Psst, are your vulnerabilities showing?

My leisure reading is usually dictated by my mood and what is readily available at my library or through the Libby app. This past May, I read 2 novels in the political thriller genre. The first book told the story of a US intelligence agent working against time to find an individual extremist plotting an attack on the United States by creating a synthetic smallpox virus and covertly introducing it into the vaccine supply chain.¹ The plot of the second book centered on a cyberattack targeting the US power grid as an act of revenge.² Both books were suspenseful and entertaining works of fiction.

I quickly became unsettled when I attended the Agriculture Threats Symposium hosted by the US Federal Bureau of Investigation (FBI) in early June and learned just how closely my fictional reads could mirror reality. This 2-day symposium was attended by approximately 400 individuals representing various sectors of agriculture, academia, and state and federal law enforcement and government agencies. Speakers covered topics including foreign terrorist threats, domestic violent extremist threats, cyber threats, threats of foreign malign influence from nation states, threats to the agricultural supply chain, safeguarding the bioeconomy, and information sharing between agriculture and the law enforcement and intelligence communities.

The accidental or intentional introduction of a foreign animal disease (FAD) is considered to be one of the biggest threats to the swine industry. And for good reason: the impacts of an FAD introduction on animal health, public health, and the agriculture economy would be catastrophic. However, as global politics and technology continue to evolve, so too have the possible types and sources of threats to animal agriculture. For the sake of resiliency our scope of prevention, preparedness, and response must also expand to account for these new types of threats, including cyber threats.

Think of all the elements of veterinary practice and pig production that are dependent on digital devices, connected/internet-enabled equipment, and the generation and storage of electronic data. Now imagine if one of those components was suddenly taken offline, did not work, or was stolen. What if your feed mill was taken offline? What if your company, production, or animal health data was stolen and held for ransom? The proliferation and implementation of precision livestock farming technology nets many advantages for swine production but does increase the industry’s “digital surface area” creating more possible entry points for cyberattacks. If it is connected, there is a risk it can be controlled, manipulated, or shut down. Cyber risk is business risk.

In 2022, the FBI estimated financial losses from reported cybercrimes to be $10.3 billion.³ The primary cyber threats to the food and agriculture sector are:

• Business email compromise (BEC) scams target businesses or individuals by compromising email accounts, phone numbers, texts, or virtual meeting applications through social engineering or computer intrusion techniques with the goal of conducting unauthorized transfer of funds.³ These types of scams are likely to evolve with the evolution of artificial intelligence and deep fake capabilities.
• Ransomware is malicious software that encrypts data, making it unusable, or blocks access to a computer system. The perpetrator holds the data hostage and threatens to destroy the data or release it to the public until a ransom is paid.³
• Data theft uses computer intrusion to acquire confidential or secured personal or business information.³
• Denial of service attacks flood the target host or network with traffic until the target cannot respond or crashes, preventing legitimate users from accessing information systems, devices, or other network resources.⁴

These cyber threats are not mutually exclusive, nor is this list all inclusive, so investing in cybersecurity is not only good for business security, but also national security. The scope, complexity, and impact of cyberattacks are increasing. At the same time, the level of technical knowledge and resources required to conduct cyberattacks is decreasing.

There are 3 key steps you can take to protect yourself and your business against cyber threats. First, know your self and business – identify and protect your most important assets and biggest risks. Second, focus on basic cyber hygiene⁵:

• Download updates for all devices, applications, and operating systems to limit flaws in the system.
• Use strong passwords that are at least 15 characters long, are unique and not used elsewhere, and are randomly generated. I admit I was guilty of reusing memorable passwords until I started using a password manager tool.
• Turn on multifactor authentication. In addition to strong passwords, this extra step helps verify it is you by asking for two forms of information: something you know (eg, pin numbers or security questions), something you have (authentication application or confirmation text), or something you are (eg, fingerprint or faceID).
• Think before you click to avoid phishing schemes, which is where more than 90% of successful cyberattacks start.

And third, do not go it alone. Did you know there is an entire government agency dedicated to understanding, managing, and reducing risk to our cyber and physical infrastructure? Operating within the US Department of Homeland Security as a nonregulatory agency, the Cybersecurity and Infrastructure Security Agency (CISA) has 10 regional offices and cybersecurity and protective security advisors located in each state. The CISA advisors work to connect critical infrastructure owners and operators to resources, analyses, and tools to help build cyber and physical security and resilience. You can find your regional office and state advisors by visiting cisa.gov/about/regions. A full list of the resources and services offered by CISA can be found at cisa.gov/cyber-resource-hub. Best of all, these resources and services are available at no cost to you. Contact your state cybersecurity advisor for an initial discussion on where to start on your cybersecurity journey.

If you or your business do become a victim of cybercrime, a report should be filed with the Internet Crime Complaint Center (IC3; ic3.gov) to initiate an investigation. The IC3 is run by the FBI, the lead federal agency for investigating cybercrime. Additionally, tip information about suspicious activity in or around food and agriculture production sites can be submitted to the FBI by phone (1-800-225-5324) or web (tips.fbi.gov). Better yet, locate your nearest FBI field office (fbi.gov/contact-us/field-offices) and build a relationship with them as you would with your local law enforcement agencies. You can be as helpful to them as they are to you when it comes to identifying and addressing potential threats to the food and agriculture sector. As the adage goes: see something, say something!

Sherrie Webb, MSc
JSHAP Associate Editor

References

*1. Hayes T. I am Pilgrim. Atria. 2014.

*2. Abrams S. Rogue Justice. Doubleday. 2023.

*3. Internet Crime Complaint Center. Internet Crime Report. US Dept of Justice Federal Bureau of Investigation. 2022. Accessed June 14, 2023. https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

*4. Cybersecurity and Infrastructure Security Agency. Understanding denial-of-service attacks. CISA blog. February 1, 2021. Accessed June 14, 2023. https://www.cisa.gov/news-events/news/understanding-denial-service-attacks

*5. Cybersecurity and Infrastructure Security Agency. 4 things you can do to keep yourself cyber safe. CISA blog. December 18, 2022. Accessed June 14, 2023. https://www.cisa.gov/news-events/news/4-things-you-can-do-keep-yourself-cyber-safe

* Non-refereed references.