Glacier FarmMedia – Digital tech has been a double-edged sword for agriculture; it grows the sector but also exposes it to cyber security risks.
“The agricultural sector has increasingly become a target of cyber-attacks in ways that can cause serious disruption to the livelihoods of rural communities and to critical infrastructures, including supply chains,” said Janos Botschner, lead investigator for Cyber Security in Canadian Agriculture (CSCA).
Why it matters: Experts say cyber security should be a priority consideration for all critical infrastructure operators including the agricultural sector.
Read Also
Why do farmers hate paying taxes?
It didn’t take long in my accounting career to learn that farmers don’t like paying income tax. No one does…
CSCA oversees the multi-year Cyber Security Capacity in Canadian Agriculture project developed to strengthen and support domestic food security and well-being, rural economic development and resilience, and national prosperity. Funded by Public Safety Canada’s Cyber Security Cooperation Program, the project aims to bolster Canada’s agriculture sector cyber security capacity.
“Because of how important agriculture is to Canada’s well-being and prosperity, we all have skin in the game, so cyber security can be thought of as a joint responsibility,” Botschner said.
“However, good cyber security is more than a checkbox exercise. It’s something that requires regular attention, like any other form of business risk management.”
Botschner said a cyber gang announced in late 2020 its intentions to disrupt the agriculture and food sector in the coming year. In 2021 there was an attack on meat processor JBS, and two grain buyers in the U.S. were subjected to ransomware attacks during the harvest season.
“Disrupting supply chains at critical cycles and/or threatening to release confidential data are additional methods used to ratchet up perceived pressure on victims to pay a ransom,” he said.
The Federal Bureau of Investigation confirmed that in the fall 2021, six grain cooperatives fell victim during harvest. In addition, two attacks were levied in early 2022 that could have disrupted seed and fertilizer supplies.
“Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production,” said the FBI in a release.
“Although ransomware attacks against the entire farm-to-table spectrum of the FA [food and agriculture] sector occur regularly, the number of cyber-attacks against agricultural cooperatives during key seasons is notable.”
The FBI, along with cyber security agencies in Australia and the United Kingdom, issued a joint cyber security advisory in February that warns of an evolution in ransomware tactics. High-impact and sophisticated attacks involving critical infrastructure organizations, including agriculture, are becoming more common globally, which could significantly impact the food chain and food security for humans and livestock.
“A significant disruption of grain and corn production could impact commodities trading and stocks,” the FBI said.
“An attack that disrupts processing at a protein or dairy facility can quickly result in spoiled products and have cascading effects down to the farm level as animals cannot be processed.”
Botschner wouldn’t speculate on the magnitude of the threat facing Canadian producers and supply chains but noted the interdependent nature of Canadian and U.S. supply chains, purchasing arrangements and geopolitical positions warrant a risk analysis within each sub-sector.
“It is important to understand that the agriculture sector has many large organizations but also independent producers that are critical to the supply chain,” he said.
“Many (farms) are run by families who leverage the same devices and accounts for work and personal use. Most wouldn’t have a dedicated IT employee and may not have thought of business continuity plans.”
At the farm business level, it’s vital to assess risk and develop protocols for critical information back-up, prevention and recovery policies to safeguard against ransomware attempts.
Ag businesses should approach cyber security as they do fire safety, he said, with cyber-drills to ensure those involved in the day-to-day running of the farm understand how to quickly implement back-ups in the case of a digital shutdown.
Ritesh Kotak, a cyber/tech analyst based in Toronto, said several devices generate data within agriculture, such as smart irrigation systems, drones, weather sensors and other Internet of Things (IoT) monitoring tools in which aggregated data is provided for convenience.
Agriculture business owners often make the simple mistake of purchasing consumer devices, not enterprise-grade that have increased security and service scrutiny, said Kotak.
Vendors should be asked about their privacy policies, whether they share consumer data, and whether their support team is in-house or outsourced. Then clients can assess cyber risk.
“I personally like to look at the company information, how long have they been in business, who’s on their board, and any complaints against the company,” Kotak said, adding he speaks to customers to get a business-level assessment of the service.
He said it’s essential to craft policies, communicate and implement them with staff, and ensure the training on data and software is simple and understandable. That includes being wary of free trials, which could track user activity.
Reading the terms of service, while tedious, is critical to finding “hidden” information, he said. For example, the second-generation Nest smoke alarm has a microphone in it.
The terms of service for a Delaware-based face-recognition app he assessed showed the app stored data in St. Petersburg, Russia.
“This idea of data residency – you want to ask that question. Even though you’re using a cloud-based system, where’s my data being housed?” said Kotak. “And is there a way for me to house it north of the 49th parallel within Canada?”
He said customers could demand, and might even be required, to ensure data is housed in Canada, especially if working with government agencies.
Botschner said a collective move from a reactive to a proactive posture is needed toward cyber security.
“Over the next couple of years, our project will be producing knowledge products to help producers, policymakers and others explore and implement ways of enhancing cyber capacity within this key sector,” he said.
– Diana Martin is a reporter for Farmtario. Her article appeared in the May 16, 2022 issue.
