The U.S. Department of Homeland Security defines 16 critical infrastructure sectors vital to the physical and economic security of the United States. Any destruction or disruption to one of these sectors would impart a massive, negative impact on U.S. national security. One of these 16 critical infrastructure sectors is the food and agricultural sector. Although not one of the first sectors to come to mind as “critical” to most people, this sector nonetheless touches the lives of all Americans. It is almost entirely privately owned yet accounts for one-fifth of the nation’s economic activity. It is composed of more than 2 million farms, more than 900,000 restaurants, and more than 200,000 food manufacturing, processing, and storage facilities.[1] In addition, this sector is closely linked with many other critical infrastructure sectors, including water and wastewater systems (for irrigation), transportation systems (for movement of food and animals), the energy sector (for powering the processing of food), and the chemical sector (for fertilizers and pesticides). Any disturbance to the food and agricultural sector will cause additional effects to the other critical infrastructure sectors. As such, it is of vital importance to protect food and agricultural operations in the U.S.
The COVID-19 pandemic brought about historic supply chain issues that most people had not yet seen in their lifetimes. Facility shutdowns, labor shortages, and energy problems all took a toll on the food industry in terms of both supply and demand, and American consumers felt and continue to feel the economic side effects. This issue has brought to light some of the vulnerabilities found within the food sector. Most importantly, in addition to disruptions within the supply chain, the U.S. has seen an increasing number of cyberattacks that target physical food processing operations. There are a multitude of existing and emerging vulnerabilities that make agricultural entities prime targets for cyberattack, especially attacks from Russia. This has become so noticeable in recent years that U.S. congressional representatives have begun introducing bills to help protect against cyberattacks in the food and agricultural sector. “American agriculture is extremely vulnerable, due to the outdated security, poor coordination among businesses, and lack of emphasis on cybersecurity within the industry,” Sen. Joni Ernst (R-Iowa) said on the Senate floor in November.[2]
In an age of rapidly advancing technology, cybersecurity will remain a critical component of all infrastructure sectors, but become extremely important to the food and agricultural sector. How well-poised is the United States to handle cyberattacks on the food and agricultural sector?
Historically, farmers frequently have to weather many disruptions to their operations such as changes to tax or tariff policies, natural disasters, etc., but just now citizens are beginning to pay more attention to the many facets of this critical sector. The COVID-19 pandemic brought to light some of its issues beginning with labor shortages in 2020 due to localized COVID outbreaks at meat processing plants, resulting in fewer workers on site and therefore emptier shelves and fears over availability of certain food items. In 2021, food prices began to rise to the point where consumers not only began to bear the brunt of the cost, but news stations finally began to cover the crisis from the perspective of the farmers, as well. In 2022, public attention is now on the supply chain and the fact that food availability and affordability is declining as consumers deal directly with the rapid rise in inflation.[3] Markets across the board are in high flux due to the pandemic, but for this sector there has been no greater time than the present to take note of all the vulnerabilities that come with it. As U.S. citizens have seen, it does not take much for a problem in the food industry to start tipping into other aspects of U.S. life.
In May 2021, during the ongoing pandemic, JBS, the world’s largest meat supplier, was the target of a ransomware attack by a Russian cybercriminal group. Ransomware is one of the most prolific forms of recent cyberattacks because it allows hackers to lock authorized users out of a system until a ransom is paid. This form of extortion is widely used by foreign actors and has become a U.S. national security issue of note. REvil, the ransomware hacker group who broke into JBS systems, came into power around 2019 and is now known as one of the most successful cybercriminal groups in the world.[4] The REvil attack swiftly impacted JBS and their supply chain: livestock slaughtering was taken offline and, soon after, shipments of meat to wholesale buyers increased by more than 1 percent.[5] In hindsight, the U.S. Department of Agriculture (USDA) warned other meatpacking companies to review their IT systems and supply chain infrastructure, but these warnings came too little too late. The federal government attempted to work with these companies to ensure price increases did not occur as a result of the attack, but ultimately consumers began to see the effects in both prices and in delays with their purchases. This cyberattack caused some plants to shut down entirely and for shifts to move or be canceled, impacting the bottom line for the meatpacking companies. This is just one example of how supply chains, logistics, and transportation systems are extremely vulnerable to ransomware attacks because even attacks on choke points have cascading effects past the point of attack. Updates to infrastructure take time to fix, but as consumers have seen these kinds of cyberattacks are becoming more and more frequent. The public is starting to wonder how secure private companies’ IT infrastructures are and whether they will be able to handle attacks like these in the future.
