Reports of cyberattacks targeting the food and agriculture sector increased in mid-2021, disrupting operations and highlighting vulnerabilities across the attack surface. At the onset of harvest season, Crystal Valley and NEW Cooperative became the latest victims of ransomware attacks, which will most likely increase in frequency and negatively impact the food supply chain. Considered one of the 16 Critical Infrastructure and Key Resources (CIKR) sectors, the food and agriculture sector comprises an estimated 2.1 million farms (9,900 of which are in New Jersey), 935,000 restaurants, and more than 200,000 registered food manufacturing, processing, and storage facilities, accounting for roughly one-fifth of the nation's economic activity. New IT systems, such as connected farm equipment, irrigation, drones, and satellites, are continuously in development to increase production and efficiency. As the sector moves to adopt more smart technologies and internet of things (IoT) devices, security gaps are exposed and the attack surface increases. Secondary and tertiary effects of ransomware attacks may impact businesses across both the nation and local regions, from small farms to large producers, processors, manufacturers, storage facilities, logistics, port facilities, and restaurants. Additionally, disruption in the supply chain may cause spoilage or shortages, eventually contributing to higher prices felt by consumers. Threat actors likely pivoted to targeting food and agriculture over other industries, such as automotive and manufacturing, which were heavily impacted economically due to pandemic fallout. Furthermore, recent technological advances coupled with novice users create a low barrier to entry, making the industry an appealing target to threat actors.
Cyberattacks against the food and agriculture sector increased 607 percent in 2020 according to Malwarebytes, making it the seventh most targeted industry. Attacks continued to increase, rising another 36 percent during the first quarter of 2021. The Federal Bureau of Investigation (FBI) recently released a Private Industry Notification (PIN 20210901-001) cautioning the sector about ransomware attacks. Ransomware victims often suffer significant financial loss from extortion payments and remediation costs, with subsequent losses of revenue, productivity, and reputational damage. Companies may also experience the loss of data, including proprietary information and personally identifiable information (PII). Many across the industry indicate the need for dedicated intelligence sharing and representation, including updated response plans, as the most recent National Infrastructure Protection Plan (NIPP) Food and Agriculture Sector-Specific Plan has not been updated since 2015. The IT-ISAC currently operates the Food and Agriculture Special Interest Group in order to facilitate collaboration and information sharing. More information and additional resources can be found on the websites of the Department of Agriculture and the Department of Health and Human Services, the designated co-sector risk management agencies for the food and agriculture sector.
Notable cyberattacks targeting the food and agriculture sector include:
- January 2021: A ransomware attack against an identified US farm resulted in losses of approximately $9 million due to the temporary shutdown of their farming operations.
- March 2021: A US beverage company suffered a ransomware attack that caused significant disruption to its business operations, including its operations, production, and shipping.
- May 2021: Sodinokibi/REvil ransomware compromised computer networks of JBS, a global meat processing company with locations in the US and overseas, which resulted in the exfiltration of company data and the shutdown of some US-based plants.
- July 2021: A US bakery company lost access to their server, files, and applications, halting their production, shipping, and receiving as a result of Sodinokibi/REvil ransomware which was deployed through software used by an IT support managed service provider (MSP). The bakery company was shut down for approximately one week, delaying customer orders and damaging the company’s reputation.
- August 2021: In less than 48 hours, a research and penetration testing group of fewer than 10 people was able to gain root access to John Deere’s Operations Center, which connects to all third-party connectivity services. This provided the penetration testers access to all farms’ digitally connected data, water supplies, and irrigation, and was considered the “keys to the kingdom.”
- September 2021: NEW Cooperative, which offers feed and grain, fertilizer, and other crop protection services to Iowa farmers, suffered a BlackMatter ransomware attack demanding $5.9 million. Another ransomware attack occurred within the same week targeting Crystal Valley Cooperative, which services over 2,500 farms throughout Minnesota and Iowa, interrupting daily operations.
Recommendations:
- Regularly back up data, air gap, and password protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.
- Implement network segmentation.
- Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, and secure location (e.g., hard drive, storage device, the cloud).
- Establish, test, and update incident response (IR) and continuity of operations (COOP) plans.
- Install updates/patch operating systems, software, and firmware as soon as they are released.
- Use multi-factor authentication (MFA) where possible.
- Use strong passwords. Regularly change passwords to network systems and accounts, implementing the shortest acceptable timeframe for password changes. Avoid reusing passwords for multiple accounts.
- Disable unused remote access/RDP ports and monitor remote access/RDP logs.
- Require administrator credentials to install software.
- Follow the principle of least privilege and audit user accounts with administrative privileges.
- Install and regularly update anti-virus and anti-malware software on all hosts.
- Only use secure networks and avoid using public Wi-Fi networks. Consider installing and using a VPN.
- Consider adding an email banner to messages originating outside your organization.
- Disable hyperlinks in received emails.
- Focus on cybersecurity awareness and training. Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities (e.g., ransomware and phishing scams).