
February 28, 2024 21 mins

The food and agriculture industry is a critical sector that represents nearly a fifth of US economic activity. Businesses in this sector also rely on other important industries such as water, transportation, and energy. In this episode, Jonathan Braley, director of the Food and Ag-ISAC, shares the top cyber threats facing the industry, as well as the various services offered through the ISAC.

 


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Welcome to The Security Detail, a podcast by Splunk SURGe, where we examine
the cyber threat landscape across different industries. I'm Madeline Tauber.
And I'm Audra Streetman. Today, we're examining the top cyber threats facing
the food and agriculture sector,
which spans everything from farms to food manufacturing facilities.
And this critical infrastructure sector makes up about a fifth of economic activity in the U.S.

(00:24):
It's also dependent on several other critical sectors, including water,
transportation, and energy, which we'll discuss in today's interview.
So to learn more about cybersecurity and food production, we spoke with Jonathan
Braley, who's the director of the Food and Agriculture ISAC,
which was officially formed in May of 2023.
Jonathan spoke to us about his career journey, the top cyber threats he's tracking,

(00:47):
and the services available to ISAC members. Take a listen.
So I joined the IT ISAC back in 2017. Before that, I spent many years
with a company that set up cloud email services.
So I have a degree in information security and kind of joining the IT ISAC was
my first chance to get to use some of those skills.

(01:08):
Shortly after joining in 2017, I became responsible for the IT ISAC's Food and
Agriculture Special Interest Group, which we call SIGs.
And I suppose it's probably appropriate to give a little history of where the
Food and Agriculture ISAC came from.
Around 2013, the IT ISAC
received its first request from a food and agriculture company to join.
We were kind of confused when that came through, but it turns out that the food

(01:31):
and ag sector didn't have a formal ISAC.
There was one that was started, but it folded many years before.
It made sense to kind of bring this food and agriculture company in.
They were dealing with the same kind of IT risks and challenges that some of
our IT sector companies were.
So we started to get more food and agriculture companies. Eventually,
we set up this Food and Agriculture SIG, which was a community within the IT

(01:53):
ISAC where we could talk about threats related to the sector specifically.
And then last year, there started to be a lot more focus on the food and ag sector.
You can think about things like JBS Foods, ransomware attacks on several food
and agriculture cooperatives.
And we started to hear some public concerns about a lack of a formal ISAC for the sector.

(02:13):
So the SIG and the board said it was best that we actually go and kind of rebrand
that SIG into the official food and agriculture ISAC. So that's what we did.
Kind of the condition being that they would still be able to collaborate with those IT ISAC members.
How many companies were there starting out? You said there was one that contacted
you. And then later on, how many were there before the ISAC was founded?

(02:35):
It kind of slowly grew. We got up to about a dozen with the SIG for a while,
and then we started to hit 20.
And then it made sense to build out the ISAC. And now we've doubled again.
We're getting closer to 40 and 50 member companies within that.
What kind of orgs are those?
Are those kind of smaller ones? Are there very large ones? Is it everything in between as well?
It's a place for all organizations across the food and agriculture supply chain, kind of farm to table.

(02:59):
If you're involved in food and agriculture, there's a place for you.
We have a mix of smaller, less mature, as well as larger, more mature organizations.
I would say primarily the ones that kind of started the ISAC were some of the
fairly larger, more mature organizations.
But I think what's great is our membership. It's very affordable.
Individual farmers can become members as well as larger corporations.

(03:22):
While our membership's restricted to
the private sector, we have built out relationships with DHS, CISA, FBI,
industry associations, and we're working currently to build out some collaboration
opportunities with some of these food and ag-focused research universities.
What kind of services do you offer to your members?

(03:42):
So as far as services go, we provide members with daily, weekly,
monthly curated threat intelligence reports.
We offer a threat intelligence platform, which has a secure enclave where members
can actually share indicators of compromise.
They also can use automated STIX/TAXII APIs to actually pull those indicators
directly into their security tooling.
We also do weekly and bi-weekly virtual calls where members can get together

(04:06):
and discuss problems.
We have a repository of adversary playbooks.
These playbooks contain kind of historical details about nation state groups,
cyber criminal groups, ransomware groups.
Our operations team, we're putting details in there, but also members are able
to share new information about these groups.
And I think we're currently tracking 170 to 200 different actors in there.

(04:28):
And then back in 2020, we also began tracking ransomware attacks against the food and ag sector.
Now we're also tracking ransomware attacks across all critical sectors.
And we have a ransomware tracker that members can use.
We use the metrics from that to build out a monthly ransomware report.
So that's been a great exercise and a value to members as well.
Are there any notable threat actors that are known to specifically target the agriculture sector?

