Tag Archives: cybersecurity

Kristy Gulsvig

Post-Incident Forensics:  Piecing Together the Puzzle After a Cyberattack

By Kristy Gulsvig
No Comments
Kristy Gulsvig

We live in an age where cybersecurity risks are everywhere—from the emails we receive to the online platforms we use. And industries, such as the food industry, that are part of our nation’s critical infrastructure are key targets for cybercriminals.

In September 2021, the FBI’s Cyber Division alerted companies that the Food and Agriculture industry was among the most susceptible to cyberattacks in the U.S. Since that alert, numerous attacks have taken place, many of them impacting global supply chains and endangering consumer safety.

The Connection Between Food Safety and Strong Cybersecurity

The food and agriculture supply chain is incredibly complex and consists of a web of interconnected systems and procedures. Farms and food processing plants have become heavily digitized in an effort to speed up production and add higher levels of efficiency.

Most farms and food processing facilities use advanced monitoring systems to check everything from temperature to packaging standards. And because many of these systems are automated, any interference or tampering could lead to severe consequences. This is why it is imperative that companies implement post-incident forensics techniques into their operations.

The Role of Post-Incident Forensics

In cybersecurity, digital forensics play a pivotal role in revealing hidden weaknesses that lead to breaches, and in pinpointing the origins of a cyberattack. While a post-incident forensic analysis can’t undo the harm already done, it can offer valuable insights to help deter similar breaches in the future.

These forensic investigations involve a lengthy and thorough process that requires a number of important steps that include:

Identification. During or in the early stages after a cyberattack, companies need to clearly identify the type of incident that has taken place. This is where investing in threat intelligence platforms and security information and event management (SIEM) solutions becomes important. These tools, along with human intervention, can be used to isolate specific events and locate the source of potential breaches in progress or ones that have recently taken place.

Preservation. During a criminal investigation, law enforcement agencies and detectives work diligently to preserve all forms of evidence; the same is expected when completing digital forensics. Because digital breadcrumbs can be modified or removed over time, it is important to isolate and mark specific information relevant to the investigation with a chain of custody. This ensures that anyone with access to files or systems for analysis is properly authorized to do so and can be accounted for.

Collection. A post-incident forensic analysis is all about data collection. There are any number of areas where data can be pulled to paint a bigger picture of the event. Relevant data from a cyberattack can be stored in equipment logs, hard drives or on cloud databases. Investigators will need a methodical process for locating and storing data so it can be analyzed in the future. They often use specialized technology such as forensic imaging software to create a copy of drives in their original state and pull in information without potentially damaging the original evidence.

Analysis. In the analysis stage of a digital forensic investigation, investigators comb through the gathered data to understand its significance. This phase can last from a few weeks to several months, based on the depth and impact of the cyber attack. This step is pivotal because it sheds light on vital details, helping cybersecurity teams understand exactly how the breach happened and formulate strategies to ward off future incidents.

Reporting. Once the analysis is concluded, it is the investigative team’s responsibility to draft a comprehensive report outlining key findings from their study. This report should be written in a way that is accessible to both technical experts and a non-technical audience, ensuring everyone clearly understands how the attack took place. This report is important not only for the organization to learn and adapt, but also to meet legal or regulatory standards. Some of these reports might be publicized, so it’s essential they accurately reflect the depth of the investigation and any necessary steps to take moving forward.

Challenges of Post-Incident Forensics in Food Safety

The food and agriculture sector presents unique hurdles when executing post-incident forensics. A primary obstacle for cybersecurity experts responding to an incident is the expansive nature of food and beverage supply chains. With large distribution networks, as well as various partnerships with suppliers, manufacturers and retailers, the potential for cyberattacks increases exponentially. This complexity often leads to longer timeframes required to trace the origins of an attack.

It’s also important to know that most major cyberattacks don’t stem from a singular breach. Typically, cybercriminals will invest considerable resources to infiltrate several systems or networks over a long period of time. Investigators will then often find themselves in a “Russian doll” scenario, where uncovering one level of the attacks reveals another one underneath it.

Over the years, it has also become significantly harder to source well-trained cybersecurity professionals who have both the industry knowledge and the forensic expertise necessary to tackle more complicated attacks. This often leads to organizations taking dangerous shortcuts and not adequately budgeting their incident response programs.

Best Security Practices for Food and Beverage Industries

To ensure that organizations are well-positioned to complete thorough post-incident investigations, there are some important cybersecurity best practices that should be implemented.

Invest in the Right Cybersecurity Infrastructure. Not every industry has the right infrastructure in place to protect themselves or successfully recover from a large-scale security event such as ransomware recovery. This is why investing in firewalls, intrusion detection systems and other cybersecurity solutions is integral to securing your systems. While these tools may not eliminate all the risks associated with modern cyber threats, they will help to significantly minimize attack surfaces.

Create a Comprehensive Disaster Recovery Plan. Though preventing attacks is a top priority for organizations, it’s just one aspect of a strong defense. For businesses in the food and agriculture sector, it’s crucial to also have a thorough disaster recovery strategy in place. The foundation of a successful post-incident forensics investigation is proper planning and clearly documented processes. Disaster recovery plans give organizations the ability to create a clear and methodical roadmap for how to proceed once a major issue has been identified.

Conduct Regular Security Audits. Given the evolving nature of technology, even the best-prepared organizations might inadvertently introduce vulnerabilities into their systems over time. This makes it crucial for organizations to routinely check their systems by conducting an SOC audit or undergoing a risk assessment to spot and address any potential flaws in their cybersecurity measures.

Collaborate With Outside Security Experts. Every industry has unique security challenges to address. But rather than tackling these issues on their own, critical infrastructure organizations can—and should—lean heavily on the security experts in their sectors. This includes partnering with risk assessment specialists and managed service providers that can help identify where gaps may exist in an organization’s security and work closely with stakeholders to address them.

