The First Sixteen Podcast - EP 016

The First Sixteen is Agriculture and Agri-Food Canada's new podcast series that explores the freshest ideas in agriculture and food. Each episode explores a single topic in depth—digging deep into new practices, innovative ideas, and their impacts on the industry. Learn about Canada's agricultural sector from the people making the breakthroughs and knocking down the barriers! Farmers and foodies, scientists and leaders, and anyone with an eye on the future of the sector—this podcast is for you! A new episode is published each month.

Episode 016 - Cybersecurity and agriculture

Farmers and many others in our sector spend much of their time managing risk. In this episode we focus on a new risk to manage - cyber threats. Dr. Janos Botschner from the Community Safety Knowledge Alliance and Christine Beauchamp from the Canadian Centre for Cyber Security tell us some true cyber heist stories. And they share some solid advice on how we can up our cybersecurity game.

Transcript

Sara: With the First Sixteen we tell stories about good and positive innovators in the Ag sector. Today’s episode is a little different. The innovators we are talking about today are malicious innovators. And we all need to know about them.

Kirk: Con artists have gone digital. And they see the farming sector as a good target.

Janos: Let's think about that individual farmer. I mean, at the end of the day, it's the human element that ultimately creates the biggest vulnerability, but it's also where we can make some important gains around cybersecurity and cyber preparedness. And you know, farmers are thinking about weather, they're thinking about all kinds of different things. They're really by the nature of their work, good natural risk managers. But they haven't always made the connection between the security of their technology and information and the security and well-being of their farming operations, their families and their rural communities.

Kirk: Farmers, and many others in our sector spend much of their time managing risk. Today we focus on a new risk to manage - cybersecurity.

Sara: Farmers are increasingly reliant on digital technologies - from sophisticated combines, climate control systems in barns and processing machinery to weather and commodity apps on phones.

Kirk: We use a ton of technology in this sector.

Sara: We do. And, just like in other sectors, we need to think about cybersecurity. But there is a key difference in agriculture that makes it different than say a retail clothing business or health care.

Kirk: What do you mean?

Sara: On farms, there is not the same kind of divide as in other types of businesses or organizations. Our business tools and devices are mostly hooked up to our home networks and our personal phones.

Kirk: That’s right.

Sara: With all these connections and with social media, we leave information lying around and little digital doors open for enterprising people.

Kirk: Enterprising; good word choice.

Sara: They can bleed you for a few hundred or a few thousand dollars. The can take down your whole operation. They can also hold as hostage the financial operations of a supply chain or a whole subsector of farming. It’s really disturbing.

Kirk: It’s why we went looking for some experts on this topic. They told us some true cyber heist stories to illustrate how the cybercrimes are being committed. And they shared some solid advice on how we can up our cybersecurity game.

Sara: First up, we have Dr. Janos Botschner, who you heard at the start. He is a behavioral psychologist and public safety consultant. Dr. Botschner works with Community Safety Knowledge Alliance or CSKA, a not-for-profit organization in Saskatoon that is focused on various aspects of crime prevention and public safety. Dr. Botschner and CSKA is currently working on a initiative to improve cybersecurity specifically for the agriculture sector that is funded by Public Safety Canada.

Kirk: So, what’s interesting about Dr. Botschner is that he specializes in the psychology of crime and community safety. Beyond looking at the economic and law enforcement aspects of crime, he has insights into the motivating factors of criminals and the effects of victimization. 

Sara: We also spoke with Christine Beauchamp from the Canadian Centre for Cyber Security or the CCS. The CCS monitors foreign signals and foreign intelligence for the government of Canada. It has an equally important mission for cybersecurity – for all levels of Canadian government, industry and citizens. They have been in the cyber security game for over 70 years.

Kirk: To start, because cybercrime knows no borders, I asked Dr. Botschner to give us the big picture of cyber threats as pertains to the global ag sector.

Janos: So if we think about the AG food sector broadly, we can understand that it really constitutes a critical infrastructure in its own right as well as an essential workforce. It really sits at the intersection of multiple supply chains as well as other sectors. And so it's really part of a set of interdependent, critical infrastructures. They all flow into one another and they all flow out from one another. Last fall, the CrowdStrike organization reported a tenfold increase in 2020 in human involved intrusions affecting the ag industry.

Kirk: That’s a big increase. And in Canada, we have a modernized, high tech ag sector. So, we would naturally be a target for cybercriminals. Who exactly in our ag sector is facing this increased risk? And who needs to pay attention here?

Janos: Very large corporate operations appear to be tuned to the need for standard information security practices, but small and medium sized producers are generally not very focused on the risks they face from potential cyber events, nor have they traditionally been well positioned to respond in the event that a serious attack does occur, whether one involving their supply chains or in some cases, you know, should that attack target them directly.

