Ways That Food Retailers Can Better Protect Themselves From Threats
In an increasingly connected world, security has become a more important issue than ever, so Progressive Grocer made sure to address this pressing issue during its recent GroceryTech event, which took place June 10-12 at the Marriott Dallas Uptown. “Facing Down Threats: Tech Partnerships That Protect Key Infrastructure,” a session moderated by PG Senior Editor Lynn Petrak, featured Nathen Fritzsche, deputy chief information security officer, senior director of enterprise technology at Moran Foods/Save A Lot, and Kevin Minor, corporate engagement-Domestic Security Alliance Council (DSAC) at the FBI field office in Dallas.
Discussing the FBI’s DSAC and InfraGard initiatives, both of which are concerned with security threats, Minor explained: “Our DSAC program is more for the industry to have that one-on-one communication with the FBI. The InfraGard program is for the individual that’s working in the critical infrastructure, so that … those boots-on-the-ground individuals don’t get left out of that information flow in that stream. Not only that, we can’t predict or see all threats that are happening to our critical infrastructure. The only way that we could actually get an idea of the gaps in our blind spots is to open the floor up and bring people in, but it’s not a one-way communication stream. So we actually push out a lot of intel and vulnerabilities, threat information, whether it be on cyber or physical security threats, just to everybody at large so they have to ingest it, and then take it and utilize it within their respective companies.”
According to Minor, InfraGard is currently about 80,000 members strong, while the DSAC program has about 700 member companies.
Describing the threat landscape as “constantly evolving,” Minor noted that “in order for us to stay on top of that, we want to actually partner with our InfraGard members, because we want to seek the insight as to what they’re seeing. Usually, companies come to us, if we’re fortunate enough to have those established partnerships, with those threats in advance. Then actually we'll use our intelligence community contacts both domestically and internationally to kind of get a handle on some of [those] things.”
[RELATED: Weis Markets Concludes Investigation Into Data Breach]
Urging his fellow grocery execs to join their local InfraGard chapters, Fritzsche said: “There’s a lot of power in the communication, the cross-communication, between the different companies, and then also interaction … through DSAC. We actually have a relationship with the local [FBI] field office in St. Louis. We’ve reached out to our local FBI contact to let them know about threats that we’re seeing, whether it be targeted phishing, whether it be industry-related social engineering.
"We’ve also received communications from them about targeted card-skimming efforts and campaigns that are going on. It’s just that two-way communication, making sure that you’re both open and willing to share, and then also open and willing to receive the information," he continued. "I don’t have a large enough team to address every threat … so those partnerships across not just the industry, but then also government and law enforcement, are huge in making sure that we’re seeing the full threat landscape, or at least [as much of it as] we can.”
As for how Save A Lot, which consists of independently operated stores across the country, deals with cybersecurity matters, Fritzsche said, “We have a very robust communication strategy where we will reach out, both email and text message, we’ll have webinars, and then we also have the security bulletins that we send out organization-wide, which includes our retail partners and store associates.”
Minor recommended that grocery operators take a top-down approach to cybersecurity. “I think the company culture is set by the executive C-suites, and if you can get that buy-in and that push-down, it makes it a lot easier for the employees from the mid-level management down to actually ingest that and run with it,” he pointed out, “and I think another thing is just showing ’em the benefit in it, making them own the program, making it a value to them, is another way to achieve buy-in.”
The special agent went on to extol the “very short onboarding process” for both InfraGard and DSAC. “In regard to an application, you have to be 18 years old,” he noted. “You have to be either a current or former employee that worked in critical infrastructure, agree to a limited background check, obviously because we know that nation-state adversaries are trying to get into these portals to see exactly what we’re reporting on … and also you have to actually maintain some kind of participation in the program. We don’t want people in there that log in once and then you never hear from ’em again, because that affords people the ability to compromise the network.”
[RELATED: Ahold Delhaize Cyberattack Affected More Than U.S. Network]
Once accepted into InfraGard, members are granted access to the program’s portal, which is populated daily with information on various threats. “It may not be specific to your sector or your interest, but our mantra is ‘Connect to Protect,’” observed Minor. “So if we identify a threat that's affecting oil and gas, or dams, or the defense industrial base, we’re going to figure out a way to declassify or sanitize that threat, push it out there as intel, so that you could ingest it no matter what sector you’re in.”
He also urged companies to be proactive with regard to such threats: “What I would encourage you to do, if you have that established relationship with the FBI, I advise you to have those intentional conversations through tabletop exercises or just through general dialog about if we were to get hit, what resources could you apply? What could we expect your response to be? And our response is scalable, depending on what you want us to do, … we’re going to come in [with] as small a footprint as possible, and we’re just going to sit back and allow you to tell us what you need help with.”
Fritzsche likewise stressed the importance of establishing a relationship with the FBI ahead of any adverse events, “because, as someone who’s dealt with a cybersecurity incident that had to reach out to the hotline to contact the FBI many years ago, it is [not] an experience … that I would wish on a lot of people.”
In response to the then breaking news that UNFI had reportedly suffered a ransomware attack, he expressed sympathy, noting, “It is a rough couple of months that they’re in for, depending on how well prepared they were for it.”
[RELATED: UNFI Finally Receiving and Shipping Grocery Orders Following Cyberattack]
In the fast-moving world of security threats, what keeps the food and agricultural sector up at night? In its capacity as an intel collection agency, the FBI determined to find out. “Three of the top [concerns] were cyber-intrusions, malicious use or compromise of the supply chain, and then breach or compromise of a facility security,” said Minor, additionally noting business email compromise and cargo theft, along with natural disasters and geopolitical conflicts that could affect the supply chain.
Noting that email provided “a massive door into your organization,” through which security breaches could occur, Fritzsche went on to describe a recent social-engineering attack that was largely thwarted by the layers of security that Save A Lot had in place through proper training of staffers. “You’re never going to protect everything,” he admitted. “The goal is to protect enough, protect those critical assets, the critical infrastructure, and for everything else, make it just annoying enough to where they move on to the next target.”
In regard to emerging threats, Minor cautioned against intellectual property theft, particularly by China, which is keen to steal emerging U.S. technology. “Whether it be from an insider threat, whether it be from business email compromise or something of that nature, we really have to pay close attention to what our adversaries want and harden those systems to protect those at all costs,” he added. Additional emerging threats mentioned were AI and social media platform TikTok, both of which have the potential to be leveraged against U.S. companies – not necessarily by nation states like China, but also by activist groups.
Fritzsche emphasized that the most important way for companies to arm themselves against security threats was to have a plan. “The real power is having that roadmap, having that strategy and being able to execute against it,” he advised. “There’s power in progress. Don’t lose sight of progress in your journey to perfection. In that concept, the progress is how you get additional funding, how you get additional support, and how you move towards that more perfect solution.”
