COVID-19, the Food Supply, and Cybersecurity: Coalescing Concerns
COVID-19 dramatically disrupted the food supply, but we must be prepared to tackle new kinds of disruptions in the future.
The COVID-19 pandemic should be viewed as a model of how national decision-makers, particularly in the U.S., responded to a monumental-scale crisis. Within this view, there are transcendent lessons to be learned and discoveries to be found by analyzing U.S. leadership's response. National decision-makers should accept the likelihood of another, similar national crisis.
The pandemic dramatically disrupted the food supply. In the short to medium term, many of the same decision-makers that were in place during the start of the pandemic could be in the same positions when the next crisis unfolds. How they reacted to COVID-19 may serve as a portent of how they will react again, particularly if lessons were not learned and adjustments not made.
This article seeks to explain the transcendent lessons of this national emergency, with the hope that being aware of them will help decision-makers better prepare for next time. Our food systems, like the larger supply chain, will be challenged in the future with new kinds of disruptions, making it essential that mistakes are not repeated and that proactive, correct solutions are discovered, and preparations made now.
Transcendent Lessons Learned
Among the transcendent lessons learned from U.S. leadership's response to the COVID-19 pandemic emerge seven key issues. The challenges and weaknesses exposed by these issues must be addressed if the U.S. is to successfully handle another national crisis of a similar magnitude.
- Lesson 1. We do not deal well with national-scale disruptions. The U.S. generally responds well to local and even occasional, large-scale regional crises, such as hurricanes. Part of the reason we do not deal well with national-scale emergencies may be that our nation has had so few. This pandemic surprised us because we were not prepared for it on a national level. Disruptions on the national scale will do just that, translating to inevitable delays of needed federal resources and emergency funding. Bureaucracies are slow, but emergencies are rapid. In future disruptions, assume and therefore plan to initially be on your own—perhaps even for weeks or months. Visit the Ready.gov page for businesses for more information on being prepared.
- Lesson 2. The U.S. lacks resiliency in both government and business. The nation discovered this issue during the pandemic, but so too did its adversaries. This deficiency is, in fact, a seriously complex and dispersed set of vulnerabilities that can be made into many exploitable elements, should an adversary ever choose to utilize them. Our adversaries know our weaknesses. By becoming more robust, we neutralize, mediate, and counteract their ability to exploit them. Visit the Cybersecurity and Infrastructure Security Agency (CISA) webpage for sector-specific plans and resources for protecting the critical food and agriculture sector.
- Lesson 3. Decision-makers and planners knew the potential risks, but did not adequately plan and prepare for the inevitabilities. Before the COVID-19 pandemic, for instance, the medical community was not adequately strengthened to fully respond to the scale of illness and death. In the future, do not ignore probabilities. Plan for them.
- Lesson 4. When it comes to solutions, one size does not fit all. Large cities were found to be particularly prone to failures, while smaller communities did better. Part of the reason was reflective of population differences. More people equaled more total cases. Fewer people meant fewer total cases. However, this does not account for everything that happened. Local solutions often were found to work best, since they accounted for the local nuances. A top-down approach did not work. The best solutions occurred when local decision-makers were empowered, rather than discouraged, from making decisions. In future disruptions, seek local solutions first.
- Lesson 5. In the midst of the disruption, the usual problems continued. Multitasking is critical to survival. Although the medical system desperately needed to focus on COVID-19, none of the routine medical emergencies disappeared. Babies were still being born, and people were still suffering from heart attacks, cancer, and life-altering accidents. Being so focused on one disease, the medical community across the nation struggled with multitasking. In the midst of the next national disruption, routine emergencies will not disappear. Surviving escalating emergencies in the future will require multitasking on a grander scale, and the right people to do it.
- Lesson 6. Cascading effects occurred. Before COVID-19, many people failed to anticipate that restaurant and school lunch closings would cause a backup in food processing, warehousing, and even production. Decision-makers in business and government did not have a unified continuity-of-effort plan, nor did they have a means to buttress local economies, which are the backbone of the national economy. Winners and losers often were chosen by political leaders, as they identified and prioritized "essential businesses." As a result, thousands of restaurants and other small businesses permanently shuttered across the country because they could not adapt to the massive changes (Figure 1). In the future, those that have the most flexible business continuity plans will be more likely to survive. The Federal Emergency Management Agency (FEMA) offers a comprehensive brochure with information on Continuity of Operation plans.
