FBI puts farms on notice: cyber risks are more than theoretical
It doesn’t get much more basic than food. Without it, everything else — the gadgets, toys, security, and conveniences of modern life — fades to irrelevancy. Food insecurity is health and life insecurity.
Which is why the nation’s agricultural industry is considered critical infrastructure. And which is also why, given that industry’s increasing reliance on software and internet connectivity, it is an increasingly attractive target for cyber criminals.
Criminals need leverage for their “business” to succeed, hence the truth of the snarky proverb that “you can get a lot more with a kind word and a gun than you can with a kind word.”
For ransomware attackers in the digital world, the “gun” is extortion: Pay up or all your data and files will remain encrypted — and useless — forever. Or, the hardware you’re using will be disabled. In the last couple of years, that leverage has started to include other forms of extortion. Attackers exfiltrate data, which usually include intellectual property and personally identifiable information, before they encrypt it, and threaten to publish it if the victim refuses to pay.
Even more recently, the Ragnar Locker ransomware group has threatened to publish data on its .onion site if a victim seeks help from law enforcement agencies like the FBI or data recovery companies.
Yet another form of leverage is the value of the target to society. While a threat to any organization is critical to those who operate it, not all are critical infrastructure. Taking down organizations that provide electricity, water, sewer services, fuel and food will impact more than a single company — it can put millions at risk.
Cyber criminals know this as well as anyone, hence the increasing number of ransomware attacks on critical infrastructure, including meat supplier JBS in May, which led to a major price spike.
Hacking the source
And there are indications that JBS is not an outlier — that the nation’s food supply is drawing more interest from cyber criminals because a threat to something that valuable yields major leverage. That includes the beginning of the food supply chain — the farms where crops are planted and harvested.
The vulnerabilities of the modern agricultural system, in which massive farm machinery is connected to the internet, have caught the attention of security researchers. An ethical hacker who goes by the name Sick Codes, in a presentation at DEF CON 29, in August, said he and fellow hackers had found “a tractor-load of vulnerabilities in the global food supply chain,” specifically in farming machinery that he said could allow attackers to shut them down at crucial times like planting or harvesting.
The presentation didn’t include documented reports on any actual hacks that affected farms. But according to the FBI, at least one happened earlier this year.
The agency, in a Private Industry Notification earlier this month, said a ransomware attack against an identified U.S. farm (although the notification didn’t identify it) “resulted in losses of approximately $9 million due to the temporary shutdown of their farming operations. The unidentified threat actor was able to target their internal servers by gaining administrator level access through compromised credentials.”
This doesn’t mean the nation’s entire food production industry is at immediate risk. There are thousands of smaller farms across the country that don’t use machines with online connections. But things are moving in that direction.
So, the risks of the nation’s food supply being disrupted at the source, while not yet widespread, are more than theoretical. And they highlight the reality that data, and the software that manages that data, are the lifeblood of most modern enterprises. That means a risk to software is a risk to the business.
The notification cited other food supply ransomware attacks besides JBS. One, in July, shut down the production, shipping and receiving of a bakery company for a week. The agency said the bakery was a victim of the Sodinokibi/REvil ransomware, deployed through software used by an IT support managed services provider.
In March, it said a ransomware attack on a U.S. beverage company “caused significant disruption to its business operations, including its operations, production, and shipping.”
But a major disruption at the source — planting, growing, and harvesting crops — could be the most damaging. Without food production, distributors have nothing to distribute.
And while it might seem counterintuitive to view farms as high-tech, software-driven enterprises, they are trending in that direction. So the owners and operators of those enterprises must confront the risks that come with connections to the online world.
Defense in depth
Fortunately, there are plenty of proven ways to minimize those risks. The FBI notification offers a list of mitigations that essentially summarize standards that have been around for decades but are still effective.
They include backing up data and keeping those backups offline with an air gap, keeping software up to date, multi-factor authentication, network segmentation, strong passwords, requiring administrative credentials to install software, and training employees in how to spot phishing attacks.
