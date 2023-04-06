



Just-in-time logistics means that even short-term cyberattacks can have serious consequences. Hacks that disrupt fertilizer or pesticide production can force farmers to interrupt planting seasons. Violations at meatpacking plants can lead to destabilizing supply shortages. Tampering with a food processing business can lead to deadly contamination. Already, ransomware attacks that forced businesses to shut down for a week have left schools without milk, juice and eggs, according to Sachs.

A major disruption in this sector leads to immediate public health and safety concerns, says Mark Montgomery, who served as executive director of the Cyberspace Solarium Commission.

Despite being increasingly vulnerable, says Sachs, the food and agriculture sector still doesn’t really understand the threat mindset, nor do higher-profile sectors, such as financial services and energy.

Critical businesses, limited support

Today, food and agriculture is one of four critical infrastructure sectors (out of 16) without an ISAC, along with dams, government facilities, and nuclear reactors and materials.

The food and agriculture sector was one of the first to launch such a center in 2002, but it was dissolved in 2008 because few companies were sharing information through it. Members feared that such openness would undermine their competitive advantages and expose them to regulatory action. Now, Sachs says, companies are concerned that sharing information with each other could result in antitrust lawsuits, even if such collaboration is legal.

Select companies participate in a Food and Agriculture Special Interest Group (SIG) housed within IT-ISAC, which gives them access to data and analytics from some of the world’s largest technology companies, as well as resources such as playbooks for taking on specific pirate groups.

Our work with industry has really expanded over the past three years or so, says Scott Algeier, Executive Director of IT-ISAC. During the same period, IT-ISAC recorded 300 ransomware attacks in the food and agriculture sector.

But GIS offerings are limited, argues Sachs. It does not organize regular large-scale exercises simulating attacks on food and agricultural companies, does not have a 24/7 monitoring center that constantly monitors the infrastructure of these companies (as well as related events such as extreme weather and supply chain disruptions), and cannot automatically generate information and alerts by comparing classified government intelligence with data from sensors inside this infrastructure. I appreciate everything Scott does there, says Sachs. It is a very good thing. But it is not an ISAC.

Algeier says IT-ISAC has held exercises focused on the food and agriculture sector and members can contact us 24/7 if needed.

But the industry needs its own ISAC that can analyze the threat and provide a real operational assessment, says Brian Harrell, former deputy director of infrastructure security at the US Cybersecurity and Infrastructure Security Agency (CISA).

Pfluger says, Many people I’ve spoken to think there needs to be a dedicated ISAC.

Businesses also need more support from the federal government.

The US Department of Agriculture, the industry sector risk management agency, is significantly less effective than other SRMAs, Montgomery says. The USDA doesn’t even have dedicated funding for its security support, which includes biannual industry meetings, weekly threat bulletins, and occasional town hall meetings.

