Food Ransomware Attacks Underscore Need for New Information Security Approach
It used to be that the professionals who worked in food safety operated in a sphere far removed from their counterparts in information security. But take a look around, and you see their distinct domains moving closer together — perhaps not surprising given that we live in a world that relies as much on instant communication as it does on farm-to-table supply chains. Add to this news reports of the sector's expensive data breaches and ransomware attacks.
One food safety expert who can attest to the heightened awareness is Suzanne Barkley, Director of Supply Chain Certification at NSF, the international standards and certification organization. Her team conducts audits benchmarked against the Global Food Safety Initiative (GFSI), including the SQF, BRCGS, FSSC and IFS standards. These audits occur at food and packaging manufacturers and storage and distribution facilities, with all efforts designed to help ensure food safety.
Barkley tells the story of an NSF client who asked to have their audit rescheduled because a cyberattack had cut off access to their files. NSF certification staff responded that contingency plans for such incidents are covered under the Food Standards Section 3.11, with an expectation that a site can manage through such an occurrence to help ensure the safety and legal production of their product. In other words, the standard recognizes that a cyberattack can occur, but you are still expected to have a contingency plan in place so that you can be audited and certified to produce your food products under this standard. This company requested a six-month delay, which meant that an auditor would not have set foot in their facility for more than 12 months. That’s a problem in terms of protecting public health and food safety.
This example shows the importance of certification in the food and agriculture industries, which are among the critical infrastructure sectors designated by the Cybersecurity and Infrastructure Security Agency (CISA). Zoom out to the larger industry panorama, and you will appreciate the impact of increased cyberattacks on food and agriculture companies, not to mention millions of American households.
The U.S. Department of Agriculture advises that food and agriculture businesses implement effective measures to protect networks from ransomware attacks. These include data backups, network segmentation, recovery plans, off-site servers, software patching, multifactor authentication, passphrases, anti-malware software and security training for all employees — recommendations that food certification professional Suzanne Barkley is glad to share with the food and agriculture sector worldwide.