Welcome to the fourth in a series of articles discussing the importance of an Information Sharing and Analysis Center (ISAC) in the food and agriculture sector. In our first article,¹ we examined how security threats against the sector are increasing, and how cyber threats against the global supply system are on the rise. To raise awareness of these threats and to encourage a coordinated response in the event of a widespread incident, we recommended that an ISAC be formed for the sector. Our second article² reviewed the history of ISACs and discussed the importance of establishing one specifically for the food and agriculture industry. We also talked about the necessary steps to set up a broad ISAC for the sector. Our third article³ focused on threat information sharing and how it is encouraged between businesses that may otherwise be restricted by anti-competitive laws or regulations.

Shortly before our third article went to print, the Information Technology ISAC announced that its Food and Agriculture Special Interest Group (SIG) was renamed the Food and Ag-ISAC.⁴ The authors appreciate that initiative and support any effort to improve the sharing and analysis of threat information within the sector. A similar project, underway for over a year, is building a robust FA-ISAC capability to be anchored at several land grant institutions across the country. This consortium plans to bring together experts and students in a series of "teaching ISACs" that will educate future leaders, as well as provide warnings and guidance to thousands of small and mid-size organizations via the cooperative extension service offices located in nearly every county. We will provide updates as this project moves forward.

In this article, we will review the various types of common cyber threats faced by companies and organizations in the food and agriculture sector. We will also explore the potential consequences of these threats, including compromised food safety, disrupted supply chains, reputational damage, and legal or regulatory fines and penalties. As we have pointed out in the previous articles, the increasing digitization and interconnectedness of systems in the sector makes it an attractive target for cybercriminals. Other threat groups—such as military or intelligence organizations, or activists—may also target the sector to disrupt it or attempt to steal sensitive intellectual property.

Business consolidation and sourcing within the sector has led to increasing risks to company brands, where reputational damage can extend to the full variety of food products directly produced by the victim company, or as collateral damage where food products are sourced and marketed by others. An example of the latter would be labeled store brands, which are sourced from a supplier that was targeted in a cyber event.

Common Types of Cyber Threat Vectors

Malware and ransomware attacks from criminal groups involve malicious software that infiltrates computer systems, compromising data integrity and disrupting operations. These attacks can have severe consequences in the food and agriculture sector. For example, malware could infect control systems, leading to the compromise of critical infrastructure such as irrigation systems or food processing plants. Ransomware attacks can encrypt vital data, making it inaccessible until a ransom is paid. Notable examples include the NotPetya attack on the Danish shipping company Maersk in 2017, which disrupted global supply chains; and the LockerGoga ransomware attack on Norsk Hydro in 2019, one of the world's largest aluminum manufacturers. More recently, ransomware attacks against JBS (2021), Hood Dairy (2022), and Dole (2023) highlight the growing interest these criminal groups have with large companies in the sector.

Social engineering and phishing techniques exploit human vulnerabilities to gain unauthorized access to systems or obtain sensitive information. Typically, employees are targeted through fraudulent emails or phone calls, tricking them into divulging credentials or downloading malicious software. Other methods include distributing infected USB thumb drives at trade shows, or using a QR code to point to a website that hosts malicious software. Attackers can impersonate suppliers, regulators, or colleagues to gain trust and manipulate victims. These attacks can result in unauthorized access to critical systems or the theft of sensitive data. A notable instance is the 2019 phishing attack on the UK's Food Standards Agency, where employees were targeted with fake emails requesting login credentials.

Supply chain attacks target vulnerabilities in the interconnected network of suppliers, distributors, and service providers. These attacks can disrupt the entire supply chain, leading to compromised food safety or delays in delivery. Adversaries can compromise third-party vendors, introducing malicious code or tampering with products during transportation. Most infamously, the 2020 SolarWinds incident impacted over 18,000 businesses and government agencies around the world. The malicious code was delivered to victims via updates to SolarWinds products, which went undetected for nearly six months.

Denial of service (DoS) and distributed denial of service (DDoS) attacks overload networks or systems, rendering them unavailable to authorized users. In the past, these attacks primarily targeted online services such as websites or email, preventing customers from accessing resources or placing orders. As new technologies emerge, DoS or DDoS attacks against operational technology (OT) systems can impact critical infrastructure, such as sensor networks or equipment control systems. Precision agriculture tools dependent on sensors in farm fields connected by insecure wireless networks are prime targets for this type of attack.

Insider threats involve individuals within an organization who misuse their access privileges or exploit their position to compromise systems or steal sensitive information. Malicious insiders can compromise food safety, steal intellectual property, or sabotage critical operations. Insiders may be motivated by financial gain, disgruntlement, or coercion. Organizations must implement strict access controls, monitoring mechanisms, and employee awareness programs to mitigate this type of threat.

