食品公司成为黑客攻击目标,美国食品安全面临新威胁
提供我们新鲜美味的感恩节大餐的供应链是所有行业中最脆弱、最分散的供应链之一,也是最难保障的供应链之一。
本月早些时候,白帽黑客萨姆·库里在推特(Twitter)上披露,他和一群其他白帽黑客于今年7月悄悄花了10天时间,在农业机械巨头约翰迪尔(John Deere)的企业网络和网站上发现了100个独有的漏洞,包括可以让攻击者接管客户账户或者访问员工证书信息的漏洞。库里补充说,该公司后来修补了所有漏洞,但这次演习暴露出了一个更大的问题,这个问题正在食品和农业行业日益加剧。
去年,美国各地的多家食品零售商和加工厂成为勒索软件的攻击目标,因此,美国联邦调查局(FBI)提醒该行业注意风险的增加,而且,美国总统乔·拜登最近签署了一项保护美国食品安全的行政命令。各州也已经采取行动,保护他们的食物和水免受日益增长的网络威胁。加利福尼亚州和内布拉斯加州最近采取行动,制定相应的应对计划,并为农民提供相关教育培训。
将蔬菜或加工产品从美国一端的农场运送到另一端的餐桌所需的系统绝对是物流蜘蛛网,涉及众多的供应商、运输商和零售商,他们有各自的系统和工具来保证自己的安全。
来自州和联邦合作伙伴的额外支持对于降低供应链带来的风险至关重要,但还必须与网络安全行业的更多教育培训相配合,让农民和零售商知道如何保护自己免受威胁。
像库里这样的白帽黑客已经在这样做了——但不仅仅是企业网络存在潜在风险。在今年8月的黑客大会上,一名自称“病态代码”(Sick Codes)的黑客展示了一个漏洞,任何人只要能够接触到几种型号的约翰迪尔公司的拖拉机,就可以让机器越狱,破解农民在机器上设置的数字锁。
虽然黑客的展示部分是为了支持农民维修自己机器的权利,但“病态代码”的分享也让我们瞥见这一可怕的假设能够带来的现实世界后果。在一场演示中,“疾病代码”展示了恶意攻击者如何敲几下键盘就可以破坏普通的农业设备,并威胁到全球粮食安全。
当然,以一家企业为目标,造成许多其他企业的混乱是任何供应链攻击的本质(还记得SolarWinds供应链攻击事件吗?)食品供应链系统的分布式性质——还必须在国际上运作,使食品供应链更加复杂——这与SolarWinds供应链没有什么不同。攻击者只需要攻击供应链的一个环节,就能够破坏整个食品生产或运输系统的平衡。
很少有行业的利润率可以比食品和农业行业更低,为了保证食品的流通,他们往往会对第三方合作伙伴是否有适当的安全控制措施进行尽职调查。不幸的是,当特定地区的粮食供应链中断时,几乎所有人都能够感受到供应链中断带来的后果:价格上涨,货架缺货,这让人想起新冠疫情爆发初期的情况。
同样,很少有行业像食品和农业这样在技术实力上有如此大的差距。一些农场可能完全由数据驱动,而另一些农场的运行部分依靠搭载Windows 98操作系统的台式电脑。这给向农民销售产品的设备制造商和依赖他们的零售商带来了独有的困难:在网络素养存在如此大的差异的情况下,你如何在全球范围内修补系统漏洞,并保持系统更新?
简而言之就是保持简单。农民可以通过使用高强度密码、限制网络连接数量,甚至只是与当局分享潜在异常行为的信息,来建立自身的网络弹性。食品和农业行业也能够通过关注银行业和科技业等其他利润更丰厚的行业的情况,在抵御攻击方面先行一步。对于像约翰迪尔和卡特彼勒(Caterpillar)这样担心自己的知识产权可能在网络攻击中被窃取的农业制造商来说,借鉴其他跨国公司保护知识产权的做法可能是有益的,尽管约翰迪尔目前保护知识产权的策略存在争议。只要有可能,供应链中的参与者应该对供应商进行压力测试,以确保他们的基本网络控制到位,从而使那些互联网络不会被攻陷。
食品和农业行业的信息共享与分析中心(ISAC)也已经成立20多年了,帮助企业识别和减轻行业中的威胁,同时促进网络卫生。如果食品加工厂、零售商或农场负担得起,他们就应该分配适当的预算用于安保或将全天候监控外包,以确保没有人侵袭他们的环境。实施良好的漏洞管理计划——即使对业务至关重要的搭载Windows 98操作系统的台式电脑不能打补丁,连接它的机器也应该打补丁。掌握所有可以打补丁的机器的漏洞,将对保持安全大有裨益。
全球粮食危机日益恶化,农民及其从农场到餐桌供应链的合作伙伴必须认真对待粮食安全问题。网络安全是保证家庭餐桌上有食物的关键因素,因此,从安全部门到农业行业都必须共同努力来保护食品供应链的安全。(财富中文网)
马克·曼格利莫特(Mark Manglicmot)是Arctic Wolf公司的安全服务高级副总裁。
Fortune.com上发表的评论文章中表达的观点,仅代表作者个人观点,不代表《财富》杂志的观点和立场。
译者:中慧言-王芳
提供我们新鲜美味的感恩节大餐的供应链是所有行业中最脆弱、最分散的供应链之一,也是最难保障的供应链之一。
