Cyber Security Risks: Not a matter of if, but when

Technology adoption in the farming sector is accelerating significantly as farms are looking for solutions to problems on the farm, from labour shortages to better animal health. Smart, connected devices of all kinds are collecting more data on-farm than ever before, and then analyzing that data to help farmers make better decisions and improve the productivity and performance of their operations.  

“With the labour-intensive nature of agriculture, you see a lot of technology to make things more efficient – like cameras and heat sensors to monitor poultry health and well-being,” says Steve Brown, senior manager of cyber security at BDO. “Through the Internet of Things (IoT), everything can now speak to everything.”

According to Rozita Dara, associate professor in the School of Computer Science at the University of Guelph, technology can serve as an early warning of possible health problems in the barn by detecting disease or a change in behaviour. It can also collect information from other places to get historical or other data help decision-making.  

“What this means is that you can take action to prevent disease introduction or spread – but you can also make better decisions to protect the supply chain, which is especially a problem for poultry due to Avian Influenza,” Dara says. 

Identifying cyber security risks on the farm
All that connectivity and data collection isn’t without risk, and incidents of cyber security breaches – from compromised data to a system being frozen until a ransom is paid – are mounting. Agriculture is a particularly vulnerable sector, and experts agree that it’s not a matter of if but when a farm business will have a cyber security problem. 

These can result in disruptions of farm operations, financial losses for farmers, unauthorized access to sensitive information, and challenges to Canadian food security if the issue impacts the broader supply chain. 

“There’s a lack of understanding of what hackers really want. They don’t care about your information but they know that you do so they’ll hold it so that you can’t use it and have to pay to get it back,” Brown says. “If you’re a farm that relies on payroll information or data on your livestock and you all of a sudden don’t have access to that system anymore because it’s a victim of a ransomware attack, that’s a problem.”

Although there is a lack of minimum cyber security standards in the sector, it’s not that cyber attackers are specifically going after agriculture, however; it’s that they will automatically go after the most vulnerable targets, notes Ali Dehghantanha, a University of Guelph Canada Research Chair in cyber security and threat intelligence.  

“If your systems are connected to any network, you will be of interest to attackers. They pick the easiest, quickest targets and use them as the basis to attack other users,” he says, adding that his research has shown that a small business that is compromised has an 80 per cent chance of closing permanently after a significant attack. 

The biggest vulnerabilities stem from: outdated, unmaintained systems, such as running old software that is no longer being updated; no data backups; lax approaches to who has access to systems on the farm; and a lack of awareness of things like phishing emails, where fake messages encourage users to click on potentially damaging links. 

“In 90 per cent of farming systems, the last software update was years ago, and the business has no patching or updating policy. This is very common and the most profound issue we see,” Dehghantanha says. 

To help get a better sense of cyber security readiness across the agriculture sector, the federal government is currently funding the multi-year Cyber Security Capacity in Canadian Agriculture project. It includes a literature review of digital systems in agriculture; interviews and focus groups with the ag sector; a producer survey; and resources specifically for farmers. 

“One of the things we found in our is that we have a relatively low perception of risk and that there is no widespread knowledge of the threat landscape in agriculture,” says the project’s lead investigator Dr. Janos Botschner. “It isn’t currently a top priority for producers and although generally there are cyber security practices in place, they are uneven and not as strong as they can be.” 

The project is entering its final year and a framework will be released shortly that focuses on opportunities to strengthen cyber resilience through partnerships, what Botschner refers to as a “cyber barn raising”. 

Building up your protection
What steps can farms and others in the agricultural supply chain do to protect themselves? These experts agree that the goal should be to minimize risk. Here are their recommendations:

• Understand your current situation. Make a checklist of all your current technology and make sure you’re using current software versions and that systems are up to date. Seek help if you’re not sure what to do or how to do it. 
• Educate the people using your systems. People are the number one risk, so this includes basic rules about what to do or not to do, and making sure people understand where threats come from. Free online videos are available for training.
• Have a plan. Operate under the assumption of “not if but when” and know what to do for disaster recovery and continuity. 
• Ask questions of your suppliers. When someone is setting up a new system, ensure it is set up properly. Ask what security the devices have and whether data is encrypted. 
• Change passwords regularly. Avoid a single password for all users and make sure passwords are updated when an employee leaves the business. 
• Back up your data. This can reduce data loss and down time in case of a problem.
• Install digital protections. This includes anti-virus software, firewalls and malware detection systems. Ensure you have a valid product license and that the programs are up to date.