The latest preparation effort is Cyber Storm — a massive, multiday tabletop exercise involving state, local, tribal, territorial, federal and private-sector organizations — and it probed how well participants respond to a simulated cyber attack on food and agriculture.
The mock scenario imagined that adversaries exploited misconfigurations in victim organizations’ cloud environments to cause a range of effects.
“Some organizations saw [mock] exfiltration of sensitive company data; others experienced decreased or blocked user access; and some had their data manipulated — from customer orders to employee information,” said Lisa Beury-Russo, associate director for Cybersecurity and Infrastructure Security Agency (CISA) exercises, in an email to GovTech.
The exercises helped more than 2,000 participants test how their internal practices and policies worked. They also tested coordination and sharing of information between government and the private sector, said CISA Executive Assistant Director for Cybersecurity Eric Goldstein in a media briefing.
This was the first time that Cyber Storm — now in its ninth year — homed in on food and agriculture, Beury-Russo said. The sector was chosen because its organizations expressed interest in participating. Also, a new sector-specific information sharing and analysis center had launched, Beury-Ruso said.
This also comes at a time when federal lawmakers are pushing for legislation to safeguard that sector against cyber attacks, introducing the Farm and Food Cybersecurity Act in January. The bill would direct CISA and the U.S. Department of Agriculture (USDA) to conduct biennial studies of cybersecurity threats and vulnerabilities facing the sector, as well as ways federal government can help. The studies would include analyzing government and private agencies’ abilities to prevent, detect, respond to and recover from such attacks.
Additionally, the proposed legislation would see the USDA and federal partners conduct annual cross-sector exercises that simulate food-related emergencies or disruptions. The exercises would aim to determine how well federal, state, local, tribal and territorial governments, as well as private-sector organizations, are prepared for and able to respond to such a crisis, among other findings. Lessons learned from the exercises would be shared with participants as well as used to inform the USDA and partners’ recommendations to Congress for improving cybersecurity and resilience.
Attacks on the sector can take many forms.
REvil’s 2021 hack on JBS Foods gave a taste, with JBS’ meat plants temporarily closing and slaughters paused. Fears circulated that prolonged disruption would cause meat prices to rise.
A hypothetical ransomware attack might also disrupt seed production, delaying planting, said the Food and Ag-ISAC in a new report. Farmers might then need to palletize crops and relocate them to regions that still have active growing seasons, at considerable cost.
Mark Montgomery, executive director of CSC 2.0, said in a Cipher Brief column that hackers could hypothetically compromise and falsify agricultural data to create fears of a disease outbreak, which might take inspectors months to debunk. During that time, “sick” livestock would be killed, harming herds, while foreign countries fearful of health risks would ban U.S. agricultural imports.
“The economic disruption could be catastrophic,” Montgomery wrote.
Food and agriculture is the seventh most targeted by ransomware, out of 11 critical sectors monitored by the Food and Ag-ISAC and IT-ISAC. Last year saw more than 2,900 ransomware attacks against those sectors, with 5.5 percent hitting food and agriculture, while a high of 15.5 percent hit manufacturing.
Ransomware attacks plaguing the sector appear to be opportunistic and financially motivated, per the report.
Law enforcement action and internal drama may have, at least temporarily, tamped down on some attacks. The amount of ransomware targeting the sector originally rose year over year in January, but quickly dropped, declining year over year for each of the ensuing months, per the report. This change happened after two of the most prolific perpetrators suffered turmoil, with law enforcement disrupting LockBit infrastructure in February and BlackCat announcing its dissolution in March, seemingly to avoid paying its affiliates.
But the group Play — known for attacks like those on Lowell, Mass., and Oakland, Calif. — remains a significant threat actor, responsible for 14 out of 167 attacks hitting the food and agriculture sector in 2023 and five in the first few months of 2024.
More insights on food and agriculture cybersecurity are to come, with CISA next looking to publish lessons learned from this year’s Cyber Storm and an after-action report, Goldstein said.
