The Central Valley of California, the area between Bakersfield and Santa Rosa, represents only 1% of the nation’s farmland but is responsible for producing 25% of the nation’s food supply. Growing up in an agricultural family teaches early lessons about the importance of managing risk and dealing with crises. Drought and pests are constant concerns in the Central Valley. A farmer’s ability to identify risk and come up with innovative solutions is key to managing crises and has driven the agricultural sector towards increasing reliance on technology to keep up its extremely high levels of production. However, threats like ransomware have shown that this reliance on technology can be a double-edged sword as recent cyberattacks drive a new crisis for an already overly stressed agricultural supply chain.
The sense for risk identification and innovation has driven advances in farming automation, remote sensing and data analytics that have helped lead a revolution in practices like precision agriculture, increasing crop production while decreasing input expense. However, as with any new innovation, technology also carries new risks. From the genetic intellectual property in drought-resistant seed to the OT networks controlling livestock management, threats to agricultural IT systems from cybercriminals are growing more and more important as the agricultural sector becomes more reliant on technology and automation.
Key Risk Trends
At Resilience, we work with a range of agricultural clients, large and small, on reducing their IT risk so that they can maximize their effective use of technology. Two key risk trends that we focus on are ransomware and nation-state espionage.
1. Ransomware is impacting every major industry that manages “just-in-time” delivery schedules but the agriculture sector has become a prime target due to a traditionally lower focus on cybersecurity and its critical role during the pandemic. The FBI recently released a critical alert, warning that ransomware actors are targeting the U.S. agriculture sector because the sector is “increasingly reliant on smart technologies, industrial control systems and internet-based automation systems.” In one example, Iowa-based New Cooperative Inc. reported having to take its network offline after the ransomware group BlackMatter locked its computer systems demanding $5.9M to bring them back online. This follows an $11M extortion payment by major meat-producing firm JBS, whose systems were crippled by a Russian-based ransomware gang.
2. Theft of sensitive intellectual property has also been a traditional concern in agriculture, one that has accelerated with the rise in cybercrime. With U.S. leadership in innovative crop genetics and chemical processes, nation-state espionage has remained a top concern for years. The U.S. National Counterintelligence and Security Center (NCSC) and the Department of Defense’s Center for Development of Security Excellence (CDSE) recently published a guide for mitigating IP theft risk from foreign adversaries that seek to leverage partnerships or client relationships. They specifically cite cases targeting Dupont, Pioneer, and Monsanto that allowed trusted insiders to use their corporate network access to steal sensitive seed and chemical processes.
While the agriculture sector faces complex risks from their growing use of technology and increased threats from criminal actors looking to profit off the sector, this period of increased attention also presents an opportunity for companies to work at raising their cybersecurity maturity. In their recent ransomware alert to the agriculture sector, the FBI lays out an excellent IT action list that every company should look into. More than playing “whack-a-mole,” agriculture companies should start to look at cyber threats like they look at drought, disease, or pests and apply a risk-based approach to understanding their vulnerabilities and resourcing against threats.
A risk-based approach begins with leadership looking at what digital vulnerabilities exist to their core business. Some questions agricultural leaders should ask include:
- Is your operation heavily reliant on industrial automation? If yes, what manual backups are in place, and when were they last tested?
- Can your organization easily restore its payroll, client orders, and email systems from backups? If not, do you have funds set aside for incident response and business interruption?
- Do you rely on sensitive technology that is export controlled? If yes, do you have an insider threat program and limit unnecessary access to R&D systems?
From here, IT leaders can better understand what threats they are defending against and work at addressing vulnerabilities on a recurring basis with regular penetration testing, patch management, and corporate-level security training and exercises.
About the Author
Co-Founder and Vice President of Policy
Davis Hake is the co-founder and vice president of policy at Resilience. Prior to co-founding Resilience in 2017, Hake managed cybersecurity strategy for Palo Alto Networks, served on the National Security Council, and was a lead author of cybersecurity legislation in the U.S. Congress. Hake is an adjunct professor of risk management at the University of California, Berkeley, and is a term member of the Council on Foreign Relations. He holds a master’s in strategic security studies from the National Defense University and a bachelor’s in international relations and economics from the University of California, Davis. He also grew up in Bakersfield, CA.