies and intelligence agencies are going to have to really take on board the requirements of pharmaceutical firms in order to help their own populations, as it were. I certainly could foresee a future, which could be extremely complicated to untangle, where countries form alliances through who are deemed to be their supporters, alliances, suppliers, within vaccine distribution and vaccine supply chains. It would be a slightly frightening new way of looking at the world. I think we have to start thinking in those ways.” – Richard Dailly

Talk to a Kroll Expert

Kroll is ready to help, 24/7. Use the links on this page to explore our services further or speak to a Kroll security risk management expert today via our contact page.