
PMMI Podcast

Episode #124 - Defending the Food Chain: How Industry Giants Unite to Safeguard Food and Beverage Processing from Cyber Threats

July 26, 2023

Guests: Scott Algeier, Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC) and Executive Director of the Food and Agriculture – Information Sharing and Analysis Center and Paul Hershberger, Cyber Command Center Leader, Cargill

In this episode, we explore the ever-evolving realm of cybersecurity threats impacting our food producers. With bad actors continuously advancing their tactics in the cyber world, the Food and Agriculture Information Sharing and Analysis Center (ISAC) has taken proactive measures to safeguard food and beverage processing companies from potential cyber-attacks.

Join us as we welcome esteemed guests Scott Algeier and Paul Hershberger to unPACKed as they shed light on how industry giants like Conagra, PepsiCo, and Oracle have joined forces through the ISAC to share vital information, fortify defenses, and prevent cyber threats in the food chain. Discover how this collaborative effort aims to deter attacks and, when necessary, support food and beverage processing companies in restoring their cyber health.

This episode is a must-listen for anyone invested in the security of our food supply chain and the resilience of the food and beverage processing industry. Tune in now to gain valuable insights into the power of unity and proactive measures against cyber adversaries, ensuring a safer future for our food producers.

 

Speaker

Paul Hershberger

Paul is a cyber security executive that has over 25 years of cyber security experience and is currently the Cyber Command Center Leader at Cargill where he provides global leadership and direction in the areas of Cyber Intelligence, Event Monitoring, Security Orchestration and Automation, Incident Response, Forensic Investigations, eDiscovery, Vulnerability Management, Threat Hunting, Attack and Penetration testing, Resiliency and Cyber Crisis Management. Prior to Cargill, Paul was the CISO at the Mosaic Company where he led the development and implementation of the global security strategy. Over the course of his career, he has worked in the areas of technology risk consulting, technology infrastructure architecture and design, IT audit and SOX compliance consulting. In addition to his cyber security experience, Paul served in the US Army for 12 years.

Scott Algeier

Scott C. Algeier is the Founder, President and CEO of cybersecurity consulting firm Conrad, Inc., Executive Director of the Information Technology – Information Sharing and Analysis Center (IT-ISAC) and Executive Director of the Food and Agriculture – Information Sharing and Analysis Center. He has spent the past twenty years at the intersection of cybersecurity policy and operations.

Scott is a member of the Executive Committee of the IT Sector Coordinating Council.  Scott also served as Executive Director of the Industry Consortium for Advancement of Security of the Internet (ICASI), Vice Chair of the National Council of ISACs and as industry Chair of the IT Sector Risk Assessment Committee, which developed the first ever public-private risk assessment of critical IT functions.

Previously, Scott was Manager for Homeland Security at the U.S. Chamber of Commerce, where he coordinated the U.S. Chamber’s critical infrastructure protection, cybersecurity, and disaster management public policy initiatives.

Scott earned his Master's in International Relations and European Studies from the University of Kent (England) and is an honors graduate of Gettysburg College.

Transcription

Sean Riley:

So with all the fancy introductions out of the way, I'd like to welcome two guests to the podcast today. First, we have Scott Algeier. Welcome Scott.

Scott Algeier:

Hi. Thank you for having me.

Sean Riley:

Oh, the pleasure's all mine. And we also have Paul Hershberger.

Paul Hershberger:

Hi, thank you.

Sean Riley:

So I'm an avid reader of ProFood World, so I've been following this for a bit. But for our listeners who are completely in the dark about this and they're finding out about this for the first time, let's see if we can explain it upfront. What is the Food and Ag-ISAC and why did it go way? Did it begin with?

Scott Algeier:

Sure. The Food and Agriculture ISAC is an information sharing organization for food and agriculture companies. It is designed for cyber threat intelligence and really all hazards, threat intelligence sharing among food and agriculture companies. There's a team of analysts that curates and delivers analytic products on a daily basis to the members and the member companies. Their analysts get together regularly to share information about threats that they're seeing, mitigations that they're implementing, best practices that they can collaborate on developing and best practices that they can deploy within their environments. So it's a trusted forum for companies to share and receive threat intelligence about a range of threats facing the industry.

Sean Riley:

All right. With that being said, why is now in particular a crucial time to bring back the Food and Agriculture ISAC?

Paul Hershberger:

I think when you look at some of what's been happening in the broader industry and really the level of awareness that is just coming about around the need for that tighter collaboration across the industry, you see it in both the industry participants looking for ways to engage, but you also see a little bit more of the attention from government or agencies and looking at some of the regulatory space. There just seemed like this was the right time to reestablish as an ISAC. And when I say reestablishing as an ISAC, we've had a group of food and agriculture companies that have been operating for the past 10 years collaborating and sharing threat information as a special interest group within the IT ISAC. So it's not that we're starting from scratch. We actually have an operational model that's up and running, and we've had about two dozen companies that have been doing this for a while now. So when you look at the desire and actually interest across the market, it just made sense to kind of reestablish that group as an ISAC now.