Establish the Right Security Culture. Post-incident forensics investigations are an important part of building a strong, more resilient food and agriculture sector. Although equipping an organization with the appropriate technology and processes is essential, establishing a culture of security awareness and accountability is beneficial for everyone involved. By following a well-outlined plan and collaborating with established cybersecurity experts, organizations can better safeguard against modern threats and reduce the damages when events occur.

Eric Sugar

Implementing ZTA for Cybersecurity: Benefits and Best Practices

By Eric Sugar
No Comments
Eric Sugar

When thinking about food safety, your first thought is likely safe handling and avoidance of potential contamination. However, cyberattacks pose an increasingly serious threat to food safety, food businesses and consumers.

As the food service industry becomes increasingly reliant on digital technology and processes in their day-to-day operations, cybersecurity should become an integral part of their safety considerations. Technologies that present vulnerabilities and must be protected include online ordering and delivery, point-of-sale systems, inventory management, supply chain management and customer loyalty programs.

Business leaders in the food service space may be surprised to learn that their businesses are key targets for cyberattacks.[1] The technologies used in the food service industry generate and store large amounts of data, such as customer information, payment details and product specifications, which could be valuable to cybercriminals who want to steal, manipulate or destroy it. These cyberattacks can cause significant operational disruption, financial losses, reputational damage, legal liabilities and customer dissatisfaction.

Zero-trust Architecture (ZTA): A New Approach to Solving Cybersecurity Issues

One new concept in the cybersecurity space that could fundamentally change how businesses approach the security of their data is zero-trust architecture (ZTA).[2] ZTA is based on the principle of “never trust, always verify,” meaning every request for access to a resource is verified by multiple factors before access is granted. This approach can help businesses protect their resources from various cyber threats.

ZTA offers several other benefits to businesses, thanks to its unique security features. For example, ZTA reduces the attack surface and prevents lateral movement by attackers within a network, as each resource is isolated and protected by granular policies and controls. ZTA also enhances the visibility and monitoring of network activity and behavior, improves the compliance and governance of data and assets, and increases the agility and scalability of network operations. In simpler terms, ZTA allows businesses to ensure their data’s security.

Implementing ZTA in Food Service

A ZTA system is effectively a combination of components that work together to enforce the policies and controls for accessing each resource across the network. Some components commonly found in ZTA systems include:

  • Identity and access management (IAM): IAM is an essential foundation for a ZTA approach, as this protocol authenticates and authorizes users (and their devices) before granting access to resources. Potential methods of IAM include single sign-on (SSO),[3] multi-factor authentication (MFA),[4] role-based access control (RBAC) and attribute-based access control (ABAC), among others.
  • Data protection: ZTA systems also implement strict data protection standards, which encrypt and secure data that is both in transition and at rest. Commonly used methods of data protection include transport layer security (TLS), internet protocol security (IPsec) and secure shell (SSH).
  • Network segmentation: Network segmentation is an important aspect of a ZTA approach to cybersecurity that isolates and restricts network traffic between resources. A system might use software-defined networking (SDN), software-defined perimeter (SDP) or micro-segmentation to achieve this effect.
  • Security information and event management (SIEM): Finally, a ZTA system implements SIEM, or the collection and analysis of logs and events from all the ZTA components. This allows businesses to monitor and detect anomalies across the network.

One example of a food service business that could benefit from implementing a ZTA system would be a restaurant that offers online ordering and delivery. The restaurant’s system may verify the identity, device health, network location and data encryption of each customer before granting access to the online menu and payment system. It could also verify the same information for each delivery driver before granting access to the order details and location information. Then, it would collect and analyze the logs and events from all ZTA components to monitor and detect any anomalies or threats across the network.

Protecting against cyberattacks should be a priority for any business. In the food service industry, you are dealing with sensitive data such as customer information, payment details and product specifications that must be protected at all costs. A zero-trust architecture (ZTA) system is the best way to ensure that this data is protected from wrongdoers who might want to access your data illegitimately.

 

References:

[1] Rundle, J. (2023, June 15). Food producers band together in face of cyber threats. WSJ. https://www.wsj.com/articles/food-producers-band-together-in-face-of-cyber-threats-8aa2e3ca

[2] CrowdStrike. (2023, June 28). What is Zero Trust Architecture (ZTA)? – CrowdStrike. crowdstrike.com. https://www.crowdstrike.com/cybersecurity-101/zero-trust-security/zero-trust-architecture/

[3] Teravainen, T. (2022). single sign-on (SSO). Security. https://www.techtarget.com/searchsecurity/definition/single-sign-on

[4] Multi-Factor Authentication (MFA) | CISA. (2022, January 5). Cybersecurity and Infrastructure Security Agency CISA. https://www.cisa.gov/resources-tools/resources/multi-factor-authentication-mfa

 

FSC logo

Highlights from the 2023 Food Safety Consortium

By Food Safety Tech Staff
No Comments
FSC logo

Last week, hundreds of food safety professionals, members of the FDA and USDA, and leaders in academia, food safety testing and cybersecurity met in Parsippany, New Jersey, for the 2023 Food Safety Consortium.

Keynote speaker Sandra Eskin, Deputy Undersecretary for Food Safety at USDA FSIS, and Erik Mettler, Assistant Commissioner for Partnerships and Policy in the FDA’s Office of Regulatory Affairs, opened the Consortium to discuss their agencies’ priorities for 2024 and took part in a town hall Q&A with attendees.

Eskin and Mettler
Sandra Eskin and Erik Mettler

In April, the USDA FSIS declared salmonella an adulterant in raw breaded chicken products. The agency is now reviewing comments and finalizing a framework for other poultry products and examining how to substantiate claims, such as “Pasture Raised,” “Grass Fed” and “Raised without Antibiotics.” Cell-cultured meat is another key focus for FSIS, and it is requiring labeling of “Cell Cultivated” on the packaging of these products.

