Food is a ubiquitous part of the human experience. Cultures revolve around food; it’s the glue that brings families together at holidays, and it’s essential to survival. Humans must find food, shelter, and water according to Maslow’s Hierarchy of Needs before they can begin thinking about fulfillment and exploring what makes them happy. For something so universal, for a sector that makes up one-fifth of the whole US economy, you would think that the agriculture industry, food processing plants, and restaurants would have a purpose-built system for keeping their propriety data, operation systems, software systems, and client information safe.
When people think of critical infrastructure, they often think of roads, bridges, trains, oil & gas pipelines--sectors like food and agriculture get overlooked. There are sixteen crucial sectors of infrastructure that make up the whole scope of essential services in the US, with food and agriculture being one of the largest. Attacks on agriculture businesses may not result in power outages or poisoned water, but tainting or tampering with food business operations could make thousands of people sick.
According to the Food System Infrastructure Work Group Report, food system infrastructure covers everything needed in the agri-food supply chain of activity between the consumer and the producer. These supply chains include:
Production (e.g., seeds, equipment)
Processing (e.g., canning, washing, freezing food)
Aggregation and distribution (e.g., storage facilities and delivery trucks)
Retailing (e.g., grocery stores, restaurants)
Marketing (e.g., promotional materials including billboards and commercials)
Capital (includes financial, natural, human, and social capital)
If we look at incidents like the JBS catastrophe--the ransomware attack shuttered JBS beef plants for weeks--the incident came after years of warnings that food and agriculture operations weren’t keeping up with cybersecurity, even as the industry relies more heavily on internet technology and automation.
When all was said and done, JBS paid $11 million USD in ransomware to the attackers. The White House was not pleased with this development. “Private companies should not pay ransom,” a White House National Security Council spokesperson said without directly mentioning JBS. “It encourages and enriches these malicious actors, continues the cycle of these attacks, and there is no guarantee companies get their data back.”
The current administration is correct, there is no guarantee that even after paying the ransom, the companies will be able to regain control of their systems, data, or operational technology. Attacks that takedown major energy or food supply infrastructure can instill panic into Americans since they’re unable to buy key commodities at reasonable prices. Critical infrastructure in this sector is falling woefully behind in risk management and security practices to the detriment of all. Governance, risk, and compliance regulations in food and agriculture are practically nonexistent. The sector has a limited number of cybersecurity practices in place, and approaches like integrated risk management are rarely seen.
Many food processing and manufacturing companies updated their operating systems in the late ’90s and early 2000s with the latest cutting-edge technology but have done little since to keep up with the expansion of automation and digital transformation throughout the world.
You’ll find that many are still stuck with their legacy systems. Trying to make their governance, risk, and compliance (GRC) platforms work in an increasingly digital world. GRC solutions lack the flexibility and scalability that enterprises need for robust cyber and IT risk management. Gold standard frameworks like the NIST Cybersecurity Framework (CSF) offer a guiding hand in enterprise risk management, with multiple available integrated risk management (IRM) solutions. Some IRM platforms even offer real-time insights into regulatory compliance, like CyberStrong.
It’s concerning that the methods required to exploit many of the vulnerabilities in plants and manufacturers in the critical infrastructure sector of food and agriculture are straightforward and easy to deduce. For example, some devices have hard-coded passwords—that is, passwords that are written in the device’s source code, which can only be changed by the software’s author. These passwords are easily discoverable by hackers, and knowing them can give malicious entities complete control over the devices or the manufacturing plants.
Many manufacturers use outdated operating systems like Windows 98 or early Linux. These systems don’t have the same security measures integrated into them as modern operating systems do. This, in tandem with the hard-coded passwords, is akin to building a house without locks because you haven’t been robbed before. In 2021, this lack of foresight is not only reckless, but it’s irresponsible.
Attacks like what happened to JBS could be the writing on the wall for other food manufacturers and other critical infrastructure sectors. Dealing with this new reality needs to be at the forefront of everyone’s minds as we continue into the second half of 2021. These systems and security practices need to be updated ASAP because cyberattacks on food systems could have more significant ramifications than just rising grocery prices--tainted food, significant financial losses for companies, or injury or death of workers due to attacks on processing equipment are all very real possibilities.
Along with technology and security updates, there needs to be better cybersecurity education among company leaders and employees. Federal subsidies to help critical infrastructure sectors update their out-of-date systems could also be helpful.
Companies often focus on the “before” or “after” of cyberattacks but the food and agriculture sector isn’t focusing on either. There needs to be a holistic strategy that looks at the entire enterprise across production, IT, OT, engineering, etc., that results in a tactical approach to establish a common ground and standard practices across departments. The cybersecurity approach to systems shouldn’t be modular and siloed across machines or teams.
This is a fundamental issue sector-wide. The communication gap between operational technology (OT) employees and information technology (IT) is vast. OT teams' needs and concerns aren’t addressed or understood by IT teams, and the same could be said about the IT team’s concerns with OT teams.
Additionally, communication issues exist between employees and managers with C-level and board executives. The key to reforming outdated systems and effectively managing the increasing risks in this industry is to share information company-wide and to go even further by sharing risk data between companies, whether they’re competitors or not. The US can be cut-throat in its competition to be on the top, but being cut-throat and hoarding knowledge in cases like this only serves to hinder progress across all sectors. Working in isolation only allows malicious actors to exploit weaknesses across multiple industries and companies, not just yours.
Senior executives and stakeholders need to be more cognizant of the cyber risks that face them on a day-to-day basis. They also need to be aware that their security teams may already be stretched thin, without the resources to accomplish a complete overhaul of an OT or IT system. Automation and better, proactive risk assessment tools could go a long way in decreasing vulnerabilities and keeping your employees from burnout.
Companies that share data, strategies, and incidents across the whole sector could improve the view of risk and cyber strategy of every enterprise within the sector. Putting the incident information into a government-wide or sector-wide database would allow for more efficient threat detection, better risk mitigation, and better security practices for every company underneath the umbrella of the food and agriculture critical infrastructure sector. It could create a culture that fosters growth and better safety practices that would be beneficial to all.
If a vulnerability exists, it will be exploited. It’s impossible to predict every threat or vulnerability in a global market, but taking a risk-first approach to cybersecurity and taking part in a sector-wide cyberattack information database can go a long way in mitigating further agriculture cyber attacks. There needs to be more attention to updating practically ancient OT and IT systems to avoid other attacks like what happened with JBS and to ensure food security.
To learn more about the effects the Colonial Pipeline and JBS attacks will have on the future and CMMC, check out our webinar. To see how CyberStrong can help you take your risk management and compliance process to the next level, contact us.