Joining us on the podcast this week is Joe Weiss. Joe is an international authority on control systems cybersecurity as well as a Managing Partner at Applied Control Solutions. Over the course of this episode, Joe walks us through some of the biggest threats to cybersecurity, particularly for the food industry. We talk about the methodology and intent behind most cyber-attacks while also digging into the smallest entry-point that can do the biggest damage.
You will definitely want to listen to the full episode because we cover a lot of important ground. You'll find only a smattering of our conversation in the transcript below, so be sure to listen to the recording.
Erin: Joe, welcome to the Food for Thought podcast. It's great to have you on today.
Joe: Thank you very much for the invitation.
Erin: We are talking about something that is very important now more than ever. I mean, it's always been important for the industry, but with what's been going on with cybersecurity... I know you are a cybersecurity expert. You are one of the foremost authorities that I know of when it comes to issues that we're going to talk about today. I'm going to dive in with my first question, and we're going to get started. Whether it's a food company or not, can you talk to me about how hackers are getting access to different systems to launch some of these ransomware attacks?
Joe: Okay, before I answer that directly, I want to mention a couple of things. Ransomware is really an IT attack, not a control system attack. Ransomware is basically getting access to the IT network, and essentially encrypting the data, and then demanding a payment before they provide you the decryption key. Ransomware is not an attack on the control system network. I am not aware of, at least as of now, any ransomware that is actually aimed at control systems. Ransomware normally comes from things like phishing, where people send you emails, and have you click on them or click on an attachment, if you will, that sends you to effectively a "poisoned website" where they can then access your network.
When you've been reading about all of these ransomware attacks, whether it was JBS, the Colonial Pipeline, Scripps Health, ransomware is literally its own pandemic right now. It's an almost free means of gaining money without getting caught.
Erin: It's frightening. That's definitely frightening.
Joe: What makes it worse is when insurance companies cover your ransom payment, because then it makes it somewhat painless for you to pay the ransom. And ransomware is now, you know, the way they would have software as a service, they now literally have ransomware as a service. It's its own industry, and it is very well organized and structured. And there are two things about it. One is holding your data for ransom in an encrypted way so you can't get to it. Or two, releasing, publicly releasing the information where you may have information on there you don't want people to see. But the other thing that's scary is you're trusting criminals, you're trusting, "Hey, if I pay you, you're really going to decrypt my information, you're going to throw away what you have and not make it public." That's kind of a scary, bad assumption.
Erin: I know what happened with JBS was a ransomware attack. Can you explain the different kinds of cyberattacks in more detail for the less technically inclined?
Joe: What you have is you have two different types of systems. One is you have your IT information technology systems for billing, for inventory, for HR, and those are just networks where you have routers and switches. But you don't have control system devices or sensors monitoring pressure, level, temperature, and flow. You don't have controllers trying to control pumps, and motors, and valves, you know, heat exchangers…things like that.
Most of the cyberattacks that you hear about are cyberattacks of the IT network, either because you want to do a denial of service, so that your computer goes down. Those can be intentional or unintentional. Then you have malware, which is very intentional where it's like ransomware—you want to encrypt things. That's really more the IT side of it.
The part that manufacturers should be much more concerned about is when the control systems get compromised. That's your distributed control system, your SCADA system, supervisory control and data acquisition, your programmable logic controllers, or sensors, or actuators because when you start compromising them, things blow up, and people die. This is really bad, ugly stuff. And ironically, that's where we have the least security to this day.
When you talk about what's different, you think about two cases. One is Stuxnet—the cyberattack of the uranium centrifuge facilities—they weren't trying to steal anything. They were trying to damage or destroy the centrifuges. They were doing it by changing bits and bytes because that’s what was controlling the sensors, controllers, pumps, and motors. When you do that, really bad things happen.
Another type of attack—a physics-based attack. I talk about that in a blog post. The Aurora vulnerability is still being shunned by the electric industry. What they did is said that when you have alternating current equipment, you have a sine wave. If you shut off the relays of a substation—which is like a fuse in a house—and you bring back that relay but out of phase with the grid, the sine waves don't line up. The restarting of this AC equipment out of phase will damage or destroy equipment, the same way as if you put a stick of dynamite underneath it.
These are the things we really care about. Because this is what can compromise the safety of food production. It isn't going to be the IT. The IT is going to affect the billing. The control systems can and have affected the actual integrity of the process and actually caused food to be, if you will, compromised, and people have gotten sick and gone to the hospital, and caused food recalls.
Erin: Right. It becomes a food safety issue.
Joe: This is a safety issue. And yet to this day, the Food Safety Modernization Act (FSMA) has no requirements for cybersecurity of the control systems used in the food manufacturing process.
Erin: How does someone or group have access to a control system to perform a cyberattack?
Joe: We have very little cybersecurity for the control system devices. You can get to the control systems from many different ways. For example: wireless or an IT system that hasn't been segmented or separated from the control system.
