Bio-cybersecurity: Malware can target the production of synthetic DNA and produce dangerous toxins

0
84

The capability of terrorists to use hackers to attack industrials sites and uilities can also be a threat for the bio-cybersecurity – the actors can use malware to target Synthetic DNA Orders to modify DNA strings sequence.

A group of academic researchers from the Ben-Gurion University of the Negev and Israel’s Interdisciplinary Center Herzliya identified a new kind of cyberattack that allows attackers to target the security gaps in the DNA procurement process.

The article titled “Increased cyber-biosecurity for DNA synthesis” was published in Nature Biotechnology. Researchers write that threat actors can launch an end-to-end cyber-biological attack to target DNA researchers.

According to the report, this can allow attackers to deploy malware, trick biologists into creating dangerous toxins or pathogens, and alter synthetic DNA orders.

Previously it was assumed that an attacker must have physical access to a dangerous substance to produce and deliver it. However, Ben-Gurion researchers claim that by infecting a bioengineer’s computer with malware, it is possible to replace a short sub-string of the DNA, enabling them to mistakenly and unintentionally generate a toxin-producing sequence.

According to the BGU Complex Networks Analysis Lab head, Dr. Rumi Puzis,

“Most synthetic gene providers screen DNA orders which is currently the most effective line of defense against such attacks.”

“However, outside the state, bioterrorists can buy dangerous DNA, from companies that do not screen the orders. Unfortunately, the screening guidelines have not been adapted to reflect recent developments in synthetic biology and cyberwarfare.”

Puzis revealed a weakness in DNA providers’ guidelines from the U.S. Department of Health and Human Services (HHS). This weakness allows the circumvention of screening protocols using a generic obfuscation process. This process makes it difficult for screening software to identify toxin-generating DNA.

The researchers revealed that using the same technique, they identified that out of 50, 16 obfuscated DNA samples couldn’t be detected when screened as per the HHS’ Best-Match guidelines.

They also discovered that the automation and accessibility of the synthetic gene engineering workflow, when combined with inadequate cybersecurity, allows the malware to impact the lab’s biological processes. The loop will be closed after writing an exploit into a DNA molecule.

Malware attack can trick biologists into producing dangerous toxins
How it works (ImageL Ben-Gurion University of the Negev)

Researchers have shed light on a significant new threat utilizing malicious code to modify biological processes through the DNA injection attack. They demonstrated weaknesses at three bioengineering workflow stages- software, biosecurity screening, and biological protocols. This shows there is a need to apply cybersecurity measures in the context of gene coding and biosecurity.

“To address these threats, we propose an improved screening algorithm that takes into account in vivo gene editing. We hope this paper sets the stage for robust, adversary resilient DNA sequence screening and cybersecurity-hardened synthetic gene production services when biosecurity screening will be enforced by local regulations worldwide,” Puzis explained.

—————

The cyber–physical nature of bio- technology raises unprecedented security concerns. Computers can be compromised by encoding malware in DNA sequences, and bio- logical threats can be synthesized using publicly available data.

Trust within the biotechnology community creates vulnerabilities at the interface between cyberspace and biology. Awareness is a prerequi- site to managing these risks.

The frontier between biology and cyber- space is becoming increasingly blurry. Nothing better illustrates this trend than the recent use of DNA as a substrate to inject malware into a computer system [1].

In this case, computer scientists designed a DNA sample that, when sequenced, resulted in a data file that enabled a hacker to control the sequencing computer remotely.

Conversely, the DNA sequences available in bioinformatics resources can be used to create biological threats that do not exist in nature [2]. In the current environment, the biotechnology industry needs to develop an enhanced culture of security that considers the intricate relationships between the computational and experimental dimen- sions of product development workflows [3].

Cyberbiosecurity

Traditionally, security policies in the life sciences have fallen into two different categories: biosafety and biosecurity. Biosafety policies are designed to prevent unintentional exposure to pathogens or accidental release of biological agents from laboratories into the environment.

Protective clothing, sterilization procedures, and airlocks are all examples of biosafety measures.

Biosecurity policies, however, are generally associated with travel, supply chains, terrorist activities, and defense. These policies are designed to protect against the spread of agents that threaten health, food supplies, and other assets. Breaches of biosecurity can be accidental (such as a traveler bringing contaminated material from overseas) or intentional (bioterrorism).