- Lesson 7. People remain the weakest link. Food processing was prioritized as essential, but the industry still struggled—particularly in meat and poultry processing—because of the reliance on manual labor over automation. Before COVID-19, incentives for automation were not sufficient to inspire large-scale changes across the industry, since the continued utilization of people was often cheaper than substantial investment in new equipment, processes, and facilities. COVID-19 changed that paradigm, but it is not yet clear for how long. After the pandemic, will automation continue to increase in meat and poultry processing? Time will answer that question. For the future, continuity of business planning must consider the loss of people, processes, equipment, and facilities as potentially equally impactful.
FIGURE 1. Many Restaurants and Small Businesses were Forced to Close During the Pandemic
Preparing for Future Threats and Disruptions
Think for a moment if a different national-scale disruption had occurred instead of a pandemic. Being transcendent lessons, the above insights also apply to other kinds of threats, including those that occur in food processing, its systems, food safety, or food defense programs.
The U.S. is under continuous attack by adversaries, both microbial and human, that are seeking to exploit our vulnerabilities. Increasingly, threats are being realized, and food corporations are just as vulnerable to cyberattacks as other business sectors. Food companies have seen such a significant recent escalation in the number and severity of attacks that the Federal Bureau of Investigation (FBI) issued a Private Industry Notification, "Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attacks," in September 2021 [1].
Future disruptions, particularly at the national scale, are likely to be multi-faceted. Future disruptions may, on occasion, be made more complex if naturally occurring events (e.g., earthquakes, hurricanes, and floods) are intentionally coupled with attacks by malign actors. Hidden single points of failure are common in this interconnected world. When disruptions occur, they are often rapidly dispersed both temporally and spatially, creating their cascading character. In other words, in the future, bad will likely be layered upon bad.
Distractions will likely be present in abundance. Distractions can cause perceptions to change, creating further crises when attention is diverted away from the heart of the problem. Emergencies often create a tunneling effect on the perception of threats.
Future disruptions will require leaders to remain calm and focused, meaning that government and business decision-makers will need to be trained to deal with chaos and ambiguity in much the same way as those in the military are trained.
Critical Infrastructure and Critical Functions
Food and agriculture are critical infrastructure sectors. Critical infrastructure sectors are those "…whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." [2]
Beyond being part of critical infrastructure, food and agriculture also serve as national critical functions (NCFs), which are "…functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." [3] A collapsed food chain is a nation-killer.
NCFs are more specifically divided into subcategories of functions ("function sets") including:
- Connect
- Distribute
- Manage
- Supply. [4]
Connect Functions
Connect functions are heavily populated by Internet- and information-related capabilities including routing, systems access, and connection services. These functions enable businesses to communicate across a globally dispersed enterprise, but also with customers and, when necessary, to government. Connect functions also include the technologies involved in positioning, navigation, and timing, all of which are necessary for the timely delivery of things like ingredients to food processing plants or, ultimately, finished food products to the consumer.
Problem solution 1: Prepare and defend your company's ability to connect, even during emergencies.
Distributive Functions
Distributive functions include the delivery of electricity, as well as maintenance of services enabling supply chains, like rail, road, and air. The importance of these functions is particularly evident when they are lost, such as during a major power outage, a hurricane, or other natural disaster. A sustained loss of power can dramatically affect the food chain, even where backup power (i.e., generators) is available.
The catastrophic damage sustained by Puerto Rico during Hurricane Maria in 2017 is an example where the effect of lost power coupled with transportation losses shut down not just food production, but also food processing and delivery. Additionally, foodstuffs already in the cold chain were threatened with losses, as generators strained to maintain cold temperatures. Had these generator systems been attacked by malign actors or perhaps surreptitiously programmed to cause failure during a power disruption, food companies would have lost their ability to operate on an emergency basis.
Problem solution 2: Prepare and defend your company's assets and its reliance on its distributive connections.
Manage Functions
Manage functions include wastewater, cyber incident management, providing and maintaining infrastructure, and protecting sensitive information. Food processing is highly dependent on water systems, which must be managed properly to help ensure food safety. Although not specifically listed, internal food safety and defense management are included in this category, since they are necessary to ensure safe food products for the consumer.
Cyber incident management continues to be a prominent need, as companies are frequently falling prey to criminal organizations and nation-state-sanctioned cyber adversaries. In today's global, hypercompetitive business environment, cyberattacks are no longer viewed as just one of the costs of doing business, an attitude more common in the past. Rather than ignoring the risk, the new business reality is that it is not a matter of if cyberattacks will occur, but rather when. Cyberattacks are likely to become an increasingly common disruption in our future.
