How will farms and food producers protect themselves from the next cyberattack?
Recent cyberattacks on the food and agriculture sector—including ransomware infections that shut down operations at JBS, one of the world’s largest meat suppliers, at the beginning of the summer and midwestern grain cooperatives this autumn—put a spotlight on risks to the systems that help feed people around the world.
One of attacks on grain cooperatives also hit a related precision data company, raising further concerns about how to protect the increasingly automated systems that are now key to many farm and food operations.
The Record reached out to the Information Technology-Information Sharing and Analysis Center (or IT-ISAC), a threat intelligence sharing organization around since 2000, for help putting these new risks in context. IT-SAC operates a Special Interest Group focused on food and agriculture and its board includes four major companies from the sector.
In an email interview, IT-ISAC Executive Director Scott Algeier discussed the scale of automation already in use by farms and food production facilities, threats those operations face, and how intelligence-sharing can help companies respond. This exchange has been lightly edited for length and clarity.
Andrea Peterson: How has automation increased the attack surfaces we see across the agricultural sector?
Scott Algeier: Industrial control systems and operational technology components which were historically air-gapped are now being connected to corporate networks. Connecting these networks gives organizations more visibility into their operational capabilities and allows them to remotely monitor and interact with production environments. This connection improves automation and productivity but introduces security risks. Any time you add a device to the Internet, you are increasing the attack surface.
AP: Where does the Internet of Things fit into the security landscape of farmers and other stops along the food supply chain?
SA: Food and Agriculture is becoming increasingly reliant on Internet of Things devices, smart switches, sensors, irrigation systems etc. For example, tractors and farm equipment now are Wi-Fi connected, and animals are fitted with devices that monitor their activities. While these advancements improve production, they come with security risks. For large scale operations there may be hundreds or thousands of devices, so tracking and patching vulnerabilities can be a challenge. This is especially true if the devices are deployed across vast areas of farmland.
AP: How do elements of the agricultural sector’s security risks intersect with the physical world? Obviously, there are national security concerns raised by attacks directly on the food industry because we all need to eat, but how else?
SA: The Food and Agriculture industry typically operates just in time supply chains. As such, any disruptions to the supply chain can quickly become a national security incident and can even cause disruptions globally. This makes the food and agriculture sector a target, but the companies we work with also understand this and are actively managing these risks and have developed incident response plans to recover from incidents.
AP: What do we know about attackers in the food sector and how they operate?
SA: In many ways, the threats to the food and agriculture sector are the same as those faced in other industries. There’s a common set of attacks that enterprises face, regardless of sector, just by virtue of being connected to the Internet. Food and agriculture companies use some of the same software and tools other enterprises use. They face the same threats other enterprises do. Ransomware is a threat to every enterprise, for example. But the industry does use some technology in unique and important ways, and it has unique technology that is used only in the sector.
There certainly are actors who are targeting the food and agriculture industry for various reasons and understanding these actors are key. This is why the industry monitors and shares information on attackers. Since actors reuse methods that have been proven to work, food and agriculture companies apply lessons learned from attacks elsewhere. So, by understanding the adversary—what their motives are, what their target is, and what methods they deploy—companies can reduce their risk.
AP: Have defense postures changed since the JBS attack? How?
SA: The defense posture is always changing as we learn about attacks and the attackers. Companies change their posture based on high profile attacks, as well as attacks, incidents or vulnerabilities that do not get as much publicity.
AP: How does consolidation in the agricultural sector and the often thin margins of farming operations play into the impact of attacks on the food supply chain?
SA: Every organization, no matter the industry, is resource constrained. There’s a limit on money and talent. This is the reality in every industry. Which makes forums such as the IT-ISAC Food and Agriculture Special Interest Group (SIG) so important and effective. It serves as a cost-effective force multiplier to enhance internal security teams.
AP: How does intellectual property play into the security risks facing the sector?
SA: Adversaries are always trying to gain access to intellectual property. We saw this most recently within the healthcare industry, as countries tried to gain access to vaccine related research and development. It is not surprising then that securing intellectual property is a priority for companies in the food and agriculture industry.
It can take 10 years and hundreds of millions—or even billions—of dollars for a scientific discovery to become a product on the shelf. If an adversary nation can steal this research, it could result in a huge benefit to the adversary, and huge costs for the victim company.
AP: What are some of the privacy and competition issues raised by the data collection involved in precision agriculture?
AS: There are a range of privacy and competitive issues within the industry that impact companies, farmers, product, and customers. This is a reality of modern farming.
The complexity of the supply chain and diversity of the industry makes securing this information challenging. A small family farm may not understand the risks in the same way a company might. But there also is a lot of cooperative engagement and collaboration within the industry to secure this information and a desire to promote cybersecurity throughout the supply chain.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.