What Can Biosecurity Learn from Cybersecurity?
Cybersecurity is all about protecting the equipment you rely on.
We’ve all learned that any computer connected to the internet - wireless or not - can be hacked. The same is true of the scientific equipment you rely on to build DNA sequences for your customers. Clearly, it’s imperative to keep hackers from penetrating your equipment. It’s also clear that hackers are gonna hack, but cybersecurity has been largely effective for decades. What lessons can we in biosecurity learn from cyber experts?
Make a thorough assessment of potential areas of vulnerability. Take the time to think through the various ways that a bad actor might hack your equipment. How would you do it? What are the points of entry into the system? What sort of information is required to log in? What are the ways to get around any security built into the equipment?
Partner with security professionals. With your initial inventory complete, it’s a good idea to speak with security professionals who can tell you what you might have missed. They can also tell you what to do about the areas you’ve recognized. Security professionals like those from Battelle’s Cybersecurity or Medical Device Security services have a depth of experience in protecting technology from hacks. They also have a depth of experience in the sorts of attempts that will be made on your equipment. Rather than starting from scratch, working with experienced professionals allows you to put your financial resources to best use while protecting your technological resources.
Be sure to keep your biosecurity program updated with the times. Who doesn’t find it annoying when a pop-up reminds you there’s a new version or fix for your software? Would you like to install it now, it asks, or download it and have it installed later, or just postpone the inevitable? In a hectic workplace, the urge to put it off until a better time, which rarely comes, is pretty hard to resist. Well-run security protocols mandate that updates take place on a timely basis. The best way to ensure this is to tie updates to performance goals. Better yet, appoint one person in each department or in the IT function to be responsible for updates, and give that person the authority to back it up.
Maintain a log of any unusual events. Early detection of a threat often makes the difference between a successful intrusion into your systems and a thwarted attempt. Requiring those using the equipment in your facility to enter and code out-of-the-ordinary events is one way to make patterns visible. By using coding that lets those reviewing the logs spot patterns as they emerge, those responding to the potential threat have an opportunity to be involved from the very start.
Put the hackers to work for your company. If there’s a way in, we’ve learned from the bad experiences of cybersecurity programs that a determined hacker will find it. Your best defense is to be proactive. Create a red team. Invite white hat hackers to do their best to defeat your system. Better yet, hire some hackers of your own. It’s best to have those who find breaking into a security system an irresistible challenge on your team.
It’s a regrettable fact that the current scientific equipment you rely on, if left unprotected, can be penetrated and reprogrammed. By taking steps to protect your technology that are similar to the steps taken by stakeholders in cybersecurity, you can increase your confidence in the security of your technology by decreasing the likelihood that bad actors will successfully take control for their own purposes.