There are virtually no mandatory cybersecurity rules that govern the millions of food and agricultural enterprises that make up about one-fifth of the US economy – there are only voluntary guidelines. The two federal agencies that control the sector include the USDA, which has faced criticism from Congress for providing its own data. And unlike other industries that have formed information exchange teams to coordinate their responses to potential cyber threats, the food industry disbanded his group in 2008
Food producers now have to face the fact that destructive cyberattacks are part of what Agriculture Minister Tom Wilsac calls their “new reality.”
National security threats to the agricultural supply chain have not received enough attention across the federal government, said Rick Crawford (R-Ark.), A member of the Intelligence and Agriculture Committee.
“Too often, agriculture is dismissed as ‘It’s important, but it’s not that big a job,'” Crawford said in an interview. “If you eat, you are engaged in agriculture. We all have to recognize that this is a vital industry and that [incident] illustrates this. “
The North American Meat Institute, which represents the meat plant, declined to comment on the state of the cybersecurity measures in the industry or the potential changes since the hack.
The disadvantage of “huge technology”
The alarming cry from the Institute of Defense and Defense at the University of Minnesota arrived in the most unpretentious packages: one of over 180 official comments filed with the USDA related to a a presidential order to secure the nation’s supply chains.
“Rapidly spreading ransomware attacks can simultaneously block operations in many more plants than have been affected by the pandemic.” the institute warned in a May 18 declaration, noting that Covid-19 imposed a slaughterhouse shutdown last year, raising concerns about meat shortages and price spikes.
This was just the latest in a series of warnings from national security services and law enforcement, private cybersecurity companies and academic researchers.
In November, cybersecurity company CrowdStrike said in a report that its menacing service has witnessed a tenfold increase in interactive – or “practically on the keyboard” – intrusions affecting the agricultural industry in the last 10 months. Adam Myers, senior vice president of intelligence for the company, said that of the 160 hacker groups or gangs the company tracks, 13 have been identified when targeting agriculture.
A Report for 2018 from the Ministry of Internal Security addressed a number of cyber threats facing the industry as it adopts digital “precision farming”, while the FBI stated in April 2016 that agriculture was “increasingly vulnerable to cyberattacks as farmers become more reliant on digitized data. “
The industry also offers plenty of goals: Since The cyber agency of the Ministry of National Security notes, the agricultural and food sector includes “approximately 2.1 million farms, 935,000 restaurants and over 200,000 registered food production, processing and storage facilities”, almost all privately owned.
For decades, however, most farmers and food producers have valued productivity above all else, including security – in an attempt to profit from an industry with chronically narrow margins and to meet growing global food demand. In their quest for efficiency, meat processors are increasing the speed of their production lines and investing in robotics to carve carcasses faster. Farmers are embracing high-tech innovations such as drones, GPS mapping, soil sensors and autonomous tractors, with huge data behind it all.
All this connectivity and automation is worth it.
“It’s part of the disadvantage of having huge technology, a huge capacity to turn a lot of data and become more efficient,” Wilsac said. “There are risks involved.”
“No industry is beyond borders”
The disruption of JBS, which controls nearly a quarter of America’s livestock processing, has raised concerns mainly about the impact on meat markets. USDA figures show that wholesale beef prices are steadily rising every day after the hack, with election cuts rising above $ 341 a hundred pounds since Thursday morning.
Higher prices are just one of the many potential consequences. Cyberattacks can also lead to the sale of contaminated food to the public, financial ruin for producers or even injury and death to plant workers, according to the Institute for Food and Defense, recognized by the DHS group.
In its public comments to the USDA, the institute highlighted gaps in industry preparedness, including a general “sector-wide lack of information” and meager guidance from government regulators. He also noted that large sections of the industry rely on decades of custom-written software that is essentially impossible to update, along with outdated operating systems such as Windows 98.
The agricultural industry is likely to lag behind some other industries that are more affected by cybercrime, such as the financial sector, which has long been a major target for criminals, said Michael Daniel, president and CEO of the Cyber Threat Alliance, a nonprofit .
However, the JBS hack, just like the ransomware attack on Colonial Pipeline in May and the ensuing panic over the purchase of petrol, shows that “no industry is out of bounds,” he added. Ransomware operators “will go wherever they think they can make money.”
Daniel, a cyber coordinator during the Obama administration, said he would recommend industry leaders take basic steps such as assessing the digital readiness of their companies and reviewing federal security guidelines.
“What I would tell them is, You really need to think about how you manage cybersecurity risk, just as you manage commodity price risk, just as you manage natural disaster risk, just as you manage legal risk,” Daniel said.
The White House in the same way advises all companies on Thursday to solidify their security, including by installing the latest software updates and requiring additional authentication for anyone who enters their systems.
Myers of CrowdStrike said the seriousness with which cybersecurity is considered varies “depending on who you talk to in the agricultural industry.” He said multinational conglomerates, whose intellectual property deserves to be protected, make it a priority, but “as you go down the food chain, so to speak, they probably think less seriously.”
The JBS hack is the big wake-up call for all these small, medium and large businesses. “You can’t put your head in the sand and hope it doesn’t happen to you because it does,” Myers said. “You have to be prepared and you have to prepare for battle. Because if you don’t, you will pay a ransom and someone will eat your lunch. “
A call to Congress to act
Congress may need to intervene to help rectify the situation, said Crawford, a member of the Arkansas Chamber of Commerce who introduced legislation earlier this year that would create a intelligence service in the USDA. The service will serve as a guide for the department to inform farmers of threats to their livelihood, including espionage and cyber operations by malicious participants.
A key reason the industry is not prepared for dangers like ransomware is that the US intelligence community has not considered national security threats to agriculture as much as it should, Crawford said.
He added that communication should go in both directions: companies should get their cyber experts to share what they see with their government counterparts. There are no such requirements for the food industry.
“What I would advise the private sector is to be as proactive about these things as possible,” said Crawford, who is organizing a forum on “business intelligence and supply chain integrity” this summer, which will bring together experts on cybersecurity, government officials and members of the secret community to train local businesses on digital threats.
The USDA did not propose significant policy changes after the JBS attack, but instead asked food and agricultural companies to take voluntary steps to protect their IT and infrastructure from cyber threats. Vilsack cited guidelines from the DHS Cyber Security and Infrastructure Security Agency on Thursday, which companies can accept as their own protection.
There is no lack of political recommendations from experts in the field. Most proposals include training industry leaders and employees, setting minimum cyber security standards, or improving coordination between companies and agencies.
Another step recommended by the Food Protection Institute: The USDA and DHS must work with industry to set up a cyber threat information house – known as the “Information Exchange and Analysis Center” – to collaborate on the study and tackling digital risks.
Other critical industries, including the electricity and financial sectors, already have their own ISACs, but the food industry does not. Instead, some food companies have joined a broader information exchange group that spans the information technology industry, said Scott Algheer, chief executive of IT-ISAC.
“They wanted to engage with other companies, but they didn’t have ISAC. So they turned to us, “said Algheer, whose organization also provides a forum for sharing threats to the electoral industry.
The nonprofit Internet Security Alliance has called for federal grants and other incentives for food companies to step up their cybersecurity.
“Increasing cybersecurity will cost money and finding additional funding will not be easy for the sector, as it is run by narrow margins and faces a highly competitive global market,” the group wrote on its website.
Helena Botmiler Evic contributed to this report.