Cybercrime is on the rise, and agriculture isn’t immune

Agriculture is vulnerable to the ever-evolving threat of cyberattacks and artificial intelligence advancement, farmers are warned.

“We’ve got a lot of great innovation and technology here in Canada, particularly in agriculture,” Cathy Lennon, general manager of the Ontario Federation of Agriculture, told attendees of a January cybersecurity webinar hosted by the farm organization.

“People may be interested in knowing more about the technologies, innovations or trade secrets contained in our computers.”

Why it matters: The agriculture sector is increasingly a target for cyberattacks.

While the main targets of cyberattacks are the healthcare, banking and energy sectors, agriculture is not immune. Attacks have occurred from inside and outside farming operations via disgruntled employees, animal activists or hackers.

In recent years, cyberattacks have cost Empire, the parent company of grocery chains Sobeys and Safeway, some $25 million in losses. JBS, the world’s largest meat processor, spent $13 million to recover systems and data and Maple Leaf reported a $23 million loss.

Lennon said the JBS hack impacted its processing plant and North American producers, who couldn’t ship their cattle until the ransom was paid.

“Why would someone hack into JBS and want their data and information?” asked Lennon. “For control?”

In response to digital threats, the University of Guelph recently launched a $4 million research and teaching innovation facility and offers a one-year master’s degree in cybersecurity and threat intelligence.

Its research indicates that cybersecurity standards in the agriculture sector lag in readiness and implementation, increasing its vulnerability.

“One of the biggest risks they’ve identified in agriculture is organizations are running on older and outdated software,” said Lennon. “And that’s a juicy target for ransomware.”

A simple solution is to itemize digital elements in the home and farm computing systems that require upgrades and updates. This includes wifi, software and operating systems, anti-virus software and subscriptions. Effective external hard drive back-ups and schedules are also recommended, as is a plan to update and close any gaps.

Lennon said each staff member should have a unique username and password that is routinely updated to eradicate access by former employees.

Incorporating two-factor authentication, password management software like Bitwarden or 1Password, and providing employees with cybersecurity training can defend against data breaches.

The human element

Cyberattacks rely on human error. Attackers hope a user will open an attachment or click on a link so they can gain access to data, programs and operating systems to freeze a computer, take remote control of farm operating systems, and alter data.

“(With password management systems), all you need to remember is your one strong password,” said Matt Harrison, OFA’s IT manager.

“And if, for whatever reason, one of those sites does get taken down or interrupted, you’re not losing any of your core passwords. You’re only losing a random one you have no tie to.”

He said Apple and Google-generated passwords stored on a password management system are hard to crack but they are vulnerable when stored on an open source like a computer.

Last Pass is the only password manager known to have had a data breach, and hackers only accessed client names, not accurate password combinations.

He cautioned that facial recognition software, while user-friendly, is less secure than unique passwords.

Lennon suggests discussing suppliers’ cybersecurity protocols and learning what personal or farm data they retain, to prepare against hackers and push the agriculture sector to increase its defences.

AI a new hacker tool

While most people are aware of phishing emails, AI is giving rise to new types of scams. These include vishing, where a phone call mimics a familiar voice, and smishing (scam text messages) that appear to come from a familiar sender. In those cases, the use of language may not be quite right, providing an alert that it may not be from the assumed sender. But the language is improving.

“We need to be aware that AI will start to make these conversations (and online interactions) we have with fraudsters more real,” Lennon explained.

“They’re going to be able to mimic and copy and communicate with us even better than they do today.”

Agriculture is increasingly reliant on technology in the barn for heating and cooling, watering and environmental systems, GPS or robotic milkers, all of which generate information and data, she said.

Attacks close to home

Lennon gave two farm-level cyberattack examples, both on Ontario farms in the past year. Hackers took command of a poultry barn’s environmental systems, demanded a ransom to return control, and threatened the livestock if the producer didn’t pay.

In the other case, animal activists commandeered a swine barn’s security cameras and threatened to release alleged animal abuse caught on film if the operation didn’t issue a false confession.

The hog producer resolved the issue quickly, realizing there was no video of abuse, said Lennon, but it highlighted a weak spot in cybersecurity.

The poultry operation faced a tougher decision: pay the ransom to unlock the system or risk birds’ lives.

“Imagine the impacts on your farm if it is interrupted for a day, a week, or a month,” she said. “These are some very real examples.”

The threat extends to control of operating systems, data manipulation and effects on system programs, all of which can put businesses at risk.

For example, given the number of robotics and automated tasks in a dairy, a hacker could compromise milking protocols so a treated cow’s milk enters the bulk tank instead of being segregated.

Agromart/Sollio’s accounting system breach two years ago made customer names, addresses, phone numbers, credit cards and, in some cases, cropping and personal farm information vulnerable to release on the dark web.

The company is addressing the long-term impacts of the attack through a class action lawsuit.

The OFA carries a cybersecurity insurance policy. However, well-developed farm-level policies that define terms and conditions, coverage and required protocols have yet to reach the market.

“The cost is so great. I believe this is an area the insurance sector is going to have to pencil out and figure out how to make this affordable and realistic as well.”

Lennon said cybersecurity must be carefully assessed and bolstered throughout the agricultural and food chain sector.

“What’s happening at the farm? What’s happening with those suppliers? What’s happening at processing? What’s happening at retail?

“Because the impact is so huge, how can you win? I think it will be a big step to start to have those conversations.”