Growing need to shield food and agriculture sector from rising cybersecurity threats, amidst supply chain risks


The food and agriculture sector faces a rise in cybersecurity threats, as ransomware hackers are more likely to attack food systems and their supply chain, leading to operational disruptions and financial losses. The warnings also extend to attacks on agricultural cooperatives during critical planting and harvest seasons, which disrupt operations, cause financial loss, and negatively impact the food supply chain. Moreover, these challenges are likely to be compounded by new disruptions in the future, making it essential to assess and appropriately react to the current threat landscape in the food and beverage sector.

The sector accounts for roughly one-fifth of the nation’s economic activity. It has critical dependencies across many other sectors, especially water and wastewater systems for clean irrigation and processed water, transportation systems for the movement of products and livestock, energy to power the equipment needed for agriculture production and food processing, and the chemical sector for fertilizers and pesticides used in the production of crops. 

Data released by industrial cybersecurity firm Dragos said that in 2021, ransomware was the number-one cause of compromise in the industrial sector, with manufacturing and food and beverage experiencing the highest volume of ransomware incidents. Several high-profile ransomware incidents victimized Global 2000 food and beverage companies, resulting in extended operational disruption and remediation costs. Furthermore, 100 percent of the food and beverage architectures that Dragos evaluated in 2021 had an external connection to operational technology (OT) from vendors, information technology (IT) networks, or the internet.

Industrial Cyber reached out to experts in the food and agriculture sector to draw up strategic measures that the food and agriculture players can adopt to build adaptive, responsive organizations to stay ahead of the evolving cybersecurity threat landscape.

Grant Geyer, chief product officer

“What’s become clear over the past year is that food and agriculture organizations play a critical role in the world’s supply chain, which makes them prime targets for cybercriminals. So many of these attacks are not sophisticated, but instead are straightforward attacks based on commonly exploitable vulnerabilities, or leveraging weak or obsolete user credentials,” Grant Geyer, chief product officer of Claroty, told Industrial Cyber. While the downside is that ransomware attacks continue to escalate, the upside is that a few simple measures can help address many cyber gaps that can lead to a compromise, he added.

Geyer also added that an accurate asset inventory is the first step toward proper vulnerability management to ensure critical systems are up to current patching levels and compensating controls are in place when appropriate. “Network segmentation is also a critical strategy to impede attackers’ lateral network movement. Most operational technology (OT) networks are no longer air-gapped, and network segmentation compensates for this by preventing attackers from using stolen credentials or compromising Active Directory and other identity infrastructure in order to move from system to system stealing data and/or dropping malware or exploits,” he added.

“Strategically, organizations should regularly test incident response plans, and conduct tabletop exercises to put those plans into motion without impacting production environments,” according to Geyer. Training and testing improve response and ensure business continuity, he added.

Claroty released data in March showing that over forty percent of food and beverage-sector respondents had their OT environment impacted by a ransomware attack in the past year. It also found that more than one-third of food and beverage-sector respondents say the revenue impact of operational disruption caused by a ransomware attack would be at least a million dollars per hour. Additionally, among food and beverage-sector respondents impacted by a ransomware attack, only 11 percent reported nonexistent or minimal disruption, while 51 percent reported substantial disruption.

“If they have not done so already, they should perform a tabletop exercise with their key stakeholders and decision-makers – executive leadership, C-Suite, risk, IT & OT,” Dino Busalachi, chief technology officer and co-founder at Velta Technology, told Industrial Cyber. He also called upon operators to choose a cybersecurity framework methodology that best suits organizational requirements, such as the MITRE ATT&CK, IEC 62443, and NIST-800-xxx.

Dino Busalachi, chief technology officer and co-founder at Velta Technology

“There are others, but avoid strictly following frameworks and vendors specific to IT toolsets only. In fact, IT should NOT be leading the OT cyber initiative – they lack fundamental knowledge of process integrity requirements related to Industrial Control/Process Automation Systems (ICS/PAS) and the necessary steps to mitigate and remediate vulnerabilities associated with ICS/PAS,” Busalachi said. “IT does have an important role, but they cannot be the champion, or they cannot be the ONLY thought leader. IT’s role should be supportive, accommodating, and collaborative, helping the entire organization understand the nuances between Digital Safety and traditional IT cybersecurity efforts,” he added. 

Busalachi said, “You want them on the bus, just not driving the bus!” 

He also recommended implementing continuous threat monitoring solution toolsets for OT Digital Safety (Secure and Protect) for their ICS/PAS vulnerability management system. He also suggested developing a network segmentation strategy to logically separate OT assets from IT assets, and network monitoring of ICS/PAS networks not just at Levels 5 to 3.0/3.5 of the ISA-95/Purdue model but also at Levels 2 – 0 (PLC to PLC, interlocks, and I/O), many of which are Ethernet/IP networks.

Furthermore, Busalachi also advised reassessing remote access of ICS/PAS, as the correct remote access tool should provide audit capabilities of activities (ICS/PAS) and evaluation of the Software Bill of Materials (SBOM) on SCADA systems, including removing any and all unnecessary applications and software installed within the ICS/PAS environments.

“The food and agriculture players can join an ISAC (or even better establish one exclusively focused and tailored to their sector) or an information-sharing organization that promotes exchanges of existing cybersecurity practices that are working and warnings of potential threats,” Frank J. Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security, told Industrial Cyber. 

Frank J. Cilluffo, director of Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security

“These entities can also engage with agencies like CISA and FBI, taking advantage of their numerous resources: e.g., the SCRM task force, critical infrastructure training, and ransomware guidance/readiness programs,” according to Cilluffo. “Companies at all levels need to ensure they have a CISO in place and that she/he is empowered to do their job enterprise-wide,” he added. 