The Internet of Things (IoT) refers to interconnected devices that collect and exchange data. IoT devices play a crucial role in areas such as precision agriculture, crop monitoring, supply chain management, food processing, and food traceability. However, vulnerabilities in these devices can be exploited by threat groups to gain unauthorized access, disrupt operations, or tamper with data. For example, compromised IoT devices in agricultural settings could result in inaccurate data collection, leading to suboptimal crop management. Most IoT devices are small and have limited amounts of computing power. When connected in large "botnets" of compromised devices, they can be used as a distributed system for cracking passwords, mounting attacks against other systems, or spreading malware. IoT devices are not just fixed and stationary—drones used in agriculture are an emerging technology that will be targeted for exploitation if not properly secured.

Advanced persistent threats (APTs) are well-funded and highly skilled, state-sponsored adversaries that conduct sophisticated and targeted cyberattacks. APTs often involve a prolonged and stealthy infiltration of systems, with the objective of gaining persistent access and extracting valuable data or intellectual property. In the food and agriculture sector, APT groups target proprietary research and development data, sensitive customer information, or large databases of suppliers and business information. While sabotage of critical infrastructure is not a common APT objective, the recent war in Ukraine has demonstrated Russia's willingness to target growers and producers via computer networks.

SQL injection occurs when an attacker takes advantage of a vulnerable web server or system that does not validate user input prior to passing it to an internal structured query language (SQL) server for processing. If done properly, an attacker can force a vulnerable SQL server to send back private or sensitive information from the database, such as credit card numbers or account passwords.

Consequences of Cyber Threats in the Food and Agriculture Sector

One of the most significant consequences of cyber incidents in the food and agriculture sector is compromised food safety. Attackers can tamper with or manipulate data related to food quality, contamination testing, or traceability, leading to the distribution of unsafe or adulterated food products. This can pose significant risks to public health, result in product recalls, and damage the reputation of food producers and suppliers.

Cyber threats can also disrupt the supply chain of the sector. Attacks targeting suppliers, distributors, or logistics providers can lead to delays in product delivery, shortages, or the introduction of counterfeit products. Disruptions in the supply chain can have far-reaching consequences, affecting not only the profitability of companies but also impacting food availability and increasing prices for consumers.

Cyberattacks can have significant financial implications for businesses and organizations. The costs associated with incident response, recovery, and remediation can be substantial. Moreover, organizations may face financial losses due to disrupted operations, reduced productivity, legal liabilities, and potential fines or penalties resulting from non-compliance with data protection regulations.

A cyber incident can severely damage the reputation of companies and organizations in the sector. News of a data breach, compromised food safety, or a supply chain disruption can erode consumer trust, leading to a loss of customers and business opportunities. Rebuilding a damaged reputation can be a lengthy and challenging process, with long-term consequences for the affected organizations.

Even a minor cybersecurity incident could trigger legal and regulatory reporting. Companies may be subject to investigations, fines, or legal action if they are found to be negligent in safeguarding customer data, ensuring food safety, or complying with industry-specific regulations. Noncompliance with data protection regulations such as GDPR,⁵ PCI DSS,⁶ GLBA,⁷ COPPA,⁸ or HIPAA⁹ can result in significant financial penalties.

Mitigation Strategies and Best Practices

To effectively mitigate cyber threats, organizations should implement a comprehensive cybersecurity strategy. The following policies and best practices can help enhance the sector's cybersecurity posture.

Establish a cybersecurity culture that emphasizes the importance of security at all levels. This involves promoting employee awareness, training programs, and clear security policies and procedures. Employees should be educated about the potential risks, best practices for data protection, and the significance of reporting any suspicious activities. Clear and concise data protection policies should be available to all employees and reviewed at least annually.

Strong authentication and access controls, such as multi-factor authentication (MFA), should be implemented to secure access to critical systems and data. Access controls should be regularly reviewed and updated, granting privileges on a need-to-know basis. This helps minimize the risk of unauthorized access, both from external attackers and insider threats. System administrators and other users with elevated privileges should have two accounts—one for routine use and the other to perform administrative tasks that require the extra levels of access.

Continuous training and awareness programs are crucial for educating employees about emerging cyber threats, phishing techniques, and safe online practices. Employees should be encouraged to report suspicious emails, phone calls, or incidents promptly. Simulated phishing exercises can also be conducted to assess and improve employees' ability to identify and respond to phishing attempts.

Implement robust monitoring capabilities, such as intrusion detection systems (IDS) and security information and event management (SIEM) solutions, to detect and respond to cyber threats promptly. Incident response plans should be developed, tested, and regularly updated to ensure a swift and effective response in the event of a cybersecurity incident. Follow the NIST Cybersecurity Framework¹⁰ and NIST Incident Response Framework¹¹ for step-by-step guidance.

Secure software development lifecycle (SDLC) is mandatory for organizations that develop software or utilize custom applications. Incorporating secure coding practices is crucial if software is developed in-house. SDLC methodologies should be implemented that include threat modeling, code reviews, and vulnerability assessments. Regular patching and updates should also be prioritized to address known vulnerabilities.

