Agriculture and Food Manufacturing Sectors: Make Cybersecurity a Top Concern

Anyone looking for an expert in the world of information security as it relates to the food and agriculture industry might want to beat a path to John Hoffman’s door. His official title is Senior Research Fellow at the Food Protection and Defense Institute (FPDI) at the University of Minnesota, which means that he works with a lot of top-level information security people in this sector. But he makes it a priority to ensure that the small farmers and food firms also get the help they need.

“We have been at the forefront of food defense research and development of strategies and tools to aid our nation’s food supply owners and operators to protect their operations,” Hoffman says. “We have also focused on assisting the private sector to reduce risks from cybercrime. FPDI currently works with all the federal food and agriculture sector agencies, as well as the Department of Homeland Security, the Department of Defense and private industry firms.”

Food and agriculture tend to operate quietly and away from big news stories and splashy headlines. That changed dramatically in May 2021, when meatpacking giant JBS suffered a serious ransomware attack. “The attack was a wake-up call for many,” Hoffman recalls. “But it should not have been. There have been high-impact attacks for more than a decade. We began to see cyber intrusions in food processing networks about two decades ago.

“But these quickly shifted to intrusions intended to find and steal intellectual property from these firms, such as recipes, vendor and customer lists, and employee information,” Hoffman adds. “These were potentially far more damaging than simple ransomware attacks, and they became quite common by 2005. I and others within DHS and the other agencies in the food and agriculture sector began to raise the alarm about the level of such attacks more than 15 years ago.”

After the JBS attack, stories appeared prominently on news networks and business websites. The industry was getting publicity, but not the kind it wanted. And Hoffman would like to remind us that not every successful ransomware attack hits a big company with deep pockets, like JBS. Some attacks target smaller, family-run enterprises. When that happens, there can be a serious human cost; sometimes families lose their businesses and livelihoods. But this doesn’t have to be the case.

He offers a hopeful message for those more vulnerable operators: There are effective solutions available to address the challenge of ransomware attacks. And they can often be implemented with little or no cost, which solves a critical issue for the smaller, family-run food and agriculture firms. These solutions fall into technical, physical and educational areas.

Technical

• Keep an inventory of information technology (IT) and operational technology (OT) systems.
• Create and maintain separate, isolated backups for all your data and frequent server images.
• Maintain active, real-time intrusion monitoring on all networks and gateways into your systems.
• Ensure that all operating systems (OS), applications, firewalls, anti-malware and anti-virus software are secure and current.
• Do the same for all intrusion detection, routers and hardware across all networks, both OT and IT.
• If there are outdated but critical legacy devices and systems, isolate them from other networks.
• Properly maintain and update your networks, hardware, applications and operating system.
• Implement applications that monitor and record/report user IDs that access all critical systems.
• Maintain a technical systems plan for responding to and isolating a cyber intrusion.

Physical

• Isolate critical systems from the internet, including OT and legacy systems that are not easily upgraded.
• Always make sure to isolate and secure your backup location, wherever that location might be.
• Never allow company employees to connect any external devices to any of your network systems.
• Always ensure that all connections with customers and suppliers are made by using a secure VPN.
• Make sure that all suppliers and customers acknowledge and comply with your security standards.
• Implement a policy that uses physical devices and two or three-factor access for all network entry.
• Have a company-wide policy that limits network access on a need-to-know basis only.
• Update or replace legacy cyber or network-controlled devices, applications and operating systems.
• Have a plan that isolates systems from the web, so all production systems can remain functional.
• Have manual workaround plans that enable critical functions to continue despite a cyberattack.

Educational

• Conduct ongoing cyber hygiene training for all employees across every level within the company.
• Make sure to update training and operational standard operating procedures continuously.
• Engage recommended third-party cybersecurity firms to assist in both training and system monitoring.
• Conduct weekly cyber risk reviews and cyber event assessments as soon as practical after each event.
• Have a plan that includes training for how you will eject an attacker from your system once detected.
• What you do tomorrow will not prevent what may happen today, so have a plan for IT and OT security.

John Hoffman works with many upper-echelon people as part of his position at the Food Protection and Defense Institute, but he never forgets the small farmers, food processors and wholesalers who are important to his constituency. He would like us to remember them as well, because they put quality, affordable food on our tables, and they do it quietly and efficiently every single day.