Virtually no mandatory cybersecurity rules govern the millions of food and agriculture businesses that account for about a fifth of the U.S. economy — just voluntary guidelines exist. The two federal agencies overseeing the sector include the USDA, which has faced criticism from Congress for how it secures its own data. And unlike other industries that have formed information-sharing collectives to coordinate their responses to potential cyber threats, the food industry disbanded its group in 2008.
Now, food producers need to face the fact that disruptive cyberattacks are part of what Agriculture Secretary Tom Vilsack calls their “new reality.”
National security threats to the agricultural supply chain haven’t received enough attention across the entire federal government, argued Rep. Rick Crawford (R-Ark.), who serves on both the House Intelligence and Agriculture committees.
“Too often agriculture is dismissed as: ‘It’s important but it’s not that big a deal,’” Crawford said in an interview. “If you eat, you’re involved in agriculture. We all need to recognize that it’s a vital industry and this [incident] illustrates that.”
The North American Meat Institute, which represents meatpackers, declined to comment on the state of the industry’s cybersecurity measures or potential changes following the hack.
The downside of ‘enormous technology’
The cry of alarm from the University of Minnesota’s Food Protection and Defense Institute arrived in the most unassuming of packages: as one of more than 180 official comments filed to the USDA related to a presidential order about securing the nation’s supply chains.
“Fast-spreading ransomware attacks could simultaneously block operations at many more plants than were affected by the pandemic,” the institute warned in its May 18 filing, noting that Covid-19 last year forced a shutdown of slaughterhouses that prompted fears of meat shortages and price spikes.
It was just the latest in a series of warnings from national security and law enforcement agencies, private cybersecurity companies and academic researchers.
In November, the cybersecurity firm CrowdStrike said in a report that its threat-hunting service had witnessed a tenfold increase in interactive — or “hands-on-keyboard” — intrusions affecting the agriculture industry over the previous 10 months. Adam Meyers, the company’s senior vice president of intelligence, said that of the 160 hacking groups or gangs the company tracks, 13 have been identified in targeting agriculture.
A 2018 report from the Department of Homeland Security examined a range of cyber threats facing the industry as it adopts digitized “precision agriculture,” while the FBI said in April 2016 that agriculture is “increasingly vulnerable to cyberattacks as farmers become more reliant on digitized data.”
The industry also offers plentiful targets: As the Department of Homeland Security’s cyber agency notes, the ag and food sector includes “an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities,” almost all under private ownership.
For decades, however, most farmers and foodmakers have prized productivity over all else, including security — trying to eke out profits in an industry with chronically narrow margins and meet the growing global demand for food. In the quest for efficiency, meat plants are ratcheting up their processing line speeds and investing in robotics to more quickly carve up carcasses. Farmers are adopting high-tech innovations like drones, GPS mapping, soil sensors and autonomous tractors, with vast data behind it all.
All that connectivity and automation comes at a cost.
“This is part of the downside of having an enormous technology, enormous capacity to turn a lot of data and become more efficient,” Vilsack said. “There are risks associated with that.”
‘No industry is off limits’
The disruption to JBS, which controls nearly a quarter of America’s cattle processing, has raised concerns mainly about the impact on meat markets. USDA data shows wholesale beef prices have steadily ticked higher each day since the hack, with choice cuts climbing above $341 per hundred pounds as of Thursday morning.
Higher prices are just one of many potential consequences. Cyberattacks could also lead to the sale of tainted food to the public, financial ruin for producers, or even the injury and death of plant workers, according to the Food Protection and Defense Institute, a DHS-recognized group.
In its public comments to USDA, the institute highlighted gaping holes in the industry’s preparedness, including a general “lack of awareness throughout the sector” and scant guidance from government regulators. It also noted that large parts of the industry rely on decades-old, custom-written software that is essentially impossible to update, along with outdated operating systems like Windows 98.
“The agriculture industry probably lags behind some of the other industries that have been hit harder by cyber crime” like the financial sector, which has long been a prime target for criminals, said Michael Daniel, president and chief executive of the Cyber Threat Alliance, a nonprofit organization.
However, the JBS hack, just like the ransomware attack on Colonial Pipeline in May and the ensuing gasoline-buying panic, shows that “no industry is off limits,” he added. Ransomware operators “are going to go wherever they think they can extract money.”
Daniel, a cyber coordinator during the Obama administration, said he would recommend that industry executives take basic steps like assessing their companies’ digital preparedness and reviewing federal security guidelines.
“What I would be telling them is: You really need to be thinking about how you manage your cybersecurity risk, just like you manage commodity price risk, just like you manage natural disaster risk, just like you manage legal risk,” Daniel said.
The White House similarly advised all companies on Thursday to harden their defenses, including by installing the latest software updates and requiring extra authentication for anyone logging onto their systems.
Meyers, from CrowdStrike, said seriousness with which cybersecurity is regarded varies “depending on who you’re talking to in the ag industry.” He said multinational conglomerates that have intellectual property worth protecting make it a priority, but “as you get down the food chain, so to speak, they probably think about it less seriously.”
The JBS hack “is the big wake-up call for all these small, medium and large businesses. You can’t stick your head in the sand, and hope it’s not going to happen to you because it is,” Meyers said. “You need to be prepared, and you need to get yourself ready to fight. Because if you don’t, you’re going to be paying a ransom and somebody’s going to be eating your lunch.”
A call for Congress to act
Congress may need to step in to help fix the situation, said Crawford, the House member from Arkansas, who reintroduced legislation earlier this year that would establish an intelligence office within USDA. The office would serve as a conduit for the department to keep farmers informed of threats to their livelihood, including espionage and cyber operations by malign actors.
A key reason the industry isn’t prepared against dangers like ransomware is that the U.S. intelligence community hasn’t considered the national security threats to agriculture as much as it should, Crawford argued.
He added that communication must go both ways: Companies need to have their cyber experts share what they see with their government counterparts. No such requirements exist for the food and ag industry.
“What I would advise the private sector to do is be proactive on these things as possible,” according to Crawford, who is organizing a “business intelligence and supply chain integrity” forum this summer that will feature cybersecurity experts, government officials and representatives from the clandestine community to educate local businesses about digital threats.
USDA has not proposed any significant policy changes following the JBS attack, instead asking food and agriculture companies to take voluntary steps to safeguard their IT and infrastructure from cyber threats. Vilsack on Thursday pointed to guidelines from DHS’ Cybersecurity and Infrastructure Security Agency that companies can adopt for their own protection.
There’s no shortage of policy recommendations from experts in the field. Most proposals involve educating industry leaders and employees, setting minimum standards for cyber safety or improving coordination between companies and agencies.
Another step recommended by the Food Protection and Defense Institute: USDA and DHS should work with the industry to create a cyber threats clearinghouse — known as an “information sharing and analysis center” — to collaborate on studying and addressing digital risks.
Other critical industries, including the electricity and financial sectors, already have their own ISACs, but the food industry does not. Instead, some food and ag companies have joined a broader information-sharing group that covers the information technology industry, said Scott Algeier, executive director of the IT-ISAC.
“They wanted to engage with other companies but did not have an ISAC. So they applied to us,” said Algeier, whose organization also provides a threat-sharing forum for the elections industry.
The nonprofit Internet Security Alliance has called for federal grants and other incentives for food companies to step up their cyber defenses.
“Increasing cybersecurity will cost money, and finding the additional funding will not be simple for the sector since it is governed by tight margins and faces a highly competitive world market,” the group wrote on its website.
Helena Bottemiller Evich contributed to this report.