(04:53):
Or is it more crimes of opportunity with ransomware groups just sort of targeting
whatever network they can get into?
A lot of the ransomware is opportunistic, but we do know that there's some more
sophisticated groups that will actively go after targets in the sector.
Lately, we've been developing a scoring system where we're calling it the predictive
adversary scoring system where we can take known adversaries that have attacked

(05:17):
the food and ag sector, looking at historical targeting, current activity,
frequency of attacks, sophistication level.
We can build out a score and we've taken that list of 200 adversaries and kind
of brought that down to 20 or 30.
China and Russia threat actors, they're pretty high on that list,
especially those that are known to target operational technology.
Plenty of financially motivated cyber criminals and ransomware groups that rank pretty highly as well.

(05:41):
And I think industrial espionage, the theft of intellectual property is a big concern.
Some of that intellectual property is incredibly valuable. It takes a lot of time to develop.
You can think about genetic work, how much expensive equipment is needed,
laboratory space, the technical staff involved in that.
I know our members have said it can take years for a discovery in a lab to become

(06:04):
a product on a store shelf.
So if other countries are able to break into that timeline, steal that intellectual
property, they can shortcut their own development timelines,
but also potentially gain a competitive advantage against the US.
Members are doing a lot to protect that intellectual property.
A lot of it comes from protecting legitimate account access,
which is kind of low on the sophistication scale. Things like phishing

(06:26):
are always going to be a problem.
There's also more sophisticated techniques where actors will even go and attack
the supply chain, right?
They'll try to impact a small partner to gain access into the larger corporation.
Insider threats are also a big concern from an intellectual property perspective.
How do you monitor employees?
How do you prevent accidental and malicious insider activity when you're dealing

(06:47):
with this very sensitive, often very valuable trade secrets?
It sounds like industrial espionage is kind of a larger issue, right?
How could that affect our nation? And then also how you would advise your members
to protect themselves against industrial espionage?
Farming and agriculture is a pretty competitive sector, not just against other

(07:08):
nations, but even farmers side by side, it's pretty competitive.
So they keep some of those trade secrets very, very closely guarded.
These can be details about varieties of crops, planning strategies,
chemicals and pesticides being used. Also concerns that that stolen information
could damage customer trust, could lead to lost sales, impacted reputations.
I think implementing multi-factor authentication best practices is really important.

(07:32):
We're starting to see a movement towards some of those physical hardware keys as well.
Some of these sophisticated actors have actually found ways to breach typical
MFA solutions, even like prompts to your phone.
They use social engineering to try to trick people into allowing those prompts
so they can still get in. I think also having the principle of least privilege
where your provision users only have access to the things they need is important.

(07:54):
And then other things you could look at is leveraging data loss prevention technologies,
ensuring that the intellectual property is protected and monitoring how it's
moving through your networks is definitely an activity that I would recommend as well.
With this industry, the JBS ransomware attack was one that got national attention
and it sort of introduced what ransomware could do in terms of the food supply chain.

(08:16):
And I'm curious just from your point of view, what that was like when that happened
and how the industry has evolved since.
I think the JBS food ransomware attack really showed how even a small disruption
to a major sector partner has immediate impacts to food supply.
They had a very short time where systems were actually down a couple of days,

(08:38):
but that was a multi-week delay in food for a lot of areas.
And I think that really opened people's eyes to what if JBS Foods had a month-long
shutdown as a result of ransomware or something catastrophic that would have
enormous ripple effects kind of down the line.
I think the other challenge for the food and ag sector is all the cross-sector

(08:59):
interdependencies as well.
So you need water for farming and livestock, oil and natural gas for heating applications.
You can think about transportation, whether that be tractor trailers,
railways, maritime, and then even things like communication.
You can think about GPS for those trucks and drones and things that they're using.
I'm curious what your thoughts are on the recent takedown of the LockBit infrastructure.

(09:23):
That's obviously one of the more notorious groups out there.
And we've seen several other international operations aimed at taking down this
infrastructure of these groups. Do you think that that's an effective strategy?
And have you heard from members about that being something that they're excited about?
Yeah, no, we're definitely excited. The challenge with some of these ransomware
groups, especially a group like LockBit, is they sell their malware to affiliates.

(09:49):
So when that ransomware group gets shut down, that's awesome.
I mean, we saw LockBit, they were responsible for probably a quarter of all
ransomware events that we saw.
So I think we saw almost 3000 last year, ransomware events, and a quarter of
those were LockBit. So great work by law enforcement. I think we're really excited.
They just got ALPHV BlackCat, which was the number two on our list a couple weeks previous to that.

