There is no shortage of risks in the global environment these days. The Barcelona Centre for International Affairs (CIDOB), an independent think tank, has documented the top issues that it believes will shape the international agenda in 2018. One of these issues concerns connectivity and the world order. This connectivity includes control over the means of transporting goods and information, which is a strategic priority for many nations. However, the potential for crisis related to this control appears to be increasing. One of the contributing factors to this crisis, according to the CIDOB, is digital vulnerability. With the tensions mounting between many countries including the U.S., Russia, China, and the Korean Peninsula, this vulnerability could translate into real incidents of cyberterrorism.
Perhaps it is beneficial to start with an understanding of cyberterrorism. As stated by the U.S. Federal Bureau of Investigation, cyberterrorism is any “premeditated, politically motivated attack against information, computer systems, computer programs, and data that results in violence against non-combatant targets by sub-national groups or clandestine agents.” Similarly, according to the Cambridge Dictionary, cyberterrorism constitutes “the use of the Internet to damage or destroy computer systems for political or other reasons.”
Of course, cyberterrorism can involve any information system in any industry and it might be argued that a greater crisis would result from sabotaging highly sensitive information systems, such as those used for air traffic control. So what would inspire cyberterrorists to focus on the systems that are part of the food chain?
As it turns out, these systems are actually very attractive targets for a cyberterrorist attack. An attack of this nature could certainly be far-reaching—the food chain is an entity that unites the world population and touches everyone in some way. The National Cybersecurity Institute at Excelsior College, a center dedicated to the challenges in cybersecurity policy, technology, and education, states that the “Department of Homeland Security [in the U.S.] has labeled the Food and Agriculture industry as one of the 16 national critical infrastructures.”
Potential Threats
According to the World Health Organization, 420,000 people die every year from food-related illnesses and the Food and Agriculture Organization of the United Nations says that more than 1.3 billion tons of food is wasted due to spoilage. An act of cyberterrorism in the food industry (also known as agroterrorism) could increase these numbers exponentially. There are a number of different avenues that agroterrorism could take:
- Disruption of delivery;
- Alteration of formulations;
- Interception of confidential information; and
- Threat of tampering.
How could these avenues unfold? Let’s discuss each one in some detail.
Disruption of delivery would affect the transportation system that moves goods from place to place, potentially cutting off vital supplies to vulnerable communities.
Alteration of formulations could occur at a food manufacturing facility through the takeover of important pieces of equipment. These days, nearly every step of the food supply chain involves a smart device or sensor that connects to a centralized control system. These devices are known as programmable logic controllers, or PLCs. The programming that makes up a PLC is only as “smart” as the individual who created it. PLCs can’t be relied on to make the distinction between a benevolent programmer and a malevolent individual with the goal of causing harm. PLCs could potentially be accessed remotely with any number of undesirable to disastrous results.
Researchers have already been successful in modeling the takeover of PLCs in a water plant. By using ransomware, they were able to change the monitoring systems, including altering chlorine levels. PLCs can control very significant parts of the manufacturing process. Taking control of PLCs involved in the manufacturing process of a product destined for a highly susceptible population, like infant formula, could result in major changes to the calibrated delivery of the various nutrients that are part of the formulation. The ultimate result is the sickening (or worse) of the youngest segment of the population.
Accessing confidential information is an ongoing favorite of cyberterrorists generally. Look no further than the recent Facebook scandal, where Cambridge Analytica was able to harvest over 50 million user profiles, simply by building a quiz app that collected data not only from the individuals taking the quiz, but also from the friends of these individuals—people who had no connection with the quiz. In another angle, a joint study released by the antivirus software specialist McAfee and the technology services provider Science Applications International Corp. showed that hackers are now looking to gather trade secrets and marketing plans and use that intellectual property to their own advantage.
The threat of tampering might be a method used by cyberterrorists. An example of this can be seen in the subset of cyberterrorists known as cyberactivists. Cyberactivists are those who may disagree with a company’s product or the method the company uses to produce the product. These individuals may threaten initially to use hacking to attack a company’s reputation, disrupt its operations, or maliciously modify its automated processes and then, depending on the response of the company, go on to launch the damage. Criminals may also use the threat of lost profits, caused by the disruption of equipment or transportation, to extort money.
