Part 1: Debilitating Effect

Anna Ribeiro, an excellent & prolific reporter on the ICS security beat for Industrial Cyber, wrote about the ransomware attack causing outages at Dole last week. It begins with:

“The recent ransomware attack on food giant Dole plc emphasizes the growing threat that cyber-attacks continue to pose to critical infrastructure sectors.”

Anna is correct that Dole is part of the Food & Agriculture sector, and that sector is one of the 16 designated as critical infrastructure by CISA. CISA defines critical infrastructure as sectors:

“whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The problem is that any incident that has an impact, cyber related or other, on a company that is part of critical infrastructure gets raised to or described as a threat to critical infrastructure.

If Dole went away, couldn’t deliver any product for a year, or was even forced out of business, would it have a debilitating effect on a country and its citizens? Of course not. This is likely true for most of the companies in the Food and Agriculture sector (baby formula may be the exception that proves the rule).

It would be bad for Dole’s employees and shareholders. The price of fruit would go up and availability would go down. The citizens in the US and other countries would be fine.

A real threat to be concerned about in the Food and Agriculture sector is disease and pests that spread and endanger the whole supply. Some would argue that climate change is a real threat to the food supply. This seems a stretch to me, as I see us being able to adapt unless it changes quickly in a short timeframe, such as less than five years.

Dole, and any corporation, needs to include cyber risk to OT / ICS in its risk management program. I would hope Dole had a ransomware incident in its risk register after all the cases of ransomware over the last two years.

We, the press and OT security community, need to do a better job with how and when we use the term ‘critical infrastructure’. If an attack did not have the possibility of having a “debilitating effect” on a country or large region, then it is not a critical infrastructure attack.

Part 2 – We’re Tougher Than You Think

As a response to my comment on Anna’s article, Grant Geyer wrote:

“I heard from an SME yesterday that Hawaii could only sustain a four day lapse in food supply chain(!)”

I have no doubt Grant heard that. It’s not true. I live on Maui. In 2020, during the early days of Covid, we went almost two weeks with little or no containers coming into the port and air supply also severely degraded. The shelves were starting to go bare, like you see with a hurricane in Florida or a blizzard in Boston.

Even if the stores ran out of food, the island would be ok for weeks. Panic would grow; hopefully sharing would occur. It wouldn’t be fun, but people and society are not so fragile.

This is related to Recovery Time Objectives (RTO). When you ask a manager or executive what the RTO should be, they almost always pick a time period much shorter than what the business would require.

The cyber risk challenge, to a company or a critical infrastructure, is tough enough without putting undue requirements on it. This likely will mean accepting the risk of living with sub-optimal results or discomfort.

A few other items related to this Dole story and Maui:

  • Transportation of agriculture is often the key, not production. The US Sector-Specific Plan notes this as well. Certainly this is the case in Maui.
  • One company’s agricultural products, such as Dole’s, being unavailable is rarely a serious issue except for the vendor. We often go months without a product being available here in Maui for a variety of logistical or economic reasons. I’m convinced that if there is a supply shortage, Maui is one of the first to be dropped due to the transportation costs leading to lower margins.
