Nailing Down the Basics of Food Chain Security

Criminal organizations are your second-most-likely adversary and their attack vector should not surprise you.


In the first installment of this series (Food Logistics, October 2019), the issues of insider threats and disgruntled employees were discussed. Every company is likely to have a small percentage of disgruntled employees, most of whom will never act violently. All have to be properly managed so an escalation of aggressive activities does not occur. There are other, more challenging, threats that can damage brand, profitability and even a company’s survivability.

Criminal organizations are an ever-present reality, and corporate survivability and profitability depend on recognizing the threat and managing solutions. Criminal organizations come in all shapes and sizes. On the lowest end of the scale are groups that seek to steal anything of value.

Know Your Threat Actors 

Employees, unfortunately, are most often the perpetrators of theft, which is a continual security problem. These thefts are usually crimes of opportunity and are not organized, but the collective effect can be massive. In fact, companies and retail stores have actually been shut down because of the level of losses. In one famous example, Sam Walton personally turned off the lights and padlocked the doors of a Walmart where employees were “…stealing the store blind…”

At this level, the sum of individual thefts can approach or exceed a more organized theft effort. In terms of company losses, it really matters little whether an individual criminal or a group actually stole the truck; company assets are gone either way. So comprehensive theft prevention planning has to address both insider and external threats.

Moving up the scale, we find more focused and methodical threat actors. This stratum includes corrupt government individuals and criminal organizations. Corruption is a way of life in many nations in which food chain companies operate, and corporations in the past have often considered payoffs as a cost of doing business.

Unfortunately, it is an uncomfortable reality that corporations are likely (at some point and in some places) to be faced with the decision of whether to pay a bribe. Company response is dependent on many factors, including a careful calculation of the costs (not just monetary) versus expected benefits. Regardless of the decision, companies will have to live with the consequences.


Corrupt officials and criminal organizations also can be involved in sabotage, extortion, kidnapping and cyber ransoming. Personnel, facilities, equipment and systems are likely to be targeted. Personnel safety should be a first consideration.

Because of subject sensitivities, security strategies for dealing with each kind of potential threat will not be discussed here in detail. The hard-won critical lesson is that it is a necessity for companies to plan ahead for contingencies, rather than waiting for the crisis that is sure to come.

At this level of threat, physical security is extremely important, since sabotage and extortion are two potent means for causing harm. Under ideal conditions, security managers regularly interact with food safety and food security personnel. Unfortunately, in many companies, these domains frequently remain stovepiped until there is a crisis.

Destruction by Other Means—The Cyberattack Vector

The news is filled with examples of companies and municipalities experiencing cyberattacks. Systems are attacked, on occasion destroyed, and always compromised. Increasingly, systems or data are held hostage, with the demand for ransom. Companies should expect these types of ransomware attacks to increase in the future and plan accordingly.

It is not too much of a stretch to say that it is not a matter of if you will experience a cyberattack, but when. Your company will be attacked. Many of these operations are now driven by foreign criminal organizations and entities with a connection to foreign governments (e.g., North Korea). Criminal organizations, like foreign governments, are also increasingly targeting proprietary information and personally identifiable information (PII) about employees and customers. Why target your proprietary information? PII has value in the black market.

Most companies realize the cyber threat. What they may not realize is how that threat is escalating in sophistication. It is no longer sufficient to say, “We have firewalls…” The cyber adversaries your company has to really worry about are highly sophisticated and, in many cases, well beyond the capability of most companies (except perhaps the largest) to defend against. Assume that from this point on, professional cybersecurity experts will have to be engaged. That will be an expense (perhaps significant), but also an investment.

Even with this new reality, there are things that can be done internally to make your systems and data more secure. It has become almost trite to say it, but rule No. 1 in protecting corporate assets is “…backup, backup and then backup!” All data and control systems software should be stored in duplicate at multiple remote locations so they can be quickly retrieved if any kind of compromise (e.g., manmade, fire, natural disaster and the like) occurs. It is hard to believe that in this era of escalating cyber threats, companies still lose non-backed-up data and systems software.

As in any system, the weakest link is always the human element. Employees are often educated about the basics of cybersecurity, but are seldom tested by mock challenges (e.g., a pretend phishing email). Companies also are too often complacent about passwords and access credentials. Complex passwords that are randomly but regularly changed should be the norm in even the smallest food chain companies. What is the most frequent password today? Password. That is unacceptable.

Criminal organizations and threat nations often target corporate employees by offering to buy their access credentials. System credentials enable system penetration. Successful system penetration can result in total system compromise. Do you have a disgruntled employee? They might be ripe for targeting by cyber criminals. Companies need to work with cybersecurity professionals to help spot the telltale clues that an employee is trolling for an offer or has actually been compromised, selling their credentials to the highest bidder.

Making More Robust Cyber Defenses

The Cybersecurity and Infrastructure Security Agency (CISA) is the nation’s risk adviser, working with partners to defend against today’s threats and collaborating to build a more secure and resilient infrastructure for the future. Agriculture and the food chain are critical infrastructures, making CISA a possible solutions provider. CISA provides extensive cybersecurity and infrastructure security knowledge and practices to its stakeholders, sharing that knowledge to enable better risk management, and putting it into practice to protect the nation’s essential resources.

More specifically, CISA provides risk awareness and helps people understand how to mitigate the threats and vulnerabilities they may encounter and to improve their risk posture. Put differently, CISA helps you identify your problems and advises you on the fixes. The agency doesn’t actually fix your problems, which is left to you, but it does help you develop your own robust defenses. Food chain companies are strongly urged to go to the CISA cyber resource page at (www.us-cert.gov/resources/cybersecurity-framework).

The new reality is that we live in a hypercompetitive global environment, where the demarcation between competitor and adversary continues to blur. The adversaries described here are real, and your company is likely dealing with these types of adversaries on a regular basis. There are other adversaries, worse still, associated with competitors or even with nation states. In the next article in this series, the issues associated with competitors and actual hostile states will be discussed.

If there is one lesson we all must learn, it is that the boundaries between peace and war are increasingly blurred. This new reality means that there are no longer any front lines or any separation between the military, national security and critical infrastructures. We are the front lines and must work cooperatively and collaboratively to ensure the continuation of a safe, secure and economical food supply. We are all fighters now.
