It’s hard to think of a more critical economic sector than agriculture. It is an industry that directly affects the lives of everyone worldwide.
The future of the food and agriculture industry will increasingly see the application of scientifically precise and automated farming techniques. Automated ‘agro-bots’ will monitor, treat, and work the land, using high-tech tools designed to help maximize yields and minimize disease.
The advances in agriculture-related technology have brought along with them an increase in cyber threats. Before the rise of multinational consolidated agribusinesses, much of the world’s food was produced by small farmers and ranchers serving a local community. Today the same economies of scale that have fueled the rise of large corporations in other sectors are applied to food production and distribution. These economies of scale are dependent on automation.
Historically the food/ag sector has not been a notable target for cybercriminals. Today, however, threat actors see the world’s dependence on a well-established food supply chain as an opportunity to use malware, such as ransomware, as leverage to achieve their nefarious aims.
These aims are commonly financial gain but also include acts of political terrorism and social hacktivism. There is still work to be done in areas where the food/ag sector has been lax in its cyber protection policies and procedures.
Cybersecurity issues in the food/ag industry
The food and agriculture industry covers a broad spectrum of companies that provide a variety of products and services. Large farms and ranches use automated and connected systems for everything from tractor autosteer systems to crop moisture testing to automated distribution warehouses.
Many of the companies that make up the nation’s food supply chain are interdependent. A stoppage or slow down during harvest season, for example, can reverberate throughout the entire industry as food processing plants and distribution networks feel the effects of events that may have happened weeks or months earlier. Retail stores and restaurants need an easily accessible and reliable source for food products. Any disruption can result in price spikes or shortages that affect people’s lives.
As seen in the examples of previous cyberattacks in this sector, the world’s food supply chain is fragile and dominated by a relatively small number of large food companies. Because cyber threat actors aim to shut down production, thereby threatening people’s lives, food production networks and food company business networks are at risk.
Shutting down any massive food production or distribution business creates an intolerable condition that provides the cybercriminal with an insurmountable advantage. Companies and authorities know that they must resolve the situation quickly to avoid societal turmoil. The need for the victim to act soon works to the criminal’s advantage.
Notable food/ag industry attacks
JFC International: In March 2021, JFC International revealed that it had been hit by a ransomware attack that disrupted several of its IT systems. JFC is a major distributor and wholesaler of Asian food products and serves the European and US markets. The company said the attacks impacted JFC International’s Europe Group. They were able to resume normal operations soon after notifying law enforcement, employees, and business partners about the incident.
Loaves & Fishes: Nonprofit food provider Loaves & Fishes offers nutritionally balanced groceries to individuals and families experiencing a short-term crisis through a network of mobile “drive-through” style food distribution sites. In August 2020, they announced that sensitive customer information was exfiltrated during the more widespread Blackbaud attack. Blackbaud, a provider of software and cloud hosting solutions, stopped a ransomware attack from encrypting files but still paid a ransom demand to keep the hackers from publishing protected information about their clients – one of whom was Loaves & Fishes. Blackbaud said they have no evidence that the data was sold online, but the potential exists for that to happen at any time.
Home Chef: Owned by Kroger Foods, Home Chef is a startup that provides food ingredients, meal kits, and recipes to its customers. Security researchers said in May 2020 that they found usernames and passwords belonging to Home Chef users for sale on the dark web. Soon after, the Chicago-based company said a security incident had resulted in the compromise of information about an undisclosed number of its customers. This type of security event poses no danger to the food supply but is a risk to consumers of these services.
Harvest Sherwood Food Distributors: In May 2020, data that surfaced on a Tor hidden service called the Happy Blog indicated that hackers deploying REvil ransomware attacked Harvest Sherwood Food Distributors. The attackers stole critical data from the company and threatened to disclose it publicly. REvil is the same ransomware that was later used against JBS Meats. The attackers managed to steal around 2,600 files from the food distributor. The stolen data included cash-flow analysis, distributor data, business insurance content, and vendor information. There were also scanned images of driver’s licenses of people in the Harvest Sherwood distribution network.
Case Study: Meatpacker, JBS
Over the Memorial Day weekend 2021, the world’s largest meat company, JBS, was the victim of a ransomware attack that originated from a criminal group based in Russia. The attack crippled a large portion of the meat supply chain, sending shock waves across the entire food industry.
The FBI confirmed that the REvil ransomware was used in the cyberattack. The attack stopped operations at thirteen meat plants, including JBS facilities in Colorado, Iowa, Minnesota, Pennsylvania, Nebraska, and Texas. This type of ransomware has been linked to GOLD SOUTHFIELD, a financially motivated group that operates a “Ransomware as a service” criminal enterprise. The group distributes ransomware using exploit kits, scan-and-exploit techniques, RDP servers, and backdoored software installers.
The JBS hack set off a domino effect that quickly spread across the entire country. Wholesale meat prices soared as the balance between supply and demand immediately became out of whack. Farms and ranches could not get their animals to market, and the resulting oversupply drove wholesale prices down. Restaurants and resellers could not get processed and packaged meat. The corresponding scarcity drove consumer prices skyward.