In 2019, the University of Minnesota published a report stating that cyberattacks are on the rise and they pose a significant threat to food production and safety. Historically, other critical infrastructure industries, such as the financial or energy sectors, have been more likely to be hit with cyberattacks than the food industry because they were more appealing or more obvious; therefore, those industries naturally became better prepared for such attacks. However, foreign malicious actors now recognize the food and agriculture industry as a prime target. This is because damage to the industrial control systems of a company will translate to consequences from public health to physical harm to workers, to damaged equipment, to environmental damage, to financial loss.[6] This makes the food industry an easier target as their defenses have typically been low against cyber actors. Additionally, many of their control systems were created before cybersecurity was important to the industry. In the University of Minnesota report, over 200 industrial control system vulnerabilities were identified, increasing in number every year from 2011 through 2016. The researchers attribute their findings mainly to the fact that many food companies do not typically understand how their industrial control systems and IT systems overlap and interact, and they also tend to have little insight into the actual level of cyberthreat.[7] The U.S. Intelligence Community widely agrees that many private-sector companies are not aware of the true degree of threat, and the food industry is not alone there. The University of Minnesota report concludes with recommendations on how the food and agriculture industry can bolster their operations and information technology systems, on how to educate their staffs in cyber risks, and how to begin incorporating a culture of cybersecurity. However, the report also acknowledges that the tools necessary for conducting malicious attacks of this nature and scale are becoming easier and easier to learn, requiring actors to have less skill.[8] It is critical for food industry companies, both small and large, to have an awareness of the threats they face and the vulnerabilities their companies have. If not, it will lead to devastating consequences for themselves and for their customers. It is just as important for them to address these issues with the care and urgency they give to the other areas of food safety.
Another vulnerability that the food industry is susceptible to is automation and the increasing interconnectedness of things. Agriculture uses technology to advance its mission just as the other critical infrastructure sectors do; that means using everything from GPS, control systems, sensors, robotics, drones, autonomous vehicles, automated soil sampling, automated hardware, telematics, and software. This automation has helped to streamline processes and deliver food to consumers more quickly, but there has been little federal oversight of the cybersecurity aspect. The increase in use of precision agriculture to remotely control systems and the resulting exploitation of these vulnerabilities now have an impact on every aspect of the process. Many computer systems and their software are old and outdated, the companies tend to use devices that are not secure, and they continue to use old operating systems. Reports have shown that even mid-level supervisors are able to access certain computer systems from the comfort of their own homes and control food processing equipment without the use of at least a virtual private network.[9] Some devices at meat processing plants have been shown to use hard-coded passwords, which are passwords written into the source code that can only be changed by the software’s author. These passwords can be easily discovered by an adversary.[10] Unfortunately, these old hardware systems lack basic security features that incorporate modern security modifications, such as authenticating the identity of the sender and receiver.
This becomes an even bigger concern for the public once they realize that certain parts of the food and agriculture industry are very concentrated to a select few companies. This means that any problem associated with one company takes up a larger share of the industry and will have a greater impact on consumers. In the meat processing industry, for example, there are four major companies: Cargill, Tyson Foods, National Beef Packing, and JBS. These four companies slaughter 85 percent of the United States’ share of cattle. When there is a disturbance to one of those companies at any point in the chain, the subsequent effects are usually larger and more unstable. The industry becomes less resilient to disruptions or damages.[11] The nation saw the effects of this unbalanced system firsthand during the COVID-19 pandemic. When COVID spread throughout the meatpacking plants, absenteeism grew from sickness, fear, and sadly death, so operations were suspended and consumers experienced temporary meat shortages. Decades ago, the food and agriculture sector was more regionalized and problems with one company would not have as drastic of an effect on the rest of the companies.[12] These days, however, issues with one company are felt to a greater depth and more quickly by customers simply because there are fewer companies to diversify amongst. Now considering cybersecurity within that framework, it has become just as easy for malicious cyber actors to impact not one but all companies within a sector. The fewer companies there are in charge, the fewer targets are required to cause massive disruptions to operations. Consumers are becoming increasingly aware of the potential for widescale interference by foreign actors and how that interference will affect them personally.
