Cyberattack on food supply followed years of warnings

For the millions of food and agricultural companies that make up roughly one-fifth of the US economy, there are virtually no mandatory cybersecurity rules in place – there are only voluntary guidelines. The two federal agencies overseeing the sector include the USDA, which is part of the Criticism from Congress for securing your own data. And unlike other industries that have formed information-sharing collectives to coordinate their responses to potential cyber threats, the food industry is broke up his group 2008.

Now food manufacturers must face the fact that disruptive cyberattacks are part of what Agriculture Minister Tom Vilsack calls their “new reality”.

National security threats to the agricultural supply chain have not received enough attention across the federal government, argued Rep. Rick Crawford (R-Ark.), Who serves on both the House Intelligence Committee and the Agriculture Committee.

“Too often agriculture is dismissed with, ‘It’s important, but it’s not that big of a deal,'” Crawford said in an interview. “When you eat, you work in agriculture. We all need to realize that this is a vital industry, and this [incident] illustrates that. “

The North American Meat Institute, which represents meat packers, declined to comment on the state of the industry’s cybersecurity measures or any changes it might make after the hack.

The downside of “enormous technology”

The alarm call from the University of Minnesota Food Protection and Defense Institute came in the most humble packaging: as one of more than 180 official comments at the USDA in relation to a. submitted Order of the President to secure the country’s supply chains.

“Rapidly spreading ransomware attacks could simultaneously block operations in many more plants than were affected by the pandemic.” The institute warned in its May 18 filing, and noted that Covid-19 forced slaughterhouses to close last year, sparking fears over meat shortages and price spikes.

It was just the latest in a series of warnings from national security and law enforcement agencies, private cybersecurity companies, and academic researchers.

In November it is Cybersecurity firm CrowdStrike said in a report that its threat search service had seen a ten-fold increase in interactive – or hands-on-keyboard – intrusions into the agricultural industry in the past 10 months. Adam Meyers, the company’s senior vice president of intelligence, said that of the 160 hacker groups or gangs the company is tracking, 13 have been identified as targeting agriculture.

A Department of Homeland Security 2018 report investigated a range of cyber threats facing the industry with the adoption of digitized “precision agriculture,” while the FBI stated in April 2016 that agriculture was “increasingly vulnerable to cyberattacks Farmers are becoming more and more dependent on digitized data. “

The industry also has plenty of goals to offer: Since the Notice from the Cyber ​​Agency of the Department of Homeland Security, The agri-food sector includes “an estimated 2.1 million farms, 935,000 restaurants and more than 200,000 registered food manufacturing, processing and storage facilities,” almost all of which are privately owned.

For decades, however, most farmers and food manufacturers value productivity above all else, including safety – trying to make a profit in an industry with chronically tight profit margins and to meet growing global food demand. In search of efficiency, meat factories are increasing the speed of their processing lines and investing in robotics to cut carcasses faster. Farmers are adopting high-tech innovations such as drones, GPS mapping, ground sensors and autonomous tractors that are backed by huge amounts of data.

All of this connectivity and automation comes at a price.

“This is part of the downside of tremendous technology, enormous capacity to convert a lot of data and become more efficient,” said Vilsack. “There are risks associated with that.”

“No industry is taboo”

The disruption to JBS, which controls nearly a quarter of American beef processing, has mainly raised concerns about its impact on meat markets. USDA data shows that wholesale beef prices have steadily increased every day since the chop, with selections rising to over $ 341 per 100 pounds on Thursday morning.

Higher prices are just one of many possible consequences. Cyberattacks could also result in the sale of tainted food to the public, the financial ruin of producers, or even the injury and death of factory workers, according to the Food Protection and Defense Institute, a DHS-recognized group.

In its public comments to the USDA, the institute pointed to gaping gaps in industry preparation, including a general “lack of awareness across the sector” and insufficient guidance from state regulators. It also found that large swaths of the industry rely on decades-old, custom software that essentially cannot be updated, along with outdated operating systems like Windows 98.

