Agriculture and Cyber—Made for Each Other

2021/2022 Cyber Attacks Involving Agriculture

According to "FBI Security Alert on Ag Cyberattacks" in Progressive Farmer by Victoria Meyers, April 20, 2022, two attacks, one in February 2022 and the other in March, directly went after grain processors and feed mills. The February incident was a ransomware attack on a feed milling service, but it was stopped before encryption took place. The March attack, on the other hand, was a LockBit 2.0 ransomware attack by hackers on a multistate grain company that provides seed, fertilizer, and logistical services. The Federal Bureau of Investigation provided no further details nor identification of the victim companies.

In September 2021, Crystal Valley, a Minnesota-based grain cooperative, was hit by a cyber attack. This happened during harvest in the fall of 2021. (How well-prepared is your account for a cyber attack, especially during the busy season?) While there was a ransom demand, it is reported that Crystal Valley did not pay it. The firm stated that it was unable to fulfill orders for livestock feed but that local cooperatives were able to assist. Due to this attack, everything needed to be processed by hand.

According to an article from the Des Moines Register, "Iowa Grain Cooperative Says It's Working To Restore Automated Operations, but Remains Silent on Cyberattack Ransom," by Donnelle Eller, October 6, 2021, NEW Cooperative in Iowa suffered through a ransomware attack in September 2021. They were able to still operate utilizing "paper tickets" as opposed to their normal computer-driven manner of tracking deliveries and such. NEW Cooperative announced that its critical infrastructure was "intertwined with the food supply chain." Further, should they not have had a timely recovery, then there would have been "public disruption to the grain, pork and chicken supply [chains]" as some 40 percent of grain production runs on its software and the feed schedules of 11 million animals rely on them.

In Canada, Maple Leaf Foods had a cyber incident in November 2022, according to an article by Howard Solomon of IT World Canada, "Maple Leaf Foods Confirms It Was Hit by Ransomware, Won't Pay Attackers," November 25, 2022. It evidently caused a temporary system outage and other operational disruptions. Maple Leaf Foods is Canada's largest prepared meats and poultry producer. According to the news article, a ransom was demanded but not paid.

Should Small Companies Worry about Cyber Attacks?

Let's focus on the smaller risks that may not have the significant challenges to recovery that these larger operators have: the low-hanging fruit of farms and agriculture (all puns intended).

First, a thought—How often have you heard this from your client: "I'm not a target. No one cares about my systems. I don't have time to do this. What are the odds?" Do you want your client to be the poster child for the next cyber incident? Do you think they want to hear from you or a claims adjuster: "Well if you would have had cyber coverage, we might have been able to help. But you don't."

Precision agriculture is not some dreamy-eyed concept; it is here today and growing at a rapid rate. An April 20, 2022, release by CID Bio-Science and written by Scott Trimble, Precision Agriculture Policy and Adoption Outlook 2023, estimates that up to 40 percent of large farms in the United States use precision agriculture. In fact, the United States is the largest and earliest adopter of precision ag. Is there any reason to think that this number will not continue to grow? With multiple labor challenges, the rising costs of inputs, and more, precision ag is on a significant upward growth pattern. Smaller farming operations will need to adapt it sooner rather than later just to remain competitive in the marketplace.

Look at the daily operations of what farmers currently use: autosteer technology, GPS guidance, sprayer section controls, row control for planters and seeders, yield monitoring and mapping, remote and in-field sensing, telematics, and the coming flood of robotics (think of automated crop-picking robots, self-driving equipment, and precision weeders) and drones. If they are not a part of your farmers' operations today, they will be tomorrow. Almost all of these items utilize the Internet of Things to varying degrees.

How well-protected is your farm operator from an untimely attack on any of these systems? Most of these systems are reliant on their interface with other systems of the farmer; that is a recipe for disaster if not addressed properly. Rarely does a cyber attack come in through the proverbial "front door" of an insured's operation. More often than not, they attack the softest, most vulnerable areas, which are also the least protected.

