Ransomware attacks launched this month against farm co-ops NEW Cooperative and Crystal Valley highlighted the need among organizations within the food and agriculture industry for additional representation among the threat-sharing community.
In 2002, the Food Marketing Institute created the Food Industry Information Sharing and Analysis Center, but this threat intel organization was later dissolved in 2008. But all was not lost: the IT-ISAC now currently operates a Food and Agriculture Special Interest Group, which according to the parent organization serves an “ISAC-like function for companies in the food and agriculture industry while also enabling companies to receive the full benefits of IT-ISAC membership.”
Indeed, the IT-ISAC’s Food and Agriculture SIG has been monitoring recent ransomware events affecting its vertical, including the co-op intrusions and the June ransomware attack against meat processing company JBS.
“The cyber threat, in general, is too complex, and actors are too sophisticated for companies to go it alone. The IT-ISAC Food and Agriculture SIG provides a cost-effective force-multiplier for companies to engage with peers facing the same challenges,” said Scott Alegeier, executive director of the IT-ISAC. “The food and agriculture companies we engage with are highly informed about the threats facing their enterprises and are actively engaging with each other to manage them.”
This is certainly helpful, but is there perhaps still room for a standalone food supply chain ISAC to bring even more experience and insight to the table?
“Food and agriculture should definitely have a dedicated information-sharing community where members can work together to help each other detect, prevent and respond to cyberattacks,” said William Nelson, chair and CEO of the Global Resilience Federation, an organization that helps stand up ISAC and ISAO bodies — including the Operational Technology Information Sharing and Analysis Center (OT-ISAC), where Nelson serves as director. “The protection of the nation’s food supply is too important not to have an independent Information Sharing & Analysis Center devoted to this critical infrastructure.”
“ISACs enable their members to implement a force multiplier effect to defend their enterprises and supply chains,” Nelson continued. “By sharing threat information and best practices, ISAC members can prevent attacks and the costs and losses that result. The return on investment in belonging to an ISAC for individual sectors has unquestionably been proven by ISAC participants. In addition, there are significant benefits from sharing and receiving information from other sectors and the U.S. government as well as having dedicated analysts at the ISAC level devoted to one sector.”
Curtis Simpson, CISO at Armis and former vice president and global CISO at food distributor Sysco, said that smaller and mid-size companies that contribute to the food supply chain would particularly benefit from additional industry cooperation and intelligence, since it’s really larger enterprises that have the resources needed to sustain focus on security risk management.
“Many smaller operations often have an extremely limited number of technologists on staff and an underfunded security program overall, particularly when compared to the rapidly growing risks facing such organizations,” Simpson explained. “Most businesses in this sector operate on very low margins and, in turn, if revenues are not significant it can be a challenge for smaller operations to stomach the spend required to protect operations against the threats of today.”
But a full-fledged food ISAC “could help operations of all sizes within the sector rapidly understand, baseline and respond with a resilience-based approach to what should be considered one of the top business risks facing the supply chain and corresponding operations,” Simpson continued.
With that said, launching a brand-new ISAC from scratch has its share of challenges.
“It can be quite expensive and take several years to build an operational capability,” said Alegeier at the IT-ISAC. “One advantage our Food and Agriculture SIG provides companies is that we already have an established, robust capability, built over 20 years, that companies can plug into immediately. They get access to all IT-ISAC member capabilities and products, can engage with leading technology companies, and have a private forum to collaborate with companies in the food and agriculture industry who are experiencing the same challenges and seeing the same threats.”
Whether it’s through the IT-ISAC’s SIG or a future standalone organization, it’s important that the food industry addresses these threats head on. After all, cyberattacks can have major downstream impacts on “availability, safety, and profitability” across the supply chain — especially when you consider that a cooperative is a “supply chain within supply chain,” noted Simpson.
“Many members are reliant on other members for the storage, drying, marketing, distribution, and other services related to ultimately selling their grain/feed,” said Simpson. “It truly depends on what elements have been impacted overall, but… an attack could lead to anything from loss of contracts due to product availability issues, [to] delay of an ability to pay members, to even grain rotting on fields and being unable to benefit the farmer, cooperative or supply chain in turn.
The impact affects consumers, as well. “Your favorite dish at a nearby restaurant or cut of meat at the butcher counter may simply be unavailable for some time or, much, much more expensive if it remains or becomes available again in the future,” said Simpson. “Product shortages as a whole can and have recently resulted in rushes by consumers to buy what they can of a product experiencing shortage issues before it's no longer available. This further exacerbates the overall supply challenges and raises prices for everyone across the board.”
The agriculture industry is well aware of the stakes. “AFBF is concerned about cybersecurity as a matter of national security especially after the Colonial Pipeline attack and the JBS attack, and now the attack in Iowa,” said Emily Buckman, congressional relations director with the American Farm Bureau Federation. “We know from the COVID-19 pandemic that our food supply chain is resilient, but we are always looking for solutions to minimize the risks of disruptions. We have had positive discussions with the FBI about cybersecurity in the food and agriculture sector and will remain engaged with key stakeholders to highlight the importance of ensuring our food supply is secure.”