The agriculture and food industry has been consistently innovating and evolving to meet the country’s needs. Farmers have more and more digitally connected devices on their farms– everything from self-driving tractors, ID tags for livestock, drones, and even robotics. Innovations like these bring many benefits to farmers, but they also bring risks, especially from cyberspace. And cybersecurity of the agricultural sector is still at a nascent stage.
Several countries and governments are yet to understand that cyberattacks on the food and agriculture sectors will have some of the most significant real-world consequences. The recent attack on meat packaging giant JBS and how the global pandemic impacted the food sector are examples of how vulnerable the U.S. food supply chain is to disruption. An attack targeting the supply chain can yield catastrophic results.
These vulnerabilities have long been recognized. As early as March 2016, when the farmers embarked on the digital transformation route, the FBI and the USDA addressed cyberattacks targeting the Food and Agriculture Sector. The federal bodies encouraged farmers to enquire about data management practices and listed several cybersecurity best practices. These included:
- Monitoring employee logins that occur outside of normal business hours.
- Using two-factor authentication for employee logins, especially remote logins.
- Creating a centralized Information Technology e-mail account for employees to report suspicious e-mails.
- Providing regular training to remind and inform employees about current social engineering threats.
- Monitoring unusual traffic, especially over non-standard ports.
- Monitoring outgoing data, and be willing to block unknown IP addresses.
- Closing unused ports.
- Utilizing a Virtual Private Network (VPN) for remote login capability.
The agencies also recommended reaching out to the US-CERT for all kinds of assistance on cyber readiness.
But more than five years later not much has changed, the industry continues to be one of the most underprepared sectors against cyber-attacks because of the lack of compliance and regulatory mandates.
Like several industries, the concept of cybersecurity for the agriculture sector is still an afterthought. The agricultural corporations and collectives should voluntarily adopt the ISO 27001, NIST framework for cybersecurity or PCI-DSS standard. These frameworks can provide and offer guidelines for securing data in the sector.
Severe gaps even at a federal level
You cannot simply blame the industry for the lack of adoption of the best cybersecurity practices, as federal bodies have not done enough to protect our food supply. A recent report from the Senate Homeland Security and Government Affairs Committee found glaring cybersecurity gaps in several sectors, including the State, Transportation, Agriculture, Health & Human Services, Housing & Urban Development, Education, and the Social Security Administration. According to the report, several of these industries have not improved their cybersecurity postures in the last couple of years.
This should be a wake-up call because USDA maintains sensitive information via its Direct Loan System (DLS) stores. These include names, Social Security numbers, liabilities, and assets owned to process loan applications.
USDA also has sensitive national security information related to its participation in the Select Agent Program and the Food Safety and Inspection Service’s vulnerability assessments. The Food Safety and Inspection Service’s vulnerability assessments “inform the development of countermeasures to help prevent or mitigate the impacts of an intentional attack on the food supply.”
The audits also found USDA’s use of unsupported software, exposing the department to several cyber risks.
Winds of Changes
American National Standards Institute (ANSI) and the German Institute for Standardization (DIN) are exploring possibilities to develop a roadmap for smart agriculture. It could lead to U.S.-German leadership on this subject in other organizations.
The Biden administration recently released the national security memorandum on “Improving Cybersecurity for Critical Infrastructure Control Systems.”
With the Memorandum, the White House urged critical infrastructure owners and operators to follow voluntary guidelines and mandatory requirements to protect critical services from cyber threats. These include:
- Implementing specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems within prescribed timeframes
- Developing and implementing a cybersecurity contingency and recovery plan
- Conducting an annual cybersecurity architecture design review