Sean Riley:

So there have been people, there have been companies involved in doing this quietly, but now we've expanded the reach a little bit.

Paul Hershberger:

Absolutely.

Sean Riley:

Okay.

Paul Hershberger:

Reach and visibility, I'd say.

Sean Riley:

Yeah, that's fair to say because yeah, that definitely the visibility. So the thing that is forefront on my mind is why are food companies suddenly ripe for cyber attacks? I'm not sure how I understand how bad actors are benefiting with attacking food companies in particular.

Scott Algeier:

Yeah. Well, I think it's important to recognize that all critical infrastructure sectors are being targeted by attacks. There's really no company that's immune to an attack. And whether you're being targeted or whether you're a random victim of a large scale attack that doesn't necessarily target you or anyone specifically, but just it's a moneymaker attack. Any company is at risk. So it's not as though the food and agriculture industry is uniquely being targeted.

That being said, I think there are a couple trends impacting security within the food and agriculture industry. The key one is that the technology is being increasingly integrated into modern farming. Thanks to technology, we're able to create more yields, we're able to create more products more efficiently. So the technology has changed agriculture. This integration is great. There's lots of efficiencies, but it also creates a larger attack surface. So the fact that there is such a larger attack surface now because of the integration of technology is one reason why there's some risk to the industry. I think the other is there's just bad actors out there. There are different bad actors targeting different companies for different information using different means. And we are able to track and monitor these actors so that the companies can defend themselves. Some of these actors are looking for financial gain, some of them are after intellectual property. So I think it's a combination of the increased technology as well as those different motivations of specific adversaries.

Sean Riley:

Very interesting.

Paul Hershberger:

And especially those financially motivated ones. They understand markets and they do their own research to look at where they have high probabilities of finding people who will pay ransoms. One of the key things that they've been doing over the years has been looking at how do they actually look at supply chain and supply chain vulnerabilities and start stepping into different sectors, looking at how they can target critical pieces of supply chains. Because if you hit something that other companies are dependent upon, you're going to increase your likelihood that there's going to be a payout there. So they understand the way markets work, and they try to target where they feel that they can actually be profitable.

Sean Riley:

So it's way more sophisticated than the idea of a person in a hooded sweatshirt somewhere attacking a computer. This is a network that is researching and looking into places that they're going to potentially attack.

Paul Hershberger:

Yeah. Threat actors, they're very organized. They do their own homework.

Sean Riley:

Right.

Scott Algeier:

And I think one thing, in addition to being very well organized, in addition to doing their own homework, they also share and collaborate with each other. They serve as force multipliers. They hire people for skill sets that they don't necessarily have themselves. So they're collaborating in cyberspace, right? They're collaborating to launch their attacks, which makes a forum such as the Food and Agriculture ISAC so essential. The attackers are collaborating, the defenders need to collaborate as well.

Sean Riley:

That's fascinating. I just never thought of it at that depth and that level where you say they're literally hiring particular people who have a specific skillset for hacking into someone's system like that.

Scott Algeier:

It really is a business.

Sean Riley:

Yeah.

Scott Algeier:

And again, those who are out there to make money, it's a business for them. And then there were those nation state actors who deployed different tactics and different techniques against different enterprises for different purposes. And what the food and agricultural ISAC enables the companies to do is to track these actors, track their techniques, track their procedures so then we can deploy effective mitigations against it. Because no one company can analyze all that information on its own. No one company can be up-to-date on all of these actors. So pooling these resources, it serves as a force multiplier for the industry defenders.

Sean Riley:

Wow. It's kind of overwhelming. So with that in mind, in the event of an attack, how does the Food and Agriculture ISAC, how do you get involved? How do you jump in and try to help?

Scott Algeier:

That's a great question. Of course, the first goal is to try to provide information so that companies reduce the likelihood of them being attacked. We provide vendor neutral analysis and vendor neutral threat intelligence to these companies so that they can try and minimize the risks and take the appropriate defensive actions. But in the case that there is a successful attack or someone experiences an incident, there are several ways that the Food and Ag-ISAC can help. Remember, member companies voluntarily share information. So they would have to voluntarily share the incident with us and provide indicators of compromise or provide details about the attack that they're willing and able to share.

And then we're able to A, serve as an early warning network for the other food and agriculture companies. Hey, we've seen this attack. Be on the lookout for this. But B, we serve to help the company in the attack and help the company that's experiencing the attack. We're not deploying a team to help them turn off an attack. The analysts within the Food and Ag-ISAC member companies can share their knowledge with the company that's experiencing the incident. Yes, we've seen this before. This is what you need to do to block the attack. We've solved something similar last week. This is how we did it, this is how we mitigated it. Have you tried adjusting this setting, right? Maybe that will stop the attack for you.

