This article is the third in a series discussing the importance of an Information Sharing and Analysis Center (ISAC) in the Food and Agriculture sector. In our first article,[1] we discussed how security threats against the sector are increasing, and how cyber threats against the global supply system are on the rise. To raise awareness of these threats and to encourage a coordinated response in the event of a wide-spread incident, we recommended that an ISAC be formed for the sector. Our second article [2] reviewed the history of ISACs and discussed the importance of establishing one specifically for the Food and Agriculture industry. We also talked about the necessary steps to set up an ISAC in the sector.

In this article, we will discuss the types of threat and vulnerability information that can be legally shared between companies and organizations. The rapid dissemination of threat information is crucial, and businesses are encouraged to share such information even if they may be restricted by anti-competitive laws or regulations.

Legal Concerns

Many corporate legal teams are concerned about antitrust laws that restrict competing companies from sharing sensitive internal information, particularly information related to cybersecurity threats and incidents. These concerns should have been reduced or eliminated when the Cybersecurity Information Sharing Act of 2015 (CISA 2015) [3] was signed into law.

The aim of CISA 2015 was to create a voluntary system of sharing cybersecurity information between public and private sector organizations. The intention was also to encourage the sharing of cyber threat indicators and defensive measures with no antitrust restrictions, while protecting the privacy and civil liberties of individuals.

The specific language regarding the antitrust exemption for cybersecurity information sharing can be found in Section 104 of CISA 2015: "… it shall not be considered a violation of any provision of antitrust laws for 2 or more private entities to exchange or provide a cyber threat indicator or defensive measure, or assistance relating to the prevention, investigation, or mitigation of a cybersecurity threat, for cybersecurity purposes under this title." Both nonprofit and for-profit entities are eligible for this antitrust exemption if they engage in conduct that is necessary for participating in cybersecurity information sharing activities.

Furthermore, the same section of the Act states that, "…a cyber threat indicator or defensive measure shared with a State, tribal, or local government under this title shall not be used by any State, tribal, or local government to regulate, including an enforcement action, the lawful activity of any non-Federal entity or any activity taken by a non-Federal entity pursuant to mandatory standards, including an activity relating to monitoring, operating a defensive measure, or sharing of a cyber threat indicator."

The bottom line is that sharing cybersecurity information is exempt from the antitrust laws that normally prevent competing companies from discussing sensitive internal (or inside) information. There should be no reluctance from legal teams to support cyber threat information sharing with other companies, even if they are competitors; nor should they discourage their security teams from working with government agencies to establish two-way trust paths for information exchange.

Cyber Threat Indicators

A cyber threat indicator is a piece of information that suggests an organization is being targeted or compromised by a cyber threat, such as a hacker or a malicious actor. Cyber threat indicators can include a wide range of information, such as IP addresses, domain names, file names, file hashes, email addresses, and other data points associated with malicious activity. The sharing of cyber threat indicators between private and public sector entities can help improve situational awareness, enhance incident response capabilities, and strengthen overall cybersecurity postures.

Examples of cyber threat indicators that should be shared between private and public sector entities include:

  • Malicious reconnaissance, such as scanning and probing of networks or systems for vulnerabilities or weaknesses
  • Unauthorized access or attempted access to systems or networks, including the use of stolen or fraudulently obtained credentials
  • Indicators of compromise (IOCs), such as IP addresses, domains, file hashes, and signatures that are associated with malicious activity
  • Suspicious network activity, such as unusual traffic patterns or unusual ports being used
  • Malicious code samples, such as viruses, Trojans, and worms, as well as new or unknown malware
  • Suspected or confirmed malicious insider activity, such as theft or unauthorized disclosure of sensitive information
  • Security vulnerabilities in software or hardware, along with information on how to mitigate those vulnerabilities
  • Phishing emails, social engineering tactics, and other forms of malicious activity aimed at tricking users into divulging sensitive information or compromising systems
  • Threat intelligence reports that provide insights into the tactics, techniques, and procedures (TTPs) used by cyber threat actors.

CISA 2015 is designed to encourage the sharing of threat information between private and public sector entities, but it does not require an organization to share such information. The decision to share is left to the discretion of each individual organization and must be done in accordance with privacy and civil liberties protections, as well as any other applicable laws and regulations.

