The food and agriculture industry hasn’t traditionally been mentioned as a cybersecurity target like the banking, energy, and healthcare industries, which have been (and continue to be) hit hard by ransomware and other threats, resulting in millions of dollars lost, and in some cases the closure of facilities due to the financial impact of those incidents.
But recent attacks to brands like JBS, Schreiber Foods, Sysco, Dole, and others, has prompted an updated version of the food and agriculture information sharing and analysis center (Food and Ag-ISAC) which originally existed from 2002 to 2008, but was discontinued due in part to a lack of interest by companies to participate and share information with each other.
More than a decade later, it’s clear the food and agriculture industry is in the crosshairs of cybercriminals, so the 2023 version of the Food and Ag-ISAC—which launched a few weeks ago—operates as its own entity and not a subgroup, and has the initial backing of food giants Bunge, Cargill, Conagra, Corteva, PepsiCo, and Tyson.
|See how cyberattacks in food manufacturing can impact the supply chain.|
Those at the Food and Ag-ISAC say the organization provides curated threat intelligence so companies can identify attacks, incidents, and threat indicators enabling them to share and deploy effective mitigations to protect their companies and the entire food and agriculture sector. The Food and Ag-ISAC is the only information-sharing group dedicated to serving the food and agriculture industry, where connectivity and technology are increasingly integrated into that sector.
We sat down with Scott Algeier, executive director of IT-ISAC, to find out why the Food and Ag-ISAC was resurrected and given a prominent place under the IT-ISAC umbrella in 2023, and what has changed in food and agriculture cybersecurity since 2008.
PROFOOD WORLD: Why is the time right to bring back the Food and Ag-ISAC?
ALGEIER: Having a special interest subgroup within the IT-ISAC isn’t the same as having a designated ISAC for the food and agriculture industry. Over the last 18 months, there’s been increased recognition by the food and agriculture sector that they were one of the few without a designated ISAC. Within member companies we have seen renewed interest, so we figured this was a good time to launch a Food and Ag-ISAC and grow it with a focus on sustained success this time.
Today’s Food and Ag-ISAC is starting with sensibilities already in place from the previous version. We have a strong core of member companies who are significant industry players and are adopting it, and they’ve already been engaging with each other for over a decade. Some of those growing pains the first ISAC had, like trying to build trust with members and trying to build capabilities to help them, I think we’ve overcome those. Today, we already have capabilities, we already have trust, and we already have analysis. We’re not starting from scratch, we’re building off of a solid foundation.
PFW: Let’s say one of today’s member companies experiences a cyberattack. How does the Food and Ag-ISAC become involved?
ALGEIER: The model that we have is food companies will be the primary responders to the incidents. They’re the ones who are responsible for identifying the incident and managing containment during the incident response, but [with Food and Ag-ISAC] they have a community of analysts within the industry that help them. They have various methods through setting up meetings, secure checks, email listservs, regularly scheduled meetings, contacting the operations team, and contacting companies individually that they’ve been working with through the ISAC. They can communicate with each other: “We’re seeing this. We’re not sure what it is. Is this familiar to you? Have you seen this before?”
We also have adversary attack playbooks on multiple threat actors they can consult, and we have ransomware trackers they can view. If a company is victimized from a ransomware campaign, we have a tracker that can help them identify indicators within our intelligence management platform that correlates to other incidents. We also think that by sharing this information ahead of incidents that it increases the chance companies will be able to manage these risks. And if they do become a victim, they’ll be able to recover more quickly because of the total capabilities we offer them.
PFW: Generally speaking, why would a food company be targeted for a cyberattack?
ALGEIER: I think different actors have different motives. Why would they attack an oil and gas company or a health care company? Some cybercriminals are looking for money, and some nation/state actors are looking for intellectual property. Of course, there’s always the possibility that critical infrastructure can be targeted by a nation/state for disruption.
|See how cyberattacks are impacting the food manufacturing industry post-pandemic.|
I think the food and agriculture industry is like most other critical infrastructure sectors, which is you have larger enterprises with more resources that are generally better able to defend themselves than the smaller enterprises with fewer resources. And one of the goals that we have within our Food and Ag-ISAC is to help increase the security level of those smaller enterprises, so we can drive secure practices back to them and they can elevate their defenses and improve their mitigation and incident response.
PFW: Does each Food and Ag-ISAC company monitor their cybersecurity using their own equipment, or is there some level of standardization of tools to make it easier for members to communicate with each other?
ALGEIER: Not everyone is using the same equipment and not everyone uses equipment in the same way. They have their own risk management plans, they deploy tools, technologies, and response plans. They make their own security investments based on what they think is right for their company.
We do provide a toolset they can plug into and we have our intelligence management platform they can plug their security tools into so they can get the indicators that we’re seeing and uploading that other member companies are seeing. And then through this platform, companies will be able to pull those indicators from the platform into their security tools. So, there is a common technology that we all leverage through the IT-ISAC for indicator sharing. But once you get into the enterprises, the companies make their own investments on security and technology tools they deploy internally.
PFW: Are there plans to have a Food and Ag-ISAC annual meeting for member companies to check in with each other in person?
ALGEIER: We’re working towards annual meetings, but we currently have virtual meetings every other week where the analysts from the member companies come together to talk about what new threats they’re seeing, what they’re monitoring, what potential vulnerabilities have announced, how that’s impacting them, and how they’re mitigating them. We also have other ways our members communicate between meetings like secure chat listservs.
PFW: Was there anything you wanted to add or something we missed?
ALGEIER: We’re really excited about the great feedback we’ve received and the support we have from the industry, our policymakers, transportation partners, and the food and agriculture industry, who really are supportive of the Food and Ag-ISAC mission and our common desire to defend this critical infrastructure. We look forward to working together to protect each other and the industry as a whole. I think it’s an exciting time for the industry, and it’s great they now have an industry lead forum to help manage risk.