Mettler discussed the “mass reorganization” of the FDA that is currently underway following the 2022 Reagan Udall report, noting that Jim Jones, the new Deputy Commissioner for Human Foods will have full control of policy and resources of the Human Foods program. A key focus will be risk management prioritization. Expect to see full reorganization in late summer or early fall of 2024.

Reorganization of the FDA’s Human Foods program was a hot topic that was also discussed in depth during Modernizing the U.S. Food Safety System with panelists Stephen Ostroff, former FDA commission, Barbara Kowalcyk, faculty at Georgetown University, and Bill Marler, food safety attorney with Marler Clark.

Session Highlights

This year, attendees had the opportunity to take part in full-day pre-conference workshops, including Food Safety Auditor Training with Trish Wester, president of the Association for Food Safety Auditing Professionals, and the Food Safety Culture Design Workshop with Gina Nicholson Kramer, Associate Director of Partnerships, Policy, & Learning at The Ohio State University, and Richard Fleming and Austin Welch of Sage Media.

Sessions during the two-day Consortium covered everything from data analytics to risk mitigation, grassroots food safety culture and recall trends.

Steven Gendel
Steven Gendel

Attendees were able to take part in a Panel Discussion with the Producer and Food Safety Experts Behind “Poisoned: The Dirty Truth About Your Food” Documentary with producer Kristin Lazure and featured members of the film, including Dr. Darin Detwiler, CEO of Detwiler Consulting Group, and professor at Northeastern University, attorney Bill Marler, and Brian Ronholm, director of food policy at Consumer Reports.

Steven Gendel spoke on regulatory guidance, thresholds and best practices for Allergen Advisory Labeling, followed by Tracie Sheehan of Mérieux Nutrisciences who presented Protecting Allergic Consumers through Audited and Validated Allergen Control Plans.

Cybersecurity panel FSC2023
Food Safety and Cybersecurity panel discussion

Two sessions highlighted the growing threat of cyber attacks. Attendees gained valuable insights from Mark Wittrock, Assistant Director – Health, Food, and Agriculture Resilience Office of Health Security, U.S. Department of Homeland Security, in Re-Imagining Food Protection as a National Security Issue – DHS Perspective, and Scott Algeier of the Food-Ag ISAC, who led a panel discussion on Food Safety and Cybersecurity.

“We’d like to thank all of our attendees, speakers and sponsors for helping make this year’s Food Safety Consortium a success. Through discussion, sharing of knowledge and building industry connections, the food industry will be better prepared to tackle the biggest challenges facing food safety, ensuring a safer and more resilient food supply for consumers,” said Rick Biros, founder and program director of the Consortium and publisher of Food Safety Tech. “We look forward to welcoming everyone to next year’s program in Washington, DC.”

Save the Date: The 2024 Food Safety Consortium will take place October 20-22 in Washington, DC. The call for abstracts is now open.

Reception at 2023 Consortium

About the Food Safety Consortium: ​Organized by Food Safety Tech, the Food Safety Consortium Conference, launched in 2012, is an educational and networking event that has food safety, food integrity and food defense as the foundation of its educational content. With a unique focus on science, technology, best practices and compliance, the “Consortium” features critical thinking topics that have been developed for both industry veterans and knowledgeable newcomers.

 

Hacker

Ransomware: Lessons Learned from One Food Company’s Experience

By Food Safety Tech Staff
No Comments
Hacker

In fall 2021, G&J Pepsi-Cola Bottlers Inc, came face-to-face with a potential ransomware attack and was able to avert it. We spoke with G&J’s enterprise infrastructure director, Eric McKinney, and cybersecurity engineer, Rory Crabbe, to learn more about how they detected and responded to the attack, the steps they have taken to strengthen their cybersecurity, and what advice they have for other food companies in the wake of the near catastrophe.

What happened to G&J back in 2021, and when did you realize something was wrong?

McKinney: Around Labor Day of 2021, we received a really weird call. The callers were acting as if they were friends looking out for our best interest, and they alerted us to the fact that there may be compromises to our system. They showed us a spreadsheet of usernames in our active directory to verify that they were in our systems, and they said we could pay them to prevent an attack. We did not engage with them further—and we think they may have been part of it—but we believed that something was happening.

Eric McKinney
Eric McKinney

We went through all of our servers—we don’t have a large footprint, because we are a cloud first organization—but we did detect some software that should not have been installed on a couple of our servers. We removed that immediately, but we were unable to find the beacons that they leave behind that act as triggers to start encrypting your files.

We made the decisions that if anything happened, we were not going to negotiate, we were not going to try to get our systems back, we were going to shut everything down and roll back. I put myself on call and sure enough I got a call two days later at 3:00 a.m. from one of our people. He was logging in remotely to a server and he said, “Something don’t look right.” I go to his screen and I immediately see the locked files and realize this is really happening.

The thing that saved us ultimately is we use native platform backups. We use Microsoft Azure. So we immediately shut everything down and started rolling back our systems as far back as we could go. Those backup files were not compromised because we don’t leverage backups that tie to a file system within a server. The only way you can touch them is if you have our Cloud credentials, which are all multi-factored.

How did this affect operations?

McKinney: The net impact was our critical systems were down for about seven to eight hours, and we were recovering PCs for almost a week—there were 100 to 150 PCs that were impacted as it continued to move laterally through our organization, and we had to get them all flushed out. We had to roll the system back two weeks, so we lost two weeks of data. That impacted the accounting team the most.

We did experience an event—it was not an almost event. But we never lost a single case of sales and we never paid a single dollar. We took everyone’s computers and blew them away, handed them right back to them and said you’re starting fresh. Fortunately, this only affected employees’ files. They could still get their emails and the things that were in OneDrive.