Since 2021, multiple agricultural cooperatives have been impacted by several ransomware variants. Assessing how the food and agriculture sector copes with such incidents, given the low cybersecurity awareness and differences in culture, especially among safety and operations personnel, Busalachi suggested developing an “OT Digital Safety team (combination of OT, IT, and risk). Start a budgeting process specifically for protection and securing the OT environment, ‘THINK DIGITAL SAFETY.’ Broaden the scope of the OT participants to include OT vendors, automation technology vendors, OEMs, and System Integrators (SIs). These organizations are improving their cyber awareness understanding,” he added.

“All Cybersecurity frameworks require the ability to Identify, Detect, Protect, Respond and Recover,” according to Busalachi. “Determine where your organization is regarding these cybersecurity basic pillars,” he added.

“While many agricultural cooperatives have been impacted by ransomware over the past couple of years, we’ve also seen increasing awareness among food and beverage manufacturers that cyber-attacks represent a significant risk to their operations,” according to Geyer. “Organizations that cope more effectively recognize that they need to treat cyber security risks the same way that they think about other risks to the business – such as liquidity risk, market risk, and supply chain risk. When analyzed through that lens, addressing cyber challenges are then assessed and treated in a more systematic and purposeful manner,” he added.

Cilluffo said that this largely has to do with training and readiness. “Again, taking CISA’s ransomware readiness tests and learning usable skills to combat threats is instrumental to longevity. An information-sharing network would innately bring awareness to cyber issues and get folks in this sphere talking about protection and resilience,” he added. 

“Being prepared and having plans for ransomware attacks will enable survivability,” according to Cilluffo. “A crisis is not the time to recognize the importance of cybersecurity. To paraphrase legendary basketball coach John Wooden, ‘failing to prepare is preparing to fail,’” he added.

Gauging the capability of organizations within the food and agriculture sector to carry out the list of recommendations provided by the FBI, Geyer said that “like any industry, the food and agriculture industry has leaders and laggards in terms of their ability to operationalize recommendations. Not surprisingly, we tend to see that the larger entities are better resourced, have more effective corporate governance, and therefore can operationalize security recommendations more effectively,” he added.

Given the criticality of the food and agriculture sector to a functioning economy, this is a key sector that needs government support and engagement to mitigate cyber risk, Geyer added.

Busalachi had a simple question: “Are we exercising the same amount of due diligence to secure and protect our ICS / PAS as we do for the ‘Enterprise’? If not, why not? All the same steps to protect and secure the enterprise need to be applied to the ICS/PAS (resources, budget, expertise, experience, knowledge, toolsets (not necessarily IT toolsets)).”

He also said to work with CISA, as they have free tools and services. He, however, cautioned that “when it comes to free, you also get what you pay for!” 

Busalachi also pointed to the need to “re-evaluate the infrastructure outsourcing support model. If your organization has chosen to allow foreign entities full onboard access to support the company’s infrastructure, networks, systems, and applications, time to rethink the strategy. If you’re a global company, you may need to determine how to make your country’s laws applicable to breaches,” he added.

“The FBI reach is limited in other parts of the world,” Busalachi said. “We have seen joint ventures end because of political winds and other countries’ refusal to allow protective measures for safe and secure operations, leaving gaping holes in cybersecurity between countries and their corporate enterprise,” he added.

“Most of the recommendations listed – having multistep authentication, strong passwords, updated anti-malware software, disabling hyperlinks in email, cybersecurity training, and so on – are all processes that the food and agricultural sectors can do now,” Cilluffo said. “Some of the list’s recommendations do require a bit more work but will prevent an attack and mitigate the damage if an attack were to take place: identifying critical functions to have a manual option and having a recovery plan,” he added.

Addressing the fact that there are no existing industry-specific regulations for the food and agriculture sector that cover cybersecurity, and whether regulations in the sector could be expected any time soon, Geyer said that the overarching challenge in the U.S. economy is that the food and agriculture sector is owned and operated by private entities who own their own cyber investment decisions.

“Although the U.S. Government has been conducting 100-day sprints to improve the cybersecurity of the nation’s electric, pipeline, and water sectors, it remains to be seen whether there will be any regulation or sprint focused on the food and agriculture sector,” according to Geyer.

Cilluffo said he “would imagine there would be an increase in regulations given the current state of the threat environment. There, however, needs to be a push for change within the community and a willingness to train workers on these issues.” 

“Also worth noting that critical infrastructure sectors need to instill a mindset and culture that prioritizes cyber hygiene and best practices because these sectors are not only important unto themselves – but feed into and support other sectors and national critical functions as well,” Cilluffo said. “Achieving this requires leadership at the top and exercising regularly throughout the organization so that frontline personnel understands the range of threats and how to maintain resilience in the face of them,” he highlighted. 

The pandemic has underscored just how essential this sector is and has spurred a sense of urgency to address this challenge, according to Cilluffo. “Whether regulation comes to pass is an open question but the need to take action is clear,” he added.

“Not until shortages become impacting to communities and nations and rationing begins. Regardless of the reason (recall, supply chain) for the shortage, companies will need to demonstrate they are doing everything in their power to keep their products safe and can trace a bad batch from POS back to the origin,” Busalachi said. “The importance of food safety and reporting controls up to even the highest levels of corporate governance = ‘Digital Safety.’ The future of the food and AG industry is seeing growth related to continuous process improvement, automation, scientifically precise farming techniques,” he added.

Agri-bots monitoring, treating, and working the land are designed to maximize yields and minimize disease, all of which are susceptible to cyber-attacks, Busalachi said. “The farm to fork track, trace audit is becoming common practice, and food supply will need to be protected. So do I believe regulations will shape the Digital Safety (OT cybersecurity) landscape? The answer is yes,” he concluded.