Biosafety and biosecurity policies were designed to handle a limited number of well-characterized biological threats such as regulated pathogens, but they do not protect against threats resulting from the intricate relationships between computational and experimental workflows.

Software tools can now be used to design DNA sequences with new properties. Gene synthesis technologies could conceptually be used to develop biological weapons derived from the genomic sequences of regulated pathogens.

The latter observation led the federal govern- ment to develop screening guidelines for providers of gene synthesis services [4]. More recently, government officials have expressed concerns about the possible nefarious use of genome editing technologies [5].

In addition to the inherent risks associated with the manipulation of DNA sequences in cyberspace or in biological space, the biotechnology industry increasingly depends on computer-controlled instruments that are themselves vulnerable to cyberattacks (Figure 1).

Compromising the integrity of this rela- tionship creates a whole new category of risks. Cyberbiosecurity aims at understanding the new risks emerging at the frontier between cyberspace and biology in order to develop policies to manage them.

Current Exchanges in the Life Sciences Are Often Based on Naïve Trust

It is not uncommon for scientists to share data and samples without taking any pre- cautions to ensure the intended use is benign or the shared material is as expected. Consider the following scenario.

After reading an article in a high-impact journal, a faculty member contacts the author to request the plasmids described. The plasmids arrive in the mail, and a student immediately starts measuring the expression of the genes encoded on the plasmid.

After 6 months of unsuccessful attempts to reproduce the published data, they decide to sequence the plasmids. They observe major discrepancies that explain the failure of their experiments.

These plasmids came from a reputable laboratory and the data had been scrutinized by a rigorous peer-review process. Yet, the integrity of the relationship between the biological samples and the data describing these physical samples (the published sequences) was somehow compromised, resulting in a financial loss corresponding to 6 months of effort by a graduate student.

This loss could have been prevented by spending US$100 to sequence the plasmids and waiting a few days before using them. This all too common scenario exemplifies shortcomings in the life sciences community’s tendency to naively trust that physical sequences match the digital sequences theoretically associated with them.

Several hypotheses can be considered to explain the situation. It is possible that the plasmids were incorrectly labeled in an electronic database, so the wrong plasmids were sent. Another possibility is that the published sequences were fabricated.

Or, it might even be possible that someone in the source laboratory deliberately sent faulty plasmids to delay the efforts of a potential competitor. In any case, the situation could have been pre- vented if the laboratory receiving the plasmids was more cautious.

The impact of this hypothetical scenario is minimal, but it is not difficult to imagine more dramatic scenarios. Instead of getting a benignly faulty plasmid, for example, the recipient might have received a sample containing a gene designed to produce a harmful product.

Cultivating a New Culture of Cyberbiosecurity Awareness

There is a broad spectrum of potential risks, ranging from low-probability doomsday scenarios with national security implications to fairly high-probability risks with a moderate to low impact.

There are risks at every step of the bio-technology workflow, as described in Fig- ure 1 and Box 1.

Despite the many potential risks, there is a surprising level of naiveness among partners in the bio- technology supply chain. This natural trust is partly associated with the per- ceived reputation of academic institutions or biotech companies. However, limited exposure to cyberbiosecurity incidents also shapes the perception of these risks [6].

Figure 1. Biotechnology Workflows Are Cyber–Physical Processes, Illustrated Here with a Biomanufacturing Process. The design of a strain expressing a recombinant protein relies on software and databases to generate the DNA sequence of an expression vector. These sequences are communicated to a fabrication facility that will use this information to synthesize new DNA molecules and cell lines. The cell lines are grown in computer-controlled fermenters. The fermentation products are characterized by collecting data, which are stored in databases. The cyber part of these processes is represented in the upper half of the figure, while the biological part is located in the bottom half of the figure. Green arrows illustrate the cyber–bio interface. Red boxes indicate different points of attack in the cyberspace, in the physical space, and at the interface between cyberspace and physical space. Examples of potential cyberbiosecurity breaches are detailed in Box 1.

Consider how attitudes have changed toward cybersecurity as incidences of hacking have become more mainstream. A few decades ago, it was possible to use many computer systems without having to type a password. It was not uncommon for several employees of a company to share one computer. Computer secu- rity was reserved to specialists managing corporate or governmental information systems.

Today, most people have at least some notion of cybersecurity: passwords, two-factor authentication, firewalls, and biometric sensors are now embedded in many consumer products.

