The agricultural industry has for a long time been viewed as low risk from potential cyberattacks. However, with more and more farms and food processing plants adopting new technologies to streamline production and integrate with supply chain services, cybercrime is becoming an increasingly severe threat to agri-business. The number of attacks is on the rise.
Global Supply Chains
Only recently, we've seen evidence of these attacks with REvil (a Russian-based hacking group) allegedly claiming responsibility for the attack on JBS, the world's largest meat processor. The attack affected thousands of employees in Australia, Canada, and the US.
In addition, the group claimed to have broken into the systems of several other companies in the food industry, including Smithfield Foods, and Pilgrim's Pride, potentially gaining access to sensitive data. (Read also: Big Data is Big Business in Agriculture.)
But it's not just about the risk of a data breach and loss of access to services; it's the loss of production and the financial fallout from these attacks. Plus, although not immediately apparent, a cyberattack can have far-reaching and potentially disastrous consequences to both the industry and individual consumers.
A report from McAfee states: "Cybercrime costs the world economy more than $1 trillion, or just over one percent of global GDP, which is up over 50 percent from a 2018 study that put global losses at close to $600 billion." Beyond the worldwide figure, the report also explored the damage reported beyond financial losses, finding that 92 percent of companies felt effects beyond monetary losses.
A new AgriFutures Australia report by BDO explores the cyber threats facing Australia's rural industries following two significant attacks in the past 12 months. Rural industries failing to protect against cyber threats are not only putting themselves at risk; they are also putting Australia's food security at risk.
In March 2021, the Canadian government announced funding to enhance cybersecurity in the agriculture sector. The Minister of Public Safety and Emergency Preparedness has said: "Canadian agriculture is a critical and increasingly interconnected service, and it is a key part of our economy, trade, and food supply. This funding to the Community Safety Knowledge Alliance for their Cyber Security Capacity in Canadian Agriculture project will help foster collaboration and protect cyber systems from compromise." The Canadian Cyber Security Cooperation Program launched in August 2019 under the National Cyber Security Strategy set aside $10.3 million in funding over five years, with $4.2 million available from 2021 to 2024.
Critical National Infrastructure
On Feb. 5, 2021, in Oldsmar, Florida's west coast experienced a cyberattack on its water supply. A hacker maliciously took charge of the Industrial Control Systems (ICS) and boosted the level of sodium hydroxide (Lye) to 100 times higher than usual. An instance of Lye poisoning can cause burns, vomiting, severe pain, and bleeding. The breach was remedied before anyone was hurt, but the results could have been disastrous.
More recently, cybercriminals took control of the Colonial pipeline via a ransomware attack that temporarily interrupted fuel supplies, resulting in fuel shortages, panic buying, long queues, and ultimately, chaos in our communities.
The disruption to supply chains, even a small one, is far from trivial. Depending on the perpetrators' motives, attacks like these could be viewed as an act of cyber warfare, primarily when it affects any part of a Critical National Infrastructure (CNI).
Sectors that come under the heading of Critical National Infrastructures are similar regardless of where you are in the world. Malicious threat actors carry out attacks regularly, making it a National Security issue. The US, UK and Canadian governments each have a list of similar CNI's that include: Agriculture, Food, Water, Public Health, Emergency Services, Government, Defense, Information and Telecommunications, Energy, Transportation, Banking and Finance, Chemical Industry, Postal and Shipping.
Like many industries, the Agricultural & Food sectors operate on a just-in-time supply chain basis, requiring sophisticated logistics operations. Unfortunately, supply chains disrupted by a cyberattack can't afford any downtime; this means it's more than likely that these businesses will pay the ransom to get back up and running.
Smart Agriculture: Farming and Diversification
More and more farms are diversifying into other business areas and revenue streams such as holiday accommodation and glamping. Others are adopting Smart Farming technologies, installing sensors that can monitor soil quality, water feed levels, and crop irrigation controls.
Some sensors control lighting, temperature, and humidity management for indoor crop growing. There are specialized software solutions that target specific farm types or use cases that introduce IoT platforms and autonomous tractors.