What will the next big attacks on the food and agriculture sector look like? Many of the industrial control systems in use now were created before cybersecurity was a concern, so it is likely that attacks of a similar nature will simply continue. The industry also may continue seeing attacks using sophisticated malware tools and ransomware because malicious actors are adept at using them.[13] The barriers to entry for cybercriminals are falling as people become more skillful at using this technology. “Malware-as-a-service” has become a lucrative business for criminals, so fewer skills are required to launch a cyberattack when one can just purchase a service. Other attacks may look like targeting through malicious emails. In the U.S., 74 percent of food companies had fewer than 20 employees and 97 percent had fewer than 500. Small businesses tend to be targeted at least as often, if not more, than large businesses by malicious email. Fewer employees mean the greater the chances of a successful hack.[14] Additionally, many small companies tend to outsource IT system management to third-party managed service providers (MSPs), which are tasked to take care of smaller administrative tasks for a company so the company can focus on its core mission. However, MSPs are known to be prime targets for cyber actors because they handle the data of many companies; a one-time hack into an MSP provides a wealth of information on multiple vendors. As technology continues to advance, the food and agriculture industry will be up against constantly evolving threats and will have to address their many vulnerabilities.
Who are the main cyber actors Americans should be concerned about? Of course, there are many state and non-state criminal hacking groups based out of Russia. In the first half of 2021 alone, there were three major cyberattacks on the United States tied to Russia (the third being the JBS attack). Later in the same year, Russian hackers again conducted a ransomware attack, this time on an Iowa state farming co-op. The hackers demanded almost $6 million in exchange for unlocking the computer systems used to keep feeding schedules on track for chicken, pigs, and cattle.[15] The group behind the attack is said to be a new version of an old, notorious Russian hacking cell that disbanded earlier last year (experts had warned that the group would probably reappear). The current presidential administration is so concerned about Russian hacking groups that it has been publicly putting sanctions-threat pressure on Russia to be more aggressive toward non-state cybercriminals housed there. In September 2021, the Federal Bureau of Investigation (FBI) published a Private Industry Notification (PIN) warning the food and agriculture industry of all the cybercriminal threats in general. Although the PIN does not explicitly state that Russia is behind these threats, the FBI does acknowledge within the PIN the names of multiple hacking groups with known ties to Russia. The federal government is aware of these threats, the extent of damages that may occur from them, and the likelihood of them occurring again in the future. U.S. citizens are now aware that the primary threat of cyberattacks is and will continue to be groups out of Russia.
What may be the impacts resulting from future cyberattacks on the food and agriculture sector if actions are not taken now? Companies and consumers alike will see higher financial costs, not only from paying ransomware expenses but also for lost productivity hours, damage to equipment, or payouts to workers who may become injured. Employee and consumer personally identifiable information may be targeted through direct access to the servers, or through indirect access via MSPs. Many food companies also have intellectual property in the form of recipes and the parameters in which they operate their industrial control systems, which then become vulnerable to theft.[16] However, administrative data is not the only thing vulnerable to attacks. In the Iowa state co-op example, the Russian hacking group targeted crop irrigation, livestock feeding schedules, and inventory distribution. Impacts to each of these parts of the supply chain process affect feeding the livestock that will eventually be sent to slaughter and packaging. This in turn affects the stock on grocery store shelves for consumers.[17] Even more direly impacting consumers is the threat of attacking food safety. Cyber groups can remotely target the industrial control systems of a company and intentionally cause food products to become unsafe for consumption. People may not even notice the differences until food hits the shelves and citizens’ homes.[18] The opportunities for exploitation are endless.
