Agriculture pays little attention to computer system security, but it will be an increasing threat as farms gets larger, technology use increases and global actors look to disrupt food systems.
That means that agriculture is well behind other important sectors of the economy in protecting its computer networks, says a cybersecurity researcher.
It’s a reality that has hit home for one Eastern Canada’s agro-retail and agronomic service providers. The Agromart Group, based near London, Ont., found itself the victim of a recent cyberattack when a hacking group locked down parts of its computer system, eventually leading to personal information of farmers being posted for auction after the company refused to pay a ransom.
Why it matters: Data thieves are increasingly seeing agriculture as an opportunity area as more individual data collection sources show up on farms.
Eric Allaer, who farms in southwestern Ontario, was one of those farmers. His information was posted to the internet by the hacker group Revil after it compromised the computer systems of the Agromart Group in late May.
After the system was locked and Agromart refused to pay a ransom, the hackers then decided to auction off the data to the highest bidder.
“Hackers were asking for money to get our data back. The decision was made not to pay in according to our values and authorities’ recommendations,” David Brand, Agromart’s general manager, said via email.
Brand says the data breach was contained to Agromart and didn’t affect any other connected businesses, such as its parent company Sollio.
Agromart was able to continue business operations, he said, although it operated “manually” for a while and he expects, “the situation will be back to normal shortly.”
Revil tried to sell the data on the dark web – a part of the internet not accessible by search engines and where business is conducted anonymously.
Revil posted some examples from the data it stole, including a mostly redacted credit application from Eric Allaer’s farm in the south end of Lambton County. The Agromart breach was widely reported by cybersecurity blogs and publications that monitor hacking and the dark web and some of them posted some of the example documents.
Putting up data for auction is a new tactic for groups like Revil, which is why it was covered by the cybersecurity press.
Brand says Agromart customers were contacted about the data breach and have been offered a year of monitoring of credit from Equifax at no cost. The company also created an Equifax hotline for customers with any questions.
Allaer says he was quickly contacted by his local Southwest Agromart. They met with him and signed him up for the year of Equifax monitoring.
Not a top-of-mind concern
Ali Dehghantanha, director of the Cyber Science Lab at the University of Guelph’s School of Computer Science, says farmers aren’t paying much attention to cybersecurity.
“I’ve talked with many farmers, very large farmers, who think that their internet service provider is responsible for security. They think that because they are a farmer in rural Canada, no one is attacking them,” he said.
Dehghantanha pointed to a survey of about 100 Canadian farmers, looking at their cybersecurity preparations. The study showed that most of the farmers weren’t willing to spend the money to install anti-virus software on their computer systems after a free trial had ended.
“That’s quite disappointing and quite dangerous,” Dehghantanha said. “Compared to other sectors like the financial sector, the level and state of cybersecurity in agriculture is way behind.”
That compares to a similar study in the Netherlands, where farmers were much more aware of computer hacking threats, possibly because of greater proximity to Russia where many of the threats originate.
It also contrasts with the financial and utilities sectors, where larger organizations have been active in creating standards for individual businesses and organizations to follow relating to cybersecurity, Dehghantanha said. Agriculture, meanwhile, still needs a sector organization to take the lead in developing those best practices, he argued.
Steve Brown, senior project manager for cybersecurity practice at BDO, says that there are three areas to consider when looking at small and medium-size business: people, process and technology.
Have staff been trained, updated regularly and do they understand high-risk data behaviour? Does the business have policies that are documented and can be referred to when a situation arises? Have they been reviewed and updated?
There may be data security technology that farmers and farm businesses can use, starting with antivirus software and moving to third-party monitoring of systems, Brown said. If the people and processes aren’t there, however, he added, technology will not solve the problem.
Pandemic increases risk
The COVID-19 pandemic, with its sudden surge of people working away from their corporate cybersecurity in favour of home offices, opened opportunity for hackers, Dehghantanha said. Less-protected home networks can give hackers an easier route to computer systems, he noted, while a greater mix of personal computing and business computing on the same machines can also ease the way for hackers.