Problem solution 3: Prepare and defend your company against the inevitable cyberattacks that will target it.
Supply Functions
The supply function specifically lists the outputs of food and agriculture:
• Produce and provide agricultural products and services
• Produce and provide human and animal food products and services. [3]
In essence, this describes the endpoint of the supply chain—the food supply, as well as the supply chain's ultimate purpose, which is to provide a safe, economical, and uninterrupted (i.e., secure) food supply to the consumer (Figure 2).
FIGURE 2. The Supply Chain's Ultimate Purpose is to Provide Safe, Economical, Uninterrupted Food Supply to Consumers
Looking across the NCFs, one is struck by their interdependencies and the role each must play in producing a safe and secure food supply. Should any functionality suffer degradation or disruption, all functionalities immediately begin to degrade. Beyond critical functionality, the food supply depends on many other critical infrastructures. Cascading effects are probable in any major disruptive event. A cyberattack on the power grid would inevitably affect the water supply immediately, thus affecting food processing functionalities, since both power and water would be lost.
Problem solution 4: Prepare and defend your company's supply chains.
Cyber Dependencies: The Future of Food Safety and Defense
Food safety and food defense are essential sub-processes necessary for a properly functioning food chain. Like many other essential functions, these sub-processes are dependent on cyber systems, whether directly (e.g., monitoring process functions, maintaining processing temperatures, etc.) or for record-keeping and reporting. A major disruption resulting from a coordinated cyberattack could be exponentially different from the scale of the COVID-19 disruption because all three domains of the food chain triangle—people, foodstuffs, and infrastructure—might be affected.
A unique feature of cascading effects in the food chain is that they can move in either direction. A forward cascade would empty grocery shelves, while a backward cascade could affect the agricultural producer. A cyber-borne event at the postharvest–preharvest interface could potentially cause effects in both directions. In this sense, the food chain operates much like a busy highway. A small disruption, such as an accident, causes backups that can stretch for miles, sometimes in both directions, depending on the nature and scale of the accident.
The potential threats to our critical infrastructure from malicious software (malware), such as ransomware, continue to rise significantly. New ransomware threats continue to aggressively target essential U.S. infrastructures, as well as many companies that support these infrastructures. A 2021 statistical report estimated that the cost of ransomware damage skyrocketed to almost $20 billion in 2020 [5]. Additionally, new forms of ransomware have appeared, such as Ransomware as a Service, or RaaS.
According to CrowdStrike experts, well-known ransomware groups, such as Darkside, recruit smaller actors to carry out attacks, splitting the profits [6]. This type of ransomware has become big business and is a significant concern for critical infrastructures across the country, as well as their supporting supply chains. RaaS from the Darkside ransomware group attacked the Colonial Pipeline in May of 2021, causing a significant disruption to gasoline supplies in the eastern part of the U.S.
A recent statistical study concluded that many organizations are unprepared for ransomware attacks. According to a survey of 582 information security professionals, 50% do not believe their organization is prepared to repel any ransomware attack [7]. According to the same report, a significant number of the companies attacked by ransomware had up-to-date malware security and systems with up-to-date patching [7].
Suppose ransomware continues to plague governments, utilities, and other critical infrastructures along with their supply chains throughout the country. That could cause escalating cascading effects, where an attack on one infrastructure or utility affects multiple dependent critical infrastructures. For example, a large-scale ransomware attack on the electric grid could also affect water treatment plants and agriculture. Food processing and refrigeration equipment also requires electricity. The food supply is interdependent with many of the other critical infrastructures and critical functions. The constant in all of this is cyber—its systems, functionalities, and processes (Figure 3).
FIGURE 3. The Food Supply is Interdependent with Many Other Critical Infrastructures and Functions, Including All of its Cyber Systems
As malicious actors become increasingly capable, there is a high probability for new levels of sophistication in the types of ransomware attacks that may be experienced. For example, recent ransomware attacks have included a double layer of malevolency, incorporating extortion (e.g., threats to confidential files), in addition to holding the systems hostage and, thereby, extorting money. Many organizations today are even facing the triple threat of ransomware combined with threats to publish confidential files of clients and customers combined with Ransom Denial of Service (RDoS) demands [8]. Ransomware attacks are, by any measure, the most likely future cause of serious disruption for business.