How can the U.S. government and private food and agriculture companies best prepare themselves for inevitable future attacks? The first step is to work closely together. Information technology and cyber personnel within the companies must work with their government counterparts. Currently, there is no requirement for this to happen.[19] The government must set guidelines and regulations for enforcing computer security standards. Cybersecurity must become part of the industry’s culture: it must integrate cybersecurity expertise in all steps of the process from procurement to operating the industrial control systems, to packaging and processing on the service line.[20] Fostering communication between IT professionals and operations personnel will be critical for bridging the gap between the two historically unconnected worlds. The FBI and the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency recommend proactive, basic security measures, such as the use of strong passwords, updated operating systems, multifactor authentication, and keeping antivirus software up to date.[21] Conducting regular risk assessments is another good place to start, within both the information and operational technology departments. Hacking groups get to know their targets better than the targets know themselves, so food industry companies must first begin with audits of their own process controls.[22] The Food Protection and Defense Institute recommends that DHS and USDA work with private food and agriculture companies to create an “information sharing and analysis center” in order to collaborate with other companies on threats and digital risks. This framework is currently utilized by other critical infrastructure sectors, but not within the food and agriculture sector.[23] Finally, congressional representatives have begun introducing legislation to establish an intelligence component within the USDA. The purpose of this office would be to keep farmers and private food companies up to date on threats such as insider espionage or cyber operations.[24]
Rep. Rick Crawford (R-Ark.) of the House Intelligence and Agriculture committees has gone on record stating that “national security threats to the agricultural supply chain have not received enough attention. Too often, agriculture is dismissed as: ‘It’s important but it’s not that big a deal.’”[25] However, if one eats, then one is involved in it, thus making this a vital industry to U.S. national security. As farmers become more and more reliant on technology and data to perform their missions, they become more and more of an easy target for a malicious adversary. The food and agriculture sector was never considered significant enough to target, but no industry is off-limits anymore, especially being a sector that touches the lives of every person in the United States. Food and agriculture companies must extend their core mission to not only food safety, but to food defense and cybersecurity of their operations. Just as they incorporate food safety into their workflow, they must incorporate cyber safety into their operations. It is no longer enough to be ignorant to the growing number of cyberthreats. The industry must be prepared to defend and to fight, because these attacks are risks to the livelihoods of farmers and they affect the national and global supply chain, and the food supply chain is a crucial part of national security.[26] The world is increasingly connected and foreign investment in America’s food and agriculture systems must be closely scrutinized by the U.S. government. For such a critical infrastructure industry, it must receive more robust support.[27]
The author is responsible for the content of this article. The views expressed do not reflect the official policy or position of the National Intelligence University, the Department of Defense, the U.S. Intelligence Community, or the U.S. Government.
Bibliography
Bogage, Jacob, and Laura Reiley. “Russian Hackers Target Iowa Grain Co-Op in $5.9 Million Ransomware Attack.” The Washington Post. September 21, 2021. https://www.washingtonpost.com/business/2021/09/21/new-cooperative-hack-ransomware/.
Charles, Dan. “The Food Industry May Be Finally Paying Attention to Its Weakness to Cyberattacks.” NPR. July 5, 2021. https://www.npr.org/2021/07/05/1011700976/the-food-industry-may-be-finally-paying-attention-to-its-weakness-to-cyberattack.
Ernst, Joni. “Food Security Is National Security.” November 02, 2021. https://www.ernst.senate.gov/public/index.cfm/2021/11/ernst-food-security-is-national-security.
Federal Bureau of Investigation. “Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attacks.” September 1, 2021. https://s3.documentcloud.org/documents/21053966/fbi-bc-cyber-criminal-actors-targeting-the-food-and-agriculture-sector-with-ransomware-attacks.pdf.
Food Protection and Defense Institute. “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing.” September 11, 2019. https://conservancy.umn.edu/bitstream/handle/11299/217703/FPDI-Food-ICS-Cybersecurity-White-Paper.pdf.
Johansson, Robert. “America’s Farmers: Resilient Throughout the Covid Pandemic.” U.S. Department of Agriculture. July 29, 2021. https://www.usda.gov/media/blog/2020/09/24/americas-farmers-resilient-throughout-covid-pandemic.
McCrimmon, Ryan, and Martin Matishak. “Cyberattack On Food Supply Followed Years of Warnings.” Politico. June 5, 2021. https://www.politico.com/news/2021/06/05/how-ransomware-hackers-came-for-americans-beef-491936.
Polansek, Tom, and Jeff Mason. “U.S. Says Ransomware Attack On Meatpacker JBS Likely from Russia.” Reuters. June 1, 2021. https://www.reuters.com/world/us/some-us-meat-plants-stop-operating-after-jbs-cyber-attack-2021-06-01/.