Whether you are running a glamping business alongside your existing agribusiness or applying smart tech to your current farming business, there is a common denominator: you still depend on network infrastructure in some form to run your business. If connected to the internet, your systems are susceptible to cyberattacks. It is a case of when, rather than if cybercriminals will target you. (Read: The 6 Most Amazing AI Advances in Agriculture)
Whether you operate a dairy farm or grow crops, even if you've diversified into glamping, then chances are you are running a website and taking payments for orders or bookings. The website you run is a linchpin for your business model. You are likely using an integrated e-commerce platform, which includes a payment gateway – is it secure? Have you considered cybersecurity in agriculture? Does your website have any vulnerabilities such as those listed on the latest OWASP Top Ten Attacks list? How frequently are your web servers patched against the latest zero-day exploits? Do you perform regular penetration testing on your infrastructure? Can your business continue if your website goes offline? Remember, your business is still at risk from cyber threats.
Smart Farming Industry Technologies
Innovative Farming technologies attract attention from cybercriminals. Malicious hackers are always looking for new vulnerabilities to exploit and any opportunities for financial gain. Cybercriminals located anywhere around the globe can still identify and control devices that have been incorrectly configured and sit exposed via their IP address, making them a security risk. Many IoT devices have out-of-date firmware installed or inherent vulnerabilities. Any of these weaknesses can allow an attacker easy access to your smart farming network, (for instance remote sensing or smart sensor technology,) enabling the attacker to either take control for sabotage or hold your data hostage via ransomware.
Agribusiness Security Risks
Key cyber risks for agricultural businesses include, but are not limited to:
- Theft of devices.
- Unauthorized access to private data, your own and that of your customers.
- Theft of proprietary information (like contracts or security designs.)
- Potentially damaging access to equipment and farm systems.
How to Determine if Your Farm Is at Risk from Cyberattack
Regardless of whether you run a smallholding or a medium-size family farm, or complex agriculture systems mega farm, the best way for farmers to determine whether they are at risk is to begin by looking at their current IT setup.
Create an inventory of all the devices and equipment you have that enables your agriculture business to operate. In addition, producers need to audit each system on their network and assess the security controls associated with each process, looking for potential weaknesses or vulnerable entry points. These two technical areas are best left to cybersecurity experts.
Finally, farmers should ask themselves if it makes sense to outsource cybersecurity support on an ad hoc basis or invest in a managed service agreement with a third party. (Read also: 5 Industries Facing Game-Changing 5G Transformation.)
What Defenses are Available for Agricultural Security?
As the number of threats increases, the demand for security-hardened technologies will only grow. Many security solutions already exist on the market to protect against cyber threats, including:
- Hardened Server Operating Systems.
- Vulnerability Scanning.
- Deception Technology (DT).
- Breach & Attack Simulation (BAS).
A regular patching schedule and robust backup system are all essential controls that should be implemented within your network, some as standard, and others (such as DT and BAS) fit into an advanced category of active defense.
Deception Technology (DT): Deception Technology is a cloud-based Security as a Service (SecaaS) platform that specializes in protecting enterprises and industrial control systems (ICS) from cyberattacks. The software provides continuous threat monitoring and network forensics capabilities to detect and mitigate advanced cyber-attacks targeting industrial control systems (ICS) such as those used in agriculture to control production equipment, irrigation, automated feed supply machines, and HVAC units. Deception Technology also prevents malware from entering the organization's network through any of the following Internet-facing ports: TCP/80, TCP/443, TCP/139, and UDP/139.
Breach and Attack Simulation (BAS): This new tool enables you to simulate attacks on your live network so you can discover your blind spots and identify any gaps or misconfiguration anywhere in your agricultural technology.
The threat of cyber-attacks on agricultural enterprises and associated supply chains is increasing. Just as fences need to be erected around cattle and sheep as a protective perimeter, IoT and other networked devices, servers and websites need to be protected by a security perimeter, using appropriate Next-Generation Firewalls, Antivirus & Malware detection, EndPoint protection, and a selection of other security measures.
Whatever business sector you operate in, there's a combination of layered defenses to suit your budget, operational size, and exposure. Regardless of the industry, these measures can defend all business types. It's time to take action and secure your food production business against Cyberattacks in 2021 and beyond.