The things that really worked in our favor were our Cloud-first strategy and getting away from a legacy client architecture. We were still able to communicate. We could send emails, we could set up Teams and we had all the tools to coordinate and get out of this and recover as quickly as we did. The second thing was having those native platform-based backups.

How did this change your digital and cybersecurity strategies?

McKinney: We were doing weekly backups, now we back up every day. And these are full system backups, which means that if you hit restore, the whole system lights back up not just the data but also your operating system that it runs on.

Crabbe: We also reached out to a lot of companies, including Arctic Wolf, who we ultimately began working with to help us figure out what we didn’t know. We worked with them to go through our environment and come up with ideas on how to improve. We are a big Microsoft shop, and we started utilizing a lot of the native tools that we already had such as Defender for Endpoint and the security portal. This addressed a lot of the low hanging fruit, such as automatic updates and not allowing outside vendors to contact us without going through a vetting process.

Rory Crabbe
Rory Crabbe

Arctic Wolf went through our system and sent us a list of recommendations, and a lot of what we did involved utilizing the native tools that we already had, shoring up our defenses, making sure the backups work and creating a disaster recovery plan.

McKinney:  We quickly went from being a business of convenience, where we said, “let’s allow USB drives,” to changing all of our technical policies by turning on all of our attack surface reduction rules. We blocked all logins from outside the U.S. and brought in new team members dedicated to cybersecurity.

I have some self-confidence issues due to this attack because your failures are put on display, and there is a feeling that if you were doing a better job this would have been prevented. But we were a very small team and we were responsible for cybersecurity, ERP (enterprise resource planning) initiatives, development initiatives, support and infrastructure initiatives and data initiatives. When you’re wearing all of these hats things do get missed, and in the end it ended up being one application update. One application patch was exposed, which set all of this off. in terms of where we’ve gotten better, we signed up with an MSP (managed service provider) to monitor our environment 24 hours a day seven days a week. In addition, these companies assist your team by keeping them up to date with the latest techniques and providing proactive communication on things that we should be doing to secure and protect our environment.

We’ve taken a lot of steps over the past two years and we still have a long way to go. We will never stop or become complacent.

There is a concern among some people that the Cloud is less secure, and it’s better to control your own servers. Is that a misconception?

Crabbe: When it’s on premise it is your responsibility. If something happens to your infrastructure, you’ve got to be on call and wake up to deal with that. So not only is the Cloud a reduction in personnel work; it’s also peace of mind. Microsoft has its own team of engineers, and they have physical security in place as well. The Azure building is protected by armed guards to protect the data from physical hackers. It’s a lot easier to apply security policies to something that’s in the Cloud because Microsoft can give you options for all kinds of things that you didn’t even know you needed. This makes it easier to visualize where you are and where you need to go.

McKinney: These are also publicly traded companies that have to follow all of the controls that come with being publicly traded. They’re going to do a better job than the one or two individuals that you have at your company who cannot work 24/7 365 days a year.

I appreciate you guys talking openly about this, because one of the issues that comes up in food defense and cybersecurity is people aren’t necessarily sharing information that could help others recognize vulnerabilities. Is it difficult to share this information?

McKinney: We didn’t want to talk about it for a long time. It’s hard to put your failures—or at least what is perceived as a failure—out there. But when you look around, you realize this can happen to anyone. It happened to MGM with all their resources. And one issue that isn’t discussed very often is, behind the business implications is an incredibly stressed out IT team that really is traumatized by an event like this.

In talking with others who have been through this, it’s often the most stressful thing that’s ever happened in their lives. It certainly is the most stressed out I’ve ever been. You’re thinking, I just cost my company millions of dollars. I shut down my business. We may not be able to get product to our people. So many things flash through your mind, and you really don’t want to talk about it or advertise it. Luckily for us, we had the right systems but most importantly we had really great executive support and great team members to help us recover.

When it comes to access management, companies have to balance convenience for their employees with the need for stringent security. Were employees understanding of the changes you had to make, and how did you communicate these changes in processes?

Crabbe: There was a lot of frustration with people saying this worked before, why can’t we do it now? One of the benefits of being a family-owned company is that we are a fairly small group, so we were able to deal with it on almost a case-by-case basis. We have an internal system that people can submit their issues or requests through, and we review them. For example, if somebody needs to move a device to a USB stick to take to an external vendor, we can look at that and say what alternatives do we have? Can we use OneDrive or another native tool to share that information? Does it have to be a USB stick? Or, if someone is going on vacation in Mexico, they can submit a ticket and we can allow them remote access from a specific country for a specific amount of time so they can log-in. We can tell them yes or no on a case-by-case basis and explain why we made the decision.

McKinney: This event also made us ask questions like, do we even need USB sticks? There are so many other tools we can use. A lot of the changes involved looking at more modern ways to collaborate. And a lot of that revolves around retraining and catching your workforce up with the new tools that we have available.

Based on your experience, what advice would you offer other companies?

McKinney: The IT spend in the food and beverage industry is typically small compared to industries like insurance or banking or health care. You need to capture all the signals from all your systems—emails being sent, open, received, etc.—and you must monitor those. Then you need the right algorithms and the right people to make sense of that data. If you are not able to maintain a large enough in-house team, investigate an MSP. They can ingest all the signals, funnel them and turn all that data into actionable items. Also, store your backups off site and limit access. Don’t store them with your production data.

Crabbe: Shore up your defenses using your native tools and create a disaster recovery plan. Those would be my two biggest recommendations for any company going forward. Dig deep and utilize what you’ve got. There’s probably a lot more available to you than you realize you have, and don’t be afraid to reach out to third-party vendors for help.