United States Department of Homeland Security. “Food and Agriculture Sector.” Accessed February 1, 2022. https://www.cisa.gov/food-and-agriculture-sector.
University of Minnesota. “University of Minnesota Report Reveals Growing Threat of Cyberattacks to Food Safety.” September 10, 2019. https://twin-cities.umn.edu/news-events/university-minnesota-report-reveals-growing-threat-cyberattacks-food-safety.
Whitlock, Jennifer. “Ag, Food Industries Should Prepare for Cyberattacks.” Texas Farm Bureau.
November 17, 2021. https://texasfarmbureau.org/ag-food-industries-should-prepare-for-cyberattacks/.
[1] “Food and Agriculture Sector,” United States Department of Homeland Security, accessed February 1, 2022, https://www.cisa.gov/food-and-agriculture-sector.
[2] “Food Security Is National Security,” Joni Ernst, November 02, 2021, https://www.ernst.senate.gov/public/index.cfm/2021/11/ernst-food-security-is-national-security.
[3] Robert Johansson, “America’s Farmers: Resilient Throughout the Covid Pandemic,” U.S. Department of Agriculture, July 29, 2021, https://www.usda.gov/media/blog/2020/09/24/americas-farmers-resilient-throughout-covid-pandemic.
[4] Tom Polansek and Jeff Mason, “U.S. Says Ransomware Attack On Meatpacker JBS Likely from Russia,” Reuters, June 1, 2021, https://www.reuters.com/world/us/some-us-meat-plants-stop-operating-after-jbs-cyber-attack-2021-06-01/.
[5] Tom Polansek and Jeff Mason.
[6] “University of Minnesota Report Reveals Growing Threat of Cyberattacks to Food Safety,” University of Minnesota, September 10, 2019, https://twin-cities.umn.edu/news-events/university-minnesota-report-reveals-growing-threat-cyberattacks-food-safety.
[7] “University of Minnesota Report Reveals Growing Threat of Cyberattacks to Food Safety.”
[8] “University of Minnesota Report Reveals Growing Threat of Cyberattacks to Food Safety.”
[9] Dan Charles, “The Food Industry May Be Finally Paying Attention to Its Weakness to Cyberattacks,” NPR, July 5, 2021, https://www.npr.org/2021/07/05/1011700976/the-food-industry-may-be-finally-paying-attention-to-its-weakness-to-cyberattack.
[10] “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing,” Food Protection and Defense Institute, September 11, 2019, https://conservancy.umn.edu/bitstream/handle/11299/217703/FPDI-Food-ICS-Cybersecurity-White-Paper.pdf.
[11] Dan Charles.
[12] Dan Charles.
[13] “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing.”
[14] “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing.”
[15] Jacob Bogage and Laura Reiley, “Russian Hackers Target Iowa Grain Co-Op in $5.9 Million Ransomware Attack,” The Washington Post, September 21, 2021, https://www.washingtonpost.com/business/2021/09/21/new-cooperative-hack-ransomware/.
[16] “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing.”
[17] Jennifer Whitlock, “Ag, Food Industries Should Prepare for Cyberattacks,” Texas Farm Bureau, November 17, 2021, https://texasfarmbureau.org/ag-food-industries-should-prepare-for-cyberattacks/.
[18] “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing.”
[19] Ryan McCrimmon and Martin Matishak, “Cyberattack On Food Supply Followed Years of Warnings,” Politico, June 5, 2021, https://www.politico.com/news/2021/06/05/how-ransomware-hackers-came-for-americans-beef-491936.
[20] “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing.”
[21] Jennifer Whitlock.
[22] “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing.”
[23] Ryan McCrimmon and Martin Matishak.
[24] Ryan McCrimmon and Martin Matishak.
[25] Ryan McCrimmon and Martin Matishak.
[26] “Food Security Is National Security.”
[27] “Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attacks,” The Federal Bureau of Investigation, September 1, 2021, https://s3.documentcloud.org/documents/21053966/fbi-bc-cyber-criminal-actors-targeting-the-food-and-agriculture-sector-with-ransomware-attacks.pdf.