Home / US / Cyber-attack on food supply meets years of warnings

Cyber-attack on food supply meets years of warnings

There are virtually no cybersecurity rules that govern the millions of food and agriculture businesses that account for about one-fifth of the U.S. economy. Only voluntary guidelines are available. Two of the federal agencies that oversee the sector, the USDA, have been criticized by Congress for how they secure their own data. And unlike other industries, it brings together data sharing groups to coordinate responses to potential cyber threats. food industry collapse group in 2008.

Food producers are now faced with the fact that disruptive cyberattacks are part of what Agriculture Secretary Tom Vilsack calls “a slew of neglect.”

; “New reality”

National security threats to agricultural supply chains haven’t received enough attention across the federal government, said Rep. Rick Crawford (R-Ark.), who serves on both the Council and Agriculture’s Intelligence Committee.

“Agriculture is often neglected because: ‘It’s important, but it’s not a big deal,'” Crawford said in an interview. We all have to realize that it is an important industry and this [incident] show that”

North American Meat Institute, representing meat packers It declined to comment on the industry’s cybersecurity measures or potential changes after the hack.

Disadvantages of ‘huge technology’

An alarm from the University of Minnesota Food Protection and Prevention Institute arrives in the most unusual package: One of more than 180 official comments. file with the USDA in connection with a Presidential directives on maintaining the nation’s supply chain.

“Fast-spreading ransomware attacks can block factory operations. than those affected by the outbreak simultaneously.” The Institute warned in the May 18 filing.It said last year that COVID-19 forced the closure of slaughterhouses. This has raised fears of a shortage of meat and soaring prices.

It’s just the latest warning from national security and law enforcement agencies. Private Cyber ​​Security Company and academic researchers

in november Cybersecurity firm CrowdStrike said in the report. Threat hunting services have seen an interactive invasion or “The use of keyboards on hands has increased tenfold – an invasion that has affected the agriculture industry in the past 10 months,” said Adam Meyers, the company’s senior vice president of intelligence, of 160 hacking groups. The c, or gangs the company follows, have 13 groups identified as targeting agriculture.

Ah! 2018 Annual Report from the Ministry of Homeland Security It examines the cyber threats the industry is facing while using it. Digital “precise agriculture”, while the FBI said in April 2016 that agriculture is “More vulnerable to cyber attacks As farmers increasingly rely on digital data.”

The industry also has many goals: as a Department of Homeland Security cyber agency memoThe agriculture and food sector comprises “approximately 2.1 million farms, 935,000 restaurants and more than 200,000 registered food processing and storage facilities,” almost all under private ownership.

For decades, however, most farmers and food producers have placed productivity above all else. including security It seeks to profit in an industry with chronically narrow margins. and meet the growing global demand for food. in pursuit of efficiency Meat factories are speeding up production lines and investing in robots to carve carcasses faster. Farmers are adopting high-tech innovations such as drones, GPS mapping, soil sensors and automated tractors. with a lot of information behind the scenes

All connections and automation are free.

“This is part of the downside of having massive technology. Massive ability to change large amounts of data and more effective,” Wilsack said. “There are risks involved with that.”

‘No industry is restricted’

The disruption of JBS, which controls nearly a quarter of America’s cattle processing. This has primarily raised concerns about its impact on the meat market. USDA data shows that wholesale beef prices have been steadily rising daily since the hack. By cutting options rose above $341 per hundred pounds on Thursday morning.

Higher prices are just one of the many potential consequences. Cyber ​​attacks could lead to the sale of contaminated food to the public. financial damage for producers or even the injuries and deaths of factory workers. According to the Food Protection and Prevention Institute which is a group recognized by DHS

In public opinion to the USDA, the institute highlighted vulnerabilities in industry preparedness, including a general “lack of sector-wide awareness” and little advice from government regulators. This also states that much of the industry relies on software that is decades old and written in-house. which is impossible to update Compatible with outdated operating systems such as Windows 98.