 

Different types of food

FDA, USDA and DHS Release Review on Emergent Risks Facing U.S. Food and Agriculture

By Food Safety Tech Staff
No Comments
Different types of food

The U.S. Food and Agriculture (FA) sector is facing significant risks that require improved communication and collaboration between industry and government agencies. On July 13, the FDA, USDA and Department of Homeland Security (DHS) released the 120 Day Food and Agriculture Interim Risk Review, which provides a review of critical and emergent risks to the FA sector, as well initial mitigation strategies, factors contributing to risk and proposed actions to address risks.

Risks identified in the review include:

Chemical, Biological, Radiological, & Nuclear (CBRN) Threats. CBRN threats are defined as “hazardous contaminants such as poisonous agents including toxic industrial compounds and materials, toxins, and chemical agents and precursors; natural or genetically engineered pests and pathogens of livestock, poultry, fish, shellfish, wildlife, plants, and insects; and physical effects of nuclear detonations or dispersion of radioactive materials.”

Initial Mitigation Strategies: Prevention of CBRN incidents may be achieved through expanding and enhancing existing physical security and administrative controls, including many food defense mitigation strategies, such as control of entry systems at critical points in production, processing, storage, and transportation, surveillance of critical points, pre-employment screening, and clear marking of employees who are authorized to be at critical points.

Cyber Threats. While these are not new risks, the review notes that as the food industry increases its dependence upon technology, including the move toward automation, precision farming and digital agriculture, the likelihood and severity of a crippling cyberattack increases.

Initial Mitigation Strategies: Some FA sector entities have assessed and mitigated cybersecurity vulnerabilities through entity-specific action, using and applying the National Institute of Standards and Technology Cybersecurity Framework or other actions. Future activities should include the reviewing and securing of interconnectivities between systems. To do this, all FA sector entities, both public and private, must improve their understanding of cyber threats and vulnerabilities and reduce their gaps in protection. Future efforts in cybersecurity in the FA sector should prioritize the sharing of information about cyberattacks, research into cybertheft of food and agriculture intellectual property, FA sector dependency on the energy sector and interdependencies within the FA supply chain. The review also highlights the need for funding for a program to assist small and medium size facilities to increase implementation of effective cyber security mitigations.

Climate Change: Natural disasters and extreme weather events, limited water resources, loss of pollinators and pollinator services, and increased exposure potential to pests and pathogens are among the threats to future agricultural productivity which may be exacerbated by climate change.

Initial Mitigation Strategies: Research on environmental hazards and degradation within the FA sector should include water use, irrigation system improvements, dryland management practices, and crop system utilization. Similarly, research targeting pollinator habitat, how climate change affects pollinators, pollinator forage, and pollination rates as it pertains to crop yield, and current and emerging pests and pathogens that negatively impact the optimal health outcomes of people, animals, plants, and their shared environments to include the health of pollinators is vital to long-term crop sustainability and food security. The use of improved monitoring systems, predictive modeling to inform surveillance, early warning systems, and better control options can help reduce the risk of pest and disease agricultural damage due to climate change.

Potential Factors Contributing to Risk

A “potential factor contributing to risk” is defined in the review “as features or operational attributes that render an entity open to exploitation or susceptible to a given hazard.” These include:

  • Food and Agriculture Industry Consolidation
  • Input Shortages, including labor, energy, IT/data, and consumables.
  • Aging and Insufficient Transportation Infrastructure
  • Trade Disruptions
  • Foreign Acquisition
  • Gaps in Preparedness

Proposed Actions

The FDA, USDA and DHS developed a timeline of proposed actions, which includes short-, mid- and long-terms strategies to enhance strategic planning, understanding of FA sector risks, and information sharing and engagement. Next steps include:

Threat Assessment: Identify potential actors and threats, delivery systems, and methods that could be directed against or affect the FA sector. (60 days and annually thereafter)

120-Day FA Risk Review: Identify risks to the FA sector from all hazards, identify activities to mitigate risks categorized as high-consequence and catastrophic, identify steps to improve coordination and integration across the FA sector, inform ongoing development of the Federal Risk Mitigation Strategy. (120 days)

Vulnerability Assessments: Identify vulnerabilities within the FA sector in consultation with state, local, tribal, and territorial (FSLTT) agencies and private sector partners. (180 days)

Risk Assessment: Prioritize by the highest risks for the FA sector, implement benchmarking off of results generated from the CBRN Strategic Risk Assessment Summary. The first draft would focus on CBRN and cyber threats with later iterations to include other threats (e.g., energy disruption, pandemics, catastrophic weather events, consequences of climate change). (365 days)

Risk Mitigation Analysis: This will include high-level actions for mitigating threats, a proposed timeline for their completion and a plan for sharing information. The analysis will identify strategies, capabilities, and areas of research and development that prioritize mitigation of the greatest risks as described in the risk assessment, and include approaches to determine the effectiveness of national risk reduction measures. (545 days)

A Unifying Food and Agriculture Community Architecture

Recognizing the need for improved coordination and communication, and an over-arching framework to direct and maintain a consistent

approach to preparedness and response to high-consequence and catastrophic incidents within the FA sector, the review also includes a proposed “Food and Agriculture Resilience Architecture.”

The proposed Architecture represents an “integrated, whole-of-community and whole-of-government system of stakeholders and capabilities” approach to strengthening the readiness and resilience of FA sector.

 

 

Scott C. Algeier
FST Soapbox

Re-Evaluating Our Cybersecurity Posture and Practices

By Scott C. Algeier
No Comments
Scott C. Algeier

On November 10, the White House released a National Security Memorandum (NSM) aimed in part at improving cybersecurity within the food and agriculture sector. The NSM contains a clear message: “The evolving threat environment requires the sector and its essential workforce to better prepare for and respond to incidents with broad impacts on our national and economic security.”  If cybersecurity was not a priority for your organization in 2022, it should be one in 2023.