This is a growing line of business, as you as you might imagine, because it's low risk and it's really profitable for cyber criminals and their sponsors. As Ray Boisvert from IBM's security strategy, recently observed the ransomware industry is expected to reach - and get this - up to 10 trillion U.S. dollars over the next five years. Think about that in terms of the GDP of some countries. Adversaries are very well financed. If we're talking about profits of that magnitude.

They're also emboldened when payments are handed out. So the more they disrupt, for example, a supply chain, the more likely it is that businesses might pay the ransom to get things back up running. It's notable that last October, the group that was linked to the JBS attack declared that the ag sector was an upcoming target for its activities. So it seemed to be true to its word.

Kirk: We have certainly had to adapt to a more digital way of doing business due to the pandemic. How has that effected cybersecurity? 

Janos: Digital transformation across the board as many of us have seen was accelerated during the pandemic. Despite having to contend with numerous challenges, you know, related to consolidation and highly efficient supply chains, Canada's food system was able to sustain its vital role with minimal disruptions. If we look ahead to the post-pandemic period, ongoing investments and transformation of Canadian agriculture and food production are really slated to propel recovery and strengthen Canada's international position, not only in trade, but also in terms of leadership related to food security and climate change. So with this growth of digitalization and the role of AG food as a key part of Canada's national and geopolitical well-being, it's reasonable that the sector is going to experience a rise in cybersecurity disruptions.

Kirk: So, everything points to a need for a new level of vigilance or a new way of thinking about our technologies.

Janos: I think the opportunity here is to start to say, OK, this is part of our new world. So how do we help people understand, communicate and act in ways that make awareness of all things digital part of our experience of being in the world in the 21st century? And so it's baking that into, you know, the way you run your business. You know, do you have backup of financial information? Do you know who your providers are? If you get an email from someone that looks a little bit fishy, why don't you just flip them a text or pick up a phone and say, “did you send me that?” You know, so it's just thinking a little bit differently.

But again, you know, if a farmer saw something behaviour that was a little bit different in a breeding sow or in a dairy cow, they would be attuned to that and that might mean that they're going to call their vet.

In a way, this is no different. It's just that what they need to notice is different, and it's not always physically tangible, but they're really good at noticing things, and they're really good at thinking about the big picture of how it all works together to look after, you know, their business, their family and their community.

Sara: From what you just said, I get the feeling that cyber security cannot be an island of its own. 

Janos: We have to think holistically. It's no longer enough just to say this is an IT Issue. If you look at it from a business perspective, it's an enterprise risk management issue. And so it's really important to have conversations with executives and boards of directors, so that they can then take reasonable steps related to mitigate those risks and to be able to adapt well and get business back up and running in the aftermath of an event. So if we think about, you know, if you if you live in a rural remote community where there's potential for extreme weather going back, you know, generations, you know, you'll know what to do to safeguard your farm, but also your family and other elements of your lifestyle, from tornadoes or from winter storms or from, you know, other severe weather events. So that's just kind of been baked into how you run your operation and how you live your life.

Kirk: There were some big cyberattack incidents recently. Can you talk to us about two in particular, the one with JBS, the multi-national meat processing company and then the Australian Wool Exchange?

Janos: Lets looks at these chronologically. The first, which happened back in February, was the attack on the Australian wool industry exchange system. So this particular type of software, which was used more than by more than, you know, three quarters of that industry across Australia and New Zealand experienced a ransomware exploit that shut down buying and trading for about a week with a weekly volume of around 80 million dollars or with a significant immediate cost, including interrupted cash flows for producers.

If we look at JBS Foods, it experienced a massive cyberattack involving ransomware that severely disrupted production operations in North America and Australia.

Subsequent work attributed this to a Russian linked hacking group. They use the powerful type of ransomware called LEAK. It allows attackers to cause two kinds of harms: The first is to impact the availability of data by encrypting files and preventing them from being used until they're decrypted. That's what we're most familiar with. The other thing it can do is to affect what's called data confidentiality by threatening to publicize sensitive data. This raises pressure on victims to pay a ransom. Now, of course, if someone steals your data, there's no guarantee if they're a criminal organization that they're not going to sell it down the road to somebody else. But it really turned this into more of a pressure cooker than it already would be. So JBS apparently responded by paying 11 million in cryptocurrency ransom to make sure its customers didn't experience supply shortages and, you know, presumably to also prevent the leak of confidential information.

And we can imagine that, you know, when you're also dealing with intellectual property, that can be a pretty big concern because it can impact your competitive advantage.

Sara: I imagine some of the victims of a cyber-attack don’t feel great sharing the fact that they were compromised. It’s embarrassing. How does that effect information sharing to combat these attacks?

Janos: Your point is such an important one as well. There can be embarrassment, but I think the the truth of it is that all of us probably have been, uh, in some ways attacked. We may not have been victimized yet, but people are trying all the time and botnets are trying all the time. So it's very commonplace. And you know, I think a guideline for most organizations is, you know, it's not if, it's when. And so how what are you going to do to make it less likely or less impactful? And what are you going to do to be able to get things up and running again as quickly as possible?

