FPDI on Protecting the Food That Arrives on Our Tables Daily

A bit of advice for anyone interested in understanding the complex world of information security trends in the food and agriculture sector: Talk to John Hoffman at the Food Protection and Defense Institute (FPDI) at the University of Minnesota. Hoffman is that rare expert who can explain big technical subjects in a way that people who are not experts can readily understand — exactly whom you want to shed light on this vitally important and often overlooked sector.

Hoffman is a Senior Research Fellow at FPDI. Here’s how he describes the work he and his colleagues do: “The institute was established in 2004 as a Department of Homeland Security (DHS) Center of Excellence. Our mission is to assist the federal government, the states and the private sector in protecting our nation’s food supply from disruptions caused by intentional acts, such as terrorism or food fraud, or natural disasters.”

The disruptions Hoffman mentions include cyberattacks and cybercrime. In this low-key sector, only very few attacks ever show up in national news headlines and stories. But institute staff have been working for years at the forefront of developing and implementing strategies to aid the nation’s food supply owners and operators in protecting their operations. And they have a special focus on assisting the private food and farm sector in reducing cybercrime risk.

Food and agriculture is the sector we all take for granted, yet it’s the industry that puts safe food on our tables every day. Even the U.S. government did not recognize this vital sector as a part of our critical infrastructure until 2003. “Up until then, it was never considered in efforts to protect our infrastructure against terrorism or large-scale disruption,” Hoffman says. “Yet it is 20% of our economy and the one sector that you cannot opt out of.”

When Hoffman talks to clients in the industry, he asks them about the challenges they face upgrading computer networks to reach a level of security consistent with today’s cybersecurity and digital supply chain environment. “Many of the systems now in use within operational technology systems, from production agriculture to food manufacturing and packaging, are based on older digital technologies,” he says.

“These older operating systems have worked just fine for decades, so there has been little reason to update them with devices that integrate with more current and secure systems,” he adds. “And making the needed upgrades is potentially expensive and time-consuming. Today these older legacy systems are still largely unprotected and susceptible to intrusion and disruption by cybercriminals.”

Hoffman points to management’s constant need for rapid access to operations data. This requires broad connectivity within firms and externally between vendors within a given supply chain, which adds penetration risk to company operations and networks. Also, consider how access to business networks has expanded due to employee email and time-management systems. The potential attack surface has increased, but cybersecurity has often not kept up.

“The overall potential vulnerability of these critical infrastructure networks has grown considerably over the past two decades,” Hoffman says. “That’s the challenge we face. Going back now to harden these systems, train employees on cybersecurity practices and upgrade legacy systems is a daunting task for many firms. That’s especially true for the smaller farms and food ingredient and product processing firms that are so ubiquitous within our food supply chains.”

John Hoffman and his colleagues at the Food Protection and Defense Institute work every day advising clients, both in the public and the private sectors, on cybersecurity best practices. They fully understand the cyber challenges faced by food producers, processors and distributors. And they also recognize the importance of people understanding the role they play in protecting this critical infrastructure sector that delivers quality food to our tables every day.