Food Security: Mitigating the Dangers of Digital Poison

As digital modernization expands, the food and agriculture industry must remain cyber-resilient to ensure the safety of everyday consumers.

From tractors to drones to Internet of Things tools, the food and agriculture (FA) industry has used cutting-edge technologies to its advantage for centuries. Modern digitization, however, is often served with a side of risk.

Much like the rest of the U.S. critical infrastructure—80% of which is controlled by the private sector—the FA sector faces an increased number of cyber threats. And a threat to any member of the supply chain can have detrimental effects on all participating parties.

A recent report by the Food and Ag-Information Sharing and Analysis Center (ISAC) showed 167 ransomware incidents against the FA sector in 2023.

The FA-specific not-for-profit center was launched from the IT-ISAC community in May 2023 due to a growing number of requests from industry members. Through its work, the organization remains in close partnership with federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Agriculture, the Food and Drug Administration and the Department of Homeland Security (DHS).

Though most attacks appear to be opportunistic, the report mentions, a small disruption to everyday processes has significant consequences. “Any downtime caused by an attack could lead to a chain reaction of delays, potentially causing late planting or harvesting windows,” it states.

While financial gain is a popular motive for malicious actors, intellectual property and classified information theft are also of concern.

“Our role is to engage, educate and help those critical infrastructure owners and operators understand the risk of not upgrading systems, of not incorporating cybersecurity best practices,” Brannan Villee told SIGNAL Media in an interview.

Villee is the program manager at the DHS Science & Technology (S&T) Directorate’s Critical Infrastructure Security and Resilience Research program.

“One of the things we’ve seen in critical infrastructure is ... everything is going great until it’s not,” Villee continued, stating that more often than not, FA businesses do not have the resources or the knowledge of supply chain security and cybersecurity standards.

The recently released National Security Memorandum-22 requires all businesses to report cybersecurity attacks, which Villee believes will significantly help bring awareness to the growing issue.

“While revealing that they might have vulnerabilities,” she continued, “in theory it’s helping other critical infrastructure sectors and organizations adopt practices so that they are not the victim of the next attack.”

In 2021, for example, JBS Foods, the world’s largest beef supplier, fell victim to a data breach. The company consequently paid $11 million to the Russian-owned ransomware hacking group named REvil.

“This was just a month after the Colonial Pipeline was hacked,” Villee stated. “Even though there weren’t pressing supplies on fuel, there was panic.”

The referenced attack caught global attention as it was the largest cybersecurity breach on an oil infrastructure target in the U.S.

In a separate instance in Florida, a water treatment system was hacked. “The hacker was trying to poison the water supply,” Villee explained. “They were trying to increase the level of sodium hydroxide, which could have put people at risk of being poisoned.”

In May, the U.S. Department of the Treasury revealed the identity of, and sanctioned, the senior leader of LockBit, a Russia-based ransomware group responsible for nearly 25% of all ransomware attacks in 2023, according to the Food and Ag-ISAC report. “LockBit has targeted over 2,500 victims worldwide and is alleged to have received more than $500 million in ransom payments,” the Treasury Department’s press release stated.

The Food-Ag ISAC offers its members a repository of adversary playbooks, which include nation-state and ransomware groups, with a tracker specifically aimed at the FA sector. Additionally, the nonprofit developed a predictive adversary scoring system that looks at historical targeting, sophistication levels and more. China and Russia remain at the forefront of malicious attackers.

Chinese-manufactured unmanned aerial systems (UAS) could also pose serious threats to U.S. critical infrastructure sectors, including FA.

A report titled Cybersecurity Guidance: Chinese-Manufactured UAS was released by CISA and the FBI in January to raise awareness of growing threats and ways to mitigate risks to sensitive information.

“The People’s Republic of China has enacted laws that provide the government with expanded legal grounds for accessing and controlling data held by firms in China,” the guidance reads.

The People’s Republic of China’s 2021 Data Security Law allows the country’s government access to each company and all data received from Chinese-operated companies.

Chinese-manufactured UAS continue to be used across U.S. critical infrastructure, however, Jonathan Braley, director of threat intelligence at Food and Ag-ISAC, stated as a guest on The Security Detail podcast in February.

“The food and ag sector, they might use these drones on farms, for livestock monitoring,” he said. Drones may also be used for fertilizer and pesticide applications, among other effective agriculture tools.

“We have to start thinking about how that could be used by Chinese threat actors.”

Cybersecurity attacks have, however, brought much-needed awareness to a growing issue.

In January, a bipartisan bill was introduced in the U.S. Congress by seven U.S. senators. The Farm and Food Cybersecurity Act of 2024 proposes an enhancement of FA sector cybersecurity and resilience. The bill also asks for “an annual cross-sector simulation exercise relating to a food-related emergency or disruption.”

This isn’t just a national issue, however. Russia’s attacks on Ukraine’s grain supply showed the world that a breach of one could affect all.

Cybersecurity has been a topic of interest for the U.S. Agency for International Development (USAID) for the last five years, said a USAID cybersecurity expert.

“Our team is really focused on cybersecurity as a development challenge,” the representative said. “Increasingly, we’re really seeing cybersecurity as a cross-cutting issue that we need to be thinking about for every technical sector.”

Formed under USAID’s Digital Strategy, the cybersecurity team released its Cybersecurity Primer in 2021 to build awareness of the growing impact of cyber threats.

Similarly, the U.S. Government Global Food Security Strategy 2022-2026 speaks to enhanced integration of digital technologies, which informs the work USAID provides through food security initiatives such as Feed the Future.

The agency’s Bureau for Resilience, Environment and Food Security additionally has a digital strategy action plan, which outlines how the bureau responsibly uses digital technologies in its program.

One of those areas is a focus on cybersecurity.

“A lot of the communities that we’re working with are just being introduced to new digital technologies now, so the level of cyber hygiene is often pretty low,” the USAID official said.

“In one case, the social media account of a trader in Sub-Saharan Africa was taken over,” they described. “With information that the cyber attacker was able to glean from the Facebook account, they were essentially able to [access] that person’s bank account.”

The cyber team has also seen cases of unknown numbers entering WhatsApp groups to track and collect information of all the members to later target each of them for cyber-crime.

“It really means that [this] kind of basic cyber hygiene needs to be incorporated into all the training and the work that we’re doing with farmers and people in the agricultural sector so that they’re using these technologies safely.”

With a global increase in cutting-edge technologies, specifically the integration of artificial intelligence (AI) and machine learning (ML), threats to the modern FA landscape are rapidly changing.

“[AI] has helped cyber criminals in many forms, generate more believable phishing attempts and social engineering,” said Jonathan Braley at a Food and Ag-ISAC hosted webinar to celebrate its one-year anniversary in May.

The more widely known AI scams, such as voice phishing and deepfakes, continue to threaten all sectors. “From a cyber crime perspective, AI has given low-level criminals a lot more tools,” Braley stated.

Industrial espionage is an added concern.

“We’re seeing intellectual property accidentally be added into language models, so somebody will ask a question and might not realize that the intellectual property that they’re putting into that free service is actually getting pulled into the model where another person can view that.”

On the other hand, Braley said, AI continues to be integrated into many tools used by the FA sector, therefore making it vital to remain cautious of unknown risks. Any new and connected device requires continuous monitoring.

Though basic security practices such as software updates, multifactor authentication and file encryption are important, awareness and proactivity are essential for remaining cyber resilient.
