In May of this year something unusual happened: the food and agriculture industry formed an ISAC, called the Food and Ag-ISAC or Food and Agriculture Information Sharing and Analysis Center. Cyber experts have repeatedly cited the sector’s lack of its own ISAC as a dangerous security gap that limits the industry’s ability to get a full picture of the tremendous risks it faces. Backers of the ISAC, which include major industry players from PepsiCo to Tyson Foods, expect it to fortify the defenses of its members. Ironically, the food and agriculture sector was one of the first to launch such a center, in 2002, but it disbanded in 2008 because few companies were sharing information through it. Members were afraid that such openness would jeopardize their competitive advantages and expose them to regulatory action.
While food did have a sub-group as part of the IT-ISAC (Information Technology, Information Sharing Analysis Center), members felt it was time to have their own ISAC, tailored to their specific issues to keep pace with increasingly complex threat environments. Until recently Food and Agriculture was one of the four (the others being Dams, Government facilities and Nuclear reactors and materials) out of the 16 critical sectors identified by CISA that did not have its own ISAC.
In an almost prescient report, the April issue of Wired magazine described the precarious position of America’s agriculture industry, which was operating at the time without its own ISAC, or information sharing and analysis center.
As Wired pointed out, the same remote access technology that allowed John Deere to disable Ukrainian tractors that had been stolen by the Russians could also be used to disable tractors across the United States. The Wired article went on to say that the food industry has massive industrial facilities where temperature and humidity are precisely controlled by internet-connected systems, and a hacker could engineer a catastrophe by altering the controls. By some estimates, such an attack could literally wipe out “tens of thousands” of birds in 10-15 minutes.
One of the largest and most publicized attacks on the food sector was the 2021 cyberattack at JBS, the world’s largest meat processing company. The attack shut down plants and was blamed for an increase in beef prices, and the Food and Drug Administration encouraged other companies to increase production in response to the attack and the expected shortfalls.
Information Sharing and Analysis Centers (ISACs) were initially established in 1998 by a presidential directive and were created to “enable critical infrastructure owners and operators to share cyber threat information and best practices.” Many ISACs are well resourced, charge membership fees, and have infrastructure and full-fledged security operations centers for monitoring threats on a global scale.
ISACs assist critical infrastructure in the protection of facilities, personnel, and customers from any potential cybersecurity threats, as well as other possible security breaches. ISACs exist as monitoring systems across several sectors. The National Council of ISACs currently lists over 20 members in such diverse areas as automotive, aviation, utilities including gas and electricity, government, finance, healthcare, real estate, space, transportation, entertainment and media, information technology and defense, including maritime and soon the food and agriculture sector.
ISACs facilitate information gathering, sharing, and monitoring between public and private sectors in order to stay abreast of potential threats and vulnerabilities. By collecting, analyzing, and disseminating actionable threat information, they give members tools to enhance their ability to foresee and manage risk. Since 1998, ISACs have been sector specific, allowing the industry partners affiliated with each to monitor threats and share best practices in terms of threat mitigation. With the ability to reach deep into their sectors, ISACs are critical as they communicate and maintain sector-wide situational awareness. Many have 24/7 threat warning systems in place to test security levels, increasing the quality and speed of threat response. In many cases, they act as the first line of risk mitigation and threat containment.
The sophisticated and comprehensive information sharing that defines ISACs allows them to effectively safeguard cybersecurity, and in some cases preemptively interrupt a cyberattack. Hackers are always advancing their game with malware and other malicious tools designed to compromise security and steal sensitive information. The quality and speed of threat response of the integrated communication supported by ISACs can stop potentially catastrophic hacks from advancing past the threat stage.
There are also attempts to set up similar organizations for smaller groups and companies that fall outside the range of traditional ISACs. Information Sharing and Analysis Organizations (ISAOs) are the result of a White House directive in 2015 to promote voluntary cyber threat information sharing within such groups. The US Department of Homeland Security (DHS) was tasked with encouraging the development of ISAOs for smaller entities that might fall outside an ISAC, including private companies, non-profits, government departments, and state, regional and local agencies.
According to Christy Coffey, vice president of operations at the Maritime and Port Security ISAO (MPS-ISAO), quoted in an article in CSO Online, the effort has paid off. “We’ve had some incredible wins which are the result of customer information sharing, backed by quality analytics.” According to Coffey, some recent examples include identifying ransomware in a shared email and notifying others in the ISAO within minutes, and developing a blocklist from customer-shared IPs that reduced unauthorized login attempts by over 99%. According to Coffey, “without information sharing there would be no insight.”
Some recent events have changed the narrative about the privacy of cyber-attacks, leading to some legal drama in this area of cybersecurity and raising the question: when is it appropriate or necessary for information to be shared beyond the confines of the networking system meant to protect it?
In November 2020, the law firm of Covington & Burling LLP became one of many victims of a cyber-attack by Hafnium, a hacking group believed to be associated with the Chinese government. On March 6, 2021, the SEC began investigating possible violations of securities laws connected to Hafnium cyber-attacks.
On March 21, 2022, the “SEC subpoenaed Covington to disclose ten categories of information about the attack. Covington responded to each request except for one, Request No. 3, which sought: (1) the names of the firm’s public company clients impacted by the attack; (2) the nature and timing of the attackers’ activity with respect to each impacted client; and (3) any communications that Covington provided to each client regarding the attack. Covington objected to Request No. 3, citing attorney-client privilege and its attorneys’ duty to maintain client confidences under the D.C. Bar’s Rules of Professional Conduct.”
Ultimately the judge ordered Covington to comply with the SEC’s modified Request No. 3 seeking only the names of the impacted clients, but only for the seven clients whom Covington determined may have had material nonpublic information compromised in the cyberattack. Originally the SEC had asked the court to intervene in a subpoena seeking the names of nearly 300 clients it said may have been affected by the 2020 hack of the firm.
Covington & Burling has agreed to disclose to the SEC the names of six clients whose information may have been exposed in a cyberattack on the law firm, ending a broader legal battle with the agency over its client list.
According to Bloomberg Law, one of the firm’s clients has continued to object to the release of its name and has “indicated its intent to intervene to pursue an appeal,” the filing said. “The proposal, which must get court approval, requires the SEC to keep the clients’ names confidential.”
This brings up interesting questions for both ISACs and other organizations such as ISAOs, as to when information sharing becomes “voluntary” and when government agencies have the right to step in and request information, either voluntarily or otherwise.
In its brief, Covington warned — alongside other law firms and the Chamber of Commerce — that victims could be disincentivized from reporting hacks to the federal government. This could impact the willingness of some victims to report cybercrimes to various Federal agencies. “That’s a critical point because the U.S. government says it relies on voluntary cooperation from victims to understand the scope of hacks and respond.”
Obviously, this is a potential point of contention that will continue to evolve and need to be resolved at some point in the future.
At CYRIN we know that as technology changes, a cybersecurity professional needs to develop the skills to evolve with it. Whether you’re affiliated with an ISAC or an ISAO, you need to continue to evolve and train on real tools and realistic scenarios. The people who run our most sophisticated systems, the military, have continued to entrust us with training some of these specialized cyber warriors. For the military, for educators, for the private sector, we continue to evolve and develop solutions with “hands-on” training. This hands-on approach is the most effective training and is crucial to attracting and keeping the critically needed people who defend our systems.
Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. These tools and our virtual environment are perfect for a mobile, remote workforce. People can train at their pace, with all the benefits of remote work, remote training, and flexibility. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!