Ransomware made up more than half of the cyber attacks against the sector in 2023. The sector’s dependence on “just in time” delivery of products and services makes such disruptions particularly damaging. Most ransomware groups that hit the sector appear to be indiscriminately striking any target they can, rather than specifically homing in on food and agriculture. But sometimes attackers seem to understand how to exploit the industry’s particular workings to cause extra pain: for example, in recent years, ransomware attackers hit several grain co-ops right during the fall harvest.
Some disruptions could be harmful to human health, too. Attacks that compromise an industrial control system could change how chemicals are handled, or they could alter the temperature and pressure at which food is maintained, resulting in tainted products, Braley said.
Nation-state actors have been eyeing the sector, too, and were responsible for more than a quarter of the attacks hitting it. Often, these actors seek to steal intellectual property so they can piggyback on a victim’s research and development, sparing themselves the time and investment. But Braley also expects to see food and agriculture targeted for disruption or destruction as geopolitical tensions rise, similar to nation-state activities around water and energy.
Cyber criminals using methods other than ransomware made up 15 percent of the 2023 attacks. These included phishing campaigns, business email compromise and other methods to steal employee credentials, get paid for fraudulent invoices or get employees to download malicious files. Just a small portion of attacks — 4 percent — were ideologically driven. This “hacktivism” category included some actors associated with nation states, too, such as the Iran-linked CyberAv3ngers group that hacked programmable logic controllers to protest Israel.
The ISAC found attackers often deployed phishing to trick employees, used legitimate tools found on victims’ systems to hide their tracks and maintained long-term access on compromised machines, all the while stealthily siphoning off data.
Segmenting operational technology is important for organizations in the space, as they often cannot immediately halt equipment’s operations to apply fixes for new vulnerabilities and may instead need to schedule patching around production activities and vendors’ availability to help. Good cyber hygiene can help, too. Examples include making offline backups, monitoring essential systems for vulnerabilities, applying multifactor authentication, training employees on phishing, signing up for threat alerts and testing incident response plans.
The food and agriculture sector has drawn federal attention, too. Earlier this year the Cybersecurity and Infrastructure Security Agency (CISA) made the sector a focus of Cyber Storm, a biennial, multiday tabletop exercise that draws together participants from state and federal government, the private sector and international partners. The exercise helps organizations vet their incident response processes and security measures, and see how well collaboration and information sharing are working across groups.
The April tabletop simulated scenarios in which fictitious attackers exploited misconfigured cloud services, and CISA’s September after-action report details lessons learned.
In part, the Cyber Storm event revealed that organizations didn’t always understand which aspects of securing their cloud environments were their responsibilities and which were their cloud service providers’. The exercise also showed a need to update incident response plans, especially plans for how to handle communications and who to contact during an event.
CISA also found some issues with how the federal government shares sensitive threat information — or, at least, issues with how that sharing was perceived. Those findings can help inform new approaches, coming at a time when the federal government is assessing the effectiveness of how it currently handles information sharing.
One problem was that while many participants found federally shared intelligence valuable, some from state government and critical infrastructure believed that the federal government didn’t trust them enough to share sensitive information, even with personnel who had security clearances or were otherwise vetted. Many participants wanted to see the federal government share more information, more quickly, and streamline how it determines the sensitivity of information.
The after-action report also found organizations may avoid complying with required incident reporting because they face no penalties for skipping it. They also often don’t receive enough follow-up communication after reporting to show them the benefits of doing so. More communications, and a streamlined reporting process, could help.