The food and agriculture industry has benefited greatly by incorporating technology into core business functions, which makes the industry more efficient. Farmers now provide more food on less land thanks in part to precision agriculture. A complex, interconnected logistics system—propelled by information technology—enables just in time delivery of product. But this interconnectedness creates risk that needs to be managed. Even if an adversary may not intend to disrupt the food supply chain, a short disruption can quickly rise to a national security concern.

This is the impetus behind the NSM: There is a national security interest in ensuring the integrity and resilience of the global food supply chain. Addressing these threats, however, requires individual action by an untold number of companies. Many of these companies operate on small margins and lack resources to understand the or mitigate cyber risks.

The cyberthreat environment is complex and ever changing. Nation state actors seek core intellectual property and other proprietary information. Social activists launch campaigns aimed at disrupting access to public-facing Internet sites. Mis- and disinformation spreads through social media channels.

Organized cybercriminal gangs are motivated by money. Often, the victim is not necessarily the intended target. But sometimes the food and agriculture industry is targeted specifically. On December 12, the FBI, CISA, the FDA and the Department of Agriculture issued a public advisory warning of Business Email Compromise attacks, demonstrating the financial loss attacks can cause.

Developing a Common Approach to Cyber Risks

Developing a common approach to defend against these threats is challenging since industry and government view risk in different ways. This often leads to disagreement on risk tolerance and risk mitigation. While policymakers focus on national security risks, businesses focus on corporate risks.

While cyber risk is one of many business risks enterprises mitigate, these resources compete against other business priorities. Meanwhile, there is a government interest in ensuring that cyberattacks do not impact national security or cause wide-scale economic damage. Also, the fact that the most advanced cyber adversaries are nation states is a national security concern.

It is not reasonable to expect companies to be able to defend themselves against cyberattacks from well-resourced nation states. However, just because an organization is not able to defend itself from the most sophisticated attacks does not mean it should not defend against less sophisticated and more common attacks.

Hacker
The economics of cybersecurity favor the attackers. Collaboration allows defenders to maximize their resources and gain more even footing to protect their companies.

Realistically, there is a limit to what companies can spend. At some point the cost is not worth the return, and it makes more sense to assume or transfer the risk. In short, the risk management calculus for industry (business risk) and government (national security risk) are different. A business may be effectively managing a threat appropriate to its business risk while government is concerned about the national security risk of that same threat.

While it is important for government to address perceived national security risks, government policy should be informed by industry subject matter expertise. Most of the food and agriculture industry is owned, operated, or managed by private industry. Industry best understands its risks, vulnerabilities, and interdependencies. This expertise needs to be included in policymaking.

Industry Guidance and Reporting Requirements

In the fall of 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) with the goal of helping companies defend against complex cyberattacks. When fully implemented, regulations developed under this law will require critical infrastructure “covered entities” –likely including food and agriculture companies—to report certain cyber incidents to DHS’ Cybersecurity and Infrastructure Security Agency (CISA). The idea is that CISA will use the information in the incident reports to better understand the threats and issue guidance to help industry and government protect themselves. CISA recently concluded a public “Request for Information” and is expected to issue the Notice of Proposed Rulemaking for implementation of this program in March 2024.

CIRCIA signifies a more aggressive regulatory approach by policymakers and is symbolic of a larger debate that has been unfolding for 20 years. That debate being: What is the best way to increase cybersecurity within private industry? Some believe regulations are needed to force organizations to take proper security measures. Others contend that regulations will divert resources from security to compliance and do little to assist small businesses who have the fewest resources and are most at risk.

Regardless, mandatory incident reporting is on its way. However, it should not be viewed as a replacement for voluntary industry action. Voluntary collaboration with industry peers will remain a core component of industry cyber risk management.

There is a long history of such collaboration. For over 20 years, the IT-ISAC has facilitated the sharing of cyber threat intelligence within the IT industry. For over a decade, it also has supported a designated forum for food and agriculture companies to actively engage with each other to mitigate cyber risks. It is the only industry-only forum of its kind established to serve food and agriculture companies.

The Food and Ag SIG reflects three core realities in cybersecurity. One is that the attackers are already sharing with each other. They are actively leveraging their individual expertise to attack for a common benefit. To keep pace, industry needs to actively share threat analysis and effective defensive mitigations.

Second, the threat landscape is too complex for any one company to defend against alone. There are too many threat actors, too many vulnerabilities, and too few resources for any one company to adequately address the threat by itself. Companies are stronger when working together.

Third, the economics of cybersecurity favor the attackers. It is more expensive to defend than it is to attack. Defenders need to maximize their resources.

A Cost-Effective Force Multiplier

The Food and Ag SIG serves as a cost-effective force multiplier by enabling companies to share active threat intelligence targeting the food and agriculture industry. By engaging with analysts from peer companies facing similar business challenges and threats, companies can reduce their vulnerability to a wide range of risks. While there are common attacks all enterprises face, the food and agriculture industry faces unique actors that utilize customized methods for specific purposes. The IT-ISAC Food and Ag SIG helps companies address this challenge through:

  • An intelligence management platform containing active threat indicators and analysis.
  • Adversary attack playbooks on over 200 threat actors, including those targeting the food and agriculture industry. These playbooks catalogue tactics, techniques, and procedures used by attackers, including how they gain access to and move through environments and actions to defend against these threats.
  • A tracker of over 250 ransomware campaigns impacting the food and agriculture industry.
  • Engagement with cybersecurity analysts from the world’s leading technology companies.
  • Member-only meetings with analysts from peer companies in the food and agriculture industry.
  • Briefings from security experts on attacks and adversaries targeting the industry.
  • Daily reporting on trending threats and vulnerabilities.
  • Vendor neutral Incident specific reporting.

Looking ahead, 2023 will continue to be an active year for cybersecurity. The skillsets of attackers continue to advance. Nation states have the intent and capability to attack private industry. There remains too much reward and too little risk for many criminal gangs. As long as the likelihood of making money remains high and the risk of getting caught remains low, we will continue to see organized cybercriminal activity such as ransomware, despite the great work of our under-resourced law enforcement professionals.