We have also adopted security measures to mitigate risks in our personal lives. The cost people are willing to incur depends on the value of the assets they want to protect and their perception of the risk.

For example, most people tend to lock their car to protect this asset from being stolen. The inconvenience of carrying keys and pressing the remote is small compared with the probability of having an unlocked car stolen.

Similarly, people who value their privacy, protect their smartphone with a passphrase rather than a four-digit code that is easier for a third party to memorize. Availability of biometric authentication limits the incon- venience of the policy because typing the entire passphrase is only necessary after restarting the phone.

Cyberbiosecurity policies and practices will also have financial and convenience costs that evolve as new technologies for managing cyberbiosecurity are devel- oped. Increasing awareness about threats and vulnerabilities will help put those costs into perspective.

It is possible to build more secure and resilient life sciences organizations and processes in three stages. First, employee training can greatly increase an organiza- tion’s general awareness of these new risks. Just as employee training is a key component of biosafety policies, training programs to make employees aware of cyber–biological risks should be developed.

Cyberbiosecurity awareness extends to an array of vulnerabilities that exist within the cyber, cyber–physical, and infrastructure dimensions, and at the interfaces with the biological process and sup- ply chain components.

This greater awareness also prepares employees for the second step of the process, in which an organization performs a systematic analysis of its exposure to cyberbiosecurity risks not covered by existing biosafety and biosecurity policies.

This ‘blue-sky thinking’ exercise encourages participants to review their workflows and identify their vulnerabilities. A broad range of scenarios should be considered at this stage, irrespective of their likelihood and impact.

After the risks have been identified, it is possible to prioritize them by evaluating their potential impact and probability of occurrence.

Finally, the third step would be to develop new policies aimed at preventing and detecting security incidents that may compromise life sciences assets. The federal guidelines on synthetic DNA tar- geted companies that provide DNA synthesis services.

Therefore, a life sciences organization could decide to analyze the synthetic DNA orders placed by its employees to increase its ability to detect activities that may call for further investigations.

Similarly, an organization may put in place policies to sequence genetic material it receives from vendors and col- laborators. This would include developing a database of reference sequences [7] and deploying software to streamline the comparison of a sample’s physical and theoretical sequences [8,9].

Ultimately, the development of a security policy is an economic decision that pri- oritizes risks based on their likelihood and potential impact [10].


Box 1. Examples of Cyberbiosecurity Risks

Bioinformatics databases could be corrupted by altering sequences or annotations. These changes could delay a research program or result in the uncontrolled production of toxic products or infectious agents.

Tampering electronic orders or interception of shipments could result in the injection of nefarious products that compromise the operation of a facility.

Computer-controlled processes are vulnerable to discrepancies between the physical parameters of the process and the data reported to the operator.

Discrepancies between the physical characteristic of the product and test data could delay a research program or regulatory approval.


Concluding Remarks

The life sciences community has tradition- ally operated under an insecure system that expects participants to self-regulate and often does not monitor for security threats. Now that DNA sequencing, synthesis, manipulation, and storage are increasingly digitized, there are more ways than ever for nefarious agents both inside and outside of the community to compromise security.

To mitigate these risks, the culture of the life sciences community needs to shift from one of blind trust to one of heightened awareness. Those focused on biological processes and production need to develop a broader perspective, which includes a detailed understanding of cyber-physical threats.

Once individuals within the community are aware of cyberbiosecurity risks, they can begin to implement safe- guards within their own work environ- ments and work with regulators to develop policies to prevent cyberbiosecurity breaches.

Reference

  1. Department of Chemical and Biological Engineering, Colorado State University, Fort Collins, CO 80523, USA
  2. Research and Development Team, National Capital Region, Virginia Tech, Blacksburg, VA 24061, USA
  3. Biological Process Development Facility, University of Nebraska–Lincoln, Lincoln, NE 68588, USA
  4. Department of Electrical and Computer Engineering and Office of the Vice President, National Capital Region, Virginia Tech, Blacksburg, VA 24061, USA
  5. Group website: www.peccoud.org
  6. https://www.peccoud.org
  7. https://escapingthebench.wordpress.com/
  8. https://ncr.vt.edu/discovery/research_development_team.html
  9. https://engineering.unl.edu/bpdf/ @Twitters: @peccoud, @foodbeerscience

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.