Food defense programs continue to evolve as the food industry deals with the requirements of the Food Safety Modernization Act (FSMA). Like any new regulatory rollout, there has been a learning curve for both government and industry, as the nuances and sometimes contrasting interpretations of requirements were tested in both directions (business and government) and then modified by the real-world realities that are inherent in the making of the food supply.
Lessons from COVID-19
The COVID-19 pandemic has substantially affected the food industry in ways not previously anticipated. Where planning assumed as a given that food safety or food defense personnel would always be present, the actualities were often found to be much more complex. Food companies of all sizes and product types have experienced, and continue to experience, COVID-19 cases in real time and probably will be doing so beyond 2022, if the illness becomes seasonal.
Personnel became sick in the food plants across the U.S. and Canada. Sadly, in some cases, workers died. Government inspectors were not immune, and likewise fell victim to the pandemic. At times in 2020 and 2021, the food supply seemed very fragile, as panic buying and the need to adjust away from parts of retail food (i.e., restaurants) complicated an already complex situation. The situation ebbed and flowed, but still has not "gone back to normal" as of mid-2022. The supply chain has been fractured, and COVID-19 is still with us in fits and surges.
Nonetheless, we are learning from our global and national experiences with the pandemic. Lessons learned so far include how to manage in the midst of a major disruption. Today, the U.S. food industry is better prepared for future disruptions than it was before COVID-19. New lessons learned occur daily, even as new COVID-19 cases and hospitalizations continue to decrease, and numbers vaccinated across the U.S. continue to track upward. The optimistic view of these overall trends is that the COVID pandemic is slowly beginning to ease, at least in the U.S. The more realistic view is to recognize that there is a long way to go, despite the higher vaccination rates.
Antecedents to Future Challenges
In the midst of these pandemic-driven trends, two events with implications for food safety and food defense occurred as the U.S. remained distracted by the pandemic. In the first event, a nation-state targeted the U.S. This happens frequently, but what was unusual in this instance was the scale—unmeasured at first, because the attack remained undetected for several months. In the second event, a small municipal water system was hacked. Although a seemingly small incident, it was in fact a game-changer. Both of these events impacted food safety, as well as food defense in a secondary, but no less important manner.
As we examine what happened, we must keep in mind that both events occurred in the throes of the pandemic. That fact must not be lost, because it provides an example of "compounded threats," or what the military call "asymmetric effects." Although the term "asymmetric" was initially associated in the early 2000s with terrorism and insurgency in the Middle East, powers in the East have adapted the strategy and tactics over the last two decades to mean something different: maximized effect with minimized input. In this military/quasi-business sense, these Eastern powers are looking for the fastest military/economic return on investment (ROI) with minimal risk of attribution. Cyber is increasingly involved in these strategies. The shift to a cyberattack vector is likely to become the norm for the future.
Timing is everything in achieving asymmetric effects. The cyberattacks discussed here likely occurred when they did because the U.S. was experiencing the many frictions of COVID-19. The national security apparatus was distracted, and people's lives were significantly impacted and disrupted. A large number of employees (both in government and the private sector) were working remotely, creating new challenges and vulnerabilities.
Food safety and food defense professionals will need to become very familiar with the operational mode of adversarial nations, since those nations are actively probing government and business systems for weaknesses to exploit. The future may bring actual attacks with the intent of destruction. Food companies must become more robust and, in doing so, will make themselves less vulnerable to attack. Food companies will need to build this strength for themselves, rather than look to the government for rescue in times of trouble.
SolarWinds Corp. is the developer and owner of a platform called Orion and a suite of other products that monitor information technology (IT) network and server performance. These kinds of IT tools enable maximized network performance, so that when you send an email, input data, or make enquiries to a database, there is no delay when using the company Wi-Fi. In essence, this software helps cyber systems in government and business systems continue to work efficiently, at the speed of electrons.
Food defense and food safety professionals are likely to have never heard of the company. Given the almost ubiquitous use of the software, company IT professionals are probably familiar with the company, its products, and its services. Many food companies likely use Orion to monitor their networks. Without getting into the weeds, a basic principle is that network efficiency balances with network security. Monitoring agents like Orion often seek "domain admin," meaning unfettered access to every part of the system the software is supposed to monitor. In other words, the software seeks access to the "keys to the kingdom," which must be handed over by the network administrator. With that level of access, maximized network efficiency may occur; however, if done incorrectly, network security degrades. That is exactly what happened with Orion software—system efficiencies were gained at the expense of security.
The SolarWinds hack was exceedingly impactful to the U.S. and is perhaps one of the largest hacks in its history. The impacts to national security are massive. The hack initially targeted government systems, but it also spilled into non-government systems, including business. The technical details are beyond the scope of this article. Put simply, a backdoor was developed and distributed, using an update of the Orion software as the attack vector. The exact origin of the attack is moot in this discussion. The important element to note is that this is still not entirely public information; some details about the hack remain under government security. However, this attack provides a clearer picture of the kinds of cyber-borne threats that can and will be brought against U.S. critical infrastructures (including food and agriculture) in the future, from a highly sophisticated (i.e., nation-state) adversary. The SolarWinds hack came from a top-tier threat actor. Although the original target was government, a cybersecurity firm discovered the hack.