The deleterious effects of this attack on only one portion of the global food supply chain illustrate how fragile our food supply is. Restaurant owners were already hard-pressed to find reliable meat sources as the world opened up after the Coronavirus pandemic.
With the stakes high because of the need to maintain a stable food supply, JBS felt it necessary to acquiesce to the hackers’ demand and pay the ransom. After negotiating with the hackers, JBS paid the criminals $11 million in bitcoin.
Many would argue that meeting the demands of ransomware hackers only exacerbates the problem for everyone going forward. But, because of JBS’s quick action, in the end, they “lost less than one day’s worth of production, and that its rate of filling customer orders was only 3% below the normal level, less than the impact the company might see from a severe storm,” according to a WSJ report.
What makes cybersecurity challenging within the food/ag industry?
One of the main reasons Americans think little about threats to and the fragility of the food supply chain is that it ordinarily runs so smoothly. As a result, even though the nation’s food supply chain is one of the 16 critical infrastructure sectors designated by the Department of Homeland Security, it receives little attention from security professionals compared to other sectors like airline security or the power grid.
The food and agriculture industry is highly dependent on automation to keep prices low and distribution running smoothly. The systems that enable automation are often thought to be at a lower risk for cyber-attack because they can be insulated from the internet with dedicated or segmented networks.
This perception that an air gap exists between automated food processing systems and the internet is a red herring argument. Rarely are these systems completely isolated, and even when they are, there is always a need to update the operating system and production software. Vulnerabilities can be introduced during the update process, as happened during last year’s SolarWinds attack. A false sense of security increases the risk of attack.
Even if the automated systems that power food production factories were, hypothetically, isolated entirely from the internet, attackers would not need to access these systems to stop production. As the JBS Meat ransomware attack illustrates, shutting down the business operations of a food provider is enough to halt its ability to continue production.
The food/ag sector has embraced production automation technology and digital business systems faster than it has modernized its cybersecurity operations. Some experts theorize that this is because, until the recent proliferation of ransomware that makes any business a likely target, the food/ag industry has largely evaded attention from cybercriminals.
Cybersecurity solutions for the food/ag industry
As mentioned above, the food/ag industry may, generally speaking, need to make up some ground related to cybersecurity. There are steps that many companies in this sector can take to protect themselves from threats.
Similar to any business that produces, stores, or processes sensitive data, here are some important ways that food/ag companies can shore up their cyber defenses:
Cybersecurity training: Possibly the most effective measure that food/ag businesses can take to protect themselves from cyber-attacks is to provide cybersecurity training for their employees. The vast majority of attacks begin with an element of social engineering — usually an email. Modern phishing emails can be very difficult to distinguish from legitimate emails. By training employees to be ever-vigilant in recognizing the telltale signs of a phishing email, users can act as a practical first level of defense.
Backup data: Ransomware in the food/ag industry depends on the ability of threat actors to plant malware designed to deny organizations access to their critical data. By locking food producers out of their business systems, attackers can throttle their ability to operate. Having a current backup is the most practical mitigation strategy against ransomware criminals. Backed-up data should be isolated from the original files to deter attackers from encrypting or exfiltrating both the original and backup copies.
Network segmentation: By segmenting production from business networks and dividing them into smaller parts, food/ag IT managers can increase security. Logically divided, portions of a company’s infrastructure can be isolated if suspicious behavior is detected on another part of the network. As mentioned above, even segmented infrastructure is vulnerable to malware introduced to a portion of the network, for example, when updating programs. Segmenting, however, can prevent malicious software from spreading throughout the entire business.
Endpoint anti-malware software: Malware is intended to cause damage, steal data, encrypt files, or gain unlawful access into digital systems. Because of the critical nature of the food/ag sector, malware is the cyber threat faced most often by these organizations. The term covers numerous malicious software variants, such as trojans, worms, and ransomware.
Anti-malware software applies signature detection, behavioral analysis, and, in some cases, artificial intelligence to remediate an attack by disabling malware. It is crucial to have anti-malware software installed on every digital endpoint of a network. In today’s world of BYOD (bring your own device) workplaces, ensuring that updated anti-malware is properly installed across all devices with access to the network can be challenging.
Routine patching and software updates: When vulnerabilities are identified in computer systems and software, vendors regularly provide patches and updates to protect their customers. Because users neglect to update their systems, hackers often exploit vulnerabilities for which patches are generally available. Regularly updating and patching systems can mitigate many malicious threats.
Like healthcare, energy, transportation, and financial services, millions of people depend on the food and agriculture industry for their lives and livelihoods. As these critical sectors rely more and more on digital systems to conduct business, the threat of a significant cyber-attack carries more weight.
Deploying modern cyber defenses to protect the world’s food supply chain is essential. Additionally, as new automation systems are designed, they must be designed with cyber protection at the forefront.
The fragile and interdependent nature of the food supply requires that the entire industry be protected with the most advanced and effective tools and policies. Because, in the end, we all need to eat first and foremost.