The concern is, once you get past the hard 'outside' of a control system, it's very easy to disrupt it on the inside. Control systems are like M&Ms candies: hard on the outside, chewy on the inside. It may be difficult to get to them, but when you get into them, there's no protection. And that's really saying something considering it is 2021.
Erin: Let’s talk about the JBS cyberattack, again, specifically with the ransomware. JBS paid the ransom. From your standpoint, is this a wise thing for companies to do? I've heard different opinions on this from different sources, but I'm curious, from your expertise, what your thoughts are.
Joe: Ransomware is just like any other form of extortion. If you pay off, all you're going to do is encourage the extorters or the extortionist. On the other hand, you're saying to yourself, "I need my data back."
If you're asking me, "Should we be doing that?" Of course not. But then again, I'm not the one they're trying to extort from. And if you've got things that you absolutely, critically need, you're also assuming whoever's done that is going to be honest about returning things. You're also assuming, when I pay you, you really are going to give me a file to be able to decrypt, and you aren't going to put my information on the dark web. You're dealing with criminals to start with.
Erin: What other kinds of cyberattacks are there, and what is the incentive for a person, a group, a hacker to 'attack'?
Joe: Hacking was originally aimed at banks, and other forms of places where there was money. Part of why the control system world was so late to the table is, whoever thought that somebody would want to hack a meat processor? There is no money to be made.
There are different kinds of organizations or people that want to hack. You've got criminals that want money. You have what are called hacktivists. You have people who, for example, don't like a timber company or an oil and gas company, and will therefore try and cyberattack you because they don't like what the company is doing.
One of the other things was just individuals who wanted to make a statement in the hacking world: "Look who I was able to hack." Then there's the disgruntled employee. It can be an employee of the company, or it can be an employee of the supplier who's supplying the company but disgruntled.
Then the one that's probably most disconcerting, and that's what you've got going on right now in Switzerland with President Biden and Putin, is the nation states who are hacking for nationalistic reasons. The bottom line is, what I consider cyber to be is the poor man's atom bomb.
Erin: Cyberattacks can bring down a whole company, yet it seems like companies don't take this as seriously as maybe they need to. Why do you think that people aren't taking this more seriously or taking more preventative measures?
Joe: Let me give you two parts to the answer. The first part is the IT piece. If you think of the Colonial Pipeline, what I heard was, they were looking for a cybersecurity manager for months before the attack occurred. You have a lot of companies that don't think that cyber could be critical to their existence, so they haven't until they get hit. But then you have the manufacturing space, which is the control system part of the world, and part of what's happened is IT has kind of hijacked the world of controls, of cybersecurity.
What the board keeps hearing is all of the IT stuff; it’s rare that the board hears about the control system issues. But it's about how do you get them to care about the control systems? How do you get them to realize if they get there, they can taint the food you're making and what you're eating. They can taint the water you're drinking, or cause trains or planes to crash, or pipelines to break. That's still been a hard sell and it shouldn't be.
Erin: How do we get companies, people, or industries to care more about control systems?
Joe: We need the insurance companies, credit rating agencies, and SEC to basically say, if you don't do an adequate job of securing your control systems then we’re not going to insure you or you're going to have premiums through the roof. When the board starts seeing dollars at risk, they will do it. Until that happens, we’re just going to have this discussion and nothing is going to happen.
Part of what has to happen is for both the insurance companies and the credit rating agencies to realize they are at risk. They could go bankrupt because of this. And until that occurs, we're not going to make progress.
Erin: What are a few takeaways for our listeners to take control of their cybersecurity?
Joe: The first is senior management—at the board level, at the C-level—needs to treat cybersecurity as a high risk. Number two, treat control system cybersecurity as an existential risk to the company, because if the senior execs don't do that, you're dead on arrival. It has to start at the top. Engineers and the network people have to work together.
When it comes to the control systems, the engineers need to lead and the network people need to be their support, not the other way around. The tail cannot wag the dog. You're making food, you're not running a network. The network is there to help you make food. You also need to know what is in your network; and you have to know what you have installed. You can't be secure or safe if you don't know what you have. You have to have this basic inventory and situational awareness.
Lastly, there needs to be training of executives, of the network people, and of the engineering, or production people on what this really is and how they need to be working together.
There is very little of that despite what people claim. The focus is purely on the IT part of the networks, not how does your facility really work, and what do you need to make it work reliably, safely, and securely. If you can't do all three of those efficiently, you're not going to survive.
One final point, about ransomware. There have already been almost 12 million control system cyber incidents to date. There have been over 1500 deaths to date. There's been well over $90 billion in direct damage from control system cyber incidents. And people aren't really aware of almost any of these. It is very real. But there's very little monitoring and very little training. And there's very little control system cyber forensics to really help people understand what's going on. This isn't a hypothetical that might eventually bite you. It's very real, and Russia, China, Iran, North Korea, and cyber extortionists are all aware of this.