WASHINGTON – The chicken sandwich you had for lunch seemed like a simple meal. But there were many steps to get the chicken from the farm to your plate – and most of them were potential targets for cyberattacks.
The bird began its six-week life on a factory farm. It was loaded on a truck and transferred to a processing plant. After processing and packaging, it was placed on another truck and driven to storage, where it was refrigerated. Then it got the call to the grocer and was again transported by truck.
You picked it off the grocery shelf among dozens of identical packages and froze it for a few weeks before cooking it, mixing it with other ingredients and eating it.
At each step along that journey, that chicken interacted with cyberspace. On the field, the farmer used satellite measurement and GPS tracking to manage the crops you mixed with your poultry—a technique known as precision agriculture.
At the plant, the food processing was run by industrial control systems that directed floor operations. In the truck, the food deliveries were regulated by wired shipping orders between producers and distributers. In storage, the meat’s temperatures were maintained by data-controlled refrigeration. In retail, your financial transactions were executed through barcodes and scanners. And, of course, at the corporate level, the major brands that label your products supervised their far-flung operations through cyberspace.
“Agriculture is really getting in the last few years into large sums of data, and that data needs to be protected,” said Robert A. Norton, director of the Auburn University Open Source Intelligence Laboratory and faculty liaison to the Auburn Cyber Initiative. “Food defense spans many, many things. It can be insider threats. It can be industrial chemicals that you may have in your system. It can be human resources. Cyber pierces all of these things because it gets inside of the system that has to be defended.”
While the image of farming is more associated with cornfields, tractors and workers in overalls and straw hats, the food supply chain, from the farmer to the grocer, increasingly relies on big data.
And just like any other industry that relies on computer chips, there’s the potential for cyberattack ,
“What are the risks if somebody gets into these systems and screws around with the numbers?” said John T. Hoffman, senior research fellow at the National Center for Food Protection and Defense. “And puts too much of an ingredient in and suddenly takes a pretty mundane product with some minor seasoning in it and adds a toxic level and it goes out to people. Is that likely? No. But is it possible? Yes.”
A more likely threat is the theft of information, such as shipping documents. This can lead to thievery in physical space. Using information gained through hacks, cyber criminals can locate and steal cargos of food—an ideal target because they can easily be converted into money with limited potential legal ramifications.
The food industry has not made it difficult for cybercriminals to steal data. Many food processing plants use outdated operating systems like Windows 2000 or Windows XP, and few train their employees in basic cyber operations like changing passwords.
“You walk into a plant and you say, ‘When’s the last time you changed the password?’” Hoffman said. “Total silence. Well, how many people know the password? Everybody on the floor. So that means people who you fired two years ago still know the password to the system.”
In fact, Trustwave, a cybersecurity firm, found the food and beverage industry to be the second most compromised industry to online threats in its 2015 Global Security Report, behind only retail, and food sales are counted in the latter category.
Every step in the food supply chain is now linked through cyberspace, and as you move up that chain, the cyber dependence becomes greater.
“Food corporations face an assault from system attackers just like every other business,” Norton said. “And it’s constant. It’s unrelenting.”
The Farm
Farmers now rely on data at levels that match most other professions. Using satellite technology, farmers collect precise measurements and information about their fields, customizing each square foot to produce maximum yield. Similarly, they use advanced technology to measure nutrients, fertilizer and chemicals, monitor yields and automatically guide tractors. Agriculture specialists believe drones and robots will one day play a major role in the field.
A cyber threat exists in growing food, but Brian Williams, assistant extension professor at Mississippi State University, noted that farmers can revert to the traditional way of farming in an emergency.
For example, irrigation systems can be started using cell phones, but most farmers still check their fields daily and can start the systems manually if needed.
But the need for cyber protection increases in other sectors, like the transportation, water and chemical industries.
“As long as the food production is dispersed,” Norton said, “then you make it less vulnerable. Once you start to concentrate it, where it’s all in one place or it’s all under one control, then you make it more vulnerable.”
Processing and Delivery
A larger threat to the food industry emerges as you move up the supply chain. Processing and delivery are particularly vulnerable.
Manufacturing facilities with computer systems controlling production are often not well protected. In addition to outdated operating systems, few companies have cyber safety training for their employees, experts said, and backdoors into systems are frequently left open.
This lack of protection and intrusion detection can lead to large-scale theft of information, including delivery schedules. In fact, the truck is where food is most vulnerable, Norton said.
“If you look at it, map it out,” he said, “the things that become our food are actually in transportation mode more than they are in the processing mode.”
Cybertheft often is a precursor to physical theft—particularly cargos of food. Cybercriminals can steal shipping documents, learn detailed delivery operations and steal truckloads of food.
“The reason food is such an ideal product is it’s so easy to convert into cash,” Hoffman said. “You can do it within a couple of days, and the level of theft has gotten to be such that the justice department and others estimate that it might add as much as 20 percent to the cost of food because of the loss from theft. This goes back to cyber penetrations.”
In January, for example, a truck carrying $160,000 worth of cheese was stolen in Wisconsin. The thieves apparently broke into computer systems, downloaded the shipping documents and took delivery of the food in their truck.
Cargo theft is considered a local crime, not a federal one. When stolen, the missing truck is reported, not the missing food. After selling the food, the criminals often abandon the truck, and when it is found, case closed. The food is never tracked.
“If somebody loses a truckload of a product that’s worth $70,000 or $80,000 per truckload, and that happens a couple times a year,” Hoffman said, “you’ve grown way past any cost of implementing protections to prevent that.”
Corporations and Government
At the corporate level, there’s an incentive problem to forming more concrete cyber guidelines. The Department of Agriculture and Food and Drug Administration have been gathering information from experts and food corporations to create cyberprotocols.
But the industry has not been fully cooperative because sharing information on hacks could also reveal brand-damaging information.
“Logo and reputation, worth billions of dollars, are more valuable to them than the physical facilities,” Norton said. “What you could have is a cyber attack in which a corporation could be brought to its knees.”
Hoffman said it is the food industry’s responsibility to create cyberstandards.
“At the end of the day,” he said, “if somebody does something to these systems and if a product goes out and it makes people sick because of a cyberattack, companies are the ones who are going to be held responsible.”
But he also said government has a role in ensuring food cybersafety by conducting data security inspections at plants much like the health and safety inspections already in place.
Meanwhile, uncertainty remains over which government agency should take the lead in developing cyber standards for the food industry. Cyber experts in government are usually not found in the DOA or FDA, but in the Department of Homeland Security.