The concept of the connected farm has been gaining traction in recent years, with more producers opting for technologies that link their systems and equipment with on-farm networks and the cloud. These developments have brought more efficiency, productivity and profitability to many farm businesses, but it doesn’t come without risk.
If not adequately protected, data and the software involved in operating business systems can be accessed and/or manipulated by malicious parties, which is why cybersecurity — protecting data and operating systems from ransomware and other cyberattacks — is getting more attention in farm circles.
Producers learned how to better protect their farm businesses in a webinar series early this year hosted by Glacier FarmMedia, which was based on an ongoing project aimed at enhancing cybersecurity capacity in Canada’s agriculture sector. The Community Safety Knowledge Alliance is involved in the four-year project, which ends in 2024, and is funded by Public Safety Canada’s Cyber Security Cooperation Program.
Read Also
The issue with scar tissue
Without a healthy amount of movement, friction and influence during the healing process, scar tissue may later disrupt how the body moves around it, so maintenance is needed as soon as an incision or wound heals over, Kathlyn Hossack writes.
A poll conducted in conjunction with the webinar series found that participants thought cybersecurity was a real farm business risk and a priority for producers. However, while participants noted cyberattacks are happening to people they know (and one participant had been the subject of a ransomware attack), they didn’t necessarily think an attack would happen to them. Poll participants also reported they didn’t always know where to start when it came to cybersecurity, and they needed more information about what to do to protect themselves.
During the series, cybersecurity expert Ritesh Kotak, Janos Botschner, lead investigator at the Community Safety Knowledge Alliance, and Lenore Newman, director of the Food and Agriculture Institute at the University of the Fraser Valley, discussed the threats posed by cyberattacks on agribusinesses and they offered some advice on how to deal with them.
Botschner acknowledges figuring out how to protect farm data and operating systems can be overwhelming for farmers, like any business owners. That’s why he urges producers to take things one step at a time.
“The survey showed that self-confidence among the participants in handling a cybersecurity attack is not very strong and that’s understandable,” he says. “This is a journey. Take practical steps and continue to deepen your awareness as time goes on so that you can be on the lookout for new potential challenges.”
Ransomware attacks
One challenge could be coping with ransomware, a software program that locks out access of a business or organization to its own data, with access to the data returned only when a ransom is paid in digital or untraceable currency. Kotak says ransomware attacks in the agri-food industry have become more common — the 2021 attack against international meat processor JBS is one example.
Kotak says until recently cybersecurity has been largely a reactionary concept. That is, businesses and institutions react to ransomware demands and other types of cyberattacks instead of actively working to prevent them. Because of the growing threat, however, business leaders throughout the food value chain are thinking much more about cybersecurity and putting more protections in place.
Most cyberattacks are financially motivated, but malicious parties may also be motivated to attack farm businesses for other reasons, like disrupting supply chains during international conflicts, or perhaps animal welfare activism, Kotak says.
The webinar panelists conclude large-scale agri-food businesses may be bigger targets for cyberattacks than most Canadian farm businesses, but they’re also more likely to have better cybersecurity. However, for less reward — but also less work — attackers are turning to smaller businesses in every sector, which may not have adequate protections in place. And that could include your farm.
If your farm business is struck by a ransomware attack, Kotak doesn’t recommend paying the ransom because there’s no guarantee you’ll get your data back if you do pay, and paying may encourage repeat ransomware attacks.
Kotak says a better strategy is to develop and implement a cybersecurity plan that includes contingencies for restoring farm business data from backup systems and patching the gaps the attack has revealed. Learn from the incident, he says, and continue to back up your data and take other actions to protect your farm business.
Phishing expeditions
We’ve all seen them — phishing emails that are very specific and authentic-looking, which ask you to do something you shouldn’t, like reveal login credentials or passwords. Phishing emails can come from an unknown email address or from familiar but hacked email accounts, which prompt you to click on a link. The link may prompt you to enter personal or financial information, or clicking it may allow ransomware or some other form of malware to access your systems.
Botschner says it’s critical to train yourself, your family and your employees to recognize phishing emails.
“Over 90 per cent of attacks rely on manipulating victims, such as clicking on a link in a phishing email or on human error, like failing to notice a threat,” he explains. “Always take time to read emails and ensure they are authentic, and that links are verified as safe. This is especially important at busy times of the year on the farm when you are distracted and tired. Everyone in your family and all of your employees should be doing the same.”
Botschner and Kotak point out a vendor’s email system can be hacked, and, therefore, the email address is recognizable, however, the email is from a malicious party. If you receive something like a request to input your data on a new payment platform, reach out to the vendor to ensure it’s a genuine request. Vendors may not be aware they have been hacked.
Any vendor websites where sensitive information from your farm business is shared or financial transactions are completed should have a padlock next to the URL or have a web address that begins with https (the letter h in https stands for secure).
Kotak suggests farmers should also ask their vendors about their cybersecurity levels. “When you sign up with a new service, one of the questions you want to ask is, ‘Who owns my data? That is, if I end up leaving the service, does the vendor keep copies of it, and, if so, where is it housed, or do I get my data back? Also, does the vendor have access control processes in place, and is data encrypted? Do they do third-party cybersecurity audits?’ If they are not upfront about their policies or say they are working on them, if they are not transparent, that’s a red flag.”
It’s important to preserve evidence of ransomware attacks and other cybercrimes and to alert law enforcement officials and others who will be affected by the breach, conclude the webinar panelists. While random phishing emails are common and can be deleted without further action, an email from a hacked business email account should be reported to local police and the Canadian Anti-Fraud Centre.
You could also consult with a lawyer or cybersecurity expert about additional action you should take to protect yourself legally — particularly if customer data you hold (like credit card information from a farm gate shop) has been breached, in which case you would need to file a breach report.
A moving target
Kotak stresses cybersecurity is an ongoing activity, not something where you can check a box and consider it done.
“It’s not an, ‘I’ve downloaded some sort of security software and I’m secure,’ situation,” he says. “You have to continually work on it. It’s a moving target. If you have some sort of antivirus software, good — but that’s where it begins, not where it ends. You have to think about the threat factors, think about data security and keep your systems up to date.”
The webinar panelists recommend producers try to put together an official cybersecurity policy and standard operating procedures for everyone involved in the farm business.
This can be as simple as a written plan that outlines important dos and don’ts, which could include things like phoning a vendor when a business email requests a change in payment method, instructions on how and how often you need to back up critical data and make sure software is updated, or the necessary steps to get your farm systems up and running after a disruption.
A few more steps farmers can take to beef up their cybersecurity include the following:
- Always update your software. Newer versions generally have better security features.
- Put a reputable antivirus software program in place.
- Consider using a VPN (virtual private network), which encrypts data, with your farm network and your mobile devices. Do not use public Wi-Fi for any personal or farm business use without protecting yourself (for example, by using a VPN).
- Understand what data and systems are critical to your business and start by focusing on these. Ensure you are making regular data backups and work with an IT company to understand how to access these backups to restore your data and systems should the need arise.
- Have a reliable IT company you can contact if you need help. For instance, consult with a company to ensure you have an adequate firewall for your computer network to protect you from fraudsters and hackers.
