The death of Qasem Soleimani at the hands of the American military is considered a game changer by many because Iran’s chief architect of terrorism was successfully targeted, putting the Iranian government on notice that similar results can be repeated if malign activities continue. Iranian decision-makers remain bent on revenge, and the cyber realm provides a likely attack vector, given the potential for plausible deniability. The likely cyber targets? U.S. critical infrastructures, including the U.S. food supply and its backbone, agriculture.
We often assume our food supply is a constant, incapable of failure. This is mistaken. Our food supply and supporting logistical systems are in fact a system of systems, which is both a blessing and a curse. The blessings are efficiency and economy, which ensure that the U.S. has the most diverse and economical food supply of any nation in the world. The curse is that single-point failures can cause cascading effects, disrupting the entire system.
For decades, Iran has developed sophisticated terrorist capabilities, and immediately after Soleimani’s death the press expressed worry about “sleeper cells,” or terrorists in hiding. Iran’s mobilization of such cells would elevate the potential for violence, but law enforcement is constantly on the lookout for them. Another concern is “lone wolves,” or individuals who commit violent acts on their own, without specific directions from any nation or group. Again, law enforcement is on the hunt.
Could attacks from either occur in the U.S.? Of course they could, but adversaries aren’t restricted to using improvised explosives or guns. Terrorism can take other forms, such as attacking the food supply. Cyber may in fact become the weapon of choice for sleeper cells and lone actors seeking to cause panic and sow distrust of a government unable to protect us.
The Information Technology-Information Sharing and Analysis Center (IT-ISAC) was formed by companies in the information technology sector as a forum for managing risks to their corporate IT infrastructure. As expected, the IT-ISAC observed multiple reports of attacks originating from Iran across various industries in the days following the killing of Soleimani.
The governor of Texas reported that Texas state agencies alone were seeing 10,000 attempted attacks per minute. In addition, there were public reports of password-spraying attacks on the U.S. grid emanating from Iran. “Password-spraying” is the attempt to log in to hundreds or even thousands of different accounts using a small number of commonly chosen passwords, rather than many guesses against a single account, so that the attacker stays beneath account-lockout thresholds; in this case the targets were U.S. electric utilities as well as oil and gas firms.
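Because a spray spreads its guesses thinly across many accounts, per-account lockout counters never fire and the attack is only visible when failures are grouped by source rather than by user. The following added example, which is not code from the original article or from the IT-ISAC, runs that grouping over constructed authentication log lines (the log format, IP addresses and usernames are invented for the illustration) and separates a spray from a conventional brute-force attempt and from an ordinary mistyped password; it also reports any account that logged in successfully from a spraying source, since that is the account the spray most likely compromised.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Format assumed here:
# "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>".
SPRAY = [f"2020-01-06T02:00:{i:02d}Z auth FAIL user={u} src=203.0.113.7"
         for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"], start=1)]
SPRAY.append("2020-01-06T02:00:07Z auth OK user=grace src=203.0.113.7")  # one guess lands
BRUTE = [f"2020-01-06T02:01:{i:02d}Z auth FAIL user=admin src=198.51.100.9" for i in range(12)]
BENIGN = ["2020-01-06T02:05:00Z auth FAIL user=alice src=192.0.2.20",  # a typo, then success
          "2020-01-06T02:05:05Z auth OK user=alice src=192.0.2.20"]
SAMPLE_LOG = "\n".join(SPRAY + BRUTE + BENIGN)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text):
    """Turn log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(events, window=timedelta(minutes=10), min_accounts=5, min_attempts=10):
    """Classify each source IP as 'password_spray', 'brute_force', or nothing.

    Spray: failures against at least `min_accounts` distinct accounts with at most
    two failures per account (the attacker is deliberately staying under lockout).
    Brute force: at least `min_attempts` failures against one account.
    For a spraying source, any successful login after its first failure is listed
    as a likely compromised account.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        end = evs[-1]["ts"]
        fails = [e for e in evs if e["result"] == "FAIL" and end - e["ts"] <= window]
        per_user = defaultdict(int)
        for e in fails:
            per_user[e["user"]] += 1
        if not per_user:
            continue
        distinct = len(per_user)
        max_per_user = max(per_user.values())
        if distinct >= min_accounts and max_per_user <= 2:
            first_fail = fails[0]["ts"]
            hits = sorted({e["user"] for e in evs
                           if e["result"] == "OK" and e["ts"] >= first_fail})
            findings[src] = {"type": "password_spray", "accounts": distinct,
                             "compromised": hits}
        elif max_per_user >= min_attempts:
            findings[src] = {"type": "brute_force",
                             "account": max(per_user, key=per_user.get),
                             "attempts": max_per_user}
    return findings


if __name__ == "__main__":
    for src, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

The thresholds are starting points, not tuned values: on a real identity provider the distinct-account count should be judged against the normal number of users behind a given source (a NAT gateway or VPN concentrator legitimately produces many accounts from one address), and the same grouping should be applied to user-agent strings and ASNs, since sprays are routinely distributed across many source addresses.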
The likelihood of Iran continuing malign activities in the cyber realm is very high because deterrence in cyberspace is very difficult, since it is hard to impose costs on cyber-architects and actors. For example, while the U.S. has indicted many people for nation-state cyberattacks, these actors are unlikely to be arrested and face trial. The U.S. is beginning a campaign as part of a larger strategy of warring by attrition, as evidenced by escalating economic sanctions. In the meantime, we as a nation should expect possible acceleration of increasingly sophisticated cyberattacks by Iran. All critical infrastructures, including food and agriculture, will be targeted.
What is the appropriate corporate response to these continuing threats? First, remain calm and carry on with developing robust cyber defenses. Your greatest defense is corporate resiliency, meaning you become capable of absorbing a cyberborne strike with a minimum of business disruption.
Cyber Impact
Concerns about Iran launching cyberattacks against critical infrastructure are well-founded. Iran has developed offensive cyber capabilities, and Iranian actors have attacked critical infrastructure in the past. Most famously, from 2011 to 2013 Iranian actors launched wide-scale and impactful Distributed Denial of Service (DDoS) attacks against U.S. financial services institutions. In March 2016, seven Iranians were indicted by the U.S. Justice Department for launching these attacks on behalf of the Iranian government. In addition, we know that other nation states have deployed offensive cyber tools during times of heightened geopolitical tension:
• Russia was blamed for a series of cyberattacks in 2007 against Estonia.
• In December 2015 and again in December 2016, Russia is alleged to have hacked the power grid in Ukraine, cutting power to roughly 230,000 customers in the first attack and to part of Kyiv in the second. Russia is reported to also be probing the U.S. power grid.
• In 2012, the Shamoon virus wiped the disks of some 35,000 machines belonging to Saudi Aramco in a cyberattack attributed to Iran.
• A programmer working on behalf of North Korea is alleged to have been responsible both for the 2014 attack on Sony Pictures Entertainment and for launching the 2017 WannaCry ransomware.
This is not a complete list. Of course, the U.S. government has also launched cyber offensives against adversaries. The Stuxnet virus, which allegedly targeted the Natanz nuclear facility in Iran with the goal of disrupting its development of nuclear weapons, is thought to have been developed by the U.S. and/or Israel. More recently, the U.S. also is reported to have launched cyberattacks against Iranian missile systems. Multiple nation states have been known to launch attacks against critical infrastructure. In addition to nation state actors, hackers often act independently, launching revenge attacks motivated by a sense of patriotism or injustice.
The threat from Iranian cyberattacks is real. The Iranians have demonstrated past intent and capability. It is so real, in fact, that on January 4, 2020, the Department of Homeland Security warned of Iran’s “robust cyber program” in a terrorism bulletin. This was followed by another alert on January 6 that warned specifically of the potential for Iran to launch cyberattacks in response to the killing of Soleimani. The threat is heightened for critical infrastructure companies, including those in the food and agriculture industries.
What can companies do in this heightened threat environment? Begin by taking basic cybersecurity precautions. Doing the small things the right way can pay big dividends. Some simple, inexpensive but effective ways companies can begin to secure themselves:
• Make sure your machines are updated: Whenever possible, use the “automatic update” feature to ensure operating systems, firmware, and applications are running the latest versions. Patches plug vulnerabilities. Bad guys get into your network by exploiting vulnerabilities. By reducing your vulnerabilities, you increase your security.
• Deploy anti-virus and anti-malware tools: These tools are not foolproof but provide an essential layer of defense to protect against known malware and viruses.
• Back up your data: If you were to experience a breach or become a victim of ransomware, you can quickly regain access (and keep your business running) if you have access to your data. Offsite data storage generally is recommended, and several tools are available for automatic, online backup of files and systems.
• Implement two-factor authentication: Two-factor authentication requires a user to present two independent proofs of identity—typically a username/password combination plus a secondary factor. Often this is a code sent by text message to the user’s mobile phone, although there are two-factor authentication methods that provide even greater security, such as authenticator apps and hardware security keys, which are not exposed to SIM-swapping or message interception.
• Understand the risks to your business: Cyberattacks can be disruptive or they can be debilitating. Debilitating attacks threaten core business operations and threaten your company’s ability to stay in business. Identify and understand core business functions so you can protect them by creating redundant capabilities.
• Collaborate with peers: Your network is one very small part of the global Internet infrastructure. Engage with peers to learn what they are seeing and understand what security practices they have implemented. Also share what has worked for you. Information Sharing and Analysis Centers (ISACs) offer companies the opportunity to engage with peers in a trusted environment under the protection of non-disclosure agreements. The IT-ISAC has a Special Interest Group dedicated to sharing among the food and agriculture industry. Identify the right forum for you and engage!
• Access open source tools and data: There are excellent tools available on the Internet that can assist you in improving your security. You can sign up for alerts from the Department of Homeland Security, and you can leverage the National Institute of Standards and Technology’s Cybersecurity Framework to build your cybersecurity program.
Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group. He is a long-time consultant to the U.S. military, federal, and state law enforcement agencies. His blog, Bob Norton’s Food Defense Blog, can be found at aufsi.auburn.edu/fooddefense/blog/. He can be reached at nortora@auburn.edu or 334.844.7562.
Scott Algeier is the executive director of the IT-ISAC.