Hardly any mandatory cybersecurity rule governs the millions of food and beverage companies that make up about a fifth of the U.S. economy – there are only voluntary guidelines. The two federal agencies that oversee the sector include the USDA, which has faced criticism from Congress for the way it secures its own data. And unlike other industries that have formed information sharing collectives to coordinate their responses to potential cyber threats, the food industry dissolved its group in 2008.
Now food producers face the fact that disruptive cyber attacks are part of what Agriculture Secretary Tom Vilsack calls their “new reality.”
National security threats to the agricultural supply chain have not received enough attention across the federal government, argued Representative Rick Crawford (R-Ark.), who sits on both the House Intelligence and Agriculture committees.
“Too often agriculture is dismissed as, ‘It’s important but it’s not that big,’” Crawford said in an interview. “If you eat, you are farming. We must all recognize that this is a vital industry and that this [incident] illustrates this.”
The North American Meat Institute, which represents meat packers, declined to comment on the state of the industry’s cybersecurity measures or potential changes as a result of the hack.
The downside of “huge technology”
The wake-up call from the Food Protection and Defense Institute at the University of Minnesota arrived in the most modest of packaging: as one of over 180 official comments filed with the USDA for a presidential decree on securing the country’s supply chains.
“Rapidly spreading ransomware attacks could simultaneously block operations in many more factories than those affected by the pandemic,” the institute warned in its May 18 filing, noting that Covid-19 last year forced the closure of slaughterhouses, raising fears of a meat shortage and soaring prices.
It was just the latest in a string of warnings from national security and law enforcement agencies, private cybersecurity firms and university researchers.
In November, the cybersecurity firm CrowdStrike said in a report that its threat research service had seen a ten-fold increase in interactive – or “hands-on-keyboard” – intrusions affecting the agriculture industry in the past 10 months. Adam Meyers, the company’s senior vice president of intelligence, said that of the 160 hacking groups or gangs the company is tracking, 13 have been identified targeting agriculture.
A 2018 report from the Department of Homeland Security examined a range of cyber threats the industry faces as it embraces digitized “precision farming”, while the FBI said in April 2016 that farming is “increasingly vulnerable to cyber attacks as farmers increasingly depend on digitized data.”
The industry also offers many targets: as the Department of Homeland Security’s cyber agency notes, the agriculture and food sector comprises “approximately 2.1 million farms, 935,000 restaurants and over 200,000 registered food manufacturing, processing and storage facilities”, almost all of which are privately owned.
For decades, however, most farmers and food manufacturers have prioritized productivity over everything else, including safety, trying to make profits in an industry with chronically narrow margins and meet growing global demand for food. In their quest for efficiency, meat processing plants are increasing the speed of their processing lines and investing in robotics to cut carcasses faster. Farmers are embracing high-tech innovations like drones, GPS mapping, soil sensors, and autonomous tractors, with vast data behind it all.
All of this connectivity and automation comes at a cost.
“That’s part of the downsides of having a huge technology, a huge ability to transform a lot of data and become more efficient,” Vilsack said. “There are risks associated with this.”
“No industry is prohibited”
The disruption of JBS, which controls nearly a quarter of livestock processing in the United States, has raised concerns primarily about the impact on meat markets. USDA data shows wholesale beef prices have risen steadily every day since the hack, with prime cuts exceeding $341 per hundred pounds on Thursday morning.
Higher prices are just one of the many potential consequences. According to the Food Protection and Defense Institute, a group recognized by DHS, cyber attacks could also result in the sale of contaminated food to the public, financial ruin for producers, and even the injury and death of factory workers.
In its public comments to the USDA, the institute highlighted wide gaps in industry preparedness, including a “widespread lack of awareness across the industry” and a lack of guidance from government regulators. It also noted that much of the industry relies on decades-old custom-written software that is essentially impossible to update, as well as outdated operating systems like Windows 98.
“The agriculture industry is probably lagging behind some of the other industries that have been hit hardest by cybercrime,” such as the financial sector, which has long been a prime target for criminals, said Michael Daniel, president and CEO of the Cyber Threat Alliance, a non-profit organization.
However, the JBS hack, like the ransomware attack on Colonial Pipeline in May and the gasoline-buying panic that followed, shows that “no industry is banned,” he added. Ransomware operators “are going to go where they think they can extract the money.”
Daniel, a cyber coordinator under the Obama administration, said he would recommend that industry executives take basic steps, such as assessing their company’s digital readiness and reviewing federal guidelines for security.
“What I would tell them is: you have to really think about how you manage your cybersecurity risk, just like you manage commodity price risk, just like you manage natural disaster risk, just like you manage the legal risk,” said Daniel.
The White House similarly advised all companies on Thursday to strengthen their defenses, including installing the latest software updates and requiring additional authentication for anyone logging into their systems.
Meyers, of CrowdStrike, said the seriousness with which cybersecurity is viewed varies “depending on who you talk to in the agriculture industry.” He said multinational conglomerates whose intellectual property is worth protecting make it a priority, but “as you move down the food chain, so to speak, they probably think less seriously about it.”
The JBS hack “is the big red flag for all these small, medium and large businesses. You can’t put your head in the sand and hope it doesn’t happen to you because it does,” Meyers said. “You have to be prepared and you have to prepare to fight. Because if you don’t, you are going to pay a ransom and someone is going to eat your lunch.”
A call to Congress to act
Congress may have to step in to help resolve the situation, said Crawford, the House member from Arkansas, who reintroduced legislation earlier this year that would establish an intelligence bureau within the USDA. The office would serve as a channel for the department to keep farmers informed of threats to their livelihoods, including espionage and cyber operations by malicious actors.
One of the main reasons the industry is unprepared for dangers like ransomware is that the U.S. intelligence community has failed to consider national security threats to agriculture as much as it should, Crawford argued.
He added that communication needs to go both ways: Businesses need to get their cyber experts to share what they see with their government counterparts. No such requirement exists for the food industry.
“What I would advise the private sector to do is be proactive on these things as much as possible,” said Crawford, who is hosting a forum this summer on “Business Intelligence and Chain Integrity. procurement” that will bring together cybersecurity experts, representatives of the underground community to educate local businesses on digital threats.
The USDA has not proposed any significant policy changes in the wake of the JBS attack, instead asking food companies to take voluntary steps to protect their IT and infrastructure from cyber threats. On Thursday, Vilsack highlighted guidelines from DHS’s Cybersecurity and Infrastructure Security Agency that businesses can adopt for their own protection.
There is no shortage of policy recommendations from experts in the field. Most of the proposals involve training industry leaders and employees, setting minimum standards for cybersecurity, or improving coordination between companies and agencies.
Another step recommended by the Food Protection and Defense Institute: USDA and DHS should work with industry to create a cyber threat clearinghouse – known as an “information sharing and analysis center” – to collaborate in the study and management of digital risks.
Other critical industries, notably the electricity and finance sectors, already have their own ISACs, but the food industry does not. Instead, some food companies have joined a larger information sharing group that covers the information technology industry, said Scott Algeier, executive director of IT-ISAC.
“They wanted to engage with other companies but didn’t have an ISAC. So they applied to us,” said Algeier, whose organization also provides a threat-sharing forum for the electoral industry.
The nonprofit Internet Security Alliance has called for federal grants and other incentives for food companies to step up their cyber defenses.
“The increase in cybersecurity will cost money, and finding additional funding will not be easy for the sector as it is governed by tight margins and faces a very competitive global market,” the group wrote on its website.
Helena Bottemiller Evich contributed to this report.