(10:11):
But the kind of challenge is those affiliates that they work with,
they'll often just jump to another group. So we're kind of waiting to see,
now that LockBit, the major player, is out of the picture, where these affiliates
are going to go, what's going to be the next one that kind of spikes up.
Going back to talking about disruption in the supply chain, if there are any
interesting incidents that you know of, of technologies that we might not be

(10:36):
thinking of could be targeted or could be impacted.
I know you mentioned tractors, for example, or maybe IoT, anything like that.
I think what a lot of these actors are doing is they're scanning the web for
vulnerable, publicly exposed systems.
They are purchasing access from initial access brokers.
So they're just kind of focused on financial gain. They don't really care who the target is.

(11:00):
But I think when they do come across a food and agriculture company,
I think they do understand that that's a valuable target. So any company that's
involved in critical manufacturing, where they can seize production,
especially put strains on the public.
Now we're starting to see this marriage between information technology and operational technology.
Lots of reasons for that, you know, giving these systems internet connectivity

(11:21):
can bolster production, helps with logistics planning, you can connect manufacturing
facilities across the globe. Another big benefit is it allows remote access
for repairs and maintenance.
On one hand, it can enhance security because it allows for better monitoring capabilities.
But then on the other hand, you know, connecting those systems to the internet
makes them a bigger target for attacks.

(11:42):
I think another challenge is there can be a disconnect between some of those
OT and IT security teams.
But now that these are interconnected, companies are learning how to kind of
bridge those gaps. But attacks against operational technology, big concern.
If you were able to alter sensors and switches, it could cause food to spoil,
changing temperatures, you could ruin pharmaceutical applications.

(12:03):
Kind of more theoretically, I don't think we've ever seen this,
but if you were to somehow hack an ICS system, which could push that system
past some protective measures that are in place, could we see that using some sort of kinetic attack?
And you can also imagine the dangers of a system was being turned on while technicians
were cleaning or performing maintenance.
There could be some human health and safety concerns as well.

(12:24):
So I think you mentioned Internet of Things or IoT.
Every new device that has internet connectivity is another device that has to be monitored.
Another device has to be patched. And it also creates a new initial access vector
for companies to defend against.
I think another challenge is choosing the right vendors when you're buying all
this different hardware nowadays that has internet connectivity,

(12:46):
how do you pick the vendors that are creating these devices with security in
mind, I think is another big challenge.
There was a recent CISA warning a few weeks back about could Chinese manufactured
drones be sending data back to Chinese businesses, which could then in turn
be accessed by the Chinese government.
A large majority of drones are manufactured in China. They're used across US

(13:08):
critical infrastructure.
Food and ag sector, they might use these drones on farms for livestock monitoring.
In some cases, they even may be using them for fertilizer and pesticide applications.
So we have to start thinking about how that could be used by Chinese threat actors.
Going back to what you said at the beginning about these ransomware groups exploiting

(13:28):
vulnerabilities and publicly facing applications.
I'm curious if you're tracking initial access vectors and if you're seeing an
increase in using vulnerabilities or even zero days to get initial access compared
to previously more common methods like phishing.
You're spot on. That's been a big trend this year. That sophistication level
for some of these groups has definitely improved.

(13:50):
Instead of early on using phishing to see who eventually took that bait,
we're starting to see some of these groups exploit zero-day vulnerabilities.
So as soon as a vulnerability is announced, they will find an exploit.
Sometimes the affiliates they're working with will send them the exploit.
I think another trend we're seeing is we still call them ransomware actors,
but a lot of these groups aren't even encrypting systems anymore.

(14:12):
They're just stealing data, using that as leverage to get companies to pay.
A lot of companies have gotten really good at having backups, restoring systems.
So we're seeing a shift of them trying to find other means of extortion.
And when you're hearing from members, what are some of the most common challenges that you're hearing?
Is it about funding or staffing or even just basic hygiene measures?

(14:34):
What are some of the most difficult aspects of cybersecurity that a lot of these companies are facing?
Staffing will always be a challenge. I think we do hear complaints pretty often
about how hard it is to find the right talent and to fill some of these job
positions that might be vacant for multiple months.
I think sometimes they have high expectations for these certain people to be

(14:55):
out there, or I think they need to be more open to training people to fill some of these positions.
But one of our goals through that university partnership program,
which I mentioned earlier, is to help participating universities kind of understand
the skills that industry is looking for.
And then also we hope to create internship and job placement opportunities through that as well.
The other kind of challenges for the sector, how do we help these small farms

(15:18):
that likely don't have a dedicated security staff?
They don't have any resources for cybersecurity.
And we know that impacts to those small partners can have ramifications for the larger one.
And then I think the last piece is threat awareness is another challenge
for the sector, I think historically, attacks against the food and ag sector
haven't really hit the headlines like other sectors.

