On November 10, the White House released a National Security Memorandum (NSM) aimed in part at improving cybersecurity within the food and agriculture sector. The NSM contains a clear message: “The evolving threat environment requires the sector and its essential workforce to better prepare for and respond to incidents with broad impacts on our national and economic security.” If cybersecurity was not a priority for your organization in 2022, it should be one in 2023.
The food and agriculture industry has benefited greatly by incorporating technology into core business functions, which makes the industry more efficient. Farmers now provide more food on less land thanks in part to precision agriculture. A complex, interconnected logistics system—propelled by information technology—enables just in time delivery of product. But this interconnectedness creates risk that needs to be managed. Even if an adversary may not intend to disrupt the food supply chain, a short disruption can quickly rise to a national security concern.
This is the impetus behind the NSM: There is a national security interest in ensuring the integrity and resilience of the global food supply chain. Addressing these threats, however, requires individual action by an untold number of companies. Many of these companies operate on small margins and lack resources to understand the or mitigate cyber risks.
The cyberthreat environment is complex and ever changing. Nation state actors seek core intellectual property and other proprietary information. Social activists launch campaigns aimed at disrupting access to public-facing Internet sites. Mis- and disinformation spreads through social media channels.
Organized cybercriminal gangs are motivated by money. Often, the victim is not necessarily the intended target. But sometimes the food and agriculture industry is targeted specifically. On December 12, the FBI, CISA, the FDA and the Department of Agriculture issued a public advisory warning of Business Email Compromise attacks, demonstrating the financial loss attacks can cause.
Developing a Common Approach to Cyber Risks
Developing a common approach to defend against these threats is challenging since industry and government view risk in different ways. This often leads to disagreement on risk tolerance and risk mitigation. While policymakers focus on national security risks, businesses focus on corporate risks.
While cyber risk is one of many business risks enterprises mitigate, these resources compete against other business priorities. Meanwhile, there is a government interest in ensuring that cyberattacks do not impact national security or cause wide-scale economic damage. Also, the fact that the most advanced cyber adversaries are nation states is a national security concern.
It is not reasonable to expect companies to be able to defend themselves against cyberattacks from well-resourced nation states. However, just because an organization is not able to defend itself from the most sophisticated attacks does not mean it should not defend against less sophisticated and more common attacks.
Realistically, there is a limit to what companies can spend. At some point the cost is not worth the return, and it makes more sense to assume or transfer the risk. In short, the risk management calculus for industry (business risk) and government (national security risk) are different. A business may be effectively managing a threat appropriate to its business risk while government is concerned about the national security risk of that same threat.
While it is important for government to address perceived national security risks, government policy should be informed by industry subject matter expertise. Most of the food and agriculture industry is owned, operated, or managed by private industry. Industry best understands its risks, vulnerabilities, and interdependencies. This expertise needs to be included in policymaking.
Industry Guidance and Reporting Requirements
In the fall of 2022, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) with the goal of helping companies defend against complex cyberattacks. When fully implemented, regulations developed under this law will require critical infrastructure “covered entities” –likely including food and agriculture companies—to report certain cyber incidents to DHS’ Cybersecurity and Infrastructure Security Agency (CISA). The idea is that CISA will use the information in the incident reports to better understand the threats and issue guidance to help industry and government protect themselves. CISA recently concluded a public “Request for Information” and is expected to issue the Notice of Proposed Rulemaking for implementation of this program in March 2024.
CIRCIA signifies a more aggressive regulatory approach by policymakers and is symbolic of a larger debate that has been unfolding for 20 years. That debate being: What is the best way to increase cybersecurity within private industry? Some believe regulations are needed to force organizations to take proper security measures. Others contend that regulations will divert resources from security to compliance and do little to assist small businesses who have the fewest resources and are most at risk.
Regardless, mandatory incident reporting is on its way. However, it should not be viewed as a replacement for voluntary industry action. Voluntary collaboration with industry peers will remain a core component of industry cyber risk management.
There is a long history of such collaboration. For over 20 years, the IT-ISAC has facilitated the sharing of cyber threat intelligence within the IT industry. For over a decade, it also has supported a designated forum for food and agriculture companies to actively engage with each other to mitigate cyber risks. It is the only industry-only forum of its kind established to serve food and agriculture companies.
The Food and Ag SIG reflects three core realities in cybersecurity. One is that the attackers are already sharing with each other. They are actively leveraging their individual expertise to attack for a common benefit. To keep pace, industry needs to actively share threat analysis and effective defensive mitigations.
Second, the threat landscape is too complex for any one company to defend against alone. There are too many threat actors, too many vulnerabilities, and too few resources for any one company to adequately address the threat by itself. Companies are stronger when working together.
Third, the economics of cybersecurity favor the attackers. It is more expensive to defend than it is to attack. Defenders need to maximize their resources.
A Cost-Effective Force Multiplier
The Food and Ag SIG serves as a cost-effective force multiplier by enabling companies to share active threat intelligence targeting the food and agriculture industry. By engaging with analysts from peer companies facing similar business challenges and threats, companies can reduce their vulnerability to a wide range of risks. While there are common attacks all enterprises face, the food and agriculture industry faces unique actors that utilize customized methods for specific purposes. The IT-ISAC Food and Ag SIG helps companies address this challenge through:
- An intelligence management platform containing active threat indicators and analysis.
- Adversary attack playbooks on over 200 threat actors, including those targeting the food and agriculture industry. These playbooks catalogue tactics, techniques, and procedures used by attackers, including how they gain access to and move through environments and actions to defend against these threats.
- A tracker of over 250 ransomware campaigns impacting the food and agriculture industry.
- Engagement with cybersecurity analysts from the world’s leading technology companies.
- Member-only meetings with analysts from peer companies in the food and agriculture industry.
- Briefings from security experts on attacks and adversaries targeting the industry.
- Daily reporting on trending threats and vulnerabilities.
- Vendor neutral Incident specific reporting.
Looking ahead, 2023 will continue to be an active year for cybersecurity. The skillsets of attackers continue to advance. Nation states have the intent and capability to attack private industry. There remains too much reward and too little risk for many criminal gangs. As long as the likelihood of making money remains high and the risk of getting caught remains low, we will continue to see organized cybercriminal activity such as ransomware, despite the great work of our under-resourced law enforcement professionals.
In this environment, every company needs to re-evaluate their security posture and practices. While there is no one-size fits all approach to security, there are steps companies can take to manage their risks. Engage with your industry peers. Back up data. Deploy encryption. Implement and improve patch management policies. Enable multi-factor authentication. Segment networks. Implement credential access and control policies based on an employee’s need for access and terminate such access upon employee separation. Review (or create) and test incident response and business continuity plans. Simple actions can have big results.
Voluntary industry action and active collaboration not only enhances your corporate security it makes the industry as a whole more secure. Active sharing of cyber intelligence and effective mitigations improves security and reduces the potential of disruptions within the supply chain. The voluntary actions of individual companies managing enterprise risk can indeed have the collective effect of reducing national level risk.