Michael Daniel, chairman and chief executive of the Cyber ​​Threat Alliance, said: “Agriculture may lag behind other industries. that have been increasingly affected by cybercrime” such as the financial sector, which has long been a primary target for criminals. non-profit organization

However, the JBS hack as well as the colonial pipeline ransomware attack in May and the subsequent gasoline-buying panic. show that “No industry is unrestricted,” he added. Ransomware providers “go wherever they think they can extract money.”

Daniel, the Obama administration’s interim cyber coordinator, said he would recommend industry executives to take basic steps, such as assessing their companies’ digital readiness. and reviewing federal safety guidelines.

“What I will tell them is You really have to think How do you manage cybersecurity risks? The same way you manage commodity price risk. The same way you manage the risks of natural disasters. Just as you manage legal risks,” Daniel said.

white house Every company recommends the same. On Thursday, to increase their protection, including installing the latest software updates and requiring additional authentication for everyone who logs in to their system.

CrowdStrike’s Meyers said the seriousness of cybersecurity varies. “It depends on who you’re talking to in the ag industry,” he said, that multinational conglomerates with intellectual property worthy of protection are a priority. But “when you step into the food chain, simply put. is that they probably think less about it.”

The JBS hack “is a big wake-up call for all these small, medium and large businesses. You can’t hit your head in the sand. And hopefully it doesn’t happen to you because it is,” Meyers said. “You have to be prepared. And you have to prepare yourself for battle. because if you don’t You will pay the ransom and someone will come over to eat your lunch.”

call on the parliament to take action

Congress may have to step in to help resolve the situation, Crawford, a congressman from Arkansas. which introduced a new law earlier this year. This will establish an internal intelligence office, the USDA said. The office will serve as a channel for the department to keep farmers informed of the threat to their livelihoods. including espionage and cyber operations by perpetrators

The main reason the industry is not prepared to deal with threats like ransomware is the US intelligence community. It doesn’t consider the national security threat to agriculture as much as it should, Crawford argued.

He added that communication had to go both ways: companies need cyber experts to share what they see with government agencies. There is no such requirement for the food and agriculture industry.

“What I would recommend the private sector to do is to be as proactive in these areas as possible,” said Crawford, who is hosting the forum. “Business Intelligence and Supply Chain Integrity” this summer, featuring cybersecurity experts. Government officials and agents, secret communities to educate local businesses on digital threats.

The USDA is not proposing any major policy changes. After the attack, JBS, however, urged food and agriculture companies to take voluntary steps to protect IT and infrastructure from cyber threats. On Thursday, Vilsack pointed to guidance from DHS’ Cybersecurity and Infrastructure Security Agency that companies can be used for their own protection

No problem, policy suggestions from experts in the field. Most of the offerings involve educating industry leaders and employees. Set minimum standards for cybersecurity. or improve the coordination between the company and the department

Another step suggested by the Food Protection and Prevention Agency: USDA and DHS should work with industry to create a cyberthreat clearinghouse, also known as a cyberthreat clearinghouse. “Data Sharing and Analysis Center” to collaborate on the study and management of digital risks.

Other important industries Including the electricity and financial sectors, ISAC already exists, but the food industry does not. Instead, some food and agriculture companies have joined a broader data-sharing group covering the information technology industry, said Scott Algiers, IT-ISAC executive director.

“They wanted to engage with other companies, but there was no ISAC, so they applied to us,” said Algiers, whose organization also hosts a threat sharing platform for the electoral industry.

The nonprofit Internet Security Alliance has called on the federal government and other incentives for food companies to increase their cyber defenses.

“Increasing cybersecurity costs money. And finding additional funding will not be easy for this sector. as it is governed by tight margins and faces a highly competitive global market,” the group wrote on its website.

Helena Bottemiller Evich contributed to this report.

Source link