Is Cyber Security a Black Swan in Ag?

Ag companies compromised, Ransomware, John Deere cybersecurity investment and more

Join 6000 ambitious agribusiness professionals from around the world and subscribe to Upstream Ag Insights to receive essential news and analysis right to your inbox every Sunday!

The more high-tech we become, the more vulnerable we become. And ag is becoming ever reliant on technology.

David Kohl, Professor Emeritus of Agricultural Finance, Virginia Tech University, has said:

Cyber attacks on agricultural technology could be a black swan facing the agricultural industry over the next decade.

This past week there were two news items related to cyberattacks on USA based farm cooperatives.

The first was Iowa based co-op, New Cooperative:

An Iowa grain cooperative has been attacked by a Russian-linked hacker seeking a multimillion dollar ransom, just as the state's farmers are rolling into corn and soybean fields to begin the fall harvest.

New Cooperative, a farm services business with headquarters in Fort Dodge, was targeted by a Russian-backed ransomware group called BlackMatter who was demanding a $5.9 million ransom. 

The second was Minnesota based Crystal Valley Co-op:

Crystal Valley Cooperative, a farm supply and grain marketing organization, was hit with a ransomware attack that has infected computers and disrupted operations.

These events lead US agriculture secretary John Vilsack to urge ag cooperatives to “harden” defenses against cyber attacks.

This news comes on the heels of the JBS cyberattack in June that seen JBS pay out $11 million to a “likely Russian based” ransomware group.

So what is ransomware?

a type of malicious software (malware) designed to block access to a computer system until a sum of money is paid.

In a world that is increasingly digital, these types of attacks grow in likelihood, and impact. And impact is an important word when looking at who gets targeted.

There are other forms of cyber security risk, but ransomware presents one of the costliest: Predictions show the damage caused by ransomware could cost $265 billion by 2031 worldwide and will be approximately $20 billion this year, a 57x jump from 2015. 

I am not an expert in this space, but in doing some research it was apparent that who to target comes down to the impact and opportunity as major parts of the formula.

Opportunity might be focused on smaller organizations because they have a lower level of security, making it easier to penetrate their defenses.

The second is impact because of the likelihood they will pay the ransom. For instance law firms and other organizations with sensitive data may be willing to pay to keep news of a compromise quiet, or organizations that have high value operations and need to have their infrastructure running to operate their business effectively, like a grain terminal or meat packing plant. This is especially apparent when we look at the importance of food.

This report, Cybersecurity in Smart Farming, from August 2020 sheds light on the topic too. A few quotes that stood out:

Agriculture is one of the smaller cybersecurity markets, however, accounting for approximately 2-3% of the total spend in 2019, or $1.1-1.6 billion in North America.

To put this into context though, in the USA ag and food is 5.2% of GDP according to the USDA, and 7.4% in Canada according to Ag Canada, indicating a potential mismatch in cyber security spend within the industry.

In 2018, the US Council of Economic Advisers reported the agricultural sector experienced 11 cyber incidents in 2016. Compared to other sectors, such as transportation or manufacturing, the agricultural sector experienced a relatively low number of reported cyber incidents. While historical data show lower “likelihoods” of such attacks in the agricultural sector, the externalities of insufficient cyber protection, spillovers of attacks on linked sectors, and the growing implementation of cyber devices in general and in the agricultural sector, in particular, suggests that the severity of any such incident or attack could be more profound in the near future.

The risk doesn’t stop at infrastructure to run facilities and ransomware, it also gets into tractors themselves and the data and information associated, or in control of (eg: autonomous equipment could literally lead to safety issues).

In August Vice published this article: Hacker Says He Found a ‘Tractorload of Vulnerabilities’ at John Deere

Security researchers found multiple vulnerabilities in the systems of John Deere and Case New Holland, two of the country's largest agriculture tech companies, according to a presentation at the Def Con hacking conference. In the wrong hands, they warn that these weaknesses could put consumers and the global food supply chain at risk.

These weren’t just small weaknesses either (emphasis mine):

We could literally do whatever the heck we wanted with anything we wanted on the John Deere operation center, period. And that's when we pretty much stopped because we pretty much had rope on the whole organization.

John Deere says this was exaggerated. They also stated they’ve increased spending on security "by about 750% in the past seven years."

However, it still shows the risk that is there in an ever digital world. And this can go beyond tractors yet to, to impacting input manufacturing trialling initiatives, traceability/sustainability initiatives, marketing capabilities and even corporate espionage!

So what can agribusinesses do?

According to this security group, much the same as other industries. A few examples:

  • Encrypt/ secure critical technologies (eg: laptops, smartphones)

  • Train employees to identify issues

  • Build incident response plans

  • Back-up data

These are basics, but it seems that the need to spend on this area, and discuss the topic, is going to be one top of mind for organizations in the future, especially as we continue to see digitization in ag.

One final comment: With there being more and more 3rd party digital systems being used by agribusinesses too, it is prudent to understand security protocols of your digital suppliers.

Share Upstream Ag Insights