In this environment, every company needs to re-evaluate their security posture and practices. While there is no one-size fits all approach to security, there are steps companies can take to manage their risks. Engage with your industry peers. Back up data. Deploy encryption. Implement and improve patch management policies. Enable multi-factor authentication. Segment networks. Implement credential access and control policies based on an employee’s need for access and terminate such access upon employee separation. Review (or create) and test incident response and business continuity plans. Simple actions can have big results.

Voluntary industry action and active collaboration not only enhances your corporate security it makes the industry as a whole more secure. Active sharing of cyber intelligence and effective mitigations improves security and reduces the potential of disruptions within the supply chain. The voluntary actions of individual companies managing enterprise risk can indeed have the collective effect of reducing national level risk.

FSC Logo

Addressing Today’s Food Safety Challenges: Food Safety Consortium Brings Networking, Discussion and Education to New Jersey

FSC Logo

The 10th Annual Food Safety Consortium will take place in person October 19-21 in Parsippany, New Jersey. The 2022 program features panel discussions and breakout sessions that address key issues, challenges and opportunities for food safety and quality professionals.

Keynote “Leading with Science at FSIS” – Dr. Denise Eblen, Assistant Administrator, Office of Public Health Science, USDA, Food Safety & Inspection Service

The three-day consortium will open at 1:00pm on October 19. The keynote address and Q&A with Dr. Eblen of the USDA FSIS will be followed by panel discussions on the State of the Food Safety Industry, moderated by Dr. Darin Detwiler, Director of the Master of Science in the Regulatory Affairs of Food and Food Industries, Northeastern University, and Food Safety Culture: Communicating to the C-Suite, moderated by Deb Coviello, founder of Illumination Partners, followed by an opening night networking reception.

Days two and three feature panel discussions covering food safety culture, technology, supply chain and reformulation challenges and compliance concerns, as well as a presentation by Frank Yiannas, FDA Deputy Commissioner for Food Policy and Response. Attendees can join the faculty of more than 25 top-level food safety and quality professionals to discuss:

Food Safety & Quality 4.0: Data Analytics and Continuous Improvement: Jill Hoffman, Senior Director, Food Safety and Quality, B&G Foods, Gina Kramer, Director Partnerships & Learning, Center for Foodborne Illness & Prevention, OSU, and Steven Mandernach, Executive Director, AFDO

Quality & Manufacturing Efficiency: How Does Quality Show Value to the Organization? Gary Smith, Vice President of Quality Systems, Gourmet Foods and Gift Baskets, 1800FLOWERS.COM and John Butts, Founder & Principal, Food Safety By Design

Food Defense & Cybersecurity: Jason Bashura, Senior Manager, Global Defense Pepsi Co.

Diversification of Supply Chain Capacity: Trish Wester, President, Association for Food Safety Auditing Professionals, and Allison Milewski, Sr. Director, US Brand Quality, Mondelēz International

COVID-19 & Food Supply (Research Presentation): Presented by Dr. Donald Schaffner, Rutgers University and Dr. Ben Chapman, North Carolina State University

Product Reformulation Challenges: April Bishop, Senior Director Food Safety TreeHouse Foods, Peter Begg, Vice President Quality and Food Safety, Hearthside Food Solutions and Ann Marie McNamara, Vice-President Food Safety and Quality for Supply Chain, US Foods

Blending Employee Culture with Food Safety Culture: Melody Ge, FSQA Director, StarKist, Co., Mitzi Baum, CEO, STOP Foodborne Illness and Elise Forward

The Crossroads of Strategic, Tactical and Operational Planning in Food Safety Culture: Jill Stuber and Tia Glave, Co-Founders Catalyst

Biggest FSQA Challenges: Shawn Stevens, Attorney, Food Industry Counsel, Jorge Hernandez, VP, Quality Assurance, The Wendy’s Company, and Elise Forward, Founder & Principal Consultant, Forward Food Solutions

FSQA Technology: How Far is Too Far? How to properly analyze new FSQA technology before you sign the purchase order. Gary Smith, 1800FLOWERS.COM, Jorge Hernandez, The Wendy’s Company, and Peter Begg, Hearthside Food Solutions

Risk Assessment: Peter Begg, Hearthside Food Solutions, and Melanie Neumann, EVP & General Counsel, Matrix Sciences International

Audits: Blending in-person with Remote: Laurel Stoltzner, Corporate QA Manager OSI Industries, and Trish Wester, Association for Food Safety Auditing Professionals

Preparing the Next Generation of FSQA Leaders: Dr. Darin Detwiler, Northeastern University, Ann Marie McNamara, US Foods, and Dr. Don Schaffner, Rutgers University

View the full agenda.

Don’t miss out on opportunities to network with other food safety and quality professionals during the opening night reception, networking lunches and coffee breaks, and the Women in Food Safety cocktail reception on October 20.

Registration options are available for in-person and hybrid team attendance.

Event Hours

  • Wednesday, October 19: 1:00 pm – 6:30 pm (ET)
  • Thursday, October 20: 8:00 am – 7:00 pm (ET)
  • Friday, October 21: 8:00 am – 12:30 pm (ET)

Register today at foodsafetyconsortium.org.

 

Food Safety Consortium

10th Annual Food Safety Consortium Back In-Person with New Location and Focus

By Food Safety Tech Staff
No Comments
Food Safety Consortium

EDGARTOWN, MA, Feb. 23, 2022 – Innovative Publishing Company, Inc., publisher of Food Safety Tech, has announced the dates for 2022 Food Safety Consortium as well as its new location. Now in its 10th year, the Consortium is moving to Parsippany, New Jersey and will take place October 19-21.

