Cybersecurity and Food Defense: Establishing an ISAC for the Food and Agriculture Sector
With security threats on the rise, an Information Sharing and Analysis Center (ISAC) is needed for the food and agriculture sector
In our first Cybersecurity and Food Defense column, we discussed how security threats against the food and agriculture sector are increasing, and how cyber threats against the global supply system are also on the rise. We also suggested that an Information Sharing and Analysis Center (ISAC) be formed for the sector. It does not need to be fully capable at the start; just a few large companies that agree to pool and analyze threat information can plant the initial seeds. If successful awareness and deterrence can be demonstrated, then other companies will join. At full capability, the ISAC can serve as a watch and warning center for the sector, providing timely threat analysis for members at all levels.
ISACs bring together experts from different industries to share information and collaborate on cybersecurity, physical security, and other issues. In this article, we look at the history of ISACs, explore the need for an ISAC in the food and agriculture sector, and discuss the steps that should be taken to establish one.
The History of ISACs
The first ISACs were established in the U.S. following the publication of Presidential Decision Directive 63 (PDD-63),1 which mandated the creation of public-private partnerships to reduce the nation's vulnerability to cyber and physical attacks. The directive aimed to improve the nation's cybersecurity capabilities by promoting information sharing and collaboration between government agencies and private organizations. PDD-63 called for a single ISAC to be established by the private sector with appropriate federal assistance. It set forth a vision of a coordination center similar to the Centers for Disease Control and Prevention (CDC) in Atlanta:
As ultimately designed by private sector representatives, the ISAC may emulate particular aspects of such institutions as the Centers for Disease Control and Prevention that have proved highly effective, particularly its extensive interchanges with the private and non-federal sectors. Under such a model, the ISAC would possess a large degree of technical focus and expertise and non-regulatory and non-law enforcement missions. it would establish baseline statistics and patterns on the various infrastructures, become a clearinghouse for information within and among the various sectors, and provide a library for historical data to be used by the private sector and, as deemed appropriate by the ISAC, by the government. Critical to the success of such an institution would be its timeliness, accessibility, coordination, flexibility, utility, and acceptability.1
Ultimately, a single ISAC was not created, but instead separate ISACs were established by each of the critical infrastructure sectors. The first was the Financial Services ISAC (FS-ISAC), established in 1999. The financial sector recognized the importance of sharing information and collaborating on cybersecurity issues, and the FS-ISAC quickly became a model for other sectors to follow. Following the September 11 terrorist attacks in 2001, it expanded its role to include physical threats to the financial sector.
Today, there are more than 20 ISACs in operation, covering critical infrastructure sectors ranging from healthcare and transportation to energy and defense. These organizations have played a crucial role in preventing cyber and physical attacks and in responding to them when they occur.
Missing from the list of sector ISACs is the food and agriculture sector. One was created in 2002, but it was disbanded six years later. Since then, a smaller special interest group (SIG) hosted by the IT-ISAC2 remains as the only information sharing group with a focus on food and agriculture security. It meets virtually and has no physical location for a real-time, around-the-clock analysis and warning staff. It also does not conduct training, exercises, and other functions performed by the larger-sector ISACs.
Why an ISAC is Needed for the Food and Agriculture Sector
The food and agriculture sector is a vital component of the global economy, and it is increasingly reliant on computer technology. From farm equipment and crop management systems to food processing and distribution networks, computer technology plays a critical role in every aspect of the industry. Those computer systems are connected by networks and, in many cases, those networks are accessible to the public internet.
A successful attack on these networked systems could compromise food safety, damage crops, and disrupt the entire food supply chain. Unfortunately, many organizations in the sector are ill-equipped to deal with these threats, and there is a lack of technical threat information sharing and collaboration across the industry.
This is where an ISAC can play a critical role. By bringing together experts from across the food and agriculture sector, an ISAC can facilitate information sharing, analysis, and collaboration, allowing organizations to better protect themselves against cyber and physical attacks.
Does Information Sharing Violate FTC Regulations?
Price fixing entails development of an agreement (written, verbal, or inferred) among competitors to raise, lower, maintain, or stabilize prices or price levels. A food and agricultural sector ISAC would not collect, discuss, or disseminate any information related to prices. The ISAC charter could expressly include this prohibition as a requirement for entry into the organization and a cause for dismissal. Inclusion of such requirements would be up to the member companies. Other sectors' ISACs are also subject to price fixing regulations and have successfully navigated these concerns. Since ISACs frequently communicate with each other, their charters could serve as models for the development of a new food and agriculture charter, or perhaps even serve to provide advice on best practices.
ISACs focus solely on threat-related information, enabling the development of industry best practices that better assure protection and thereby decrease liability, but also assist in containment, mitigation, and remediation should a threat event occur. ISACs belong to the sector members and are designed to help those member companies better protect themselves. ISACs do not belong (and are not dictated by) the government.
