Cybersecurity regular chore

Published: September 8, 2022

Computer systems on farm equipment have recently gotten attention for their possible vulnerabilities, but it’s more likely the old desktop machine that’s been chugging away in the office for years that could be a problem, said cybersecurity consultant Brennen Schmidt. He advocates a full IT inventory for farmers and ag businesses to securely manage IT assets.  |  File photo

As information tech becomes more entrenched in all things agricultural, it’s attracting the attention of cybercriminals, and the industry needs to up its game to protect its operations.

For Brennen Schmidt, a cybersecurity consultant based in Regina, this means doing a full inventory of not only all connected tech on the farm, but also the communications infrastructure it connects to. It’s a job for the farmer, the municipality and the province.

“I think we do need to look at this holistically and think of it less as usernames and passwords and more around the three tenets of cybersecurity,” he said.

These tenets are confidentiality (encryption and sign-in protocols), integrity (making sure no one has altered the data), and availability (keeping the website up and broadband working, for instance).

Schmidt, who speaks on cybersecurity issues across North America, has reached out locally to municipal organizations to explore the questions of access and threats to it. This includes threats posed by humans, and environmental issues such as the forest fires that interrupted internet service in parts of Saskatchewan in 2014.

Farmers can help here by working to prevent accidents with tillage or grain-handling equipment. For their own operations, Schmidt recommended having a backup for physical systems, such as battery backup to keep the broadband tower up and running when the power goes out.

He also advocated creating an inventory for all information technology on the farm, from tractors and combines to tablets and smartphones. This includes a management plan to prioritize equipment and a schedule on when to rotate old machines out of service.

“I’m thinking back on some of the farms I’ve been on where you’ve got the cattle information system or whatever, it’s on the desktop, it’s been collecting dust for 10 years and it never gets shut off,” Schmidt said. “And it works, until all of a sudden, ransomware happens, or let’s say… Microsoft no longer supports that operating system and they’re not patching it.”

How big is the risk? Last year, an ethical or “white hat” hacker who goes by the online name Sick.Codes and some of his fellows turned their attention to the systems of some of the largest agriculture equipment manufacturers, including John Deere, Case IH and AGCO.

With little effort, they were able to get access to individual user accounts including real-world personal information. They could also get access to individual pieces of equipment, which would have allowed them to change software at will. This August, Sick.Codes showed the results of his latest intensive effort over the last year to “jailbreak” a John Deere tractor computer system. At the annual DefCon hacker conference, he played the video game “Doom” on the system to demonstrate his total control.

While this might conjure nightmare scenarios of tractors suddenly making a hard left turn across a busy highway or misapplying spray to damage land, this is unlikely, according to the Communications Security Establishment (CSE), the federal agency tasked with identifying cyberthreats to Canada and its economy.

“Agriculture (food) as a whole is a critical infrastructure sector, as identified by Public Safety Canada,” the CSE wrote in response to an email request. “However, in the absence of a significant escalation in international hostilities, we assess it is unlikely that state-sponsored actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life.”

More likely, the email said, are run-of-the-mill cybercriminals armed with ever-more-sophisticated hacking tools that install ransomware. This malicious software encrypts a system and makes it impossible to use until the victim pays a fee to get the encryption key.

Cybercriminals cast a wide net looking for victims but favour businesses that are particularly vulnerable and large enough to pay significant ransoms, something called “big game hunting.”

“This means very carefully targeting large enterprises that cannot tolerate disruptions and are likely willing to pay large ransom amounts to restore their operations,” the CSE writes.

This would apply to a large operation anywhere in the supply chain in the middle of seeding or harvest. For Schmidt, it’s a vulnerability brought into stark contrast by the pandemic.

“Now we have this huge reliance on just-in-time delivery and in a lot of cases we’ve just found out that just-in-time is just-too-late,” he said.

Strengthening cybersecurity will take effort all along the supply chain. For equipment manufacturers, Schmidt said an effective tack would be to install multifactor authentication on their systems. This protocol is familiar from systems such as those used by banks, where one signs in online, then must enter a code sent to one’s mobile device. He does acknowledge this might be impractical or expensive to implement, but it does offer a high level of security.

Sick.Codes, for his part, has been frustrated by the response to his and his colleagues’ work. It took some doing to get through to the manufacturers to alert them to their vulnerabilities, although they did eventually accept the information and plug the security holes.

He said there is also little incentive to help further. Ethical hackers do their work for the joy of “picking a lock,” but they also have to pay the bills. Technology companies often have programs that these outside players can enroll in and collect “bounties” for identifying problems. Sick.Codes said Microsoft, for example, sent him $20,000 for identifying a vulnerability in their products. So far, ag equipment manufacturers have not followed suit.

For farmers both in Canada and the United States, governments provide tools and services to help assess vulnerabilities to cyberattack and what measures to take. The U.S. National Institute of Standards and Technology (NIST) provides a list of assessment and auditing resources on its website. The CSE also provides guidance online in its “Baseline cyber security controls for small and medium organizations.” It also offers direct help.

“We encourage agriculture enterprises, including independent farming businesses, to contact the Cyber Centre if they have any questions, or wish to receive more tailored cyber threat information.” The email is contact@cyber.gc.ca.