It now appears that at least 30% of the victims had no connection to SolarWinds software.[1] This is where the cyber metastasis mentioned earlier came into play. Compromises to one node can lead to others. The result in this case was the compromise of business systems across the U.S., including Fortune 500 companies.[2] The same attackers also targeted computer security companies and appear to have compromised multiple cloud-computing accounts, as well as multi-factor authentication systems and email accounts, potentially exposing people and their communications.
Implications for Food Safety and Defense
Assuming for a moment that a food corporation was a victim in the SolarWinds hack, what could this mean to the brand and the bottom line?
- Malware presence on a computer system gives the attacker user privilege that is extremely dangerous to systems and companies.
- Industrial control systems (ICS) are vulnerable to compromise. These systems are used in food product handling, production/processing, and distribution. They include supervisory control (e.g., process temperature monitoring/maintenance controls) and data acquisition systems (e.g., process temperature recording), as well as distributed systems (e.g., inter-/intra-plant processing controls) and programmable logic controllers for localized processes (e.g., food product movement on a belt to packaging). Adversaries could use these exploits to damage food safety and cause intentional damage to the brand through contamination, process deviation, or adulteration. These events could, in turn, create financial impact through costs borne of recalls or litigation.
- Trade secrets [e.g., processes, engineering information, formulas, research and development (R&D) information, cost and price calculations, etc.] are made vulnerable to compromise. Adversaries could use these exploits to gain competitive advantage in the marketplace, without making capital or R&D investments. Adversaries could duplicate formulas or set up duplicated, competing food processing plants in their own countries. China, for example, is known to regularly target trade secrets, and this is the strategy behind the requirement of systems access for companies wishing to work in that country. Many companies working in China assume that trade secret loss is a cost of business, necessary to gaining market access. Although a short-term strategy, the longer-term implications to the company may be more costly if the U.S. food company loses market access once the trade secrets are lost.
- Proprietary information (e.g., copyrighted material, patents, customer lists, management and customer relationship philosophies, and product marketing strategies). Adversaries could potentially use these exploits to gain further competitive advantage in global markets. When combined with trade secrets, the adversary gains advantage by knowing how a company operates, enabling unfettered access to decision-making processes and actual decisions before they are finalized. They may also gain access to information about new products before they are marketed and access to food safety and food defense programs as they are developed and modified.
- Personally identifiable information (PII) is made vulnerable to compromise. PII includes things like individuals' names, bank account numbers, Social Security Numbers, passwords, and identifying information about their family and friends. PII compromise enables the adversary to target the individual for further exploitation. Further exploitation could take the form of bribery, blackmail, or other forms of coercion.
- Adversarial control of systems could lead to those systems being temporarily or permanently inoperable (e.g., disabling or destroying system controllers, backup generators, water filtration systems, etc.).
- Adversarial control of systems could lead to injury or death (e.g., overriding of safety settings, causing the release of toxic gases, etc.). Although the event at the Gainesville, Georgia Foundation Food Group plant[3] that claimed six lives was an accident, imagine similar events at other companies that are not accidental.
Oldsmar Water System Hack
Oldsmar is a small city on the Gulf of Mexico side of West Central Florida. In February 2021, an attempt was made to modify the level of sodium hydroxide added to the municipal water supply by a person or persons, who remain unknown at the time of this writing. Sodium hydroxide, used in small amounts, balances the pH of the water. The hacker(s) gained access to the control software and took control of the system for approximately five minutes, during which time the chemical's concentration increased by a factor of 100 (from 100 ppm to 11,100 ppm). The remote user software utilized at the time enabled employees of the municipal water utility to work remotely, given the concerns of COVID-19. The problem was the poorly protected software access. Fortunately, an alert employee working remotely was monitoring the systems with the same software, immediately noticed the change, and adjusted it back to the correct concentration. No harm occurred.
Cyberattacks on water systems have occurred in other parts of the world, including Israel, which has experienced events far more serious. Although less common in the U.S., municipal water supplies are likely to become a target for adversaries in the future. As was learned from the SolarWinds hack, business must come to terms with the idea that the adversary is already present in the systems, including those associated with supply water. Many food processing companies depend on municipal water supplies—the infrastructure of which may not be in good shape due to lack of investment, rising costs, and shifting populations.
Lesley Carhart, Principal Threat Analyst at Dragos, chillingly summarized the situation: "The foreign state hackers are there. They are in the water utilities, I promise you. But, they know better than to poke buttons today … They're going to wait until they've got a really good reason to poke buttons. They're there. We find them all the time."[4]
Implications for Food Safety and Defense
What are the implications to food companies of a cyberattack to a municipal water supply?
