Home Illumina Faces Severe Cybersecurity Vulnerabilities in Multiple Sequencing Platforms, Prompting FDA and CISA Alerts

Illumina Faces Severe Cybersecurity Vulnerabilities in Multiple Sequencing Platforms, Prompting FDA and CISA Alerts

Jun 11, 2022 15:41 CST Updated Jun 09, 17:31
Illumina

Diagnostic Product Developer

FDA

U.S. Food and Drug Administration


June 2nd update: The U.S. CISA (Cybersecurity and Infrastructure Security Agency under the Department of Homeland Security) released an Industrial Control Systems Advisory (ICSA), detailing multiple vulnerabilities found in several devices from Illumina, a leading American gene sequencing company. These vulnerabilities were rated 10 on the CVSS v3.0 scoring system, indicating the highest severity level.


On the same day, the U.S. FDA (Food and Drug Administration) also issued a safety alert specifically regarding this matter.


As of now, no public response from Illumina regarding this matter has been seen. The day after the safety alert was issued, Illumina's stock price fell by 6.26%.



Illumina has targeted thisThe defect has released a related fix patch.


Before the FDA and ICSA issued warnings, Illumina had already sent notifications to some customers on May 3rd, informing them of the vulnerability and releasing a related patch for the defect. Now, with both CISA and the FDA issuing announcements, users of these sequencers are once again advised to install the corresponding patch software as soon as possible.



The reason for this may be due to Illumina's significant position in the global gene sequencing field. The company's sequencing products account for approximately 83.9% of the global market share. This security vulnerability involves several of Illumina's major sequencers, which will have a substantial impact on the security of global genetic information. If not addressed promptly, data breaches could occur at any time, leading to unimaginable and severe consequences for global genomic data.


In the CISA announcement, it was disclosed in detail that multiple sequencing instruments' software, including Illumina NextSeq 550Dx, MiSeqDx, NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq, have cybersecurity vulnerabilities. CISA stated that once these vulnerabilities are exploited by unauthenticated malicious actors, they can remotely upload and execute code through the operating system to alter settings, configurations, software, or access sensitive data of the affected products. Additionally, any file type can be viewed and uploaded, including executable code that allows for remote code exploitation, which can then be used to remotely control servers, as well as inject, replay, modify, or intercept sensitive data.


Will the security vulnerability incident affect relevant institutions in China?


The vast majority of countries around the world prohibit the outflow of genetic materials, including human genome, genes, and other genetic substances, as well as organs, tissues, and cells. In March this year, China's Ministry of Science and Technology issued the "Implementation Rules of the Regulations on the Administration of Human Genetic Resources," which clearly stipulates that overseas organizations and institutions are not allowed to collect China's human genetic resources. Without permission, relevant enterprises in China are prohibited from providing China's human genetic resources to overseas entities. It firmly prevents the outward flow of China’s genetic resources and protects the security of Chinese citizens' genetic data.


It is reported that the FDA is collaborating with Illumina and coordinating with CISA to identify, communicate, and prevent adverse events caused by this cybersecurity vulnerability. Since many institutions in China also use Illumina's equipment, industry insiders are concerned that this incident may affect numerous domestic gene testing companies. According to media reports, it is possible that relevant departments in China may also intervene in the investigation.