Adversaries are constantly looking for opportunities ripe for exploitation. The cyber connectivity of your company provides them an attack vector, by which entrance can be gained to your systems and processes. Using this connectivity, adversaries can also target your employees for further exploitation.
Before and during a malicious move against your company, your adversary will seek to identify vulnerabilities and exploitable elements, as well as disguise their actions and distract. Subterfuge is as old as warfare itself. Expect it in abundance before, during, and after a coordinated and sophisticated cyberattack. You are not alone in responding, however; several federal agencies are available to help if you are a victim.
The Federal Bureau of Investigation (FBI), the Cybersecurity & Infrastructure Security Agency (CISA), and the U.S. Department of Homeland Security (DHS) continue to update companies about common-sense approaches to deal with the growing threat of ransomware, without crippling cost.
CISA, along with the Multi-State Information Sharing and Analysis Center (MS-ISAC), produced and distributed a complete ransomware guide in 2020 that includes "Ransomware Prevention Best Practices" and a complete "Ransomware Response Checklist." [9] Recent FBI and Internet Crime Complaint Center (IC3) public service announcements, such as "Ransomware PSA I-091516-PSA," [10] have also highlighted the continuation of ransomware attacks, along with the common-sense best practices that organizations can take to secure their critical infrastructure.
As they continue to monitor significant increases in ransomware attacks, organizations must realize that there is a place to report these crimes quickly. FBI and IC3 have set up a complaint referral portal where ransomware complaints can be directly forwarded to the agencies. If it is believed that an internet-enabled crime has occurred, then organizations should quickly file a report with IC3, thereby better supporting the recovery of lost funds. If an organization has been affected by a network intrusion, data breach, or ransomware attack, then immediate contact should be made with the nearest FBI field office or reported to tips.fbi.gov [11].
Threat Protection and Mitigation
Like other sectors, the food industry is vulnerable to cyberattacks directed against internet-connected systems. Fortunately, most threats can be countered by following best practices developed over the past 30 years. Asset owners should begin by applying the National Institute of Standards and Technology (NIST) Cybersecurity Framework [12]. This initiative was developed collaboratively between industry, academia, and government and continues to improve as better defensive steps are discovered.
The NIST Cybersecurity Framework is fairly comprehensive and may seem a bit overwhelming. It may also seem that proper cybersecurity is achieved by following a checklist of items—that, once completed, it makes an organization "secure." In reality, security is a never-ending process that requires constant monitoring, evaluation, and improvement. It also requires senior-leader involvement at the board or C-suite level.
In addition to technical protections, organizations should have strong internal security policies, including items such as:
• Explicit statements of what is, and is not, permissible
• A security baseline for employees and managers
• A framework for disciplinary or legal action
• Guidance for incident handling and recovery.
Organizational policies can, and should be, more restrictive than public laws and regulations. They will, of course, need to be integrated with existing policies and procedures and should be designed to have a minimal impact on operations and production.
Finally, the best way to find out about a new threat or vulnerability is to be part of an information-sharing group. Most sectors have an Information Sharing and Analysis Center (ISAC) that provides members with timely warnings and alerts. Unfortunately, the food and agriculture sector does not have a formal ISAC, although efforts are underway to create one. Until a food and agriculture ISAC is created, consider monitoring sites such as the U.S. Computer Emergency Readiness Team [13] for information on emerging threats.
This article examined several of the lessons learned through the national emergency posed by the COVID-19 pandemic, notably the impacts to food supply and food system security. It is hoped that, in laying out these lessons, national decision-makers and industry can better prepare for the next disruptive event using the proactive solutions developed today.
Food Safety Summit Workshop:
Cybersecurity and What It Means to the Food Safety Professional
At Food Safety Magazine's annual Food Safety Summit, May 9–12, 2022 in Rosemont, Illinois, an attendees-only workshop will examine cybersecurity and what it means to the food safety professional. The two-session workshop, led by esteemed members of the U.S. Army Defense Intelligence Agency, the U.S. Department of Homeland Security, and Michigan State University, will provide the latest input from experts within the federal government, the food industry, and universities to define the threats and preventive controls for cybersecurity in the food safety/quality and food processing sectors. For more information and to register, please visit the Food Safety Summit website.
Notes
The views expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Auburn University, the State of Alabama, the U.S. Air Force, the U.S. Department of Defense, or the U.S. Federal Government.