- Municipal water supply control systems may be compromised and then actually controlled by hackers, leading to potential significant problems in water quality that may affect ingredient or food product quality and safety, food processes (thermally processed foods, minimally processed foods, etc.), and sanitation.
- Adversarial control of systems could lead to contaminated food products.
- Hackers may use water supply control system access to destroy potable water purification and distribution equipment and systems.
- Adversarial control of systems could destroy pumps or open valves, or cause upstream comingling of treated and untreated water.
- Adversarial control of systems could over- or under-apply water treatment chemicals (e.g., too much/too little chlorine, etc.).
- Adversarial control of systems could release chemicals that damage water distribution infrastructure (i.e., pipes).
- Hackers may target multiple critical infrastructures in a manner that causes cascading effects and multiple system failures.
- Adversarial control of other critical infrastructure systems could cause cascading malign effects into other critical infrastructures (e.g., a computer hack leads to an attack on the power grid, which causes a failure in a municipal water system, which causes a failure in food processing).
- Hackers may target water-related systems (e.g., dams, reservoirs, irrigation) to cause flooding, release water supplies, or damage crops and livestock.
Resiliency is the Goal
The bad news is that highly sophisticated threat actors may already be inside of your systems and processes, waiting for the right time to attack. Solutions are possible, but speed is of the essence. There is no guarantee that your company's security situation will remain intact. To become less vulnerable and more resilient will require investment, as well as the development and implementation of new food safety and defense strategies and tactics.
Cyber is the backbone for food and agriculture defense. Adversaries have the means, opportunity, and motivation to break the cyber backbone at will. Just because they have not done so, does not mean they will not in the future. If or when adversaries carry out an attack of large magnitude, the result could be a massive compromise of food safety, food defense, and food security. To avoid that dark scenario, agriculture and food companies must properly prepare for a different kind of assault. The place to start is with their own cyber defense systems. The inevitable visit from the FBI, after a cyberattack has occurred, does the victim company no good when trying to pick up the pieces and salvage the brand and the bottom line.
Ask yourself, "If we knew that our systems were compromised today, what would we do differently today?" Assuming that the compromise is a real and present danger will help develop contingencies that will make your company more resilient. Government can only do so much to help. The Cybersecurity and Infrastructure Security Agency (CISA)—which is not a regulatory agency—can provide assistance. Beyond working with CISA, however, it is important to realize that you are on your own. In many respects, that is how it should be. If you do not have the expertise, make the investment and hire it. The simple answer when the inevitable ROI question arises is, "Company survival." Yes, it is that serious!
We as a nation do not want to go the route of nationalization, where the government becomes business. Rather, business must remain autonomous, meaning that government advice and guidelines should be used as a baseline to make independent business decisions. Discover the kinds of decisions that are right for your business model. The advice here is to invest rapidly in cybersecurity professional help from the highest grade of cybersecurity professional services you can afford. Beyond that, look at all of your processes and planning, including the continuity of business plans that you likely already have in place. Modify as necessary, again assuming that adversaries are already inside your systems. This is a very different business strategy, but also a necessary one given the military, diplomatic, economic, and trade challenges our nation is likely to face over the next few years. Your company can not only "operate to survive"; it can actually thrive in the midst of these challenges. The first step is to realize that the problem is also an opportunity to plan better and build stronger.
Support for Robert A. Norton, Ph.D., and the production of this article was provided by the Alabama Agricultural Experiment Station and the Hatch program of the National Institute of Food and Agriculture at the U.S. Department of Agriculture. The article represents the personal opinion of Robert A. Norton, Ph.D., and does not reflect the official policy or statutory-related opinion of the federal government, the National Institute of Food and Agriculture, and/or the U.S. Department of Agriculture.
1. McMillan, Robert and Dustin Volz. "Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say." Wall Street Journal. January 29, 2021. https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601.
2. Jankowicz, Mia and Charles R. Davis. "These big firms and US agencies all use software from the company breached in a massive hack being blamed on Russia." Business Insider. December 14, 2020. https://www.businessinsider.com/list-of-companies-agencies-at-risk-after-solarwinds-hack-2020-12.
3. Diaz, Jaclyn. "6 Killed In Liquid Nitrogen Leak At Georgia Poultry Plant." NPR. January 29, 2021. https://www.npr.org/2021/01/29/961923732/6-killed-after-liquid-nitrogen-leak-at-georgia-poultry-plant.
4. Collier, Kevin. "Lye-poisoning attack in Florida shows cybersecurity gaps in water systems." NBC News. February 9, 2021. https://www.nbcnews.com/tech/security/lye-poisoning-attack-florida-shows-cybersecurity-gaps-water-systems-n1257173.
Robert A. Norton, Ph.D., is Chair of the Auburn University Food System Institute's Food and Water Defense Working Group. He is a longtime consultant to the U.S. military and federal and state law enforcement agencies.
N.C. Simmons is a National Security Specialist and Researcher based in Montgomery, Alabama.