Food safety is, under the best of circumstances, a formidable endeavor that must balance policy with practice to protect the public health, the company and brand image, and the bottom line. That is business as usual. These are not ordinary times, however. The food industry continues to struggle with the many disruptions that occurred during the COVID-19 pandemic. A key issue is finding sufficient qualified employees, combined with the complex challenges of food safety training and protocol maintenance for these new and increasingly transient employees. Many managers also report problems that emerge from "not knowing their employees." This increases the potential for insider threats to emerge among disgruntled employees.
Cyber challenges are, likewise, increasing. Adversaries of all types use the internet to gain access to companies and steal anything of value. Hacktivists maliciously seek to achieve social justice, undermine public trust, alter policy, and damage food companies with which they disagree. Criminal organizations aim to rob and steal anything of value, including personally identifiable information (PII), which can be sold on the "Dark Web"—a part of the World Wide Web that is largely invisible to most people and is where criminal activities thrive.
Nation states, such as China, North Korea, and Iran, increasingly target U.S. critical infrastructure. The food and agriculture sector is part of their hybrid warfare campaign, intending to degrade and destroy systems capabilities, as well as gather intelligence that can be later used to challenge the U.S. militarily and economically.
An increasingly critical element of food safety and defense planning is assurance of data integrity—the ability to keep data unchanged as it is communicated or stored. Information being used for decision-making or reporting (e.g., government records) cannot be compromised, altered, or manipulated by unauthorized users.
Food companies generate, store, and disseminate massive amounts of data through information technology (IT) and operational technology (OT) systems. IT systems are the computers, data storage devices (e.g., servers), and networking devices that support essential business or enterprise operations, including those related to food safety and food defense monitoring and record-keeping. OT systems are the infrastructure, hardware, and software that control and monitor processes within food companies that enable the conversion of raw foodstuffs into products suitable for direct consumption, cooking, transport (e.g., cold chain), or storage. Cybersecurity for each of these complex and essential systems is similar, but in some ways distinct. Robust cybersecurity is an essential element of a comprehensive food safety plan and must complement other defensive programs.
Data sharing, like data integrity and cybersecurity, is a critical business function. Data sharing is generally internal to a company. A distinction is made here to external reporting, such as that which occurs with suppliers, logistics providers, or even government. Information sharing is a version of data sharing and is particularly important when it comes to threat-related information. Information can flow in both directions. Outwardly directed communication occurs when a company voluntarily shares information with other companies, sectors, or the government—for example, when a cybersecurity or food safety event occurs. Inwardly directed communication occurs when a company receives information that is voluntarily disseminated from other places, such as another company or the government.
Threat information is often transcendent in the sense that since any company can become a victim, it is advantageous that this information be shared, by everyone, even with competitors. If all companies willingly do so, everyone benefits. How is threat information best shared? The proven way is through the establishment and voluntary participation of an Information Sharing and Analysis Center (ISAC).
The food and agriculture sector is a critical infrastructure. The Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security defines critical infrastructures as those "…sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."1
CISA likewise defines national critical functions (NCFs) as those "…functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof."2 In the case of Food and Agriculture, CISA indicates that the purpose of the NCFs are twofold:
- Produce and provide agricultural products and services
- Produce and provide human and animal food products and services.
Put simply, the infrastructure and personnel in the sector are essential to the production, safety, and distribution of the food supply.
So why does the Food and Agriculture sector not have an ISAC? Part of the answer is that there is reluctance to share information with potential competitors and regulatory agencies within government. Those concerns can be mitigated by understanding the functions of ISACs and how information is shared.
ISACs are owned and operated by the member constituents, not by the government. Membership is voluntary, and although there may be information sharing requirements, all shared information is anonymized and protected. Since it represents a critical infrastructure, information handled by the ISAC is considered protected critical infrastructure information (PCII) and, therefore, is not subject to Freedom of Information Act (FOIA) requests. This exclusion from FOIA enquiries is based on Exemption 4, which "protects trade secrets and commercial or financial information that is obtained from outside the government and that is privileged or confidential,"3 and Exemption 9, which "protects geological and geophysical information and data, including maps, concerning wells."4
ISAC information is also accessible only to members and, therefore, is not made public or given to regulatory agencies. Food companies have expressed concern that establishing an ISAC would make them vulnerable to the accusation of collusion or price-fixing. ISACs deal only in threat-related information that can be legally shared with other companies. This type of data sharing is done regularly and successfully within other sectors, such as banking, energy, communications, and transportation, all of which have ISACs. Food and agriculture is the only sector that lacks an ISAC.
With security threats against the sector increasing and cyber threats against the global supply system also on the rise, it is imperative that a food and agriculture ISAC be formed. It does not have to be fully capable at the start; just a few large companies that agree to pool and analyze threat information can plant the initial seed. If successful awareness and deterrence can be demonstrated, then other companies will join. At full capability, the ISAC can serve as a watch and warning center for the sector, providing timely threat analysis for members at all levels.
In the next article, the authors will look at what it takes to create and run a successful ISAC.
References
- U.S. Cybersecurity and Infrastructure Security Agency. "CISA's Role in Infrastructure Security." https://www.cisa.gov/infrastructure-security.
- U.S. Cybersecurity and Infrastructure Security Agency. "National Critical Functions." https://www.cisa.gov/national-critical-functions.
- U.S. Department of Justice Archives. Freedom of Information Act Guide, 2004 Edition. "Exemption 4." May 2004. Updated December 3, 2021. https://www.justice.gov/archives/oip/foia-guide-2004-edition-exemption-4.
- U.S. Department of Justice Archives. Freedom of Information Act Guide, 2004 Edition. "Exemption 9." May 2004. Updated December 3, 2021. https://www.justice.gov/archives/oip/foia-guide-2004-edition-exemption-9.
Robert A. Norton, Ph.D., is a Professor and National Security Liaison in the Office of the Vice President of Research and Economic Development at Auburn University. He specializes in national security matters and open-source intelligence, and coordinates research efforts related to food, agriculture, and veterinary defense.
Marcus Sachs, P.E., is the Deputy Director for Research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He has deep experience in establishing and operating sharing and analysis centers including the Defense Department's Joint Task Force for Computer Network Defense, the SANS Institute's Internet Storm Center, the Communications ISAC, and the Electricity ISAC.