Defensive Measures

A "defensive measure" is defined in CISA 2015 as an action, device, procedure, signature, technique, or other measure applied to an information system or information that is stored on, processed by, or transiting such a system that detects, prevents, or mitigates a known or suspected cybersecurity threat or security vulnerability.

Those are a lot of legal words, so here are some common examples:

  • Intrusion detection and prevention systems (IDPS) are security tools that monitor network traffic for signs of malicious activity, such as unusual patterns of data transfer, suspicious IP addresses, or known malware signatures. IDPS can be configured to block or quarantine malicious traffic automatically.
  • Firewalls are network security devices that monitor and control incoming and outgoing network traffic based on predetermined security rules. Firewalls can be used to block known malicious IP addresses, restrict access to vulnerable network services, or prevent the spread of malware.
  • Antivirus and anti-malware software are software tools that scan for and remove known malware and other malicious code from endpoints, servers, and other devices. They can be used to prevent or mitigate the effects of malware infections, such as ransomware attacks.
  • Threat intelligence feeds provide real-time information about known or suspected cyber threats, including indicators of compromise (IOCs) and other relevant data. Sharing threat intelligence feeds between organizations can help improve situational awareness and enhance incident response capabilities.
  • Security information and event management (SIEM) tools collect and analyze security data from various sources, such as logs and network traffic, to detect and respond to security incidents. SIEM tools can be used to identify patterns of suspicious activity, prioritize alerts, and provide forensic data for incident investigation.

An ISAC in the Food and Agriculture sector can play a critical role in coordinating the use of defensive measures to protect against cyber threats in this sector. An ISAC can serve as a platform for sharing cyber threat indicators and defensive measure techniques between members, then providing anonymized sector information to government partners. The flow of information to the government would not expose the identity of any particular company, but would provide government agencies with a better view of the threats targeting the sector.

An example of this type of information sharing can be found in the Electricity ISAC's Cyber Risk Information Sharing Program (CRISP).[4] Participating power companies automatically send threat information via the E-ISAC to the U.S. Department of Energy, which in turn has access to classified threat information from other government agencies. This sharing arrangement allows for the government to quickly notify a private sector entity (via the sector's ISAC) if it is being impacted by a significant foreign cyber threat. Local, state, and federal utility regulators have no access to this system, thus keeping the flow of cyber threat information away from potential regulatory enforcement actions.

In the event of a cyberattack or a security incident, an ISAC can assist with the coordination of incident response efforts between affected organizations and relevant government agencies. This can help minimize the impact of the incident and reduce the risk of future attacks. It can also provide accurate information to other members of the ISAC that may not have been directly impacted by the incident. Often, media and news services will sensationalize the reporting. An ISAC will stick to the facts and can provide more precise technical details about the incident.

Based on information shared with the ISAC and between its members, an ISAC can develop and promote best practices for cybersecurity in the sector. In many existing ISACs, these best practices are drafted and reviewed by experts from member companies. These best practices and guidance documents cover a range of topics including information on risk management, incident response, vulnerability management, supply chain security, and threat intelligence sharing.

While ISACs can also advocate for policy changes that promote cybersecurity in the sector, they should not be viewed as lobbying organizations. Testifying as an expert before legislative or regulatory bodies, or even reviewing proposed legislation or regulations, are appropriate activities for an ISAC. Due to their intimate knowledge of the types of threats and vulnerabilities faced by the sector, they can provide a balanced and technical point of view to create a more favorable environment for cybersecurity and information sharing.

An ISAC can certainly play a critical role in coordinating the use of defensive measures to protect against cyber threats in the Food and Agriculture sector. By facilitating information sharing, coordinating incident response, providing threat intelligence, developing best practices, and advocating for policy changes, ISACs can help improve the overall cybersecurity posture of the sector and reduce the risk of cyberattacks.

Final Thoughts

The importance of cyber information sharing in the Food and Agriculture sector cannot be overstated. Cyberattacks on the sector are becoming more frequent and sophisticated, and no organization can defend against these attacks by itself. By sharing information about cyber threats and attacks, organizations can learn from each other's experiences, develop more effective defenses, and ultimately reduce the likelihood and impact of successful cyberattacks.

