The current state of cyber security across the United States food and agriculture sector is worrisome for many reasons. Even with the long history of computer hacking, intellectual property theft, and even outright extortion over the past two decades, few private sector firms within our national food supply chains have taken the steps needed to harden their systems and build in resilience against such attacks. Although cyber risks within food processing operations can very easily become food safety risks, most firms do not invest in cyber hardening the same way they invest in food safety.
This may be because there are almost no regulations on cyber hygiene for food and agriculture firms today. Few firms share cyber defense technology or actions with their supply chain partners, as they do for food safety issues. Some companies that were quick to claim tight cyber security over the past few years have recently experienced humbling and costly cyber attacks. Why is this the case? The answers are both simple and complex.
Simply put, most cyber defenses in place across the food and agriculture sector are not configured to mitigate the most prevalent attacks today. The truth is that our vulnerability to cyber attacks in the food and agriculture sector results from two problems: The first is the extensive use of legacy technologies in food processing; the second is the integrated nature and interdependencies within our critical infrastructures and throughout our supply chain relationships themselves. Countless successful attacks have already leveraged these very vulnerabilities.
Unless your firm is utterly isolated from the Internet and allows no external connections of any kind to any of your networks, you are at risk. When cyber criminals mount attacks today, they cast a wide net to detect and penetrate every network that may have an Internet connection. If you are connected, you are at risk.
The primary attack modality today is not the same as it was 10 or even five years ago. Today’s cybercriminals are far more sophisticated and much better equipped. They target money and valuable intellectual property (IP), and they do not want to be detected … until they’re ready. They need time to explore your network connections undetected to learn your networks, find your IP, and then insert their malware. They may gain entry via phishing by targeting your employees’ email accounts, or they may find a security hole in a networked device in your operational technology (OT). They might find a security hole in a network operated by one of your suppliers or customers, which may offer a connection to you.
When a cyber criminal does find a connection pathway or entry point, they explore your networks and seek data pathways they can exploit in your suppliers’ or customers’ networks. They can be in your systems for months, undetected. Then, when they are ready, they lock your systems, and often those of your suppliers and customers, and demand enormous ransom payments in exchange for releasing your data and your systems.
The Cascade Effect
You might think that these cybercrooks need substantial resources and extensive IT infrastructure to do what they do. They do not. The real key to their success is the available computing power and the bandwidth now deployed across the globe. The computing power available in high-end gaming computers is astonishing. That power means that a well-trained cybercrook can operate 24/7 to execute millions of probes against thousands of network infrastructures or millions of email accounts, trying to find a network to exploit.
The current advantage is with the cyber attacker. They only need to be right once when attacking your networks, while you must be right every time, 24/7, to protect against them. You may even face cascading impacts from attacks on firms in other infrastructures, such as energy, transportation, or water. These providers are often connected to your firm’s IT infrastructure in some manner to facilitate transactions and services.