Regardless of whether geopolitical, criminal or espionage agendas are involved, global hyper-connectivity now demands food supply security to be beefed up.
Producers and suppliers in the food and agriculture sector have long focused on diversified food sources and improved productivity through technology adoption as their top priority. However, in recent years the surge in cyberattacks targeting critical infrastructure has meant that cybersecurity must now take center stage.
Just last September the FBI published a bulletin highlighting the rise in ransomware attacks targeting the food and agriculture critical infrastructure sector, with concern that these attacks would impact the food supply chain.
Then, in February 2022, the US, UK and Australia issued a joint Cybersecurity Advisory on the “Increased Globalized Threat of Ransomware” against critical infrastructure sectors, including food and agriculture, noting that ransomware tactics and techniques continued to evolve in 2021, demonstrating “ransomware threat actors’ growing technological sophistication and an increased ransomware threat to organizations globally.”
Legacy systems vs. modern cyber threats
The crux of the issue is that many food and beverage production sites run on legacy operational technology (OT) that was never designed to be connected to the internet. However, the recent push for digitalization had exposed old systems to new cyber threats.
Claroty’s own data indicates that more researchers and threat actors were looking at vulnerabilities in IT and OT systems running in food and beverage plants, with a 56% increase in industrial control system (ICS) vulnerabilities from 2019 to 2020 after relatively few reports prior to 2019.
Adding to the threat landscape are the pandemic-driven work trends where more people can now work literally from anywhere in the world, meaning that attacks can come from everywhere.
Then there is the issue of yielding to ransom demands: data from a 2021 global survey of 1,100 critical infrastructure organizations showed that over 60% of respondents experiencing a ransomware attack had chosen to pay the ransom, which ranged from US$500k to more than US$5m.
For many companies, the cost of paying the ransom was cheaper than the cost of not abiding by the demand. However, cybersecurity authorities discourage the paying of ransoms. This is because it gives the perpetrators more resources to wreak more havoc on other victims, while simultaneously not being a guarantee of getting the cybercriminals to honor their word. Additionally, firms that pay off the ransom often stop working with authorities to track and catch the criminals.
Regardless of the decision whether to pay or not, the advice given is to immediately disconnect affected systems from the network, or if that is not possible, to power them down to prevent further damage. Restoration and recovery needs to be based on a list of critical priorities, and organizations that have already planned out a response in case of such an emergency will clearly be able to get back on their feet more quickly.
Making hyper-connectivity more secure
The only way to mitigate the risk is to understand how to make hyper-connectivity more secure, by addressing gaps in processes and technology, and preparing for the worst.
A number of national agencies have shared guides addressing the issue of ransomware, such as the US Cybersecurity and Infrastructure Security Agency (CISA), UK’s National Cyber Security Centre (NCSC), and the Australian National Cyber Security Centre (ACSC). All stress the importance of recent reliable backups, and are a part of security for the system as a whole.
Effective industrial cybersecurity starts with knowing what needs to be secured. Good practices include maintaining a current inventory of all assets, processes and connectivity paths, and strengthening them where possible. Resilience can be built through network segmentation. Maintaining and storing backups offline will enable quicker data restoration when needed.
Employees also need to be aware of what could go wrong, and organizations need to take the responsibility of training their staff of the dangers of social engineering and phishing techniques. Even simple practices like not supplying passwords openly via email and reporting suspected phishing attempts all play their part in maintaining resilience.
Finally, organizations should be diligent in testing their incident response plans, and conduct tabletop exercises to put those plans into motion, all without impacting production environments. Training and testing improves response, and ensures business continuity.