A looming threat
UMN institute combats cyberattacks in food production through research, education
UMN institute combats cyberattacks in food production through research, education
The headlines this fall have been filled with concerns over strained supply chains and their role in the rising prices of consumer goods. Earlier this summer, a different set of headlines regarding supply chains also were cause for concern, though many outside the food production industry probably weren’t paying them as much mind.
JBS, the world’s third largest meat processor, found itself at the center of a major cyberattack in May that shut down company production on a global scale. Hackers used ransomware to infiltrate and seize control of JBS’ production systems, demanding payment in order to restore control to JBS. Ransomware is a type of software that is maliciously used to block access to a computer system. In the end, JBS paid hackers $11 million to resolve the attack and prevent further disruptions.
The attack thrust the relationship of food safety and cyber security into the spotlight and has since sparked discussions across the food production industry and the government entities charged with overseeing it. Many were caught off guard by the JBS attack, but one set of researchers based at the University of Minnesota saw it coming. In fact, they’ve been raising an alarm about the threat cyberattacks pose to food production for years.
The Food Protection and Defense Institute (FPDI) at the U of M has worked since 2004 to protect the global food supply through research, education, and the delivery of innovative solutions. Part of that mission includes identifying cybersecurity vulnerabilities in the food and agriculture sectors and educating stakeholders about their potential impact.
For a long time, folks thought that cyberattacks targeted just the retail and financial aspects of food production, that it was just stealing data and intellectual property.
Jennifer van de Ligt
“For a long time, people thought that cyberattacks targeted only the retail and financial aspects of food production, that it was just stealing data and intellectual property,” says Jennifer van de Ligt, PhD, FPDI director and associate professor in the College of Veterinary Medicine. “What has changed more recently is the use of ransomware to completely lock up production systems and demand huge sums of money to unlock them.”
She and FPDI staff members John Hoffman, senior research fellow and retired colonel, and Stephen Streng, analyst and technical writer, have been making the rounds in the wake of the JBS attack in hopes of bringing more awareness to the danger posed by vulnerabilities in the food production and agriculture sectors.
As the JBS case illustrates, technology plays a large role in facilitating the production of food, from meat processors to candy makers. Software is used across the production floor and beyond. In meat processing for example, computers control or track animal weight and condition, feeding records, logistics of getting the animal from farm to a processing facility, intake of animals at the facility, time and temperature sensors during harvesting and processing, water flow sensors, and much more.
In the case of the JBS attack, cybercriminals were able to not only stop the company from shipping meat to grocery stores but also prevent its facilities from receiving animals from producers, according to van de Ligt. Disruption of vital production equipment, in particular, becomes more than just a food supply issue.
“Food manufacturing is so electronically controlled now that when you experience cyber breaches, whether it's a denial of service or ransomware or targeting and manipulating sensors, it can have tremendous food safety implications,” van de Ligt says.
Much of the technology used in food production was installed during the 1990s and early 2000s, when many companies realized they could harness its power to increase efficiency and productivity. However, age has become one of production technology’s greatest vulnerabilities. Unlike a personal computer that might see its operating system upgraded on a regular basis, it’s not uncommon for the technology regulating these production processes to forgo upgrades for years, even decades.
Hoffman recalls touring one facility and noting its production software was still running on Windows 98—in 2017. Part of the reluctance to upgrade these operating systems is convenience and costs.
“If you're a company and you have a device that works today just like it did 25 years ago, and it's controlled by Windows 98 on a single terminal—why break something that's not broken?” Hoffman says. “It works. It works perfectly, it's repeatable, it's reliable. It does exactly what we want.”
The problem lies in connecting these production terminals to larger networks that have access to the internet. If hackers are able to access the company’s network through the web and locate these aged systems, those systems—and everything they control—become vulnerable. Developers no longer create patches and fixes for old operating systems such as Windows 98, meaning that there also is little in the way of security from stopping cyberattacks.
Another vulnerability comes when companies merge. The unification of their information management systems takes place at the top levels of leadership but often not further down the line.
