The Dangerous Weak Link in the US Food Chain
Just-in-time logistics mean that even short-term cyberattacks can have serious consequences. Hacks that disrupt fertilizer or pesticide production can force farmers to sit out planting seasons. Breaches at meat-packing plants can cause destabilizing supply shortages. Tampering at a food processing firm can lead to deadly contamination. Already, ransomware attacks that have forced companies to shut down operations for a week have left schools without milk, juice, and eggs, according to Sachs.
“A major disruption in this sector leads to immediate public health and safety issues,” says Mark Montgomery, who served as executive director of the Cyberspace Solarium Commission.
Despite being increasingly vulnerable, Sachs says, the food and agriculture sector still “doesn’t really understand the threat mindset” as well as higher-profile sectors, like financial services and energy, do.
Today, food and agriculture is one of four critical infrastructure sectors (out of 16) without an ISAC, along with dams, government facilities, and nuclear reactors and materials.
The food and agriculture sector was one of the first to launch such a center, in 2002, but it disbanded in 2008 because few companies were sharing information through it. Members were afraid that such openness jeopardized their competitive advantages and exposed them to regulatory action. Now, Sachs says, businesses worry that exchanging information with each other could prompt antitrust lawsuits, even though such collaboration is legal.
Some companies participate in a Food and Agriculture Special Interest Group (SIG) housed inside the IT-ISAC, which gives them access to data and analysis from some of the world’s biggest tech companies, as well as resources like playbooks for confronting specific hacker groups.
“Our work with the industry has really expanded over the last three years or so,” says IT-ISAC executive director Scott Algeier. In that same time period, the IT-ISAC has recorded 300 ransomware attacks on the food and agriculture sector.
But the SIG’s offerings are limited, Sachs argues. It doesn’t hold regular large-scale exercises simulating attacks on food and agriculture firms, doesn’t staff a 24/7 watch center that constantly monitors these firms’ infrastructure (along with related events like severe weather and supply chain disruptions), and can’t automatically generate insights and alerts by comparing classified government intelligence with data from sensors inside that infrastructure. “I appreciate everything Scott is doing over there,” Sachs says. “It's a very good thing. But it's not an ISAC.”
Algeier says the IT-ISAC has hosted exercises focused on the food and agriculture sector and that “members can reach out to us 24/7 if needed.”
But the sector needs its own ISAC that can “analyze the threat and provide a true operational assessment,” says Brian Harrell, a former assistant director for infrastructure security at the US Cybersecurity and Infrastructure Security Agency (CISA).
Pfluger says, “Plenty of folks I’ve spoken with think there needs to be a dedicated ISAC.”
Companies also need more support from the federal government.
The US Department of Agriculture, the industry’s sector risk management agency, is “significantly less effective” than other SRMAs, Montgomery says. The USDA doesn’t even have dedicated funding for its security support, which includes biannual sector-wide meetings, weekly threat bulletins, and occasional town halls.