KANSAS CITY, MISSOURI, US — Agribusiness is increasingly incorporating internet-enabled technologies and data-driven solutions into farm production, food processing, supplier industries, logistics, client communications and sales marketing. Farming operations that have adopted precision farming are even more dependent on advanced technology to carry out their day-to-day business.
Improving internet access is making it easier for agriculture businesses to adopt efficiencies and reduce costs through enhanced technology, but it also widens the cyber-attack surface and threat landscape.
As the industry utilizes cloud-based storage for large data sets, open-sourced or cloud-based software and corporate management of proprietary software, there will be more opportunities for data access and malicious activity by unauthorized users.
Agriculture is now more vulnerable than ever to phishing campaigns that house malicious links and attachments; ransomware that leads to lost revenue and business disruption; exposure of confidential data; and even data integrity issues due to negligent security.
Ransomware’s costly impact
- In 2020 and 2021 there were several major cyber incidents that had an impact on agricultural businesses of all sizes, from large corporate farms to small- and mid-size operations. The US Federal Bureau of Investigation noted a few of the larger breaches:
- In July 2021, a US baking company lost access to its server, files and applications, halting production, shipping and receiving as a result of Sodinokibi/REvil ransomware. It was deployed through software used by an IT support managed service provider. The baking company was shut down for approximately one week, delaying customer orders and damaging the company’s reputation.
- In January 2021, a ransomware attack against a US farm resulted in losses of approximately $9 million due to the temporary shutdown of operations. The unidentified threat actor was able to target their internal servers by gaining administrator level access through compromised credentials.
- In November 2020, a US-based international food and agriculture business reported it was unable to access multiple computer systems tied to its network due to a ransomware attack conducted by OnePercent Group. The threat actors used a phishing email with a malicious zip file attachment and were able to download several terabytes of data through their identified cloud service provider prior to the encryption of hundreds of folders. The company did not pay the $40 million ransom and was able to successfully restore its systems from backups.
- Minnesota agricultural firm Crystal Valley Cooperative was targeted in a ransomware attack in September 2021 and was forced to take systems offline due to cybersecurity incidents. The attack left Crystal Valley unable to mix fertilizer or fulfill orders for livestock feed.
- Russian hackers leveled a ransomware attack on an Iowa farming co-op in September 2021, demanding $5.9 million to unlock the computer networks used to keep food supply chains and feeding schedules on track for millions of chickens, hogs and cattle. New Cooperative in Fort Dodge, Iowa, US, was forced to take its computer network offline to isolate the incursion and shuttered its soil-mapping software as a precaution.
Why is agriculture a target?
The interdependency of information technology and bio-data output of agribusinesses provides ample opportunity for biosecurity threats. Cyber criminals can earn a significant profit exploiting this industry because of its foundational importance in the economy, the value of new bio-automation techniques and the desperation companies could face when business-critical data are held hostage.
Globalization has created an extended supply chain that is far more difficult to secure, and that often results in partnering with and relying on companies that may lack proper cyber security.
Agriculture has had a traditional focus on performance and safety — not security — and that can lead to major cybersecurity gaps in the entire production and distribution chain.
The growing complexity of precision agriculture makes it difficult to manage and secure critical data and functions.
Information firms specializing in agriculture are a potentially vulnerable point of attack.
Methods of attack
Cyber criminals attack agriculture in a variety of ways. They include:
Business email: Using email to impersonate someone the farmer may know and trust and convince them to make an urgent payment or to change their account details.
Text and phone scams: Phishing calls and scam texts attempt to trick targets to reveal personal information or click on a link that downloads malware.
Phishing emails: Cyber criminals can now convincingly mimic branding and content of well-known organizations, which means many people blindly trust them.
Costly technology risks
There are two kinds of precision agriculture businesses: ones that have been hacked and ones that will be.
Being highly connected and successfully handling information flow represent the two key factors that create a successful digitally managed farm operation. But these best practices also become the highest vulnerability to cyberattack to disrupt food production.
Cybersecurity in agribusiness isn’t something that should be assumed is simply an IT function or a task outsourced to a vendor. It’s a way of doing business that needs to start at the top and permeate the entire organization for cybersecurity to work.
Larger operations may be able to weather cyberattacks such as phishing, but small farms or businesses are often unable to absorb that kind of financial loss. The US House of Representatives Small Business subcommittee on health and technology has reported that 60% of small businesses in the United States fail after a cyberattack.
