Why is cybersecurity not a selling point?

The importance of cybersecurity can’t be understated so why don’t equipment companies market top-notch digital security capabilities as a feature in their products?

For that matter, why are even passing mentions of cybersecurity rare? 

These questions are posed by David Masson, a long-time digital security professional and director of enterprise security for the globe-spanning AI and cybersecurity company Darktrace.

Why it matters: Every internet-connected device and software is a potential route for hackers, including the software and AI on farm equipment.

In a June 21 interview with Farmtario, Masson questions whether companies in the farm equipment or auto industry really grasp what could happen should nefarious actors gain access to their machines via the software used to operate them.

With combines, tractors and trucks riddled with software, there are many potential points of entry. The speed in which AI processes data compounds any potential problem because humans may not respond fast enough to limit an attack.

Rendering a machine inoperable is just one of many potential outcomes. Disrupting the depth at which an autonomous planter sets seed or skewing the amount and location of fertility inputs, for example, is possible through hacking.

Doing so in a way that ensures the human operator remains unaware of the issue is also possible, particularly if there are inadequate or no contingency systems built in.

“It will basically vandalize a field, and do it all at the same time,” says Masson, referring to a hypothetical AI-driven machine under a cyberattack.

“I haven’t seen VPN, firewall and antivirus being used in these products. No one is asking when the last time the [car or tractor] was virus checked.”

Cybersecurity threats are real. Masson cites the 2021 JBS cyberattack, which cost the meat packer significant down-time and an $11 million ransomware payment to a Russian criminal organization, as one example.

Of course, not every farmer runs high-tech or autonomous tractors or drives vehicles laden with digital systems. That means they’re safe, right?

Not a chance.

Threats can go two ways. Even someone who doesn’t directly deal with software-heavy machines might be vulnerable. Bad actors can use even basic routes to access other people, companies and organizations.

Conversely, a company experiencing a threat might inadvertently provide the perpetrator(s) with information on its customers or access to them.

Masson says every person is a potential conduit for cyber threats, “part of a threat actor’s greater plan,” whether or not they realize it. Despite this, his experience suggests security safeguards are often an afterthought. Developers prefer to deal with security at the end of a product, if at all.

A federal cybersecurity policy?

Masson also references the significance of recent federal legislation aimed at improving Canada’s cyber resilience.

A new critical infrastructure cybersecurity law, Bill C-26, was brought before the house June 14. The official press release indicates the proposed legislation seeks to amend the Telecommunications Act to provide the federal government with legal authority to mandate action to secure Canada’s telecommunications system.

This includes prohibiting Canadian companies from using products and services from high-risk suppliers. The Critical Cyber Systems Protection Act (CCSPA) was also introduced, aimed at securing Canada’s critical infrastructure.

Part of the legislation would ensure cyber incidents of a specified severity threshold must be reported to the federal government. Masson believes this is generally positive and detailed his thoughts in an email.

“In Canada, we are used to considering the cyber and privacy legislation brought out by allied countries [but] often overlook our own attempts … Now the Canadian federal government is finally realizing that to deal with the increasing scale, complexity and speed of cyberattacks, it will need facts and data,” Masson wrote.

“Any private or public organization is often reluctant to talk about its victimization by a cyberattack, never mind report it by law to a central body. There are many reasons behind this reluctance, some legal, some revolving around a desire to protect reputation.

“Disclosure of an ongoing attack may make things worse, and sometimes that’s because the organization doesn’t have the technology to reveal what’s happening. But keeping these cyber incidents in the dark poses problems when trying to defend nationwide infrastructure from attack; forewarned is fore-armed.

“The Canadian federal government has a good idea about the scale of the cyberthreat to itself and uses this to take steps to defend and better mitigate the risk from attack. But outside of government, understanding of the cyberthreat facing the entire country is patchy,” he added.

“There are local polls, business sector surveys and a small sampling of affected businesses and individuals, but these attempts at assessment are fragmented and siloed and can’t give Canada the big picture. Enacting legislation that will compel cyberattack reporting to a central point will finally allow Canada to build the big picture, which will allow much better allocation of resources, budget and people to deal with the cyberthreat we face nationally.” 

Protecting yourself – some basic BMPs 

Masson provides tips to reduce the risks posed by nefarious cyber actors.

The basics of personal “cyber hygiene” can include: 

• Separate home/personal Wi-Fi from Wi-Fi used for work.
• Regularly install updates and security patches for software when available.
• Regularly backup files to offline storage.
• Use adequate passwords.
• Separate home/personal Wi-Fi from Wi-Fi used for work.
• Regularly install updates and security patches for software when available.
• Regularly backup files to offline storage.
• Use adequate passwords.