BY TREVOR BACQUE • ILLUSTRATIONS BY VECTEEZY.COM
Cybersecurity breaches continue to plague major companies around the world, and for good reason: the nefarious “actors” behind the attacks stand to make substantial sums of money if they are able to pinch the right company at the right time in just the right place.
It played out in May of 2021 when ransomware hackers hit the Colonial Pipeline on the American east coast. With fuel deliveries immediately halted, the company felt defeated enough to quickly pay 75 bitcoin with a value of $4.4 million USD to the cyber criminals, which many believe to be the Eastern European operatives known as DarkSide.
Before the month was over, agriculture was the target. In a ransomware attack against JBS SA, the world’s largest cattle processor was brought to its knees almost overnight and operations were temporarily shuttered at its Canadian, U.S. and Australian facilities.
Even though JBS spends in excess of $200 million annually on IT, its systems could not withstand the attack, which the FBI said was carried out by Russian-based REvil. The group demanded $22 million in bitcoin from the Brazilian mega company.
In many instances, companies make a hard peace with the fact that the stolen information is simply gone and begin rebuilding, opting to never negotiate, but not JBS. Whatever information was compromised proved vital enough to come to the table. In an unprecedented move, JBS negotiated. After only a few days the company paid half of the initial demand, $11 million, all in Bitcoin, to the hackers. They won. JBS lost. Agriculture noticed.
Any industry can come under cyber attack, so perhaps the shock was not that an agricultural company was attacked, but that it hadn’t happened sooner.
“This was a bit of a wakeup call,” said Sylvain Charlebois, director of the agrifood analytics lab at Dalhousie University in Halifax, NS. “They had to shut down plants for several days … that is just not good. You are compromising the integrity of supply chains and many markets. The entire agrifood industry should be concerned about what happened at JBS. The fact that they had to pay the ransom is even more concerning. It points to the fact that the agrifood sector is not necessarily ready to deal with cyber attacks, or made cybersecurity a priority. Many companies aren’t ready. JBS is one of the largest agrifood companies in the world, one could think other companies could be targeted by cyber attacks, unfortunately.”
Charlebois framed the attack as agriculture having its “Tylenol moment,” a reference to tampered pain reliever pills covertly laced with potassium cyanide that killed seven Chicago area residents nearly 40 years ago.
“Back in 1982 no pharmaceutical companies were expecting customers to walk into a store with poison products on shelves, but it did happen,” he said. “Agrifood companies are very good at managing risks, generally speaking, but they’ve never actually considered risks that aren’t food related.”
Charlebois believes industry always leads on policy, but is worried how far behind government may be on this issue.
“I can assure you cybersecurity is nowhere near the Canadian Food Inspection Agency’s [CFIA] radar,” he said plainly. “It’s not even close. You can’t rely on government to push that agenda.” At the time of writing, a quick search of the CFIA website confirmed it has zero posted information related to cybersecurity in Canada’s food system.
With the hit on JBS, Charlebois rightly thinks Cargill should be concerned, but so should similar players such as McCain and Maple Leaf Foods. Grain handlers and railways should sleep with a metaphorical eye open, too.
“I think everyone is exposed here,” he said. “In transportation, I suspect there’s been some movement there. When I think of most grain handlers, mills, things like that, I wouldn’t be surprised if they made cybersecurity a priority. When I saw the JBS ransom, I thought, ‘oh, this is just not good news for everyone.’”
Such high-profile attacks affect everyone to different degrees, including the average farmer. Charlebois believes it is vital farmers and their networks join the conversation about cybersecurity. A shutdown such as JBS endured should alarm them. After all, if a meat processor halts operation, what do feedlot owners do? Extrapolate far enough and it raises the question of how feed grain farmers may be affected. Similar questions arise with crush plants and grain mills.
“Farmers are suppliers are JBS; I don’t see how farmers shouldn’t be part of the conversation,” he said. “The one thing I’ve learned, the weakest link you have will be the target used against you. This is the food supply chain. If you’re not concerned about cybersecurity now, you should be.”
SIZE DOES MATTER
Wendy Young backs this spot-on assessment of the situation by Charlebois. She is a 30-year IT and cybersecurity veteran and vice-president of data systems and security at NGen, an industry-led, non-profit that leads one of Canada’s five research superclusters, Advanced Manufacturing.
Young talks of countless instances of hackers accessing smaller systems to make a leap into larger, potentially more lucrative ones. “Why would somebody want to hack you?” she asked. “You are a small organization. What’s the value of that data to those threat actors? If they can find a small chink in the armour of the supply chain they’re after or if the supply chain is connected to a big system, that’s the value of wanting to hit the small company.”
The internal leapfrogging often goes largely unnoticed, too, because information is not often tampered with at the lower levels, which Young explains is typically HR-related data and is difficult to leverage as part of a ransom payment.
“They are looking for the money, they’re looking for the easy win,” she said. “They may want to attack you to get to the next guy, and in some cases you’d never know. It is important for the whole supply chain to understand their part.”