A 2022 speaker at Def Con 3 in Las Vegas (Def Con is a hacking conference) touted his ability to hack into John Deere products and showed at the conference how he had accomplished it, according to "A New Jailbreak for John Deere Tractors Rides the Right-To-Repair Wave" by Lily Hay Newman of WIRED, August 13, 2022. More importantly, he described tractor (equipment) access as three items, all of which act to control the other. Those three are 1) the screen display, 2) the gateway (i.e., Wi-Fi, radio, and satellite), and 3) the actual ag equipment, which all work together to control the machine. Because of their interactions with each other, access to one is access to all.

How much would your farm operators be willing to pay in ransomware to get their operations back and running? What if, as most scenarios expect, it happens when the insured is most vulnerable or can least afford the disruption (e.g., harvest time)? Would they rather have an insurance company assist them with that payment, or would they rather try to take it out of their operating account? How long will they be shutdown? What other damage to their systems might the hacker leave in their wake? Might your operators have a hacker steal confidential information from them and provide it to a competitor (or threaten to)?

As Beth Daley surmised in her article, "Rise of Precision Agriculture Exposes Food System to New Threats," for the Conversation, August 8, 2022, "an attacker could look to exploit vulnerabilities within fertilizer application technologies, which could result in a farmer unwittingly applying too much or too little nitrogen fertilizer to a particular crop." Not only could the resultant waste of additional fertilizer cost the farmer dollars, but it could also affect their yields. What if so much was applied that they now have on their hands a situation with environmental ramifications? What if so little was applied that they have a significantly reduced harvest?

At a Cyber Crime and Agriculture conference in Lincolnshire, England, a UK government agency warned that "the increased use of email, online accounting tools, online payment systems as well as automated farming equipment means that it's increasingly important for farmers and rural communities to look at their growing exposure to cyber risks," according to "Cyber Guidance for the Agriculture and Farming Sector," Cyber Resilience Centre for the East Midlands, May 10, 2022.

Among the Challenges

There are many reasons why cyber is not at the forefront for agricultural producers. The following are a few of them.

• They do not see cyber as a significant threat.
• They haven't truly been educated on the potential threats.
• They are distracted by other challenges like floods, drought, pests, hail, etc.
• They have heard that it is expensive.
• They do not see themselves as a target.
• The government, to date, has not made it a priority for farm/ag.

Homeland Security, Threats to Precision Agriculture

In 2018, the Department of Homeland Security issued a very informative 25-page white paper, Threats to Precision Agriculture. It is a relatively brief read, and unlike many government-issued papers, it is understandable! I encourage everyone to read it.

Among some of the valuable takeaways, the paper specifically addresses the bedrock principles of information security and how they apply to precision ag. Those three principles are the following.

• Confidentiality
• Integrity
• Availability

As stated in the report, "the danger is not just cyber-attacks per se, but any danger which could negatively affect CIA [confidentiality, integrity, and availability].… Key threats, unique to precision agriculture or where an impact would be magnified by precision agriculture adoption, have been identified under each principle in the CIA model."

They then describe these key threats. Under confidentiality, they illustrate the following.

• Intentional theft of data collected through decision support systems or the unintentional leakage of data to third parties
• Intentional publishing of confidential information from within the industry, such as from a supplier, to damage the company or cause chaos
• Foreign access to unmanned aerial system data
• Unscrupulous sale of confidential data

In regard to integrity, they provide these issues.

• Intentional falsification of data to disrupt crop or livestock sectors
• Introduction of rogue data into a sensor network that damages a crop or herd
• Insufficiently vetted machine learning modeling

Finally, when it comes to availability, the following are their specific concerns.

• Timing of equipment availability
• Disruption to positioning, navigation, and timing (PNT) systems—space-based
• Disruption to PNT systems—ground-based
• Disruption of communication networks
• Foreign supply chain access to the equipment used in precision agriculture
• Smart livestock production facility failure

Going Forward

If you have heard me speak before on this topic or the related topic of risk management, then you have heard me state a core belief of mine: farmers are among the best risk managers that we get to work with. On a daily basis, they juggle many demands and concerns. Because of these demands, they take an approach, while perhaps not viewed as a formal one of determining threats to their operations and how to best manage them, where they are constantly considering the ramifications of their decisions. They are always seeking ways to do so in an affordable and manageable manner.

Risk management principles teach us that when a threat to an operation is "severe," yet its occurrence is "infrequent," those are among the best threats to transfer to others. More often than not, that means a transfer to an insurer.

Cyber is one such issue.