Raising the Alarm: The Importance of Cybersecurity in the Food Sector

In the world of cybersecurity, there are experts so knowledgeable that their colleagues regularly seek them out for advice on solving tough problems. Unfortunately, their knowledge rarely gets shared beyond a circle of insiders on the front lines of security. And then there are experts who prioritize getting useful advice to people in the real world who really need it. John Hoffman falls squarely into the second group.

Hoffman is a Senior Research Fellow at the Food Protection and Defense Institute at the University of Minnesota. “The institute was established in 2004 as a Department of Homeland Security (DHS) Center of Excellence,” he explains. “Our mission is to assist the federal government, the states and the private sector in protecting our nation’s food supply from disruptions caused by acts of terrorism, food fraud or natural disasters.”

The food and agriculture sector is considered a vital part of our nation’s critical infrastructure by the Cybersecurity and Infrastructure Security Agency (CISA) in Washington. The industry is primarily in the hands of private owners and includes an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing and storage facilities. This sector alone accounts for about 20% of the country’s total gross national product.

The expression “resource rich, cyber poor” is sometimes used to describe how certain food and agriculture firms approach cybersecurity — meaning that even many well-managed companies do not devote sufficient resources to securing internal operations and networks. Hoffman acknowledges that this may be a fair description in some cases but says that the overall picture is more complicated than what an outside observer might see at first glance.

“Cyber systems in many cases have had inadequate attention across the sector in terms of modernization, hardening and standards,” he says. “Some suggest this has simply been the result of complacency. This is true in many cases. However, these systems have worked well for many years. And upgrading them is much more of a challenge than in other manufacturing environments because of regulatory and food safety requirements.

“Another factor is the scale of consolidation within food processing in the United States over the past two decades,” Hoffman adds. “This has led to firms absorbing operations and processing activities with disparate computer operating systems. In many cases, it takes the acquiring firm years to sort out, inventory and upgrade these systems to ensure uniformity and security across these internal systems.”

The ransomware attack on meatpacking giant JBS back in May 2021 created a whole new awareness. “This cyberattack was a wake-up call for many in the sector,” he recalls. “Yet it should not have been. There have been high-impact attacks within the sector for more than a decade. We began to see cyber intrusions in food company networks two decades ago. In the early attacks, the intent was simply to disrupt operations, often by less sophisticated criminals.

“But these quickly shifted to intrusions intended to find and steal intellectual property from these firms — things like recipes, vendor and customer lists, and employee information,” Hoffman notes. “These were potentially far more damaging than simple ransomware attacks, and they became quite common by 2005. I and others within DHS and the other agencies in the food and agriculture sector began to raise the alarm about the level of such attacks more than 15 years ago.”

After the JBS attack, a slew of stories appeared on news networks and in business publications. But John Hoffman reminds us that not every successful ransomware attack targets a big company with deep pockets; some attacks victimize smaller, family-run enterprises. There is a real human cost to these attacks on more vulnerable food and agriculture businesses, which may cause families to lose their livelihoods. And it’s often a loss that could have been avoided.