For example, an agribusiness company might share information with other companies in the sector about a cyberattack it experienced, including details about the attack vector, indicators of compromise, and defensive measures that were effective in mitigating the attack. Similarly, a trade association representing farmers might share information about a new threat actor targeting its members and recommend specific security controls to protect against the threat.

The CISA 2015 provides a legal framework for the sharing of cyber threat indicators and defensive measures between private and public sector entities. This legislation encourages the sharing of information that could help identify and mitigate cyber threats to the Food and Agriculture sector. The development of an ISAC for the sector would provide a centralized hub for information sharing, and enable stakeholders to coordinate their defensive efforts.

Under the CISA 2015, cyber threat indicators can include a wide range of information, such as IP addresses, domain names, file names, file hashes, email addresses, and other data points that are associated with malicious activity. Defensive measures can include activities such as intrusion detection and prevention, secure configuration management, and information security assessments. By implementing these measures and sharing information about them, organizations in the Food and Agriculture sector can strengthen their cybersecurity posture and reduce the likelihood of successful cyberattacks.

An ISAC for the Food and Agriculture sector would also facilitate the development of best practices for cybersecurity. By collaborating with other stakeholders in the sector, organizations can identify and adopt best practices that have proven to be effective. This would not only improve the cybersecurity posture of individual organizations, but also the sector as a whole.

Finally, it is worth noting that information sharing in the Food and Agriculture sector must be done carefully to protect privacy and civil liberties. The CISA 2015 provides specific guidelines to ensure that personally identifiable information is protected and that information is shared in a manner that respects individual privacy and civil liberties.

In summary, the Food and Agriculture sector must prioritize cybersecurity and information sharing to protect against cyber threats. By sharing cyber threat indicators and defensive measures, developing best practices, and collaborating through an ISAC, stakeholders can improve situational awareness, enhance incident response capabilities, and mitigate the effects of cyberattacks. The CISA 2015 provides the legal framework to enable this collaboration, and organizations should take advantage of this opportunity to strengthen their cybersecurity posture.

In future articles, we will look at some of the common cyber threats that impact the Food and Agriculture sector and how an ISAC can reduce the impact of these incidents. We will also offer an idea about where to house a future, robust FA-ISAC that can serve the tens of thousands of organizations in the sector, from small- and medium-sized operations all the way to multinational corporations. A hint: how about anchoring it in a consortium of universities that are educating future leaders in Food and Agriculture businesses? Those students will learn about current issues; can collaborate with professors, experts, and other students; and can deliver a service to the nation that would be very different from what other sector ISACs provide.

Editor's Note

The IT-ISAC's SIG for Food and Agriculture recently renamed itself the Food and Agriculture ISAC, but the group has not been formally recognized by the federal government as the sector's official ISAC.

References

  1. Norton, Robert A. and Marcus Sachs. "An Information Sharing and Analysis Center for the Food and Agriculture Sector." Food Safety Magazine February/March 2023. https://www.food-safety.com/articles/8325-an-information-sharing-and-analysis-center-for-the-food-and-agriculture-sector.
  2. Norton, Robert A. and Marcus Sachs. "Cybersecurity and Food Defense: Establishing an ISAC for the Food and Agriculture Sector." Food Safety Magazine April/May 2023. https://www.food-safety.com/articles/8488-cybersecurity-and-food-defense-establishing-an-isac-for-the-food-and-agriculture-sector.
  3. 114th Congress. "Public Law 114-113-Dec. 18, 2015: Consolidated Appropriations Act, 2016." December 18, 2015. https://www.govinfo.gov/content/pkg/PLAW-114publ113/pdf/PLAW-114publ113.pdf.
  4. E-ISAC. "Cybersecurity Risk Information Sharing Program (CRISP)." 2023. https://www.eisac.com/s/crisp.

Robert A. Norton, Ph.D., is a Professor and National Security Liaison in the Office of the Vice President of Research and Economic Development at Auburn University. He specializes in national security matters and open-source intelligence, and coordinates research efforts related to food, agriculture, and veterinary defense.

Marcus H. Sachs, P.E., is the Deputy Director for Research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He has deep experience in establishing and operating sharing and analysis centers including the Defense Department's Joint Task Force for Computer Network Defense, the SANS Institute's Internet Storm Center, the Communications ISAC, and the Electricity ISAC.