If the hackers haven’t targeted you yet, they probably will soon. The ag and food industries aren't immune, and it’s best to be ready.
That’s the message from cybersecurity experts for those in the food and agriculture industry, who are now on high alert because of recent ransomware attacks targeting the Colonial Pipeline and JBS, the nation’s largest meatpacker.
JBS ended up paying $11 million in Bitcoin to end the attack, The Wall Street Journal reported, a decision it made even though “the vast majority of the company’s facilities were operational,” the company said June 9. It was a “difficult decision,” JBS USA CEO Andre Nogueira said. But JBS said it chose that route “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”
Ransomware is akin to blackmail: Pay and the hackers will give you a key to get your data back. The FBI defines it as “a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return.”
But money’s not the only object of hackers’ desires; Paris Stringfellow — a vice president at the Cybersecurity Manufacturing Innovation Institute (CyManII) and a researcher at Clemson University in South Carolina — and other experts note they may also be in search of customer data or want to gain control of processing or farming equipment to “quietly modify your product quality, to hurt your reputation, or they might even want to steal your Intellectual property.”
Jay Felton, head of the agribusiness and food industry group at the Lathrop GPM law firm, also said “operational technology” security is a major focus — “someone coming in and taking control of your assembly line or shutting down your power, so you literally can't get in your building.”
Attacks are increasing. The Washington Post, in a lengthy report Sunday, said its analysis shows ransomware attacks “more than doubled from 2019 to 2020.” The newspaper also said experts estimate hackers got $412 million in payments last year.
Whether they are criminals out to make money or hackers sponsored by nations such as Russia to cause havoc, cyberattackers have the benefit of time to choose their victims and billions of connected devices worldwide ripe for exploitation.
“There's a large opportunity to make money and a small likelihood that they’re going to get caught,” said Scott Algeier, executive director of the Information Technology-Information Sharing and Analysis Center. “In other words, until we change that equation, ransomware will continue to be a threat.”
IT-ISAC is a nonprofit that provides member companies with threat intelligence and allows them to share information on cyber threats. Its board include Bunge, Corteva Agriscience, Cargill and ConAgra.
The food and ag industry, as an essential sector of the economy and society, is especially vulnerable, experts say. And the push toward more transparent supply chains can enhance that risk, Stringfellow said.
“Some of the biggest kind of vulnerabilities come from the connectivity of [companies’] supply chains, and that's only growing,” she said, as people seek to know where their products are sourced. “And that requires supply chains to be transparent and to share data, which, if left unprotected, begins to exponentially open us up to vulnerability.”
Anything connected to the internet — a computer in a tractor cab or a temperature sensor that’s part of the manufacturing process, for example — can serve as a doorway for hackers to get into a system and wreak havoc. A few years ago, hackers used a sensor in a fish tank to gain access to a Las Vegas casino.
Or, they can just wait. “The classic thing is that attackers go in and lurk, sometimes for very long periods of time, and maybe exfiltrate data,” said Molly Jahn, a plant geneticist at University of Wisconsin-Madison who was undersecretary of research, education and economics at USDA in 2009 and 2010 and has done extensive research on cybersecurity. Jahn is currently on loan to the Defense Advanced Research Projects Agency (DARPA) but spoke to Agri-Pulse in her personal capacity as an expert.
Large manufacturers seem to have gotten the message, experts say. ”If you're working for a GE or a Siemens, you are a technology company” and understand the risks, Stringfellow said
Archer Daniels Midland’s CEO Juan Luciano, speaking at The Wall Street Journal Global Food Forum last month, said the company regularly runs “tabletop exercises” simulating such attacks, which it has had to fend off in the past. The company has a ransomware task force.
“Most of them (the hackers) are trying to get money,” and they gained access through “phishing” emails impersonating someone else, he said. “They haven’t impacted our operations,” he said.
ADM is “a company that is based on risk management, on having redundancies, on having multiple sources for the same customer,” he said, mentioning its array of transportation options, including barges, railcars and trucks.
“We have multiple locations so if you cannot deliver to one elevator, you can deliver to another,” he said. “We are not, of course, completely invulnerable to an attack, but we feel very good about all our levels of protection.”
Smaller companies may not feel concerned about becoming targets, but they should be, Stringfellow said. “We find that the small- to medium-sized manufacturers, they're the ones where we really notice a lack of urgency.”
One reason may be that companies in the business of making food products may not think of themselves as technology companies. But any company with an internet connection is at risk, as the universe of “Internet of Things” devices continues to grow. The phrase refers to the myriad devices that today are connected to the Internet — refrigerators, thermostats and home security systems, for example.
Interested in more coverage and insights? Receive a free month of Agri-Pulse West
Attacks “can come from anywhere,” Stringfellow says. “They can come from insider threats” — people who work within the company or have a connection to someone there. There also are companies that are purely in the business of committing cybercrime — “they call it ransomware as a service,” she says.
“The threat is real and it's growing,” she says. “And every day you buy a new web application to help you manage your inventory or buy a new smart tractor, add a new component to your system, you are increasing your threat landscape,” Stringfellow said.
Part of the problem is that hackers are always becoming more sophisticated in ways that companies are not able to anticipate. “Many of the ransomware attacks that are happening now, people did not realize that they can be attacked like that,” said Sajal Das, a professor of computer science at Missouri University of Science and Technology who specializes in cybersecurity, cyber-physical systems and large-scale smart environments.
What can companies do to prevent attacks? Jahn said “it’s all the usual stuff everybody always says” — strong passwords, not using the same password over and over, two-factor authentication, and “backup, backup, backup” of critical information “in a secure place where it would be protected from any conceivable attack.”
Security patches and software updates also should be installed immediately, experts say.
“You can pretty much imagine any system under digital control that is not secured, potentially could be either interrupted or hacked so that it no longer performs adequately,” Jahn said.
Jahn also points to materials available from the FBI and the Cybersecurity & Infrastructure Security Agency to help companies address security and what to do in the case of an attack. CISA has a raft of tools to help companies assess their vulnerabilities, and the FBI’s cybercrimes unit also has advice on protection.
Stringfellow said CyManII is trying to persuade the manufacturing industry to address cybersecurity at all levels of its organization — “all the way from the CEO down to every single employee, and to consider baking cybersecurity into all of their business processes from the beginning.”
Companies also need to look at whether their insurance policies cover cyberattacks, says Tedrick Housh, a partner at Lathrop GPM.
“This is a very fluid area,” he said. He advises companies to “have a plan and regularly update that plan to make sure that you're prepared to respond to a situation if you do have one come to pass, and to make sure that you have insurance in place to protect yourself if you are hit.”
And if you are hit, “the first thing a company subject to this type of attack should do is contact the FBI,” Jahn said.
For more news, go to www.Agri-Pulse.com.