Young is familiar with companies that choose to eschew ransoms and instead decide to rebuild kidnapped data, thinking it the shrewd decision. “Five to six years and $15 million later, they’re still trying to recover. If you lose that data and can’t recover, what’s the impact to your business?” For JBS, which paid out eight figures in short order, the answer was likely too long.
Even though Young does not view farms as a primary target of hackers, it does not mean they are off the hook. “If you only think they’re looking for data other than disruption to your system and shutting down your entire business, then you will miss the holes in your systems,” she cautioned. “They do a lot of homework. These guys are really smart. They understand who your supply chain is; we’re all in business, we’re all connected.”
With so much agricultural field data being sent into the cloud, concerns linger about where the information is stored and how secure its servers are. Young said farmers have a right to be concerned.
“When you are working with these third parties … talk to them about cybersecurity,” she said. “Lots of organizations won’t include that in their base product. It’s great that [agricultural machines] are connected to the internet, that a third party can secure and monitor it, but what’s their security?”
DON’T USE “bob2020”
“Is any system perfect? I haven’t seen an industry where it’s not a problem.” So said Cameron Bergen, CEO and co-founder of Mode40, a Steinbach, MB agrifood and IoT solutions provider with a focus on cybersecurity. Digital susceptibility is an issue for all businesses he said, and this includes agriculture and its peripheral industries.
“Vulnerabilities exist in everything from financial institutions through health care and inside the food space. Our simple take is organizations have to pay attention … doing regular assessments with the right certifications and assume failure is going to happen.”
While combat against cybersecurity threats is carried out by IT teams that administer complex systems, common-sense precautions such as passwords are just as important. “Don’t use ‘bob2020,’” he explained.
Email filtering systems are essential for any business owner, whether a sole-proprietor farmer or a value-added farm operation and Berger said businesses deal with the issue of cyber crime non-stop. “It still occurs more frequently than you want to know.”
While farmers may be hesitant to send agronomic data to the cloud, Bergen believes skepticism was warranted 10 years ago, but not today. “We see an increase in confidence with the level of [security] cloud service providers have brought [to] their infrastructure,” he said. “That infrastructure has matured. It’s proven itself in other industries. I don’t see the same reluctance anymore.”
Aside from internal checks and balances, Bergen suggested anyone with a business of any size is wise to solicit outside perspectives. “You have to have external, unbiased views that can deliver to you and challenge you about best practices,” he said. “It’s where we can find some of our biggest weaknesses. We can talk about advanced methodologies all day long, but until you check the box on the basics, it’s rare we don’t find a scenario to fix your internal assessments and checks even on the most basic levels. Fix low-hanging fruit now.”
Farm size is not a factor in this equation because hacking can occur for any reason to any person. Farms need to be vigilant since their livelihood is, to varying degrees, tied into the data they collect.
“If your facilities that have animals in them, or plants, that rely on that infrastructure to grow, you should be asking yourself this question: What are you doing today? It could be a one-family farm, one building. The answer should be: I have a plan, I know what I’m doing.”
CANADIAN CENTRE FOR CYBERSECURITY
Is your farm or additional business venture secure? How do you know? Well, one way is to get in touch with the Canadian Centre for Cybersecurity (Cyber Centre). Based in Ottawa, ON, the high-tech bureaucratic wing of the federal government provides loads of free information on how the average business may implement practices and procedures to stay safe in a connected world. Whether a farm plans to move its business operations to the cloud or wishes to conduct an internal cybersecurity audit, the Cyber Centre is a trusted resource.
According to the group’s 2020 National Cyber Threat Assessment, cyber crime remains the top threat most likely to affect Canadians and their businesses, specifically those in the small- and medium-sized categories.
And while we’re not talking about showering or brushing your teeth daily, good online hygiene is essential to staying healthy when connected. The Cyber Centre offers these six pragmatic tips to safeguard yourself or your business.
Train your employees: Email phishing is the most common method that attackers use to spread ransomware. Regardless of what security features are installed on a device, if a malicious link is opened, that device could be compromised. Employees must know how to recognize phishing attempts and how to report them.
Disable macros: Countless ransomware attacks are sent as Microsoft Office attachments. When an attachment is opened, they are prompted to enable macros to see the document’s content. Once they enable macros, the actual ransomware payload will download and execute. Keep macros disabled by default.
Patch operating systems (OS) and third-party apps: Unpatched and unsupported operating systems present easy vulnerabilities for would-be attackers. Be sure to keep your OS and all third-party apps patched with the newest updates.
Restrict access: Users should only have the minimum amount of access required to fulfil their job duties. Restrict administrative privileges as much as possible.
Backups: Perform frequent backups and make sure information is not connected to the internet or local networks. If ransomware is planted on just one device, it can rapidly spread across your entire network without detection.
Practice recovering: Organizations are encouraged to run a simulated ransomware attack and practice its recovery procedure. How long would it take to get back up to regular, pre-attack levels? Often, the answer is much longer than initially thought. Such an exercise can show you where your farm or business is most vulnerable.
For more resources or to download a free cybersecurity audit kit, visit cyber.gc.ca.