Vital infrastructure: securing our food and agriculture

I don’t expect to hear any arguments on whether the production of our food is important or not. So why do we hardly ever hear anything about cybersecurity in the food and agriculture sector?

Depending on the country, agriculture makes up about 5 percent of the gross domestic product. That percentage is even bigger in less industrial countries. That amounts to a lot of money. And that’s just agriculture. For every farmer, 10 others are employed in related food businesses.

In fact, the food and agriculture sector is made up of many different contributors—from farmers to restaurants to supermarkets and almost every imaginable step in between. They range in size from a single sheepherder to multinational corporations like Bayer and Monsanto.

With a growing population and a diminishing amount of space for agriculture, the sector has grown to rely on more advanced techniques to meet the growing demands for agricultural products. And these techniques rely on secure technology to function.

Precision agriculture

Precision agriculture is an advanced form of agriculture, and as such, it uses a lot of connected technology. This basically puts it in the same risk category as household IoT devices. When looking at these devices from a security standpoint, it doesn’t matter a whole lot whether you are dealing with a web printer or a milking machine.

The connected technologies that are in use in agriculture mostly rely on remote sensing, global positioning systems, and communication systems to generate big data, analytics, and machine learning.

The main threats to this type of technology are denial-of-service attacks and data theft. With limited availability of bandwidth in some rural areas, communication loss may also be caused by factors other than a cyberattack, which makes it all the more important to have something to fall back on.

Data protection and data recovery are different things, but they are so closely related that solutions need to account for both. Data protection mostly comes down to management tools, encryption, and access control. Recovery requires backups or roll-back technology, which is easy to deploy, and the backups require the same protection as the original data.

Supply chain

The supply chain for our food is variable, ranging from farmers’ supplies to the supermarket where we buy our food. Depending on the type of food, the chain can be extremely short (farm-to-table) or quite long. You may find a pharmaceutical giant like Bayer as a supplier for a farmer, but also as a manufacturer that gets its raw materials from farmers. Recently, Bayer was the victim of a cyberattack, which was likely aimed at industrial espionage.

Given the sensitive nature of the food supply chain, which directly influences our health and happiness, it is only natural that we want to control the security of every step in the process. To do so, we also need to look at suppliers other than those of physical goods and systems.

Financial institutions, for example, are heavily invested in agriculture, since it is one of the largest verticals. Back in 2012, a hacking group installed a Remote Access Trojan (RAT) on the computer of an insurance agent and used it to gain access to and steal reports and documents related to sales agents, as well as thousands of sent and received emails and passwords from Farmers Insurance.

Traceability across the supply chain is increasingly in demand by the public and by sellers of the end products. They want to know not only where the ingredients or produce came from, but also when the crop was harvested and how it was grown and treated before it ended up on store shelves.

Physical protection

Besides disrupting the industry supply chain, cyberattacks could potentially be used to harm consumers or the environment. An outbreak of a disease and the consequential fear of contamination could devastate a food processor or distributor.

Given the number of producers and their spread across the country, a nationwide attack as an act of war or terrorism seems farfetched. But sometimes undermining the trust of the population in the quality of certain products can serve as a method to spread unrest and insecurity.

We have seen such attacks against supermarkets where a threat actor threatens to poison a product unless the owner pays up. In Germany, for example, a man slipped a potentially lethal poison into baby food on sale in some German supermarkets in an extortion scheme aimed at raising millions of Euros.

In Mexico, a drug cartel used government information about one of the most lucrative crops, avocado, to calculate how much “protection money” they could ask of its farmers, implying they would kidnap family members if they didn’t pay.

Cybersecurity for food

In the food and agriculture sector, cybersecurity has never been a prominent point of attention. But you can expect the technology used in precision agriculture to become a target of cybercriminals, especially if resources become more precious. Whether they would hold a system hostage until the farmer pays or whether they would abuse connected devices in a DDoS attack, cybercriminals could take advantage of lax security measures if the industry doesn’t sit up and take notice.

The use of big data to enhance production and revenue makes sense, but with the use of big data comes the risk of data corruption or theft.

Meanwhile, the food and agriculture sector operates in chains and is dependent on other chain organizations or third parties. What is true for any chain is that it is only as strong as its weakest link, which in this case tends to be single farmers or small businesses. And as in most sectors, budgets of small businesses are tight, and cybersecurity is somewhere near the bottom of the list in spending. That is the case even though an attack on expensive farming equipment could be costly, not to mention the cost of shutting a company down for a while in a ransomware type of attack.

You’ve got that backwards

As the farming equipment industry has no problem forcing farmers to have their maintenance done by authorized dealers, farmers have resorted to installing firmware of questionable origin on their tractors to avoid paying top dollar for repairs and maintenance. This opens up a whole new avenue for cybercriminals to get their malware installed by the victims themselves. Apparently, all you have to do is offer it up as John Deere firmware on an online forum. You can even get paid for selling the software and then collect a ransom to get the tractor operational again as a bonus.

Recommendations

While farmers are known to cooperate when buying and selling goods, and to exchange information about illnesses and diseases, there is no such initiative when it comes to sharing information about cyberthreats and how to thwart them. Setting up such an initiative might be a first step in the right direction.

In our society, being able to trace where a product or its ingredients came from is becoming more important. The implementation of traceability could be an ideal moment to couple it with data security.

For the same reason as with household IoT devices, manufacturers should be held accountable for providing an acceptable level of security in their products, or the possibility to apply such a level. That means no hardcoded credentials, no hard-to-change passwords, and no weak default security settings.

Stay safe, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.