In February, produce company Dole released a brief statement announcing that it had experienced a ransomware attack. “While continuing to investigate the scope of the incident, the impact to Dole operations has been limited,” according to the statement.
While details of the attack remain limited, the cyberattack did result in disruption to Dole’s North American operations. Two grocery stores located in Texas and New Mexico contacted CNN, informing the news outlet of their inability to stock Dole’s salad kits.
Major food producers are part of the critical infrastructure ecosystem. Attacks like the one executed against Dole expose vulnerabilities in this ecosystem and underscore the need to understand and manage cyber risk.
The Impact of the Cyberattack
Dole’s loss of production is a clear result of the ransomware attack, but the consequences of a cyberattack can often be far-reaching. “There hasn’t been a detailed report of what happened at Dole, but in most cases where ransomware disrupts operations, attackers also get away with additional corporate data and use it as leverage in their demands,” says Grayson Milbourne, security intelligence director at OpenText Cybersecurity, a division of information management software company OpenText.
This kind of attack also calls attention to how one cybersecurity incident can impact more than just the initial victim. “The impact on the supply chain, production, and frankly, the impact on the management of employees across Dole, the company, are all compromised as a result of this one specific ransomware attack,” Simon Taylor, founder and CEO of backup-as-a-service company HYCU, tells InformationWeek. “This is a clear example of the extent to which ransomware attacks can create chaos not just for an individual company but across any industry at any time.”
Preventing Future Attacks
Any cyberattack is a call to action for organizations to recognize and manage their own risk. “Food and agriculture organizations rely on computers and networks as much as any other type of company,” says Kenneth Mendelson, senior managing director at security, compliance, and investigatory services consultancy Guidepost Solutions. “Periodic risk assessments should be performed by both the internal team but also by an external, independent third-party organization that can bring an unbiased perspective to an organization’s governance, controls, and capabilities.”
Organizations can look to resources provided by the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), the International Organization for Standardization (ISO) and others, according to Mendelson.
Increased scrutiny of and investment in cybersecurity basics and more advanced cybersecurity solutions are also essential steps for critical infrastructure organizations. Bob Maley, chief security officer of cyber risk monitoring company Black Kite, suggests that organizations take a quantitative approach to assessing risk and prevention. “Is the cost of investing in a system that protects against these attacks less than the potential cost of such an attack? When framed as a business question, it’s easier to understand the scope of these attacks on critical infrastructure,” he says.
Quantifying risk can guide an organization’s cybersecurity investments. “For example, if a certain application or system is identified as critical to operations, food and agriculture organizations can choose to invest in additional security controls or redundancy measures to mitigate the risk,” Maley says.
While prevention is essential, bad actors are inventive and persistent. Critical infrastructure organizations all need a plan in place for when a cyberattack is successfully executed. “It is very important that you develop a plan, get it approved by the board and make sure that you invest heavily in being able to recover your data if an attack occurs,” Taylor says.
Risk in the Critical Infrastructure Sector
Cyber threats facing critical infrastructure are on the rise. Nation-state groups are increasingly targeting the IT sector, communications, financial services, and transportation systems, according to the Microsoft Digital Defense Report 2022.
While some attacks are motivated by financial gain, others could be motivated by the disruption to the vital services provided by critical infrastructure operators. “Critical infrastructure also faces the type of attacks designed to frustrate users and the public to make a political statement or gain notoriety for the attackers or their causes,” Mendelson explains. “These attacks can range from disruptive denial-of-service attacks to complex, debilitating attacks targeted at an organization’s operational technologies or internet of things devices that can cause real harm to people and property in the physical world.”
Milbourne points out that critical infrastructure organizations will need to address growing risk with modern solutions. “There is a need to modernize much of our critical infrastructure and to futureproof these systems so that it’s easy to update firmware to address any discovered vulnerabilities,” he says. “Many of these systems were built and designed before the risk of cyberattack grew to what it is today. The next generation of critical infrastructure orchestration tools need to be built with security top of mind.”
New technology that holds such promise for businesses also gives more power to threat actors. “Cloud computing, vulnerability scanning, encryption, and now AI are among the advanced technologies in the hands of the attackers, making it harder and harder for defenders to withstand attacks, detect them and mitigate,” says Chris Grove, cybersecurity strategist, director at operational technology, industrial control system and IoT company Nozomi Networks.
A shortage in salad kits is a relatively minor inconvenience, but the Dole incident gives a taste of what could happen if the consequences of a cyberattack targeting critical infrastructure were amplified. “Many industry experts agree that we are on the precipice of a global cyber war. Taking that into account, interrupting a nation’s food supply is absolutely within the realm of goals that a nation-state-level cyberattack would be supporting. We need to be cognizant of this as we continue to develop our defenses,” Grove cautions.