As food and agriculture companies increasingly enter the crosshairs of government-backed hackers, with everything from animal health to crop innovation on the line, the sector’s new cybersecurity collaboration group has had to grow fast.
For many years, cyberattacks were low on the food industry’s priority list. Executives focused on more obvious industry problems, like sickened cows and wheat spoilage. But eventually, ransomware attacks and nation-state espionage became too disruptive to ignore. In May 2023, major industry players including PepsiCo, Tyson Foods, Cargill and Conagra teamed up to form the Food and Agriculture Information Sharing and Analysis Center, filling a void that experts had described as uniquely dangerous.
Two years into the food ISAC’s work, the organization finds itself busier than ever, as it helps companies protect the U.S. food supply from cyberattacks that could have devastating consequences for the food supply chain. Victims in the sector have included Dole, Mondelēz, Sysco and United Natural Foods, as well as dairy giant HP Hood, which had to shut down manufacturing plants after a 2022 breach.
“There’s a lot of attention being paid to cybersecurity now within the industry,” Scott Algeier, the executive director of the food ISAC, told Cybersecurity Dive. “There’s a lot of issues that grab people’s attention in this space, and in the past, I think cybersecurity hasn’t always risen to the top. We’re seeing that change.”
Uniting the sector
When the food ISAC launched, it wasn’t starting from scratch. Food and agriculture companies were already exchanging cyber threat information and receiving security services through a “special interest group” inside of the information technology industry’s ISAC. Launching the standalone ISAC involved migrating those resources over to the new group without disrupting companies’ access to them.
“We didn’t want to start with zero capabilities,” Algeier said. “They became … accustomed to having these robust capabilities … [and] the relationships that were developed with the technology providers.”
The new group also sought to differentiate itself from an earlier industry ISAC that launched in 2002 and shut down in 2008. That group failed because members were reluctant to share information with competitors and worried about the antitrust implications of doing so. But 15 years later, new legal protections from the federal government and the productive IT-ISAC experience convinced companies to try again. “They had these trust relationships [with each other] that were already established,” Algeier said, “and they had multiple years of success sharing with each other.”
Today, the ISAC is a hub of robust information-sharing between food and agriculture companies, according to Algeier. “We’re collecting better data,” he said. “Our member companies are actively sharing with us. … We have more accurate visibility into what's going on in the sector, and we’re able to produce intelligence that reflects this.” Those improved insights have allowed the ISAC to update its cybersecurity guidance for small and medium-sized businesses with more specific information about adversary activity, such as attacks on remote monitoring and management tools.
The group issues alerts about geopolitical conflicts, joins other ISACs in highlighting especially serious threat activity and partners with universities to improve research and development. It also publishes threat reports, including one in May that documented a surge in ransomware attacks on food and agriculture organizations.
FMI, a major food-industry trade group, has benefited from the ISAC’s “relevant, real-time insights that are both actionable and valuable,” said Doug Baker, the group’s vice president of industry relations. “When a threat emerges in one part of the supply chain,” Baker said, “they help us share that intelligence more broadly, enabling retailers and suppliers to anticipate and respond before disruptions escalate.”
Robert Norton, a biosecurity and national security expert at Auburn University, commended the ISAC’s work thus far and said he hoped it could eventually “fill long-standing gaps” in the sector’s resilience, including by adding smaller companies to its membership.
The ISAC does not publish its full membership roster, but it lists some companies that have agreed to be publicized — all of which are industry giants. Algeier said the ISAC includes “companies of all sizes” headquartered in 22 states and four countries, noting that industry associations can funnel information from the ISAC to their members.
The number of small and medium-sized firms in any ISAC is a key factor in how far its guidance reaches. Strong representation from small organizations helps an ISAC catalyze systemic improvements in its sector’s cybersecurity posture. If small companies don’t participate in an ISAC’s programs or receive its advice, they will remain vulnerable to hacks that disrupt operations at the bigger companies that rely on them.
CISA, USDA ties
Although it is a relatively new group, the food ISAC has quickly formed relationships with officials at key federal agencies, including the Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Department of Agriculture. Algeier said his group’s relationship with CISA remains “pretty strong” despite the massive departures that have strained the agency’s resources. Food ISAC leaders meet with CISA employees at least once a month, he said, to “compare notes” about threat activity, mission priorities and publications under development.
“We still feel as though we have the connections we need within CISA and USDA to meet the mission,” Algeier said.
The Trump administration’s recently published National Farm Security Action Plan specifically mentions the food ISAC as a major partner, something that heartened the group’s leadership. Algeier said the plan “cemented the role” of his group as a cyber-intelligence-sharing hub. “The administration has been pretty clear in their support for engaging with us.”
The ISAC’s biggest policy concern is the looming expiration of the 2015 Cybersecurity Information Sharing Act, which created liability protections that helped encourage food and agriculture companies to revisit the idea of ISAC. Algeier said his group hopes Congress will reauthorize the law, although ISAC members will likely continue sharing information even without liability protections.
Precision, with risk
Continued collaboration through the ISAC will be essential to protecting food and agriculture businesses, which face a diverse array of cybersecurity risks.
Many concerns flow from the sector’s growing use of digital processes and automation, from GPS-guided tractors to crop-monitoring drones to systems that track cows’ milk output. “Reliance on some technology is now being integrated into food and agriculture in ways that it hasn’t been done before,” Algeier said. These operational technology platforms also generate significantly more data than farmers and food processors have traditionally had to store (and secure).
Attacks on these OT systems or the data they generate could have widespread consequences because of the food industry’s vast supply chains. From farms to processing plants to wholesalers to supermarkets, the network that brings food to a shopper’s table relies on the uninterrupted activities of many companies. These interdependencies make the U.S. food system more efficient, but they also expose each of its participants to more risk.
“The interconnectedness, and the just-in-time-delivery [aspect] of the food and agriculture sector makes it unique from some of the other sectors,” Algeier said.
Even short-term supply-chain disruptions could be devastating to food and agriculture companies, because their revenues often depend on volume to a degree not found in other sectors.
“That makes cybersecurity more important,” Algeier said, “because you need to maintain the continuity in order to keep the business going.”
Aggressive adversaries, determined defenders
Keeping the business going can be a challenge when facing off against sophisticated hackers. The food and agriculture sector has experienced ransomware attacks, but the ISAC believes they have been opportunistic thus far rather than targeted. The sector’s real adversaries, Algeier said, are government-backed hackers intent on stealing trade secrets to benefit their regimes.
“There’s seed technology that is very useful for some of these other nation-states,” Algeier said. “In the same way that they steal intellectual property to increase their military, nation-state actors are interested in intellectual property from the food and agriculture sector so they can elevate their agriculture programs internally within their countries.”
For all the threats they face, companies in the sector have weathered cyberattacks with relatively little downtime, a promising sign of their readiness to confront growing security risks.
“Some of these supply chains — they bend a little bit, but they haven’t broken,” Algeier said. “The sector is showing some resilience in its ability to adjust to some of these disruptions.”