Indeed, that last mitigation could be one of the most important since the human factor, for good or ill, can trump the best technology. Attackers frequently succeed in breaching companies by tricking an employee into clicking on a malicious link in an email.
The FBI said a U.S.-based international food and agriculture business suffered a ransomware attack in November 2020 by the OnePercent Group, “which used a phishing email with a malicious zip file attachment. The cyber criminals downloaded several terabytes of data through their identified cloud service provider prior to the encryption of hundreds of folders.”
Jamie Boote, senior security consultant with the Synopsys Software Integrity Group, said maintaining trustworthy software requires each component of the so-called “CIA triangle” — confidentiality, integrity, and availability. For agriculture, availability is perhaps the most crucial leg of that triangle.
“Ransomware is a threat to a supply chain’s availability,” he said. “Industries that aren’t traditionally identified as being in the software business are now more reliant on networks, servers, and software. So these attacks on the physical world via software can impact entire sectors, not just individual businesses. Even if a business doesn’t consume products from one farm, a shutdown may lead to an increase in commodity prices as other farms struggle to meet the demand.”
How to confront and minimize that threat? Boote said farming has always had to deal with physical threats to availability, ranging from droughts to floods, soil depletion, insects, disease, natural disasters, bad seasons, and numerous others. So one way for those in the agriculture industry to manage the cyber threat is to use the same principles they have applied to physical threats for generations.
Apply physical to virtual
“Farmers have traditionally recognized and solved problems as needed,” he said. “It’s time for them to recognize the threat to the software they rely on as another problem they can solve by adapting their good farming practices into good software security practices.”
In the physical world, Boote said, “equipment, gear, and even boots that can track contaminated soil and disease from farm to farm are often inspected and cleaned either when departing one farm or entering another.” The digital version of that is to inspect and clean email, software installation, and USB sticks before they are allowed on the network. That, he said, can prevent “infections” from ransomware, worms, and viruses.
Then there is employee awareness training. “Often, experienced farmhands are the first line of defense in detecting problems or sickness on a farm, and they’re often in the right place at the right time to prevent it,” Boote said. “So train employees to inspect the links they click, the software they install, and the emails they get to prevent problems.”
His Synopsys colleague, applications engineer Antoine Benoit, agrees, noting that “end-user education” is essential in any enterprise driven by software. “Lots of attacks happen via social engineering rather than the exploits themselves,” he said.
There is also value in threat intelligence — something farmers have collected in the physical world for generations through weather forecasts and indicators of coming insect or disease infestations. Another of Boote’s colleagues, Synopsys security consultant Rory Sheldon, said the digital version of that means collecting information on where and how an online system is vulnerable, what kinds of tools attackers have, and preparing an incident response plan.
“Assuming you will be compromised, it’s good to have the capability to react and minimize the impact ASAP,” he said.
Another parallel is that while farmers may be fiercely independent, most know when they need outside help. “When regular farmhands aren’t enough, farmers bring in vets and other specialists to diagnose and treat problems,” Boote said. “The same goes for networks. It may be time to bring in specialized network security assessors to inspect the network for weak points and potential problems.”
Yet another crucial digital security practice, network segmentation, can mirror the physical way that good farms are laid out. “Crops and pens may have isolation and separation to contain disease,” he said. “Network isolation and segmentation may help to prevent the spread of ransomware, which can’t spread to a network it can’t communicate with.”
Finally, there is the backup plan. “The use of silos and grain reserves helps farmers get through tough times and have enough seed to replant in the spring after a bad harvest,” Boote said. “Similarly, a good information backup policy can allow companies to get through a bad ransomware attack by restoring lost data and systems.”
The bottom line is that if cyber attackers can shut down machinery or other operations, the damage can be just as severe as if that equipment had been stolen or destroyed, or if crops were destroyed by flooding. The digital can have physical results.
“Ultimately, as software continues to drive more of farming’s day-to-day activities, the risk to those software systems will threaten more of those same activities,” Boote said. “It’s time for farmers in the 21st century to deal with 21st-century risks.”