Is your produce business prepared for a cybersecurity attack?
In response to what it says is a “significant increase in the frequency of ransomware and other cyberattacks,” ProduceSupply.Org, a consortium of North American produce suppliers working together on technology initiatives in fresh produce, has released the first revision of the PSO Cybersecurity Best Practices for Produce Suppliers to provide produce companies with a framework to defend and protect themselves from cyberattack.
“There have been high-profile, invisible cyberattacks on members of the agricultural community in just the last five or six months and as recently as April, [which prompted] the FBI to put out their cybersecurity advisory for the agricultural sector,” Eric Regnier, information and technology security manager at ZAG Technical Services, told The Packer.
Cyber criminals are specifically targeting agricultural companies when they're at their most vulnerable or most operationally sensitive, like when they're trying to get crop out of the ground, added Regnier. This timing improves the cyberattacker’s ability to extract a ransomware payment.
The growing threats prompted the PSO to form the PSO Cybersecurity Council in December 2021. The council is comprised of 16 information technology professionals from 10 produce companies, including Calavo Growers, Duda, Foxy Produce (The Nunes Company), Grimmway Farms, L&M Companies, Oppy, and Tanimura & Antle. ZAG Technical Services, a provider of information technology for Western agribusinesses, donated its technical expertise to the initiative as subject matter experts.
“As a commodity-based industry, PSO members are reliant on each other and our ancillary suppliers to deliver fresh, perishable produce into the supply chain on a 24/7 basis — and cyberattacks can thwart those efforts,” said Johnny McGuire, chairman of the PSO Cybersecurity Council and IT director for The Nunes Company, in a statement. “The PSO wanted to introduce some actionable best practices that suppliers can take back to their IT departments and implement immediately.”
Based on the National Institute of Standards and Technology Cybersecurity Framework and tailored to meet the specific demands of the fresh produce industry, the guidelines are broken down into three tiers — high, middle and low — and meant to provide actionable guidance to improve cybersecurity defenses for companies of all sizes. Companies can determine what their tier is with the implementation tier calculator.
“Thinking about security is quite daunting for any organization, and particularly for resource-constrained organizations,” said Regnier. “It’s easy to get paralyzed in the process, and it can become so overwhelming that it's hard to understand where to even begin.
“What we endeavor to do with these standards is to take the NIST cybersecurity framework, which is a globally recognized standard for cybersecurity, and develop a roadmap for the implementation of cybersecurity standards and best practices that are sized to the organization to make it achievable and easily understandable,” added Regnier.
Small companies are targets, too
Everyone with a presence on the internet is at risk, said Regnier, including smaller companies that think they’re flying under the radar due to their size. “Oftentimes, cyber criminals are actively looking for ways to get into small companies every bit as much as larger ones,” he added.
The PSO is offering these standards, which are free and open to all, with the goal that anyone who needs or wants them can access them. The consortium hopes that, by creating a forum for transparency and the sharing of best practices, the produce industry can better protect itself.
“We hope that people will go to our website, download our standards and start talking about them internally,” McGuire told The Packer. “A lot of this starts with management. They have to buy into it, and we certainly see a lot of analogies between preparing for a cyberattack and with what happened with food safety in the Salinas Valley in 2006.”
Seeking to be a resource across the industry and its organizations, the PSO formed the Cybersecurity Council and established cybersecurity standards to be openly shared for the benefit of all.
“There’s nothing more important than protecting the nation’s food supply,” said Erik Larsen, chief operating officer of PSO. “These standards provide a framework for building safeguards across the industry we care so much about.”