The Colonial Pipeline ransomware incident that shut down a vital pipeline delivering fuel from the Gulf Coast to the Northeastern United States is the latest in a growing list of attacks on America’s supply chain. There are important lessons that the agriculture industry can take away from this attack that will inform how we approach supply chain risk in the months ahead.
Supply chains are under attack, and the government is getting involved
The first lesson is that America’s supply chains are under attack: by nation states, as in the SolarWinds hack, and by criminal organizations, as in Colonial Pipeline. The issue so concerned the President that he signed “Executive Order 14017 on America’s Supply Chains” in February. The order directed federal agencies to identify vulnerabilities in crucial U.S. supply chains, initially in semiconductor manufacturing and advanced packaging, high-capacity batteries, critical minerals and strategic materials, and pharmaceuticals and active pharmaceutical ingredients.
A broader one-year review will examine other critical supply chains, including the production of agricultural commodities and food products. In response, the USDA announced that they would seek comment on food system supply chains to support resilient, diverse, secure supply chains. In a media statement, they noted:
“The comments received will help USDA assess the critical factors, risks, and strategies needed to support resilient, diverse, and secure supply chains and ensure U.S. economic prosperity, national security, and nutrition security for all Americans. Such supply chains are needed to address conditions that can reduce critical processing and infrastructure capacity and the availability and integrity of critical goods, products, and services.”
If you are interested in commenting, you’ll find more information on the Federal Register website.
Just this month and in the wake of the SolarWinds hack, the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) released guidelines designed to help companies defend against software supply chain attacks.
CISA and NIST produce actionable content that IT Directors working in agribusiness can leverage to improve their company’s security posture. You’ll find information about supply chain IT risk management on their site, in addition to a recently published ICT Supply Chain Risk Management Toolkit.
The attention being paid to these issues by the highest levels of government indicates the level of risk to the supply chain. So now is the time to check the health of your prime suppliers and vendors. Doing this will help prepare your organization for what’s ahead.
More recently, President Biden released another Executive Order on “Improving the Nation’s Cybersecurity.” It’s a lengthy statement. It establishes a cybersecurity review board and a host of supply chain initiatives, and asks for government/private sector partnerships.
The following section is worth noting:
“The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. In the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced.”
Lesson #1: Proactively manage your supply chain risk.
Rethink your perception of “hackers”
There is a long-held perception that hackers are 16-year-old nerdy kids hiding away in their mother’s basement pushing scripts around for fun. At one point, this may have been the case, but the cybercriminal persona is much more sophisticated today.
Cybercriminals are highly organized, technically competent, geographically dispersed, and focused only on one thing: your money. As reported on the Krebs On Security website, the group responsible for the Colonial Pipeline breach said, “We are apolitical, we do not participate in geopolitics, do not to tie us with a defined government and look for other motives. Our goal is to make money.”
You work hard to build a great business, and you work hard to build and maintain relationships with your customers; don’t let cybercriminals steal those too.
Lesson #2: For cybercriminals, it’s not personal; it’s just business.
Breaches are rarely quickly fixed
It took one week for the Colonial Pipeline to return to regular operations. You can no doubt calculate what a one-week outage at your business looks like in terms of lost revenue and potential lost business. In addition, Ag businesses have lost customers and business to competitors because of security incidents, with hundreds of thousands of dollars lost to ACH fraud.
Being out of business for one week is optimistic. In an article by investigative journalist Kim Zetter, Anatomy of a $2 Million Darkside Ransomware Breach, she writes that “restoring backed-up data can take weeks for a large firm and months for a company to return to normal.”
It is critical for your IT team, or managed services provider, to have your disaster recovery and business continuity plans and protocols in place, tested, and ready to deploy. Those are two big topics, and you can read more about both disaster recovery and business continuity on ZAG’s blog.
As ZAG CEO Greg Gatzke recently wrote on LinkedIn:
“Too many people confuse Backups with Disaster Recovery. If the company is experiencing an attack, the goal must be to get systems restored quickly and cleanly. Relying on backups can cause significant delays that can dramatically hurt the organization. Snapshots are often the best solution to recover promptly. Remember, it takes time to ensure the environment is clean of criminal activity … often more time than just failing back to a snapshot! Ensure your organization is ready for this.”
Greg regularly posts insights like the above on LinkedIn. He is worth following for timely updates about the latest information technology best practices.
Lesson #3: Ensure your business continuity plans are in place and tested.
Agribusiness supply chains are especially at risk
In an insightful case study recently released by ZAG, the IT Director at The Nunes Company, Johnny McGuire, noted that, “When it comes to technology, many areas of agriculture are very behind the times, and people care more about new tractors than their IT infrastructure.” We certainly encounter companies who still see IT as a cost center rather than an opportunity to become more competitive and win new deals.
Because some industry participants are slow to update IT, secure their networks and applications, and adopt best practices, the entire supply chain is at risk both upstream and downstream. Unfortunately, companies like yours are potentially at risk, too.
Although everyone in agriculture is fiercely competitive, there are times when the industry comes together in the face of threats that endanger all of us, as in the case of food safety. Today, the supply chain threat should be another. While it is more abstract and perceptually less immediate than food safety, it is no less real.
Lesson #4: We are in this together, and we’re only as strong as the weakest link.
It is “risk management,” not “fix management”
In a post on Food Logistics dating back to 2019, Chris Boyd, a threat researcher at the internet security company Malwarebytes, perceptively said about IT security:
“I’d start with the assumption that everything is compromised—whether that’s the physical building security, firewall policies, malware on the network, or data leaks—then think ‘What’s the most damage that could come out of this?’ Once you know the worst that can happen, you can take steps to lessen the impact.”
It is not until we know the nature of a potential risk that we can address it. Risk management is about management, not avoidance. Not every risk needs to be, or reasonably can be, fixed.
Let’s say, for example, that your supply chain involves a third party supplying glass bottles, or clamshells, or even another commodity used in production. Let’s also imagine that they are a single-source supplier to your business. You audit their IT security posture and find that they are at serious risk of being hacked. Working with a company like ZAG or your internal IT team, you determine that in the event of an IT breach, production will likely stop for 14 days. What do you do?
Do you insist that they fix their IT? Find another supplier? Increase your inventory of their product to guarantee supply for an additional 14 days? Roll the dice and do nothing? The point is that you have options, and until you take the necessary steps to understand the threat, you’re flying blind (so to speak).
Lesson #5: Not every risk needs a fix, but to not be informed is criminal.
There are simple ways to audit your supply chain security risk
Although there is an inevitable element of doom and gloom when discussing IT security, or “FUD” as it’s called in marketing (fear, uncertainty, doubt), the fact is that there are ways to check on the health of your supply chain IT security risk.
Maintain an open dialog with your downstream suppliers. Have your IT team (or MSP) engage directly with the supplier’s IT team. Generate a list of best practices or standards that you can use to ensure your suppliers meet minimum security requirements.
Maintain an open dialog with your upstream customers. Conduct internal audits and report those results to your customers. More and more, we see our clients checking their downstream supplier IT security, and you should assume that your customers are doing the same to you.
Audit your suppliers. As noted above, you can use tools to run external scans on your supplier’s IT systems. Once you know what their risk exposure looks like, you can have a meaningful conversation with them about getting it fixed.
Lesson #6: You have options, and if you’re not sure where to start, we can help.
If there is one takeaway from this post, it is this: most leaders within the Ag industry are not thinking about supply chain IT risk, and they need to start thinking about it now. We are here to help.