If a worker is using a work laptop for personal email and they accidentally open an email from a hacker, that action could compromise not only their personal data, but also corporate data.
Mark Sangster, vice-president and industry security strategist at eSentire, an Ontario cybersecurity company, says the pandemic shifted thinking about cybersecurity from being iron clad in buildings where data could be protected, and quickly moved it outside. He doesn’t expect that data management will go back to being centralized.
In many ways, farmers have always worked like many people are working now – from home and on decentralized systems that are used for business and personal information.
Sangster says that manufacturing became a target for hackers when they realized that a great number of individual machines were connected to the internet. The same is now true of farms and agriculture companies.
“Farming and agro have been under their radar,” he said.
That’s changing, however. Earlier this year, the Talman Software hack in Australia shut down the wool trade, valued at $80 million per week. Talman Software is used to trade over 70 per cent of the wool in Australia and New Zealand.
“One thing I’ve said to farmers, if you make money and you can pay them, hackers will be interested in you,” Dehghantanha said.
Both Sangster and Dehghantanha say that as countries increase their aggressive cyber activities towards other countries, the food system would make an effective target. They could take control of systems and only use them when they want to create disorder. Think about the potential for closing down barn ventilation systems, Dehghantanha said.
Operations versus IT
The growth in connected devices is driving a larger shift to decentralized computer security. That means the end point, or the device has to be secure.
Those devices are often in the trenches, working with farmers in fields and barns, far away from cybersecurity experts.
That’s a challenge, says Sangster, as the people working with the device don’t have data security expertise, and the information technology people don’t understand what happens in day-to-day use of the device. It’s important to take the steps to bring both worlds together, he said.
Remember that hackers don’t have some giant computer bomb they send out to everyone and suck back in the data. Sangster says cybersecurity is all about, “hands on keyboards.” The hackers get their information because someone has made a slip and given them a route into the system.
Unfortunately, that’s a scenario Allaer knows too well and had gone through before the Agromart Group attack. A scam email that looked like it came from a bank resulted in the theft of money from the farm. Information was passed on to thieves.
“A substantial amount of money was taken out of one of our bank accounts. It opened our eyes,” he says.
At the farm level, Allaer’s office staff is vigilant about any emails that are out of the ordinary and his bank has been informed. Now some of his personal information has been made public due to the Revil hack.
“There’s always a fear that something could happen,” he said. “The fact that Southwest (Agromart) came forward right away said, ‘This is where we’re at with Equifax,’ they’re keeping an eye on it, the RCMP is involved in it and also a government ministry that deals with these things, so I kind of feel a comfort in all that.”
While the Agromart data breach has been a challenge for the company, Brand says that, “We are extremely far from high-profile cases which happen, sadly, too often in Canada. The investigation is well advanced, and we are confident that the scope of the event is minor.”
Good data hygiene
Almost everyone has raised their personal hygiene level during the pandemic with more handwashing and use of sanitizers. It could be time to increase data hygiene too.
Ali Dehghantanha, director of the Cyber Science Lab at the University of Guelph’s School of Computer Science, has several simple rules to reduce risk of losing data to hacking:
Passwords should not be shared among multiple accounts.
Having only one account to log on to a machine and many users who know the password is a risk. This is a particular challenge with on-farm system logins shared among family members and employees.
Change passwords every three months.
Use antivirus software and personal firewalls.
Push third-party providers about their cybersecurity and question them about their liability if their systems are breached.
Farmers now have numerous devices collecting data, both personal and for the farm. How is the data from those devices protected?
“Farmers have to have enough cybersecurity at their own premise.” Talk to cybersecurity experts and to system vendors in order to identify preliminary security gaps in day-to-day operations.
If there’s any sort of a breach, get credentials and passwords changed. Dehghantanha says that even after a known breach, it can take three months before people get around to revising their passwords.
– This article was originally published in Farmtario.