“The agribusiness is likely to be lagging behind some other industries that are more vulnerable to cybercrime,” such as the financial sector, which has long been a prime target for criminals, said Michael Daniel, president and CEO of the Cyber ​​Threat Alliance. a non-profit organization.

However, the JBS hack, like the ransomware attack on the Colonial Pipeline in May and the resulting panic over gasoline buying, shows that “no industry is off-limits,” he added. Ransomware operators “will go anywhere they think they can scoop money.”

Daniel, a cyber coordinator under the Obama administration, said he would recommend industry executives to take basic steps like assessing their organizations’ digital readiness and reviewing federal security guidelines.

“What I would tell you is, you really need to think about how you manage your cybersecurity risk, just like you manage commodity price risk, just like you manage natural disaster risk, just like you manage legal risk,” said Daniel.

The White House advise all companies equally on Thursday to strengthen their defenses, including installing the latest software updates and requiring additional authentication for anyone who logs into their systems.

CrowdStrike’s Meyers said the seriousness with which cybersecurity is viewed “varies depending on who you speak to in the Ag industry.” He said multinational conglomerates who have intellectual property worth protecting would make this a priority, but “if you go down the food chain, so to speak, they are likely to think less seriously about it.”

The JBS hack “is the big wake up call for all of these small, medium and large businesses. You can’t bury your head in the sand and hope that doesn’t happen to you because it is, ”said Meyers. “You have to be prepared and prepare for the fight. Because if you don’t, you will pay a ransom and someone will eat your lunch. “

Calling Congress to Action

Congress may need to step in to correct the situation, said Crawford, the Arkansas House of Representatives, which reintroduced a law to establish an intelligence bureau within the USDA earlier this year. The office would serve as a conduit for the department to alert farmers to threats to their livelihoods, including espionage and cyber operations by malicious actors.

A major reason the industry is not prepared for dangers like ransomware is that U.S. intelligence agencies haven’t been paying as much attention to national security threats to agriculture as they should, argued Crawford.

He added that communication needs to be two-way: companies need to get their cyber experts to share what they see with their government counterparts. There are no such requirements for the food and agricultural industries.

“I would advise the private sector to be as proactive as possible about these things,” said Crawford, who is hosting a “Business Intelligence and Supply Chain Integrity” forum this summer bringing cybersecurity experts, government officials and representatives from the clandestine community to local businesses raise awareness of digital threats.

The USDA did not propose any major policy changes following the JBS attack, instead calling on food and agricultural companies to take voluntary steps to protect their IT and infrastructure from cyber threats. Vilsack on Thursday pointed out guidelines from the DHS cybersecurity and infrastructure security agency that businesses can adopt for their own protection.

There is no shortage of policy recommendations from experts in this field. Most proposals involve training industry leaders and employees, setting minimum standards for cybersecurity, or improving coordination between companies and authorities.

Another step recommended by the Food Protection and Defense Institute: USDA and DHS should work with industry to create a cyber threat clearinghouse known as “Information and analysis center”- Collaborate in investigating and managing digital risks.

Other critical industries, including electricity and finance, already have their own ISACs, but the food industry does not. Instead, some food and agribusiness companies have joined a broader information exchange group which covers the information technology industry, said Scott Algeier, executive director of IT-ISAC.

“You wanted to get in touch with other companies, but you didn’t have an ISAC. So they applied to us, ”said Algeier, whose organization also provides a forum for the exchange of threats to the election industry.

The nonprofit Internet Security Alliance has called for federal grants and other incentives for food companies to strengthen their cyber defenses.

“Increasing cybersecurity will cost money, and raising additional funding will not be easy for the sector as it is dominated by tight margins and faced with a highly competitive global market,” the group wrote on its website.

Helena Bottemiller Evich contributed to this report.

Leave a Comment