Cybersecurity has become a hot-button issue among all companies, especially meat processors, in the wake of cyberattacks over the last few years. The JBS cyberattack that occurred in late May garnered national attention well outside the agriculture news channels.
John Hoffman, a senior research fellow at the Food Protection and Defense Institute at the University of Minnesota, said there are some strategies industry leaders should consider to protect their information.
The industry is changing quickly, but many legacy systems are still being used in the beef supply chain. At the same time, more automation elements are being added to the plant leaving more accessibility to information systems within companies. Hoffman believes working to shore up both facility elements is what businesses must invest in right now.
“We don’t have enough compartmentalization,” Hoffman said. “People tend to look at these information systems purely from the convenience standpoint, wanting to be able to access anything in the company, anytime, from anywhere – you can’t have that. If you have that broad of connectivity, somebody is going to find a way into it. If you compartmentalize your system, then it makes it difficult for somebody to get in one part of the company and get to another part of the company.”
Hoffman emphasized the need for companies to require two- and three-factor identifications to log onto company servers.
Hoffman also stressed updates to current operating systems. He said obsolete operating systems are what make the food manufacturing floor vulnerable. Even with buy-in on cybersecurity from employees and companies, parts of the federal government also need to be involved in prominent intelligence aspects of attacks.
“If you can reasonably foresee these cyberattacks and this threat, then you need to take steps to limit the risk to the company, to the products and your consumers against what might happen,” Hoffman said. “But the truth is companies cannot do that by themselves. They need the resources of the government, intelligence, and law enforcement services. I think to do a better job of keeping them informed, there needs to be a much tighter partnership on exchanging information about what could be at risk versus what the threat is and what that threat might generate as a risk against some vulnerability in the company’s cyber systems.”
Hoffman said all companies need to think about coming up with a strategy to deal with ransomware attacks, just like they need other safety protocols in the plant.
“They have to be treated like any other safety hazard in the food world,” Hoffman said. “And the preventive controls and rules need to apply to cyber just like they do everything else on that food processing line.”
This leaves companies needing to secure the systems inside the facilities and work with everyone along the food supply chain.
Hoffman sees the next step as building trust and buy-in across the private and public sectors. The subject of ransomware is broad and complex, so any resource is necessary for all parts of the infrastructure to be successful.
“One of the problems is that big companies have a lot more resources, they can spend money in this arena,” Hoffman said. “Smaller companies don’t have the resources. If there aren’t standards in regulation about what minimum things need to be done, some people aren’t going to do it.”
More regulation and standards could soon be coming from the federal government. Recently, Senators Marco Rubio (R-Fla.) and Diane Feinstein (D-Calif.) introduced the bipartisan Sanction and Stop Ransomware Act. One of the steps the bill would take includes developing cybersecurity requirements for critical infrastructure entities consistent with existing federal regulations and the National Institute of Standards and Technology. The bill also wants all parts of the infrastructure, public or private, to report the discovery of ransomware operations within 24 hours.
Other sections of the legislation include propose imposing sanctions on state-sponsored attacks and regulate cryptocurrency exchanges to reduce the anonymity of accounts in specific attacks.
“Our bipartisan bill provides the tools necessary to help safeguard critical infrastructure while discouraging and disrupting these criminal organizations, including the regimes who harbor them,” Rubio said. “It is time for the United States to take strong, decisive action to protect American businesses, infrastructure, and government institutions.”
Even with government laying out some concrete steps, there are endless scenarios that IT and defense personnel must prepare for in the future, including attacks that will crossover to different parts of the infrastructure like water systems. That’s why Hoffman stressed these points more than anything.
“We need to improve log-in credentials, and how credentials are used for two- and three-factor authentication for coming in,” Hoffman said. “We need better education of employees to prevent them from being susceptible to phishing emails and extortion via email and those kinds of things. That has to be addressed. And we need better intelligence sharing back and forth between the government and the companies to begin to interdict some of this. By having better information, you get better information, and you can take better defensive steps.”