Many Future Food Defense Problems Will Begin with Cyber
By Robert A. Norton, Ph.D. and Jason Lancaster
Imagine that you work for Acme-Z Food Corp. You go to your computer, only to find you are locked out of all your files and systems, which are being held for ransom. How much would you pay to get those files back? What would happen to your company if the accounts, the proprietary information, the records, the formulas, the recipes, and even the control software for your systems were gone—forever?
Are cyberattacks an existential threat? The answer, unfortunately, is yes. Cybersecurity is one of the elements that can make or break your business.
A Nightmare Come True: Atlanta
On March 22, 2018, the city of Atlanta suffered a targeted ransomware attack that shut down the city’s online systems and digital services. Researchers identified the ransomware as “SamSam,” a particularly vicious malware that infiltrates a system by exploiting an open vulnerability. After a successful breach, the malware quickly propagates within the infected system by utilizing common exploiting/hacking tools, enabling it to easily spread to adjacent systems.
Previously, SamSam has been used to target state government infrastructures and the healthcare industry. Researchers surmise that victims are predetermined and targeted. Put differently, adversaries were looking at Atlanta, exploring the city’s systems, looking for the things that make Atlanta’s systems vulnerable.
The attack on Atlanta disrupted a number of the city’s processes, activities, and services. Citizens were unable to pay water bills, police officers had to hand-write and manage reports, and government employees had to complete and file paperwork by hand. Beyond the actual ransom that Atlanta very quietly paid, there no doubt were costs associated with loss of time and extra effort for the victims.
The attack was motivated by greed. That being said, there may have been other motivations. Some adversaries, nation states for example, may use a ransomware attack to study our nation’s response. For that reason alone, there are lessons to be learned here.
A large city like Atlanta should have been better prepared. That the city was not adequately prepared says volumes about the configuration and management of municipal cyber systems. This is important, because an attack like this one could be just the first salvo, with larger attacks coming. If the people who manage a city as large as Atlanta could make bad decisions about designing and maintaining a secure cyber system, what hope is there for a food company?
Cyber system vulnerabilities can be exploited from the outside, or internally because an employee makes a bad decision such as opening a malware link in an email. Actual malevolence by someone inside your company might also be the cause. Cyber systems have to be robust enough to ward off relatively sophisticated cyber adversaries. In a sense, you are urging adversaries to “move on,” to target someone else. Your defenses should be strong enough that an adversary will decide your defenses are not worth the trouble to breach.
An Evolving Threat: Ransomware
The food and agriculture sector is considered “critical infrastructure” or “CI,” meaning our society cannot function without it. This sector is dependent on other critical infrastructure sectors, such as the power grid, water, and transportation. Ransomware poses a serious threat to all of these inter-linking systems.
In November 2016, for example, ransomware halted the city of San Francisco’s light rail system. Luckily, the city’s municipal transportation agency was able to restore the system from a stored back-up, thus avoiding paying the ransom and losing too much money to downtime. The malware campaign could have been very costly as well as leaving many San Franciscans without reliable, necessary transportation and sending shudders through other CI sectors.
If the same thing happened to a power grid or other vital infrastructure, the attack could be immensely disruptive. Since CIs are attached to other CIs (cyber to water; water to food; food to banking, etc.), the initial attack could serve as the entry point, creating a cascading effect that could impede or damage access to services necessary for our welfare, and in a worst case scenario, our survival.
The aggregate damages could be unimaginable. Unchecked, such an attack could bring our nation to its knees. In time of actual war, we can expect our adversaries to give no quarter. American corporations and industry will be prime targets.
A Nation-State Adversary: Russia
Russia is, in many ways, incapable of confronting the U.S. in a sustained shooting war, but in terms of offensive cyber capabilities, Russia is what the military calls a “near peer.” That means Russia’s capabilities are very close to those of the U.S., and CIs are conceivably targets.
A joint technical alert issued by the Department of Homeland Security and the Federal Bureau of Investigation recently warned critical infrastructure sectors about Russian government cyber activity targeting U.S. CIs with a “multi-stage intrusion campaign.” The Russians have specifically targeted third-party suppliers or organizations that are trusted by CI companies. These compromised entities are then used to launch cyberattacks against the primary CI targets, employing tactics such as spear-phishing emails. Intended victims assume that emails and files from trusted third-party suppliers and organizations are safe, so they don’t hesitate to open attached files and click on links.
After successful attacks, the Russians continue to exploit leveraged users’ credentials and some critical internal files, enabling remote access. Because of these tactics, Russia is considered a “persistent threat.” If Russia targets your corporation, you probably won’t know. Where nation states are involved, attribution can be exceedingly difficult.
Given the sophistication of persistent adversaries like Russia, how can a food corporation prevent system compromise? First, corporations should start with the basics. Administrators should keep all systems and applications updated, minimizing known vulnerabilities; this is particularly important in the case of the SamSam strand and similar ransomware strands.
Additionally, administrators may want to consider implementing a premium anti-ransomware protection tool. Many of these tools monitor for suspicious behavior, prevent file modification, and provide a way to recover lost files. Security Information and Event Management (SIEM) technology is a supplement to these kinds of software; administrators may consider utilizing a SIEM to watch for suspicious changes to files on the system, such as multiple file name changes or increased file sizes within the same directory. Such changes may indicate the addition of a file header and/or footer by the ransomware, with the addition containing information necessary for file decryption.
Regular back-up of important data also can alleviate the headaches caused by a successful ransomware attack; administrators may be able to wipe a compromised system clean and restore it with archived data, sustaining relatively little damage from the malware. Critical infrastructure providers also should ensure third-party suppliers evaluate and update their own systems.
Finally, educate employees about security, because employees are integral to preventing an attack. Many strands of ransomware find their way into a victim’s system through a malicious email attachment or downloaded executable file. Employees should be taught not to open suspicious emails, not to plug unknown or suspicious hardware accessories into their computers, and not to use corporate systems for personal use. They should also be knowledgeable about using restricted passwords and should use multi-factor authentication to access important accounts.
If a system does succumb to a ransomware attack and does not have a data archive from which to restore the system, administrators usually have three options: Pay the ransom to unlock their data, which may or may not happen; restore data using their back-up; or hire a specialized security team to attempt to recover the data and vaccinate the machine. Having a predetermined specific incident response plan will also help.
Cyber security is a matter of system planning and management and urging all employees to adhere to the basics, but being ready when they don’t. Securing CIs is important, particularly where one touches another. And food corporations have to learn to better protect themselves, because the National Security Agency (NSA) will not and cannot be used to protect food and agriculture, at least directly.
NSA and the U.S. Cyber Command are responsible for gathering Intelligence, but corporations do not have access to this intelligence and therefore must gather their own Intelligence to better protect their assets. That means that corporations, in many ways, are on their own. Cyber security is no longer just a cost of doing business; in the future, cyber security may be key to corporate survival because nation state adversaries can be expected to target food and agriculture in the event of war.
Robert A. Norton, Ph.D., is a professor at Auburn University and chair of the Food Defense Working Group in the Auburn University Food System Institute. A long-time consultant to federal and state law enforcement agencies, the Department of Defense, and industry, he specializes in intelligence analysis, weapons of mass destruction defense and national security. For more information on the topic or for more detailed discussions about specific-security related needs, he can be reached at firstname.lastname@example.org or by phone at 334.844.7562. Jason Lancaster is with SpyCloud, which helps businesses prevent data breaches and account takeover attacks by alerting when employee or company assets have been compromised. This is accomplished through an early warning breach detection service powered by a team of intelligence analysts. Check your organization’s exposure at spycloud.com.