“Down at the operational technology level and the mid-level information management, data management, and financial management, they're all disparate systems,” Hoffman says. “They may not have a good understanding or inventory of what all these pieces and parts are. And if they don't have that, how do they know what to protect and what’s at risk?”
For the public, what’s at risk is safe food products available in adequate supply at affordable prices. For many people, their relationship with food production begins and ends at the grocery store shelf. In reality, there is a long line of steps and organizations involved before that food reaches the shelf. And many of them are intertwined in ways consumers may not realize. If one industry experiences a large-scale disruption, it starts a chain reaction in others.
“People don't often understand cascading effects and these infrastructures. They're very complex,” Hoffman says. “The food infrastructure depends on the water infrastructure, food infrastructure depends on the energy infrastructure, the food infrastructure depends on the transportation infrastructure. And they are all run by cyber systems now, and they're all vulnerable.”
For example, another cyberattack happened just prior to the JBS incident but saw far wider news coverage. On May 7, a ransomware attack compromised software managing Colonial Pipeline, an oil pipeline system that mainly serves the southeastern United States. The attack forced Colonial to shut down the pipeline, becoming the largest cyberattack on oil infrastructure ever recorded in the U.S.
The impact was immediate. Fuel shortages occurred as a result of the attack and panicked consumers rushed to fill their tanks, driving up gasoline prices. Transportation companies incurred higher costs to ship products, including food. The elevated costs were passed on to consumers in the form of price increases that have continued into the fall.
The spotlight cast on supply chains this fall serves as a stark reminder that disruptions to the production and transportation of goods—including food—can have very real and expensive consequences for companies and consumers. It also underscores the need to prevent cyberattacks on food production and other vital infrastructure that could further exacerbate economic woes in the U.S.
Our food comes from a long supply chain that's integrated into all these other infrastructures and all these dependencies on things working within the supply chain.
John Hoffman
“Our food comes from a long supply chain that's integrated into all these other infrastructures and all these dependencies on things working within the supply chain,” Hoffman says. “When you break a piece of that, you can shut the supply chain down. So if you look at it from the standpoint of the bad guys, what's one of the most essential infrastructures? It's the food infrastructure. Who's going to pay quickly to get back online? They are.”
Large companies such as JBS have the ability to pay ransoms to regain access to their systems, but van de Ligt notes not every food producer has the financial resources to do so. The same goes for having the financial capacity to make pricey upgrades to technology systems. With slim profit margins, even those that have the ability to upgrade often hold off. In the absence of a regulatory requirement that sets standards for cybersecurity, van de Ligt says not all companies will do so. That’s because they know that if they pass that cost on to the consumer, there’s a chance the consumer will no longer buy their products and seek out a less expensive option, perhaps one that did not upgrade its cyber systems.
With regulation at the federal level lagging, it’s likely one of the biggest drivers of increasing cyber security among food producers will instead be insurance companies and investors, according to Hoffman. Insurers can change requirements that could prompt companies to upgrade their production technology in order to receive or continue to receive coverage against cyberattacks. Likewise, investors can put pressure on companies to reduce their cyber—and in turn financial—risks.
Still, van de Ligt and Hoffman both hope to see pushes for uniform regulations for governing food production technology and cyber safety at a national level. Current federal food safety guidelines cover numerous aspects of the production process—they say cybersecurity should be no different. A complicating factor to this is there is no one-size-fits-all solution that can be implemented across the food production industry.
There are a lot of cybersecurity policies, protocols, and standards that are developed, implemented, and applied in a variety of industries. But, if you take one of those existing structures and try to just pick it up and plop it into the food and agriculture industries, it doesn't fit right.
Jenifer van de Ligt
“There's currently no alignment on what those regulations should look like,” van de Ligt says. “There are a lot of cybersecurity policies, protocols, and standards that are developed, implemented, and applied in a variety of industries. But, if you take one of those existing structures and try to just pick it up and plop it into the food and agriculture industries, it doesn't fit right.”
As discussions of cyber security continue in the media and within government agencies, FPDI staff will continue to raise awareness about the threat cybersecurity poses to food production, push for increased regulation, and educate food producers on how they can prevent themselves from being the target of the next big attack.