Activists attacked an Ontario hog farm with ransomware this spring. But instead of cash, the attackers demanded the family publicly admit to what the activists claimed were instances of livestock mistreatment.
For Ali Dehghantanha, a cybersecurity expert and professor at the University of Guelph, the occurrence was both unique and alarming.
Why it matters: The agriculture sector is lagging behind other industries when it comes to cybersecurity readiness and implementation of cybersecurity standards. Cyber risks are growing and changing as malicious actors seek to cause market disruptions at multiple levels.
Read Also
Ontario Sheep Field Day returns with focus on welfare tech and productivity gains
Veterinary demos, including Solvet’s pain-reducing Lidoband castration, highlight innovation for commercial sheep producers at Ontario Sheep Field Day
Dehghantanha is head of the university’s Cyber Science Lab, which offers a for-fee support service to those dealing with cyberattacks. While the number of cybersecurity incidents across Ontario’s agriculture industry has been rapidly increasing overall, he says the cashless ransomware attack against the family hog business – an incident he and his colleagues helped the family resolve – highlights what could become a wider trend in tactics used by special interest actors.
According Dehghantanha, the attack perpetrators claimed to have incriminating evidence showing animal abuse on the farm, including camera footage taken from what they claimed was a now-compromised surveillance system.
To release their hold on the farm’s network, the attackers wanted a public statement, from the business owners, admitting to animal abuse.
No such footage existed and claims of compromised cameras were false. Except for the demand for self-incrimination, the attack proved to be a standard, easily manageable ransomware attack.
“This was the first time working in this specific industry we have seen ransomware not asking for money. That would make our job much more difficult as we are dealing with adversaries whose motivation is not money,” says Dehghantanha, adding transfer of cash is often the riskiest part for those committing ransomware attacks because the movement of funds can be tracked.
“Prior to this we were not concerned with these small family food businesses…There was not a playbook for these kinds of situations.”
More accessible ransomware
Dehghantanha says his lab has been engaged with 20 cybersecurity issues reported from southern Ontario in the first half of 2023 alone – up from a mere handful in 2019. Awareness of cyber risk has likely played a role in higher reporting, but it’s also getting easier for bad actors to acquire harmful attack tools, including ransomware.
The agriculture and food sectors are underprepared for such threats. Dehghantanha says they lag other sectors, notably energy and health, by approximately five years. Remedying the problem would begin by establishing a committee or another body of industry representatives, technology experts, and others to design cybersecurity standards “rooted in the reality of the industry.”
“We must identify steps for farmers and businesses that can be gradually achieved to get to the same level. This has happened in energy and health sector so there’s no reason it can’t happen in agriculture sector,” says Dehghantanha.
“We need to identify a body responsible for receiving these standard reports from farmers trying to evaluate them and give feedback and work with them… If a farmer knows they are level two, level three, or whatever level they are, it would make it much easier for them to understand and improve.”
Awareness and practice
Stakeholders in the agriculture sector, such as Ontario Pork, say they are raising awareness about the ever-growing need for better cybersecurity. In an email received July 12, Ken Ovington, general manager for Ontario Pork, says the commodity group “routinely meets with cybersecurity experts and researchers to gather knowledge that can be used to create awareness and provide informational tools that are valuable to pork producers and the provincial pork industry.
“These types of cyberattacks are undeniably on the rise. As technology usage increases, so does the methods and sophistication of cyber criminals, so it’s crucial that producers, agricultural organizations and government continue to prioritize cybersecurity measures, stay vigilant, and collaborate to prevent future cyberattacks,” says Ovington.
Strategies used to prevent issues within the organization were listed as well, including cybersecurity training for employees. No comment on specific incidents, such as the ransomware attack on the family hog operation, was provided.
Julie Kuiack, Ontario’s Pork’s manager of marketing and communications, says her organization has not seen a noticeably higher trend in reports of cyberattacks from membership. She also says the organization is not aware of other ransomware attacks against individual hog operations, but the case outlined by Dehghantanha is concerning.
Awareness of and preparedness for cyber threats has generally improved in the agribusiness community, according to Russel Hurst, executive director for the Ontario Agri Business Association. That said, he divides the sector into three rough categories – those with well developed cybersecurity plans, those who have made little or no investment, and the “mushy middle” where improvements have been made, but further action is required.
Hurst says looking at the issue and remedial actions as a collective, sector-wide problem will be increasingly important, particularly if the goals of malicious cyber actors are explicitly designed to cause market chaos.
Easy steps to reduce personal and organizational risk include changing passwords, initiating two-step verification, and knowing which individuals have access to critical login credentials, such as bank accounts. Hurst says there is also value in having outside experts analyze and audit networks for cybersecurity readiness.
“OABA had an expert come in and audit our system. I think that’s a good thing – to understand where you’re vulnerable,” he says. That investment is tiny compared to what a cyberattack could cost.
“There’s a lot of money flowing through the sector. It would not be uncommon for a significant [farm] to be doing $4 or $5 million in sales…
“That’s where I would be really concerned. It’s a lot of cash, business transfers being done online. As the pace of business e-commerce has evolved, some of those businesses need to do a checklist (to) understand where vulnerabilities are, if there are any, and work with someone who does this every day.”
Like Hurst, Dehghantanha encourages greater awareness and preparedness. Establishing standards would help the agriculture sector improve overall security and potentially bring spinoff benefits like lower insurance rates for higher cybersecurity scores.
But individuals and organizations must also pay attention to the threat posed by cyber criminals focused on industry disruption over money.
“We don’t need to wait for a standard to work on awareness. If you have livestock, you could be on a target list.”
How to reduce risk
Cathy Lennon, general manager for Ontario Federation of Agriculture, described a number of simple but effective steps farm businesses can take to reduce their vulnerability to cyberattacks in a post on the organization’s website:
1. Make a checklist of all your current technology and ensure you’re using current software versions and systems.
2. Establish basic rules for your team to recognize where threats come from and what to do – or not do. Free online videos are available to help with training.
3. Ensure new systems or devices are set up properly. Ask suppliers what security the devices have and whether data is encrypted.
4. Don’t share passwords. Ensure passwords are strong, and update login credentials when an employee leaves the business.
5. Back up data and install valid anti-virus software, firewalls and malware detection systems. Keep these systems up to date.
“Ultimately, we need to think about cybersecurity on the farm like we do biosecurity – an investment into a best practice that, while not foolproof, will go a long way to minimizing or even avoiding risk,” writes Lennon.
“Yes, it can be tedious and there is some cost involved, but every day, week or year that we protect our businesses and prevent problems is invaluable.”
