The Next Big Target for Cyberattack: Agriculture and the Supply Chain
After a tragic outbreak of E. Coli in 2007, the produce industry in California came together to put public health first and created the California Leafy Green Product Handler Marketing Association (LGMA). The organization has had significant success in its mission to assure safe leafy greens and restore confidence in the state’s food safety programs.
Now, the food and agriculture industries are faced with another threat: cyberattacks.
The U.S. Department of Homeland Security named agriculture as one of the top areas of critical infrastructure that are at risk in today’s threat landscape—and now we can see why. Just a few months ago, a ransomware attack on JBS Foods, a food production company that is the world’s largest processor of fresh beef and pork, targeted operations in Australia, Canada, and the United States. It caused 13 plants to close temporarily, significantly reducing supply.
Our food supply will continue to be a target.
Just like the Colonial Pipeline hack that caused operators to shut down systems that supply 45 percent of the Eastern Seaboard, cyberattacks on the supply chain like JBS, cause prices to soar, demand to increase, and supply to wane. And our food supply will continue to be a target.
Technology, the Supply Chain, and Agribusinesses
Today, every company is a technology company. And when it comes to agribusinesses, such as fresh produce growers, processors, storage operations, and transportation (and many more), technology plays a key role in being able to meet contractual demands.
The cyberattack on JBS was a wake-up call for the agriculture industry. The attack prompted the U.S. Department of Agriculture (USDA) to release the following statement:
“USDA will continue to encourage food and agriculture companies with operations in the United States to take necessary steps to protect their IT and supply chain infrastructure so that it is more durable, distributed and better able to withstand modern challenges, including cybersecurity threats and disruptions.”
It's safe to say that the U.S. government is getting more involved in cybersecurity. The attention recent high-profile attacks received is an indication that the risk to the supply chain is evolving and growing.
Best Practices for Strengthening Your Business
There are ways that the agriculture industry—and almost all businesses—can begin to protect themselves from cyberattacks by implementing minimum best practices across the organization, including:
Security standards. Following the Colonial Pipeline and JBS attacks earlier this year, the White House distributed a letter that outlined a range of information technology (IT) security practices that companies should adopt. These form the basis of a robust, defensive security posture that every enterprise should follow, including the implementation of multi-factor authentication (MFA), which is a process that authenticates the identify of a person through multiple methods before allowing access to certain applications. Adhering to the baseline security protocols outlined in the letter can be a solid starting point for protecting your business from outside attack.
Focus on recovery. When a cyberattack hits, recovery must begin immediately. But what happens if the attackers gain access to and destroy your backups? The results can be detrimental, which is why organizations need to take a hard look at advanced storage options that can provide snapshots the enable almost instantaneous recovery. Without this focus, it may be days, weeks, or even months before you’re back up and running to your full potential.
Formalize your response plan. Each organization—no matter the size—should prioritize looking forward to determine how they will operate in the event of an attack. This should answer the question, “How will we recover should disaster strike?” If an attack occurs, the preparation of an incident response (IR) plan will help determine how the attack is communicated to both internal and external stakeholders, whether a ransom will be paid because of ransomware being installed, and how employees will communicate when internal systems are down.
In tandem, a business continuity plan should also be in place from a business perspective so that you can continue to meet the demands of your customers. Physical security vendors will still need to be able to manufacture and distribute hardware like surveillance cameras and door readers, but they aren’t living in what we call a “perishable reality.” Agribusinesses dealing with perishable commodities depend on technology to ensure shipments can be made. So, in this case, business continuity planning must include how all of this will be done effectively without the systems being operational.
In both an IR and business continuity plan, there are multiple departments within an organization that need to be at the table and understand what’s at play.
Assess your supply chain and vendors. You’re only as strong as your weakest link, whether it’s the technology you use, the training you offer to employees, or the security of your suppliers. Since every company is a technology company, this means that third-party systems are used across multiple areas of the business—from procurement to security to logistics to more tangible assets, such as packaging used for processing meat or fresh produce. If one supplier goes down because of a cyberattack, the reality is that you might not be able to meet the demand you have from customers. This is why supply chain technology risk should be assessed, monitored, and managed regularly and proactively (and you should have a back-up plan for how to bridge the gap if there’s a disruption).
Keep watching. Vigilance is key. With each piece of technology that’s added to a business’ network, there’s a risk involved. Proactively managing updates to hardware and software, vulnerability testing, maintaining technology investments to avoid technical debt, and establishing best practices for engaging with third parties can help ensure that your business is protected.
It is easy to predict that there will be certain problems that agriculture will face in the future. In the past, examples of these problems were the shortage of labor or water. Today, a new potential problem has been added: the ever-present cyberattack. And it’s integral to the nation’s food supply that organizations address the risk to not only their own business but their supply chain, as well.
Greg Gatzke is the president of ZAG Technical Services, an award-winning IT consulting firm and managed services provider based in San Jose and Salinas, Calif, and Boise, Idaho. Gatzke founded ZAG 22 years ago, an organization dedicated to providing technology strategies and solutions that are a competitive advantage for its customers.