本月早些时候,白帽黑客萨姆·库里在推特(Twitter)上披露,他和一群其他白帽黑客于今年7月悄悄花了10天时间,在农业机械巨头约翰迪尔(John Deere)的企业网络和网站上发现了100个独有的漏洞,包括可以让攻击者接管客户账户或者访问员工证书信息的漏洞。库里补充说,该公司后来修补了所有漏洞,但这次演习暴露出了一个更大的问题,这个问题正在食品和农业行业日益加剧。
去年,美国各地的多家食品零售商和加工厂成为勒索软件的攻击目标,因此,美国联邦调查局(FBI)提醒该行业注意风险的增加,而且,美国总统乔·拜登最近签署了一项保护美国食品安全的行政命令。各州也已经采取行动,保护他们的食物和水免受日益增长的网络威胁。加利福尼亚州和内布拉斯加州最近采取行动,制定相应的应对计划,并为农民提供相关教育培训。
将蔬菜或加工产品从美国一端的农场运送到另一端的餐桌所需的系统绝对是物流蜘蛛网,涉及众多的供应商、运输商和零售商,他们有各自的系统和工具来保证自己的安全。
来自州和联邦合作伙伴的额外支持对于降低供应链带来的风险至关重要,但还必须与网络安全行业的更多教育培训相配合,让农民和零售商知道如何保护自己免受威胁。
像库里这样的白帽黑客已经在这样做了——但不仅仅是企业网络存在潜在风险。在今年8月的黑客大会上,一名自称“病态代码”(Sick Codes)的黑客展示了一个漏洞,任何人只要能够接触到几种型号的约翰迪尔公司的拖拉机,就可以让机器越狱,破解农民在机器上设置的数字锁。
虽然黑客的展示部分是为了支持农民维修自己机器的权利,但“病态代码”的分享也让我们瞥见这一可怕的假设能够带来的现实世界后果。在一场演示中,“疾病代码”展示了恶意攻击者如何敲几下键盘就可以破坏普通的农业设备,并威胁到全球粮食安全。
当然,以一家企业为目标,造成许多其他企业的混乱是任何供应链攻击的本质(还记得SolarWinds供应链攻击事件吗?)食品供应链系统的分布式性质——还必须在国际上运作,使食品供应链更加复杂——这与SolarWinds供应链没有什么不同。攻击者只需要攻击供应链的一个环节,就能够破坏整个食品生产或运输系统的平衡。
很少有行业的利润率可以比食品和农业行业更低,为了保证食品的流通,他们往往会对第三方合作伙伴是否有适当的安全控制措施进行尽职调查。不幸的是,当特定地区的粮食供应链中断时,几乎所有人都能够感受到供应链中断带来的后果:价格上涨,货架缺货,这让人想起新冠疫情爆发初期的情况。
同样,很少有行业像食品和农业这样在技术实力上有如此大的差距。一些农场可能完全由数据驱动,而另一些农场的运行部分依靠搭载Windows 98操作系统的台式电脑。这给向农民销售产品的设备制造商和依赖他们的零售商带来了独有的困难:在网络素养存在如此大的差异的情况下,你如何在全球范围内修补系统漏洞,并保持系统更新?
简而言之就是保持简单。农民可以通过使用高强度密码、限制网络连接数量,甚至只是与当局分享潜在异常行为的信息,来建立自身的网络弹性。食品和农业行业也能够通过关注银行业和科技业等其他利润更丰厚的行业的情况,在抵御攻击方面先行一步。对于像约翰迪尔和卡特彼勒(Caterpillar)这样担心自己的知识产权可能在网络攻击中被窃取的农业制造商来说,借鉴其他跨国公司保护知识产权的做法可能是有益的,尽管约翰迪尔目前保护知识产权的策略存在争议。只要有可能,供应链中的参与者应该对供应商进行压力测试,以确保他们的基本网络控制到位,从而使那些互联网络不会被攻陷。
食品和农业行业的信息共享与分析中心(ISAC)也已经成立20多年了,帮助企业识别和减轻行业中的威胁,同时促进网络卫生。如果食品加工厂、零售商或农场负担得起,他们就应该分配适当的预算用于安保或将全天候监控外包,以确保没有人侵袭他们的环境。实施良好的漏洞管理计划——即使对业务至关重要的搭载Windows 98操作系统的台式电脑不能打补丁,连接它的机器也应该打补丁。掌握所有可以打补丁的机器的漏洞,将对保持安全大有裨益。
全球粮食危机日益恶化,农民及其从农场到餐桌供应链的合作伙伴必须认真对待粮食安全问题。网络安全是保证家庭餐桌上有食物的关键因素,因此,从安全部门到农业行业都必须共同努力来保护食品供应链的安全。(财富中文网)
马克·曼格利莫特(Mark Manglicmot)是Arctic Wolf公司的安全服务高级副总裁。
Fortune.com上发表的评论文章中表达的观点,仅代表作者个人观点,不代表《财富》杂志的观点和立场。
译者:中慧言-王芳
The supply chain that produces our fresh-tasting Thanksgiving dinners is one of the most fragile and fragmented of any industry–and one of the hardest to secure.