“COVID-19’s impact on the food safety community has been significant and its impact will continue to be felt for years,” said Rick Biros, president of Innovative Publishing Company and director of the Food Safety Consortium, in his blog about the current state of the food industry. “The goal now is not to get food safety back to 2019 levels but to build it better. These issues must be discussed among peers and best practices must be shared. This year’s event will help facilitate this much needed critical thinking and meeting of the minds.”

The 2022 program will feature panel discussions and concurrent breakout sessions intended for mid-to-senior-level food safety professionals that address important industry issues, including:

  • C-Suite Communication
  • Employee Culture
  • What is the State of Food Safety and Where is it Going?
  • Audits: Blending in-person with Remote
  • Quality 4.0: Data Analytics and Continuous Improvement
  • Digital Transformation of Food Safety & Quality
  • Technology: How Far is Too Far?
  • The Days FSQA Folks Fear the Most
  • FSQA’s Role in Worker Rights and Conditions
  • Analyzing and Judging Supplier’s Human Rights and Environmental Records
  • New Trends in Food Fraud
  • Diversification of Supply Chain Capacity
  • Product Reformulation Challenges due to Supply Chain Challenges
  • Traceability
  • Preparing the Next Generation of FSQA Leaders
  • Food Defense & Cybersecurity
  • Food Safety and Quality in the Growing World of e-commerce
  • Quality Helping Improve Manufacturing Efficiency with How Does Quality Show Value to the Organization?

The event will also feature special sessions led by our partners, including the Food Defense Consortium, GFSI, STOP Foodborne Illness and Women in Food Safety.

Tabletop exhibits and custom sponsorship packages are available. Contact Sales Director RJ Palermo.

Registration will open soon. To stay up to date on registration, event keynote and agenda announcements, opt in to Food Safety Tech.

About Food Safety Tech

Food Safety Tech is a digital media community for food industry professionals interested in food safety and quality. We inform, educate and connect food manufacturers and processors, retail & food service, food laboratories, growers, suppliers and vendors, and regulatory agencies with original, in-depth features and reports, curated industry news and user-contributed content, and live and virtual events that offer knowledge, perspectives, strategies and resources to facilitate an environment that fosters safer food for consumers.

About the Food Safety Consortium

Food companies are concerned about protecting their customers, their brands and their own company’s financial bottom line. The term “Food Protection” requires a company-wide culture that incorporates food safety, food integrity and food defense into the company’s Food Protection strategy.

The Food Safety Consortium is an educational and networking event for Food Protection that has food safety, food integrity and food defense as the foundation of the educational content of the program. With a unique focus on science, technology and compliance, the “Consortium” enables attendees to engage in conversations that are critical for advancing careers and organizations alike. Delegates visit with exhibitors to learn about cutting-edge solutions, explore three high-level educational tracks for learning valuable industry trends, and network with industry executives to find solutions to improve quality, efficiency and cost effectiveness in the evolving food industry.

Food Safety Consortium Virtual Conference Series

2021 FSC Episode 8 Preview: Food Defense: Yesterday, Today and Tomorrow

By Food Safety Tech Staff
No Comments
Food Safety Consortium Virtual Conference Series

You don’t want to miss this week’s episode of the 2021 Food Safety Consortium Virtual Conference Series. The session, Food Defense: Yesterday, Today and Tomorrow, will discuss pre-FSMA IA Rule voluntary food defense programs, compliance timelines, and regulatory compliance vs. enterprise risk based approaches to food defense. Presenters will address the status of Food Defense plan quick checks and share insights on Food Defense Plan reanalysis. Participants will gain insights on threat intelligence sources and food defense-based research updates. Other topics to be covered include a brief overview of recently released insider risk mitigation reference material, cyber/IT “vulnerabilities”, critical infrastructure protection and how an all-hazards mindset to “all of the above” can help to contribute to a Food Protection Culture.

The following is the line up of speakers for Thursday’s episode, which begins at 12 pm ET.

  • Jason Bashura, PepsiCo (moderator)
  • Food Defense Yesterday with Raquel Maymir, General Mills
  • FBI HQ Perspectives of Food Defense with Helen S. Lawrence and Scott Mahloch, FBI
  • Food Defense Tomorrow with Frank Pisciotta, ASIS Food Defense & Ag Security Community and Cathy Baillie, Mars, Inc.
  • Risk-based Food Defense with Jessica Cox, Department of Homeland Security, Chemical Security Analysis Center
  • Food Defense & Supply Chain Perspectives: Regional Resilience Action Plan with Jose Dossantos, Department of Homeland Security/CISA

The Fall program runs every Thursday from October 7 through November 4. Haven’t registered? Follow this link to the 2021 Food Safety Consortium Virtual Conference Series, which provides access to all the episodes featuring critical industry insights from leading subject matter experts!

FDA

FDA Launches Office of Digital Transformation

By Food Safety Tech Staff
No Comments
FDA

Taking a step further in prioritizing technology and data modernization efforts, today the FDA announced the launch of a new Office of Digital Transformation. The office realigns the agency’s information technology, data management and cybersecurity roles into a central office that reports directly to the FDA commissioner. The reorganization will also help FDA further streamline its data and IT management processes, reducing duplication of processes, and promote best practices, technological efficiencies and shared services in a strategic and secure way.

“Good data management, built into all of our work, ultimately helps us meet and advance the FDA’s mission to ensure safe and effective products for American families,” said Acting FDA Commissioner Janet Woodcock, M.D., in an FDA news release. “The agency began these efforts because, as a science-based agency that manages massive amounts of data to generate important decisions and information for the public, innovation is at the heart of what we do. By prioritizing data and information stewardship throughout all of our operations, the American public is better assured of the safety of the nation’s food, drugs, medical devices and other products that the FDA regulates in this complex world. This reorganization strengthens our commitment to protecting and promoting public health by improving our regulatory processes with a solid data foundation built in at every level.”