Abstract
High-containment laboratories (HCLs) conduct critical research on
infectious diseases, provide diagnostic services, and produce vaccines
for the world’s most dangerous pathogens, often called high-consequence
pathogens (HCPs). The modernization of HCLs has led to an increasingly
cyber-connected laboratory infrastructure. The unique cyberphysical
elements of these laboratories and the critical data they generate pose
cybersecurity concerns specific to these laboratories. Cyberbiosecurity,
the discipline devoted to the study of cybersecurity risks in
conjunction with biological risks, is a relatively new field for which
few approaches have been developed to identify, assess, and mitigate
cyber risks in biological research and diagnostic environments. This
study provides a novel approach for cybersecurity risk assessment and
identification of risk mitigation measures by applying an asset-impact
analysis to the unique environment of HCLs. First, we identified the
common cyber and cyberphysical systems in HCLs, summarizing the typical
cyber-workflow. We then analyzed the potential adverse outcomes arising
from a compromise of these cyber and cyberphysical systems, broadly
categorizing potential consequences as relevant to scientific
advancement, public health, worker safety, security, and the financial
well-being of these laboratories. Finally, we discussed potential risk
mitigation strategies, leaning heavily on the cybersecurity materials
produced by the Center for Internet Security (CIS), including the CIS
Controls®. These materials can serve as a guide for HCL operators both to
begin implementing risk mitigation measures that reduce their
cyberbiorisk and to consider integrating cyber risk management into
existing biorisk management practices. This paper provides a
discussion to raise awareness among laboratory decision-makers of these
critical risks to safety and security within HCLs. Furthermore, this
paper can serve as a guide for evaluating cyberbiorisks specific to a
laboratory by identifying cyber-connected assets and the impacts
associated with a compromise of those assets.