Just-in-time logistics mean that even a short-term cyber attack can have serious consequences. A hack that disrupts fertilizer or pesticide production could force farmers to end their planting season. Irregularities at meatpacking plants could lead to precarious supply shortages. Tampering by food processing companies can lead to deadly contamination. According to Sachs, the ransomware attack has already forced companies to shut down operations for a week, leaving schools without milk, juice and eggs.
“Significant disruptions to the industry cause immediate public health and safety concerns,” said Mark Montgomery, who previously served as executive director of the Cyberspace Solarium Council.
Despite growing vulnerability, the food and agriculture sector still “doesn’t really understand the threat mindset,” while higher-profile sectors such as financial services and energy do, Sachs said.
Mission critical, limited support
Today, food and agriculture is one of four critical infrastructure sectors (out of 16) that do not have an ISAC, the others being dams, government facilities, nuclear reactors and materials.
The food and agriculture sector was one of the first to launch such a hub in 2002, but it was disbanded in 2008 because few companies shared information through it. Members worry that such openness could hurt their competitive advantage and expose them to regulatory action. Companies now worry that exchanging information with each other could lead to antitrust lawsuits, even if the cooperation is legal, Sachs said.
Some companies participate in the Food and Agriculture Special Interest Group (SIG) within IT-ISAC, which gives them access to data and analytics from some of the world’s largest tech companies, as well as resources such as playbooks used to fight specific hacker groups.
“Over the last three years or so, our engagement with the industry has really expanded,” said Scott Algeier, executive director of IT-ISAC. During the same period, IT-ISAC recorded 300 incidents of ransomware targeting the food and agriculture sector attack.
However, Sachs believes that SIG’s offerings are limited. It does not hold regular large-scale exercises to simulate attacks on food and agriculture companies, does not have a 24/7 monitoring center to continuously monitor the infrastructure of these companies (and related events such as severe weather and supply chain disruptions), and cannot pass Compare classified government intelligence with data from sensors within that infrastructure to automatically generate insights and alerts. “I’m grateful for what Scott did there,” Sachs said. “It’s a very good thing. But it’s not ISAC.”
Algeier said IT-ISAC held exercises focused on the food and agriculture sector and “members can contact us 24/7 if needed.”
But the industry needs its own ISAC, which can “analyze threats and provide a real operational assessment,” said Brian Harrell, former assistant director for infrastructure security at the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“A lot of people I’ve talked to think there needs to be a dedicated ISAC,” Pfluger said.
Companies also need more support from the federal government.
The USDA, the industry’s sectoral risk management agency, is “significantly less effective” than other SRMAs, Montgomery said. The USDA doesn’t even earmark money for its security support, which includes biannual industry-wide meetings, weekly threat bulletins and the occasional town hall.