Collaborative partnerships and information sharing, such as joining and actively participating in an ISAC, can help identify and mitigate emerging cyber threats. Companies, industry associations, and government agencies should establish partnerships to share threat intelligence, best practices, and lessons learned from cybersecurity incidents. This collective effort can enhance the overall security posture of the sector.

Comply with industry standards and regulations related to data protection, food safety, and supply chain security. Adhering to frameworks such as ISO 27001 (information security management) and implementing guidelines such as the U.S. Food and Drug Administration's (FDA's) Food Safety Modernization Act (FSMA) can help organizations establish a strong cybersecurity foundation.

Final Thoughts

The integration of technology and interconnected systems in the sector has made it vulnerable to various types of cyber threats, including malware and ransomware attacks, social engineering and phishing, supply chain attacks, DoS and DDoS attacks, insider threats, IoT exploitation, and APTs. These cyber threats pose significant consequences for the food and agriculture sector, such as compromised food safety, disrupted supply chains, financial losses, reputational damage, and legal and regulatory ramifications. The impact of these threats extends beyond individual organizations, affecting the overall food supply chain and consumer trust.

To mitigate these risks, organizations in the food and agriculture sector must prioritize cybersecurity. Implementing strategies and best practices such as establishing a cybersecurity culture, implementing strong authentication and access controls, conducting regular training and awareness programs, monitoring and incident response, following secure software development practices, fostering collaborative partnerships and information sharing, and ensuring compliance with industry standards and regulations are vital steps for enhancing the sector's cybersecurity posture.

Cybersecurity is an ongoing and evolving challenge. It requires continuous efforts, adaptation to emerging threats, and collaboration between organizations, industry associations, and government entities. As we have advised in our previous articles, one of the best ways to get ahead of cyber threats is to join and stay active in one or more information sharing and analysis groups. Whether it is a formal, sector-wide ISAC or a group of peer organizations with similar equipment and vulnerabilities, collaboration and collective response is essential for effective cybersecurity defense and resilience.

By pooling resources, sharing threat intelligence, and coordinating efforts, organizations can significantly enhance their ability to detect, prevent, and respond to cyber threats. Collaboration facilitates a broader understanding of evolving attack techniques, enables proactive measures, and promotes the development of effective countermeasures. Moreover, a collective response fosters a unified front against cyber adversaries, creating a more robust and resilient cybersecurity ecosystem. Ultimately, the strength of the collective is far greater than that of any individual organization, making collaboration an indispensable aspect of modern cybersecurity practices.

References

1. Sachs, M. and R. Norton. " An Information Sharing and Analysis Center for the Food and Agriculture Sector." Food Safety Magazine February/March 2023. https://www.food-safety.com/articles/8325-an-information-sharing-and-analysis-center-for-the-food-and-agriculture-sector.
2. Sachs, M. and R. Norton. "Cybersecurity and Food Defense: Establishing an ISAC for the Food and Agriculture Sector." Food Safety Magazine April/May 2023. https://www.food-safety.com/articles/8488-cybersecurity-and-food-defense-establishing-an-isac-for-the-food-and-agriculture-sector.
3. Sachs, M. and R. Norton. "What Exactly is 'Information Sharing?'" Food Safety Magazine June/July 2023. https://www.food-safety.com/articles/8670-what-exactly-is-information-sharing.
4. Food and Ag-ISAC. 2023. https://www.foodandag-isac.org/.
5. Intersoft Consulting. "General Data Protection Regulation: GDPR." https://gdpr-info.eu/.
6. Goodspeed, L. "PCI DSS v4.0 Resource Hub." Security Standards Council. March 31, 2022. https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub.
7. Federal Trade Commission. "Gramm-Leach-Bliley Act." https://www.ftc.gov/business-guidance/privacy-security/gramm-leach-bliley-act.
8. Federal Trade Commission. "Children's Online Privacy Protection Rule ('COPPA')." https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa.
9. U.S. Department of Health and Human Services. "Health Information Privacy." https://www.hhs.gov/hipaa/index.html.
10. U.S. Department of Commerce. National Institute of Standards and Technology. "Cybersecurity Framework." https://www.nist.gov/cyberframework.
11. U.S. Department of Commerce. National Institute of Standards and Technology. "Computer Security Incident Handling Guide." Special Publication 800-61, Revision 2. August 2012. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf.

Robert A. Norton, Ph.D., is a Professor and National Security Liaison in the Office of the Vice President of Research and Economic Development at Auburn University. He specializes in national security matters and open-source intelligence, and coordinates research efforts related to food, agriculture, and veterinary defense.

Marcus H. Sachs, P.E., is the Deputy Director for Research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He has deep experience in establishing and operating sharing and analysis centers including the Defense Department's Joint Task Force for Computer Network Defense, the SANS Institute's Internet Storm Center, the Communications ISAC, and the Electricity ISAC.