Support for lead author Robert A. Norton, Ph.D., and the production of this article was provided by the Alabama Agricultural Experiment Station and the Hatch program of the National Institute of Food and Agriculture, U.S. Department of Agriculture. The article represents the personal opinions of the authors and does not reflect official policy or statutory-related opinion of the U.S. Federal Government, the National Institute of Food and Agriculture, and/or the U.S. Department of Agriculture.
References
1. U.S. Federal Bureau of Investigation. Private Industry Notification. "Cyber Criminal Actors Targeting the Food and Agriculture Sector with Ransomware Attacks." September 1, 2021. Pin Number: 20210901-001.
2. U.S. Cybersecurity & Infrastructure Security Agency. "Critical infrastructure sectors." October 21, 2020. https://www.cisa.gov/critical-infrastructure-sectors.
3. U.S. Cybersecurity & Infrastructure Security Agency. "National critical functions." https://www.cisa.gov/national-critical-functions. For more on National Critical Functions, see: https://www.cisa.gov/sites/default/files/publications/factsheet_national-critical-functions_508.pdf.
4. U.S. Cybersecurity & Infrastructure Security Agency. "National critical functions set." https://www.cisa.gov/national-critical-functions-set.
5. PurpleSec. "2021 Ransomware Statistics, Data, & Trends." https://purplesec.us/resources/cyber-security-statistics/ransomware/.
6. CrowdStrike. "Ransomware as a Service (RaaS) Explained." January 28, 2021. https://www.crowdstrike.com/cybersecurity-101/ransomware/ransomware-as-a-service-raas/.
7. PurpleSec. "2021 Ransomware Statistics, Data, & Trends." https://purplesec.us/resources/cyber-security-statistics/ransomware/.
8. Smith, D. Security Magazine. "Welcome to the New World of Triple Extortion Ransomware." May 18, 2021. https://www.securitymagazine.com/articles/95238-welcome-to-the-new-world-of-triple-extortion-ransomware?v=preview.
9. U.S. Cybersecurity & Infrastructure Security Agency. "Ransomware Guide." September 30, 2020. https://www.cisa.gov/publication/ransomware-guide.
10. Internet Crime Complaint Center (IC3). "High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations." 2019. https://www.ic3.gov/Media/Y2019/PSA191002.
11. Internet Crime Complaint Center (IC3). "Complaint Referral Form." https://ransomware.ic3.gov/default.aspx.
12. National Institute of Standards and Technology (NIST) Cybersecurity Framework. "Cybersecurity Framework." https://www.nist.gov/cyberframework.
13. U.S. Cybersecurity & Infrastructure Security Agency. U.S. Computer Emergency Readiness Team. https://www.cisa.gov/uscert/.
Robert A. Norton, Ph.D., is a Professor of Veterinary Infectious Diseases at Auburn University and works as the National Security Advisor in the Office of the Vice President of Research. A long-time national security researcher, Dr. Norton began his professional career while serving in the U.S. Army at the U.S. Army Medical Research Institute of Infectious Diseases at Fort Detrick, Maryland. Beyond his official duties at Auburn University, he has also served as an advisor to multiple federal and state agencies on issues related to weapons of mass destruction, food defense, and open-source intelligence. At present, he is a member of the Department of Homeland Security's Food, Agriculture, and Veterinary Defense Task Force.
Joseph McGarvey, Ph.D., C.I.S.S.P., has published several articles on critical infrastructure protection, ransomware threat mitigation, cybersecurity, and other topics. He has 14 years of critical infrastructure protection experience at North American Electric Reliability Corporation and six years of experience in supervisory control and data acquisition (SCADA) systems in the oil and gas transmission sector. As a Ph.D. Research Cyber Security Professor for the U.S. Air Force, Dr. McGarvey has researched and presented on a number of topics including space cybersecurity, space critical infrastructure, advanced cyber offensive techniques, threat intelligence and analysis, advanced cyber digital forensics, advanced security techniques, and countermeasures, and many others.
Marcus (Marc) Sachs, P.E., is the Deputy Director for Research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He is a retired U.S. Army Officer and was a White House appointee in the George W. Bush administration. His private sector experience includes serving as the Deputy Director of SRI International's Computer Science laboratory, as the Vice President for National Security Policy at Verizon Communications, as the Senior Vice President and Chief Security Officer of the North American Electric Reliability Corporation (NERC), and as the Chief Security Officer of Pattern Computer. He was also the Director of the SANS Internet Storm Center and has co-authored several books on information security. He holds degrees in civil engineering, computer science, and technology commercialization, and is a licensed Professional Engineer.