Table 2. Probability and impact assessment of representative cyber attack vectors.
| Attack vector | Method | Possible impact | Impact scale | Required access | Mitigating factors | Impact | Probability | Score |
|---|---|---|---|---|---|---|---|---|
| Biological processing | Synthesis of malicious biomatter that would compromise device or sequencing software | From false results to full system compromise | Devices sequencing malicious biomatter | Access to biological samples to be sequenced by device | Chain of custody as biomatter is handled; software protections in sequencer | 5 | 1 | 5 |
| Signal processing | Flash malicious bitstream/hardware replacement | Misdetection of bases, false results | Single device | Physical access | Binding and tamper-proofing sequencer, signing and authenticating field upgrades | 4 | 3 | 12 |
| Proprietary hardware components | Flash malicious firmware on hardware subsystem | Misdetection of bases, false results | Single device | Access to a PC connected to the sequencer | 4 | 3 | 12 | |
| Feed sequencing software with false results | False-negative or false-positive result | Possibly accomplishable remotely | Authenticate device-PC communications | 5 | 4 | 20 | ||
| Attack sequencing PC | Malicious code running on PC | Single device; possible propagation/ escalation vector | Standard practices for protecting PCs | 5 | 5 | 25 | ||
| Sequencing/bio-informatics software | Flash malicious firmware on subsystem | Misdetection of bases, false results | All devices in contact with malicious PC; possible propagation/ escalation vector | Access to a PC connected to the sequencer; possibly accomplishable remotely | Authenticate device-PC communications | 5 | 3 | 15 |
| Display false sequencing results | False-negative or false-positive on detection of disease | Standard practices for protecting PCs | 5 | 3 | 15 | |||
| Sequencer and related equipment (e.g. PC) | Infect PC with targeted malware to interfere with sequencing software operations | False-negative or false-positive detection of disease; Ability to infect other devices and PCs |
All devices and PCs on the same network as the malicious PC; network propagation/ escalation vector | Access to a PC connected to the sequencer; possibly accomplishable remotely | Restrict and regulate interface between PC and sequencer | 5 | 2 | 10 |
| Propagate malware using sequencer as an infection vector | PCs in proximity of sequencer infected with malware | All PCs in contact with infected sequencer | Restrict and regulate interface between PC and sequencer | 4 | 4 | 16 | ||
| Leak of sensitive personal data | Leak of sensitive personal data | Owner of sample/data | Standard practices for protecting PCs | 2 | 5 | 10 | ||
| Report false data to the sequencer cloud | False data accumulated at scale, false global information | Commercial/public data repositories | Authenticate PC-cloud communications | 2 | 1 | 2 | ||
| Cloud services | Deliver malicious sequencer firmware or sequencing software at worldwide scale | Malicious software deployed at scale | All user base of a cloud, network propagation/escalation vector allows arbitrarily large infection scale | Remote | Standard practices for protecting cloud services | 5 | 1 | 5 |
PC: personal computer.
Impact scale: 1 – minimal public health impact; 2 – local or limited consequences; 3 – moderate or severe local consequences; 4 – national consequences; 5 – severe national or international consequences.
Probability scale: 1 – minimal feasibility; 2 – limited feasibility and/or incentive; 3 – moderate feasibility and/or incentive; 4 – high feasibility and/or incentive; 5 – high feasibility, imminent.