Integrated Laboratories Need Enhanced Cybersecurity

Scientific research labs have become more digitally connected, making them more vulnerable to cyberattacks. Learn why every lab needs a zero-trust cybersecurity strategy.

Over the past decade, scientific research labs have become more digitally connected. Lab equipment is more reliant on computers and web-based devices; international collaborations are now more commonplace; and technology advances have exponentially multiplied the amount of data to be analyzed and shared between labs.

These rapid changes in the way scientists work have left many research labs vulnerable to cybersecurity threats that they are not equipped to manage, particularly in the wake of the COVID-19 pandemic. For example, in 2021 a biochemistry lab at Oxford University was compromised when hackers tried to gain access to confidential data that could impact vaccine development. Additionally, in June 2022, the FDA issued a warning referencing cyberattacks focused on a next-generation sequencing platform that is extensively used in research and clinical laboratories, further highlighting these vulnerabilities.

Cybersecurity threats are influencing how researchers view lab security.

Historically, lab security centered on locking the door. Now, lab security extends beyond the physical to the security of data and the digital lab environment, but getting buy-in is not easy.

Many research scientists do not realize the value of their data outside of their current research activities. They also tend to be concerned with any constraints that could get in the way of that research and will often find workarounds to keep their research moving forward. Therefore, cybersecurity controls can sometimes be viewed as hindrances to the research process. While this approach worked for many years, with the focus on basic wet lab techniques, it can no longer be the standard as science becomes more computational. Many new scientists, even in the biological sciences, have never set foot in a wet lab. In fact, often scientists do not get experience in wet labs because of the focus on analytical tools.

Changes in data are also leaving scientists more vulnerable to cybersecurity breaches than in the past. Advances in big data, AI, and genomic testing are providing a huge volume of scientific data and a more conceptual form of research. While this is leading to a shortened research lifecycle that allows for quicker innovation, the training on cyberthreats has not kept up, and these breaches will continue unless there are changes in the way research is conducted.

A zero-trust cybersecurity strategy is needed in today’s research labs.

To reduce and restrict lateral movement within a federal system, the Biden administration issued Executive Order 14028, Improving the Nation’s Cybersecurity, which requires federal agencies to migrate to a zero-trust architecture. A zero-trust architecture focuses on a few key features:

  1. Contextual authentication: Using all available information, including phishing-resistant multifactor authentication, device certificates, IP address, past-user history, etc.
  2. Microsegmentation: Segmenting a network to require authentication prior to obtaining access to all applications or environments.
  3. Monitoring the network: Using logging and monitoring tools to understand who and what is on a network.

Additionally, a zero-trust architecture works to harden environment and application controls to reduce back-door access to the network.

Because zero-trust eliminates unfettered lateral movement throughout a network, it is a significant change in how users operate within their systems. If collaboration is successful, the benefits will far outweigh the risks and will foster greater trust between scientists and cybersecurity professionals. New relationships will be formed between researchers and the IT security teams that have often been left out of the scientific conversation.

To comply with new zero-trust regulations, federal research labs must change their mindset with four key actions.

  1. Include cybersecurity representatives in the planning phases of new projects. This will ensure that the proper controls are set from the beginning.
  2. Tie the inclusion of cyber principles to grant funding. This approach was successfully used in the past to ensure laboratory safety training for all recipients of government grants, and therefore changed the way all labs operate with minimal effort from the federal government.
  3. Take a risk-based approach when granting access to external labs to determine how much access a partner lab could obtain, based on its cybersecurity posture. One way to mitigate the risk is to require external labs to obtain phishing-resistant credentials before they can access a federal research lab.
  4. Understand that implementing and migrating to a zero-trust architecture is an IT modernization effort that affects more than technology—it also affects people and processes.

Zero-trust is not a one-size-fits-all effort.

Zero-trust migration is a massive IT modernization effort that affects people, processes, and technology, and should be treated as such. With established relationships with leading vendors in identity and zero-trust strategies across the public and private sectors, Guidehouse has significant experience implementing zero-trust initiatives across small federal agencies, large departments, and healthcare and life sciences organizations.