If desired by member companies, a food and agriculture ISAC could work in collaboration with the Cybersecurity and Infrastructure Security Agency (CISA) by aiding the identification and subsequent protection of "Protected Critical Infrastructure Information" or "PCII." The Critical Infrastructure Information (CII) Act of 2002 and 6 CFR Part 29 ensures that information voluntarily shared with the government that is confirmed as PCII is protected from:
- Disclosure from Freedom of Information Act (FOIA) requests
- Disclosure under state and local disclosure laws
- Use in regulatory proceedings
- Use in civil actions.3
CISA's PCII Program also enables CISA and other federal, state, and local government security analysts to assist companies in the following activities:
- Analyzing and securing critical infrastructure and protected systems
- Identifying vulnerabilities and development of risk assessments
- Enhancing preparedness, resilience, and recovery measures.
In other words, CISA's PCII Program protects your company's critical infrastructure-related information and enables you to better identify vulnerabilities and find problem solutions. The PCII Program does not compel companies to share their business-related and sensitive information. Instead, it asks that companies voluntarily share what they are willing to share, including that which is identified as PCII. The business decides what is and is not shared with CISA.
PCII access requirements are strictly defined. CISA regulates access and stipulates that, "Only authorized federal, state, and local government employees or government contracted personnel who are trained and certified in the strict safeguarding and handling requirements, have a need-to-know, have homeland security responsibilities, and sign a non-disclosure agreement (non-federal employees only) may access PCII."3 Regulatory agencies (e.g., the Department of Agriculture and/or the Food and Drug Administration) and personnel (inspectors, auditors, etc.) would normally not be given access to PCII, unless that information was related to a homeland security purpose and, as such, could not be used in regulatory proceedings.
Steps to Establish an ISAC for the Food and Agriculture Sector
Establishing an ISAC for the food and agriculture sector will not happen quickly. To be successful, a limited pilot capability might be a useful first step. The pilot Food and Agriculture ISAC (FA-ISAC) can then be expanded into a larger and broader organization. To ensure success, the food and agriculture sector will need to:
- Identify key players: Stakeholders will include representatives from across the industry, including growers, processors, distributors, retailers, and others.
- Determine goals and objectives: This should include identifying the types of threats the ISAC will focus on, the types of information that will be shared, how the information will be analyzed, and the expected products to be created by the organization.
- Establish a governance structure: This includes identifying a chairperson or executive director, establishing a board of directors, creating subcommittees as needed, and outlining the roles and responsibilities of each member.
- Develop operational procedures: The FA-ISAC must have well-defined operational procedures that outline how information will be shared, how incidents will be reported, and how response efforts will be coordinated. This includes creating an incident response plan and establishing a system for tracking incidents and responses.
- Secure funding: Funding can come from a variety of sources, including government grants, private donations, and membership fees.
- Develop information sharing policies: Information sharing is a core component of any ISAC, and policies must be established to ensure that sensitive information is protected while still being shared with relevant parties.
- Establish a technology platform: An ISAC requires a technology platform to facilitate information sharing and collaboration. The platform should be secure, scalable, and easy to use, and should allow members to share information in real time. These platforms are in use at other ISACs and are commercially available.
- Build relationships: An ISAC is only as strong as the relationships it builds with its members and other organizations. The FA-ISAC should work to build relationships with industry associations, government agencies, and other relevant organizations to ensure that it has the support and resources it needs to be effective.
- Conduct regular training and exercises: Regular training and exercises are essential to ensure that members are prepared to respond to cyber threats. The FA-ISAC should conduct regular training sessions and tabletop exercises to test response plans and ensure that members are up to date on the latest threats and best practices.
Establishing an ISAC for the food and agriculture sector is a critical step in improving the cybersecurity posture of the industry. By bringing together experts from across the sector, an ISAC can facilitate information sharing and collaboration, allowing organizations to better protect themselves against cyber and physical attacks.
In our next articles, we will look at how threat information currently flows within the sector and discuss how those flows can be improved via the proposed FA-ISAC. We will also explore options for where a food and agriculture ISAC should be hosted and if it should be virtual, like the current SIG, or if it should have a physical facility with around-the-clock staffing, similar to other large-sector ISACs.
References
- The White House. Presidential Decision Directive NSC-63. "Subject: Critical Infrastructure Protection." May 22, 1998. https://irp.fas.org/offdocs/pdd/pdd-63.htm.
- IT-ISAC. "Food and Agriculture SIG." https://www.it-isac.org/food-and-ag-sig.
- Cybersecurity and Infrastructure Security Agency. "Protected Critical Infrastructure Information (PCII) Program." https://www.cisa.gov/pcii-program.
Robert A. Norton, Ph.D., is a Professor and National Security Liaison in the Office of the Vice President of Research and Economic Development at Auburn University. He specializes in national security matters and open-source intelligence, and coordinates research efforts related to food, agriculture, and veterinary defense.
Marcus H. Sachs, P.E., is the Deputy Director for Research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He has deep experience in establishing and operating sharing and analysis centers including the Defense Department's Joint Task Force for Computer Network Defense, the SANS Institute's Internet Storm Center, the Communications ISAC, and the Electricity ISAC.