Regardless of the motive, what is universally frightening is that any of these avenues could easily be initiated by cyberterrorists located anywhere in the world. There is certainly no requirement for the person perpetrating a cyberterrorist act to even set foot in the facility that is affected.
Limiting Exposure to Harm
With all of this in mind, it might be surmised that the food industry is arming itself heavily to prevent cyberterrorist acts. Unfortunately, that assumption might not be as accurate as would be desired. A number of factors are behind the fact that the food industry is not the most up to date in tightening its cybersecurity. One is a lack of awareness. Since breaching a company’s computerized systems is not as obvious as a piece of equipment that is not working, or a patch of flooring that requires repair, dedicating the resources to protecting those computerized systems is not the first priority. Those resources, of course, are tied into available money. Many food manufacturers look to their budgets first to improve food safety and quality, as well as productivity, before focusing on cybersecurity, especially if they never had an issue (at least not one that they are aware of). That lack of focus on cybersecurity can result in unnoticed system vulnerabilities. These vulnerable areas could include firewalls that go out of date, remote access portals that are insecure, operating systems that can be more easily corrupted, and staff that is poorly trained and/or unaware of the risks.
Even companies that have realized the importance of having a defense prepared against cyberterrorist attacks will often focus on the protection of their database systems. However, what is frequently overlooked is that professional hackers will use indirect and innovative methods to bypass the gates of even those systems that the companies believe to be secure. One example of a fairly simple way that a hacker can gain access is through the deployment of a large volume of phishing emails, all sent to personnel employed by the company that they are targeting. This technique is akin to the practice of ringing the doorbells of everyone that lives in the same apartment building. While most apartment dwellers won’t allow an individual who they don’t know into the building, the likelihood that one person will allow access increases the more doorbells are rung. And that is all that is needed—just one person—to let the hacker in.
Another method that cyberterrorists might employ is gaining access through a third-party contractor that a food manufacturer uses. As computer programming and software development requires a very specific technical skillset, many food manufacturing companies will not have this expertise in-house and will outsource to a contractor to help build their computer networking. However, this very act of bringing in outside expertise can expose the food manufacturing company to additional risks. Many of the high-profile cybersecurity incidents that have occurred were a result of hackers accessing the systems of the third-party contractors, which then allowed them a gateway to their true target—the food manufacturing company.
Ultimately, it is key that food manufacturing companies recognize the risks of cyberterrorism to their businesses and the greater food system that they are part of. From there, it is essential to implement a comprehensive cybersecurity program that is actively managed and maintained. Installing an antivirus software that is not updated regularly, with firewalls that are not closely watched, will not stop the highly skilled individuals that either are getting past those walls because they have their own agenda, or because they have been hired by others who are motivated to do harm. Companies must have a more far-reaching approach, where the antivirus software and firewalls are supported by policies, procedures, proper staff training, and regular updating.
Companies should approach cybersecurity in the way that they approach a food safety plan, with a comprehensive risk analysis using a team that is made up of individuals with the appropriate process and technical knowledge necessary in order to develop an effective cybersecurity plan. There must be a plan of defense documented and implemented to manage the risks identified in the analysis. Active management of the plan and regular reviews of the system ensure it remains up to date with the ever-changing landscape of information technology.
Organizations also need to consider innovative ways to stay one step ahead of a cyberterrorist attack. One approach to consider, which is gaining popularity, is the use of “white hat” hackers, who are computer security specialists who break into protected systems and networks to test and assess their security by exposing vulnerabilities before malicious hackers can do so. One of the truly beneficial aspects of utilizing this type of approach is that it goes right to the heart of prevention, instead of reaction.
Food manufacturing organizations, like companies across a broad spectrum of industries, recognize the importance of looking at preventing disaster, as opposed to responding to a disaster that has already happened. As John Ridpath, head of product at the technology educator Decoded, suggests, “The best form of defense is to be proactive and try to breach your own systems.” In the end, food manufacturing facilities that take this suggestion to heart are those that can take control of their cybersecurity, and that can be a huge competitive advantage in a global environment where connectivity is king.
James is a technical scheme manager in supply chain food safety at NSF International. Reach her at nkeresztes@nsf.org.
Leave a Reply