The Ag industry is now a ransomware target, along with many other American industries. I wrote this article in June 2021 for the ZAG Technical Services blog about the White House open letter on ransomware and its potential impact on the Ag industry.
In the shadow of the recent JBS and Colonial Pipeline ransomware incidents, the White House issued a bluntly worded open letter to America's corporate leaders urging them to protect their businesses "against the threat of ransomware."
The letter outlines a range of information technology (IT) security practices that companies should adopt. These form the basis of a robust, defensive security posture that every enterprise should follow, including multi-factor authentication (MFA) and business continuity planning.
Here are some of the memo's highlights most relevant to agriculture industry CXOs, executives, and leaders:
A bias for action
The first is an explicit request for action, with the White House directly calling on executives to:
"… immediately convene their leadership teams to discuss the ransomware threat and review corporate security posture and business continuity plans to ensure you have the ability to continue or quickly restore operations."
All great executives have a bias for action, and so this should not be a significant ask.
Recommendation: Gather the CXO team, line of business leaders, and IT stakeholders to review your business continuity plans. If you don't have these plans in place, it is better to know now.
Cause v. Effect
Separating the consequence of weak security posture—ransomware—and the security posture itself is essential. The White House called out several best practices that companies should implement. Consider these not only to be best practices but also your new security baseline:
- Multi-factor Authentication (MFA)
- Endpoint detection and response
- A solid security team
- Backup strategy
- Patch management
- Incident response plan
- Network segmentation
- An overall risk-based security program, informed by cyber threat intelligence and validated through penetration testing.
Recommendation: Of these practices, if there was one thing every executive should do today, deploy MFA everywhere. Doing this is now as rudimentary as installing antivirus and malware on your workstations. MFA isn't infallible, but it's critical. From there, action the other items as prioritized by your IT team and/or managed services provider.
Public policy indicators
I want to call out two other comments in the memo because they impact agriculture manufacturing, and I think they indicate the administration's policy intent.
The first is regarding testing incident response plans:
Would you turn off your manufacturing operations if business systems such as billing were offline?
According to investigative journalist Kim Zetter, Colonial Pipeline shut down operations because they couldn't bill. Shutting down critical infrastructure and supply chain operations because a company can't bill customers won't fly much longer.
The second involves network segmentation and is closely related to the first point:
"It's critically important that your corporate business functions and manufacturing / production operations are separated … to ensure ICS networks can be isolated and continue operating if your corporate network is compromised."
Between the list of best practices and supply chain operations, it looks like the administration is setting a baseline of minimum expectations. They soon won't be asking.
It seems antitrust is on the table too. According to the Wall Street Journal:
Sen. Chuck Grassley (R., Iowa) said the (JBS) cyberattack's fallout showed the risks of industry consolidation that has led to a handful of big companies processing the bulk of America's meat.
"If you had 10 companies instead of four, or 20 companies instead of four, we'd be less vulnerable if one of them was hacked," said Mr. Grassley, who has proposed legislation that he said would require meatpackers to compete more directly on livestock purchases. "It ought to teach us something, that there have been too many mergers," he said.
Recommendation: At the risk of sounding trite, we collectively need to take this issue seriously.
How can agriculture leadership respond?
It's unlikely that anyone reading this will put their hand up in favor of more regulation. Instead, leadership within each sector should convene and address the cybersecurity issue as the fresh produce industry addressed food safety issues.
It is better to proactively engage with what is essentially a national cybersecurity emergency than wait for the government to intervene.
This topic isn't new. Forward looking executives, like ZAG President Greg Gatzke, are discussing this presently. Greg tabled a proposition to form an "Ag Industry Cyber Council" along the lines of the LGMA. If anything in this post resonates, please reach out to Greg (website, LinkedIn) to continue that conversation.
Lastly, I propose we re-frame how we think about cybercrime, viewing it as a competitive threat like any other. No executive sits around passively while competitors take market share. They respond, and that response typically involves investment. That response requires a bias for action. That is what we need right now.
What the Ag industry can learn from the Colonial Pipeline hack
If you found this post informative, I wrote a post discussing six lessons the Ag industry can learn from the Colonial Pipeline hack. From managing supply chain risk to business continuity planning, we hope it gives you a few ideas to improve your company's security.