(15:40):
Obviously, JBS was big, but we don't see the attacks as often as we do with other sectors.
So I think understanding the threats is a challenge without joining some sort
of information sharing organization where you're talking with other companies,
sharing threats that you're seeing.
And regarding those challenges, is there any legislation that you're tracking

(16:00):
or that you're aware of that would improve any of that?
So for example, improved funding for cybersecurity in that industry?
There's kind of a concern generally that the movement towards increased regulation
and mandatory cyber incident reporting might divert some of the already scarce
resources away from actual security to compliance.
The Food and Ag ISAC, we recently submitted public comments on the FAR mandatory

(16:24):
incident responding regulations.
We believe voluntary incident reporting works well with the ISAC.
If more funding was available for the sector, I would like to see more curated
threat intelligence for food and agriculture sector companies kind of coming
out of the government side.
Welcome to I'm the CISO and I say so. This is a segment where we ask interview

(16:47):
guests what they would recommend or even mandate if they were the CISO of an
organization in the industry that they're speaking about.
So we asked Jonathan what he would say if he was the CISO of a company in the
food and agriculture industry. And here's his answer.
Properly segmenting operational technology really important so that you aren't
touching your corporate IT, which is kind of more commonly attacked by things

(17:09):
like phishing, so that adversaries aren't able to get into the operational technology is really important.
I'm a huge proponent of multi-factor authentication.
I think that's one of the greatest things you can do, especially now with,
you know, hardware tokens coming out.
I think it's going to be very hard for adversaries to bypass that.
Phishing awareness and training, insider threat training, very important.

(17:30):
Implementing processes to prioritize
patching across IT and OT, coming up with a way to prioritize which systems
are most critical, having a way to determine when systems are vulnerable,
how do you patch them, and then
kind of going back to what we talked about earlier, disaster recovery,
planning as well as testing.
I think sometimes people come up with a plan, they don't actually do a tabletop

(17:52):
and test it and try to make sure that it actually works.
I have to admit that I really enjoy learning about the technologies that are
used in agriculture and food, just because it's not something that we hear about too often.
And I actually read some case studies about how IoT is used in monitoring the
well-being of livestock.

(18:13):
They call that precision livestock farming. And it made me think about how compromise
there could be detrimental.
So for example, if an attacker gains access to the data or the devices,
they could really affect the health of an entire herd of cows if they were to
hide, for example, that animals are sick, or they delete information that's important
for feeding or breeding.
So Jonathan mentioning Chinese drones potentially monitoring things like fertilizer

(18:39):
and pesticide application really made me think about how this information could
be used to affect the growth of an entire crop and then how that would affect food supply for us.
Yeah, I absolutely think that point he made about CISA's drone advisory was interesting.
I actually hadn't seen that. So we'll, of course, link to that in the show notes.
I also thought it was interesting, but not surprising, that LockBit makes up

(19:01):
such a large percentage of ransomware attacks on this industry.
I think that the disruption operations that we talked about will have an impact,
especially if they continue at the current rate.
I think ransomware affiliates can move to another group or rebrand,
but I do think the prosecution involved in the disruption of their infrastructure
introduces a whole new level of risk that could actually dissuade cyber criminals

(19:25):
from getting involved in ransomware or continuing with these attacks.
So I think it's a deterrent that's worth the effort. But I'm curious,
what did you think about that?
Yeah, Audra, as we continue doing these episodes, we hear about ransomware more and more.
And it's interesting to see how it applies across different industries,
but also interesting to see how you have

(19:46):
to focus on the specific things that
these adversaries are trying to steal. So in this case, it's the intellectual
property, for example. In another industry, it might be that they actually do want
the ransom or they do want to release the data to undermine credibility, right?
So there are the similarities, there are the differences, and it's great to see
how that applies across all of these different industries that we're interviewing.

(20:09):
Yeah, definitely. I think that's one of the benefits of having ISACs that are
industry specific so that companies can take a look at the threats that are
unique to their industry and what competitors and other companies are experiencing.
So we'll, of course, link to more information about the ISAC in the show notes.
And you can also read more about cyber threats to this industry in our ongoing

(20:30):
blog series at splunk.com slash surge. That's spelled S-U-R-G-E.
And that's all the time we have for this episode of The Security Detail.
If you like what we're doing, please share The Security Detail with your friends.
You can look for us on Podbean, Apple, Spotify, or wherever you find your podcasts. Thanks for listening.