Agriculture pays little attention to computer system security even though it will be an increasing threat as farms get larger, technology use increases and global actors look to disrupt food systems.
That means that agriculture is well behind other important sectors of the economy in protecting its computer networks, says a cybersecurity researcher.
The Agromart Group and their farmer customers recently came up against that reality when the personal information of farmers was posted for auction, after the company refused to pay a ransom after a hacker group locked down parts of its computer system.
Why it matters: Data thieves increasingly see agriculture as an opportunity area as more individual data collection sources show up on farms.
Ali Dehghantanha, director of the Cyber Science Lab at the University of Guelph’s School of Computer Science says farmers aren’t paying much attention to cybersecurity.
“I’ve talked with many farmers, very large farmers, who think that their internet service provider is responsible for security. They think that because they are a farmer in rural Canada, no one is attacking them.”
Lambton County farmer Eric Allaer found out how vulnerable his personal information is, when some of his information was posted to the internet by the hacker group Revil after it compromised the computer systems of the Agromart Group.
Parts of the Agromart Group’s computer system were breached and locked in late May by the Revil hacker group. Agromart refused to pay a ransom and the hackers then decided to auction off the data to the highest bidder.
“Hackers were asking for money to get our data back. The decision was made not to pay in according to our values and authorities’ recommendations,” said David Brand, Agromart’s general manager via email.
Brand says the data breach was contained to Agromart and didn’t affect any other connected businesses like its parent company Sollio.
He says Agromart was able to continue business operations, although they operated “manually” for a while and he expects “the situation will be back to normal shortly”.
Revil tried to sell the data on the dark web – a part of the internet not accessible by search engines and where business is conducted anonymously.
Revil posted some examples from the data it stole, including a mostly redacted credit application from Eric Allaer’s farm in the south end of Lambton County. The Agromart breach was widely reported by cybersecurity blogs and publications that monitor hacking and the dark web and some of them posted some of the example documents. Putting up data for auction is a new tactic for groups like Revil, which is why it was covered by the cybersecurity press.
Brand says Agromart customers were contacted about the data breach and have been offered a year of monitoring of credit from Equifax at no cost. The company also created an Equifax hotline for customers with any questions.
Allaer says that he was contacted quickly by his local SouthWest Agromart. They met with him and signed him up for the year of Equifax monitoring.
Not a top-of-mind concern
A survey of about 100 Canadian farmers looked at their cybersecurity preparations, says Dehghantanha. Most of the farmers weren’t willing to spend the money to install anti-virus software on their computer systems after a free trial had ended, he says.
“That’s quite disappointing and quite dangerous. Compared to other sectors like financial sector, the level and state of cybersecurity in agriculture is way behind,” says Dehghantanha.
That compares to a similar study in the Netherlands, where farmers were much more aware of computer hacking threats, possibly because of greater proximity to Russia where many of the threats originate.
He says that organizations in the financial and utilities sectors have been active in creating standards for individual businesses and organizations to follow relating to cybersecurity. Those sort of best practices don’t exist in agriculture and Dehghantanha says a sector organization needs to take the lead.
Steve Brown, senior project manager for cybersecurity practice at BDO, says that there are three areas to consider when looking at small and medium-sized business cybersecurity. They include:
People: Have they been trained, updated regularly and do they understand high risk data behavior?
Process: Do you have policies that are documented and can be referred to when a situation arises? Have they been reviewed and updated?
Technology: There may be data security technology that farmers and farm businesses can use, starting with antivirus software and moving to third-party monitoring of systems. Brown says that if the people and processes aren’t there, the technology won’t solve the problem.
Pandemic increases risk
The COVID-19 pandemic has opened up opportunity for hackers as workers were forced out from behind their corporate cybersecurity and into home offices, says Dehghantanha. That means less-protected home networks can give hackers an easier route to computer systems. That also means that a greater mix of personal computing and business computing on the same machines on a less-secure network can mean an easier route to business systems for hackers.
If a worker is using a work laptop for personal email and they accidentally open an email from a hacker, then that action could compromise not only their personal data, but also corporate data.
Mark Sangster, vice president and industry security strategist at eSentire, an Ontario cybersecurity company, says the pandemic removed cybersecurity from behind iron-clad business systems. He doesn’t expect that data management will go back to being centralized.
In many ways, farmers have always worked like many people are working now – from home and on decentralized systems that are used for business and personal information.
Sangster says that manufacturing became a target for hackers when they realized that a great number of individual machines were connected to the internet. The same is now true of farms and agriculture companies and that’s drawing attention.
“Farming and agro have been under their radar,” he said, but that’s changing. An example is the Talman Software hack in Australia which shut down the wool trade there, worth $80 million per week. Talman Software is used to trade 70 per cent of the wool in Australia and New Zealand.
“One thing I’ve said to farmers, if you make money and you can pay them, hackers will be interested in you,” says Dehghantanha.
Both Sangster and Dehghantanha say that as countries increase their aggressive cyber activities towards other countries, the food system would make an effective target. They could take control of systems and only use them when they want to create disorder. Think about the potential for closing down barn ventilation systems, says Dehghantanha.
Operations vs. IT
The growth in connected devices is driving a larger shift to decentralized computer security. That means the end point, or the device has to be secure.
Those devices are often in the trenches, working with farmers in fields and barns, far away from cybersecurity experts.
That’s a challenge, says Sangster, as the people doing the work with the device don’t have data security expertise, and the information technology people don’t understand what happens in day to day use of the device. It’s important to take the steps to bring both worlds together, he says.
Remember that hackers don’t have some giant computer bomb they send out to everyone and suck back in the data. Sangster says cybersecurity is all about “hands on keyboards”. The hackers get their information because someone has made a slip and given them a route into the system.
Unfortunately, that’s a scenario Allaer knows too well and had gone through before the Agromart Group attack. A scam email that looked like it came from a bank resulted in the theft of money from the farm. Information was passed on to thieves.
“A substantial amount of money was taken out of one of our bank accounts. It opened our eyes,” he says.
At the farm level, Allaer’s office staff are vigilant about any emails that are out of the ordinary and his bank has been informed. Now some of his personal information has been made public due to the Revil hack.
“There’s always a fear that something could happen,” he said. “The fact that Southwest came forward right away, said this is where we’re at with Equifax, they’re keeping an eye on it, the RCMP is involved in it and also a government ministry that deals with these things, so I kind of feel a comfort in all that.”
While the Agromart data breach has been a challenge for the company, Brand says “We are extremely far from high-profile cases which happen, sadly, too often in Canada. The investigation is well advanced, and we are confident that the scope of the event is minor.”
Good data hygiene
Almost everyone has raised their personal hygiene level during the pandemic with more handwashing and use of sanitizers. It could be time to increase data hygiene too.
Dehghantanha has several simple rules to reduce risk of losing data to hacking:
- Passwords should not be shared among multiple accounts.
- Having only one account to log onto a machine and many users who know the password is a risk. He says this is particularly a challenge with on-farm system logins shared among family members and employees.
- Change passwords every three months.
- Use antivirus software and personal firewalls.
- Push third party providers about their cybersecurity and question them about their liability if their systems are breached.
- Farmers now have numerous devices collecting data, both personal and for the farm. How is the data from those devices protected?
- “Farmers have to have enough cybersecurity at their own premise.” Talk to cyber security experts and to system vendors in order to identify preliminary cybersecurity gaps in day-to-day operations.
- If there’s any sort of a breach, get credentials and passwords changed. Dehghantanha says that even after a known breach, it can take three months before people get around to revising their passwords.