Earlier this month, white-hat hacker Sam Curry disclosed on Twitter that he and a group of other white-hat hackers quietly spent 10 days in July discovering 100 unique vulnerabilities on farming machine giant John Deere’s corporate networks and websites, including exploits that would enable attackers to take over customer accounts or access employee credential information. The company had since patched everything, Curry added, but the exercise speaks to a much larger issue that’s picking up steam in the food and agriculture industry.
Within the last year, multiple food retailers and processing plants across the U.S. have been targeted by ransomware, prompting the FBI to alert the sector of the elevated risk and President Biden to recently sign an executive order protecting America’s food security. States, too, have taken action to protect their food and water from growing cyber threats, including recent action in California and Nebraska to develop response plans and educate farmers.
The system required to deliver a vegetable or a processed good from a farm on one end of the U.S. to a dinner table on the other end is an absolute spiderweb of logistics, involving numerous suppliers, transporters, and retailers with their own individual systems and tools to keep themselves safe.
The extra support from state and federal partners is critical to mitigating the risk that the supply chain carries, but it must be paired with more education from the cybersecurity industry on how farmers and retailers can protect themselves from threats.
White-hat hackers like Curry are already doing this–but it’s not just corporate networks that are potentially at risk. A hacker who goes by the moniker “Sick Codes” demonstrated an exploit at the DefCon security conference in August of this year that allows anybody with physical access to several models of John Deere and Co. tractors to jailbreak the machinery, overriding the digital locks that farmers put on their machines.
While the hacking display was partially done to support farmers’ rights to repair their own machinery, Sick Codes also shared a glimpse into a terrifying hypothetical with real-world consequences. In one presentation, Sick Codes showed how a single motivated attacker could take down common agricultural equipment–and threaten global food security with a few keyboard strokes.
The idea of targeting one business to cause chaos in many others is, of course, the nature of any supply chain attack (Remember SolarWinds?). The distributed nature of the food supply chain system–which also has to work internationally, convoluting the chain even further–is no different. Attackers only have to target one segment of the supply chain to throw the entire food production or delivery system off balance.
Few industries keep thinner profit margins than food and agriculture, and often doing their due diligence on whether a third-party partner has the proper security controls goes by the wayside in order to keep food moving. Unfortunately, when the food supply chain breaks in a specific region, the consequences are felt by virtually everyone through higher prices and scarcely stocked shelves, reminiscent of the early days of the COVID-19 pandemic.
Similarly, few industries have such a large gap in technological prowess as food and agriculture, where some farms might be entirely data-driven and others might be partially run on a Windows 98 desktop computer. This presents a unique problem for the equipment manufacturers that sell to farmers and the retailers that rely on them: How do you keep systems patched and up to date across the globe when there’s such a discrepancy in cyber literacy?
The short answer is to keep it simple. Farmers can build resiliency into their networks by using strong passwords, limiting the number of network connections they have, and even just sharing information on potential strange behavior with the authorities. The food and agriculture industry can also get a head start on defending themselves against attackers by paying attention to what’s happening in other, more lucrative industries like banking and technology. For agricultural manufacturers like John Deere and Caterpillar that fear their intellectual property could be stolen in a cyberattack, taking hints from how other international companies defend their IP can be beneficial, though John Deere’s current strategy of safeguarding its IP is controversial. Whenever possible, players in the supply chain should be stress-testing vendors to ensure that they have the basic cyber controls in place, so that those interconnected networks don’t get taken down.
The food and agriculture ISAC has also been around for more than 20 years to help businesses identify and mitigate threats in the industry while promoting proper cyber hygiene. If a food processing plant, a retailer, or a farm can afford it, they should allocate a proper budget to security or outsource 24/7 monitoring to ensure nobody’s infiltrating their environment. Implement a good vulnerability management program–even if that business-critical Windows 98 desktop can’t be patched, the machines connected to it should be. Staying on top of vulnerabilities across any and all machines that can be patched will go a long way toward staying safe.
With the global food crisis worsening every day, it’s critical that farmers and their partners in the farm-to-table supply chain take food security seriously. Cybersecurity is a critical ingredient to keeping food on families’ tables, and together, from the security sector to the agricultural industry, we must work to defend the food supply chain.
Mark Manglicmot is the SVP of Security Services at Arctic Wolf.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