Different types of exposure
Errors by well-intentioned (but often under-trained) employees can cause serious harm, as can direct attacks by disgruntled, rogue employees. Phishing attacks are prevalent, especially during the COVID-19 pandemic. Scams can range from the obvious “Nigerian Prince” attacks to falsified invoices from supposedly real vendors to what is known as “Spear Phishing,” which is highly targeted attacks that appear to be from a trusted source such as the company president.
All agricultural organizations have health care data stored for employees and independent contractors as well as being access points for third-party data. This information is highly regarded by cybercriminals, even more so than credit card information.
Furloughed employees who have become disgruntled with the company may use their own social media accounts to defame their employer as well as distributing sensitive or even false information. While this may create a media liability risk, some cyber insurance policies will cover it.
Corporate social media accounts can be hijacked to spread misleading claims about the organization. That could produce a negative image, especially if the company is well-known or publicly traded.
Both the European Union’s GDPR (General Data Protection Regulation) and the CCPA (California Consumer Privacy Act) requires any company that collects and shares data to get user consent, provide transparency regarding use of the data, and protect that data. Penalties for non-compliance or breach of privacy are steep, so all companies, including agriculture-related businesses, need to provide additional safeguards for sensitive information as well as update and monitor data collection, retention and removal protocols.
Are agribusiness firms prepared?
The most recent MMA Cyber Survey showed that 56% of all respondents ranked cybersecurity as a top-five risk management priority, down from the last survey.
Eighty percent were confident in their organization’s ability to manage and respond to a cyber event, which is a significant increase from the last survey. Eighty-two percent believe they are prepared to prevent such an attack, yet only 45% of respondents said they actually had a plan in place.
As mentioned previously, less than 20% are confident that their data — and the data from connected sources — are secure. About 87% of all agribusinesses did not have a contingency plan to manage security breaches.
Preparing for and managing cyber risk
Just as the goal of food safety regulations is to protect human health, prioritizing cyber security in agriculture is a significant protective step to secure a food supply. The first step is to identify sources of potential risk. This should include conducting audits to fully understand how employees access and use critical and sensitive data. The audit should determine who has access to information and critical systems and examine existing capabilities for monitoring inappropriate system access and potential security vulnerabilities.
Next, institute formal, written policies on the use of corporate networks, and ensure that access to sensitive data is restricted only to parties that require it.
Agribusinesses should also:
- Develop and test a detailed data breach response plan to help the organization act swiftly, decisively, and effectively
- Encrypt all sensitive data and the devices that house that data
- Use secure back-ups for critical data and ideally encrypt, segregate and regularly check the function of those backups
- Use a secure email service that filters for potentially malicious activity
- Implement Endpoint Detection and Response (EDR) software to manage threats
- Train employees and educate suppliers on how to identify, avoid, and report potentially malicious activity on corporate networks, like phishing scams.
- Limit access to sensitive information with privileged access management
- Protect against unauthorized access with frequent password changes and multi-factor authentication
- Regularly review and update software, firewalls and security patches
- Assess the cybersecurity processes of any third parties that access or retain critical data
- Build favorable “hold harmless” agreements into contracts with third-party vendors.
The Council of Insurance Agents and Brokers (CIAB) calculates that the average breach costs nearly $4 million across all sectors.
To help plan for and mitigate the risk of a cyberattack, cyber insurance can serve as a means of protection on both the back end to help cover the costs of a breach and also on the front end. Outside consultants can help bolster cybersecurity and work with employees to help raise awareness of vulnerabilities and the importance of good cybersecurity practices.
There are still unanswered questions around regulatory enforcement and how organizations are prepared for investigations and claims of financial injury from consumers and the ever-creative plaintiffs’ bar, regardless of whether a security or privacy breach occurred. The cyber security insurance marketplace can help address this evolving risk with many carriers providing affirmative coverage for wrongful collection events (although the current cyber insurance marketplace typically requires a security or privacy incident trigger).
According to the 2019 NetDiligence Claims Study Report, which analyzes actual paid claims, small- to mid-size companies have been hit with an average of $178,000 per breach, with crisis services costing $112,000 and legal costs averaging $181,000.
Lost income for small and mid-sized firms averaged $343,000 and the expense to recover systems and files cost an average of $45,000. Equally as bad, there were an average of 280,000 records exposed to hackers, which produces a per-document cost of $234 on average.
Hannah Hoeflinger is national cyber risk operations leader for Marsh & McLennan. She may be reached at Hannah.Hoeflinger@MarshMMA.com.