The US Department of Justice put the food and agriculture sector on notice that companies need to beef up cybersecurity or risk attacks that could hobble their business and affect the critical infrastructure responsible for the US food supply.
In a Private Industry Notice (PIN) published Sept. 1, the FBI warned that cybercriminals are increasingly targeting the sector with ransomware and other attacks. Citing an unnamed private industry report, the notice stated that the increased use of automation in the food and agriculture sector has boosted the number of potential weak points that attackers could exploit.
"Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants," the advisory stated. "Cybercriminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems."
In 2020, attacks against the food and agriculture industry jumped more than sixfold, vaulting the industry into seventh most targeted industry, according to telemetry data from security firm Malwarebytes. The industry will likely rise a few more places in the list: In the first three months of 2021, attacks continued to increase, rising a more modest 36%, the company said.
Malware detections, 2019 vs. 2020
Source: Malwarebytes' 2021 State of Malware Report
At the end of May, the REvil gang infected meat producer JBS USA with ransomware, extracting an $11 million payment from the company for the keys to decrypt its systems.
While many ransomware attacks — increasingly driven by ransomware-as-a-service schemes and their affiliates — chase the targets that are easiest to exploit, attackers are also looking at companies that rely on automated operations that, if taken down, will force the company to pay, says Adam Kujawa, director of Malwarebytes Labs.
"[T]he next phase of ransomware chaos is going to involve the targeting of organizations that have automated, operational systems," he says. "For these organizations, stealing some data probably won’t stop them from making money, but if you’re able to hijack and stop their production systems, machinery, etc., then you have a situation where every hour that goes by that the systems stay down, more and more [money] is lost for the organization."
The DoJ Private Industry Notice highlighted the attack against JBS, without naming the company but providing details specific to the incident. Officials also described an attack against a US bakery company in July, a US beverage company in March, and a US farm in January. In all cases, the victim company's operations had been disrupted by the attack, the FBI stated in the advisory.
The DoJ notice called for companies to regularly back up their data, test those backups, and confirm that they are able to recover from their backups. In addition, the PIN recommended a number of commonsense hardening measures, such as two-factor authentication, network segmentation, regular patching, and disabling any remote access to systems.
Industrial firms should also keep their information and operations systems separate and recognize that even separate systems can cause disruptions within scope of the other. The attack on oil and gas transport network Colonial Pipeline, for example, did not reach its operational network but disrupted the billing system. In effect, the company could still deliver gas but could no longer determine who bought how much.
Because many companies, farms, and factories are still in the early days of automation, they are even more vulnerable, says Malwarebytes' Kujawa.
"As mentioned in the ... alert, many of these types of organizations could still be in the process — or haven’t begun yet — of digitizing their operations, which leaves them very vulnerable to attacks before they can even get their security up and running," he says. "This is another likely reason for an increase against these organizations."
The supply chain for the sector also has to be wary. A group of vulnerability researchers claimed they had access to John Deere & Co.'s operations center, which allowed them to collect data on the company's farm customers and gave them the "keys to the kingdom," according to a discussion that Malwarebytes reportedly had with the researchers.
While at least one of the attacks first breached the systems of a managed service provider (MSP), Malwarebytes' Kujawa recommended that companies make use of MSPs if they do not have the skill to implement commonsense security measures.
"Although we have seen some MSPs be used by attackers as a way to infect lots of companies at once," he says, "for the small business, it’s still a better way to go than trying to do security yourself, without the budget or know-how."