So there are the team of analysts from the Food and Agriculture ISAC member companies serve again as a force multiplier. They serve as an extra team of analysts that's available to these companies when they're experiencing an incident. So a company can, even if it's not a full scale incident and they're not exactly sure what it is, they're saying, Hey, this happened today, hasn't happened before. Not sure what it is. Has anyone else experienced that? And then there's a whole team of analysts that are waiting there to help you.

Sean Riley:

Well, that seems super helpful. That's a lot that you just laid out there that people are doing when they jump in like that, which is wonderful to hear. So you touched on a lot of it, but does each Food and Agriculture ISAC company monitor their cybersecurity independently? Or are there standard tools to make it easier for members to communicate? Are there standard operating practices that are already out there or is it all just reactionary to what's happening?

Scott Algeier:

Yeah, so I think the short answer is each member company has their own tools that they deploy. And through the Food and Agriculture ISAC, we provide a suite of tools as well to the member companies, but those are easily plugged into their internal environments. So the companies are responsible for monitoring their own networks, but we provide tools that enable them to send them indicators and other analysis that they can easily ingest into their environments. But I think Paul can probably provide some better examples as to how member companies actually take value out of their ISAC membership.

Paul Hershberger:

Yeah, and to Scott's point, one of the biggest things from a tooling perspective is the Food Ag-ISAC provides a platform that companies can connect to for intelligence sharing. It's not the active monitoring, it's not hunting in those environments, but it's the conduit to share the things that everyone else is seeing. So we talked about the value as an industry coming together and sharing that information. It's truly about how do you plug in and be fast with how you are able to capture intelligence, feed it into the platform, and then disseminate it out to all the other companies. Because when you think about the speed of attacks, the speed of attacks are, you have to move fast to stay ahead of them, and you have to move fast to share what you learn so other organizations can stay ahead of them. That's where the ISAC comes into play and the tooling that is available through the ISAC is exactly that platform for intelligence sharing. Not incident monitoring, not incident response, but intelligence sharing.

Scott Algeier:

You don't have to be a highly mature company to take advantage of the tool sets that we offer and the intelligence that we provide. Not every company is going to be able to automate the consumption of indicators into their environments. So our team of analysts provide daily reports to member companies as well. Weekly reports, and then incident specific reports highlighting the threat environment, providing analysis on specific incidents and attacks so that even if you're not a highly sophisticated enterprise with the tools to automate the ingestion of indicators, you still have actionable intelligence that you can use and take back to your enterprise. So the Food and Agriculture ISAC is not designed just for the largest food and agriculture companies in the world. It's designed for them and small, medium-sized businesses. We curate the intelligence through the different segments of our membership. So you do not have to be one of the largest food and agriculture companies in the world to receive cyber threat intelligence from the Food and Ag-ISAC or to get value from the intelligence that's being shared throughout.

Paul Hershberger:

And that's a good point, Scott, because I was thinking about the automated sharing to it, but oh, by the way, we have a chat channel, but that channel is open to the members of the Food Ag-ISAC and all you have to do is you have a question, you throw it in there, or if you see something unusual, you throw it in there and it's open for the community to consume that and chime in with the conversation as well.

Sean Riley:

Very cool. Because that was actually, I was going to put a button on it by asking how do companies, the smaller or the mid-level companies find out this information or where do they go to get more information on the Food and Agriculture ISAC?

Scott Algeier:

That's a great question. Thank you for that. So the website is foodandag-isac.org. We also have a guide specific for smaller, medium-sized businesses that's available on the website. We developed a cybersecurity guide for smaller, medium-sized enterprises to try and drive security, improve security practices throughout the sector. It's an easy to implement guide, it's a low to no cost implementation, and for companies who are trying to build, trying to figure out how they can improve their cybersecurity posture. So it's a great resource for specifically for small, medium-sized enterprises.

However, as we just noted, we think companies of all sizes can take advantage of analysis and the intelligence that's being shared through the Food and Ag-ISAC and especially having access to the analysts from the other member companies. There's a team of people that understand what you're dealing with and they understand the fights and they're willing to help. Everyone's in the same boat. Nobody has enough resources in this space, so it is much more expensive to defend than it is to attack. So engaging with our peers provides a really cost-effective way for you to defend your enterprise.

Sean Riley:

Well, that's awesome. And this was awesome. I learned things that I didn't know even having a little bit of background from reading Michael Costa from ProFood World's interview with you about this, Scott. So I just want to take the time now to thank both of you for taking time out of I know our busy days, so thank you Scott, and thank you Paul for coming on here and sharing this with our listeners.

Scott Algeier:

Yeah, thank you very much. It's great to be here.

Paul Hershberger:

Yeah, thank you.