There could be business reasons for why an organization does not want to disclose this, and that's for their consideration. But certainly, you know, when things like this happen, I think there's a really important opportunity for mutual aid and basic person-to-person support to help us get over the difficulty because it's very stressful. And if we want to think about the well-being of our individual farmers and their families and their rural communities, if we can build the capacity to support one another in the face or in the aftermath of adversity, we're also doing some really important work.

Janos: Well, I think, you know, there are some important examples out there. When Maersk shipping was attacked, it said it was attacked. It had good relationships with its competitors. It had a bit of luck on its side. It had some data infrastructure in an African country that had experienced a brownout. So it wasn't affected by the cyber attack and it was able to recover some of its data infrastructure from there. But it also had good relationships with its competitors. And so they lent some infrastructure to help Maersk rebuild its system after the attack occurred. And in some ways, it's really an exemplar case study of how to do things well.

Kirk: That support capacity Janos speaks about is really important. We have access to it right here in Canada. The Canadian Centre for Cyber Security (Cyber Centre) is Canada’s authority on cyber security.

Christine: My name is Christine Beauchamp, I'm the director of client engagement and incident detection within the Canadian Centre for Cyber Security. We are a centralized group that provides information and expertise and support to Canadians and Canadian organizations with regards to cybersecurity incidents and questions and concerns.

Kirk: Christine, we got a global picture from Dr. Janos Butschner with regards to the threats to the ag sector. But your organization is at the frontline of cybersecurity. Can you give us an idea of the overall threat here in Canada?

Christine: In Canada the biggest threat when it comes to Cybersecurity is cyber crime. Cyber crime is rampant. It is widespread. Cybercriminals don't discriminate. They cast a wide net. They try to attack as many accounts and individuals and organizations as possible because they hope that just a few will fall victim to their to their scheme and to their attacks. The only numbers that I could provide to you that are, I guess concrete is if we look at just the government of Canada on its own. So the government of Canada goes through over a billion attempts of compromise every day. So that's those are staggering numbers. They're bigger than the mind can comprehend. And that is why it is essential for people to have good cyber hygiene on the one hand, but also have robust systems that can stop the compromised attempts before they start.

Sara: wow…You know we all see these emails or get these calls, but do you have an example of a story you could share of how these end up working?

Christine: Recently, there was a an association that I was in contact with, a small organization, not necessarily a very, very big business with a lot of money, but it was well, I guess it was discovered that there was a there was a president of the organization who reached out to people on the board of directors, and someone created a fake email account and claimed to be that president and asked in an email, Oh, could you please make these purchases on our behalf? And this will go for a group of volunteers and we want to thank them and give them gift cards. And because the email came with the name of the president, the individual didn't check to see if that was normal email address that the president actually used.

And so the individual did buy all these gift cards online and said, Here you go, here are all the gift cards. You may send that to all your volunteers. And it was actually a fake account created by a cybercriminal. So unfortunately this individual lost all their money by getting caught in this. This actually happens regularly. The vast majority of all compromises actually come from very simple attacks and the phishing attempts, the links in emails is actually the number one way that cybercriminals actually gain access to your information and your accounts. The

Sara: So, that’s what we mean by social engineering. It’s building a complex story based on relationships. How are they getting that type of relationship information?

Christine: How do they get at that information? Well they can get it online from your website, for example, depending on how much information an organization will put online about who they are and who's who and their organizational structure? But they can also find it from individuals who just post a lot of things online. If you think about all the information you post about yourself on social media and think what could a cyber criminal learn about me by just going through all my social media posts, you would be surprised at just how much you've revealed about yourself and how much munition you've given a cyber threat actor to use and try to impersonate you with someone else.

Kirk: I take your point. We need to develop cyber-street smarts. And where do we start if we want to improve our security?

Christine: There's no single method of making sure we are 100% safe online. What we promote is security through layers. What does that mean? That means doing a number of small steps that once they are all packaged together, will give you strong security. The number one thing we tell people is passwords. Put a password on everything you can and try to make it unique and different for every time and every account. Now this gets complicated because we have hundreds of accounts. How can we remember or find a trick to make sure that we use a different password every time? Well, we can use password managers. There are some very good ones on the market. It does help that way. You know, you only save them in one single place and it's secure and you don't have to remember all of them. We have another trick, though, is we tell people to use passphrases rather than passwords, and by passphrases, we mean use three or four random words with or without spaces up to about 15 characters.

It could be, you know, table chair, camera TV. And those are actually quite difficult to crack, so they're easier to remember, but they are difficult to guess. We talked about a little bit about patching and updating software devices. Please don't neglect those whenever you get that little ping on your phone, on your computer, saying this must be updated, you must reboot to update this particular software. Essentially, that is a message telling you we've identified a weakness that could be exploited by cyber criminals or cyber threat actors. Please fix it now.

The other thing we also promote quite a lot is multifactor authentication, so whenever you do create an account and they ask you, Oh, thank you for your username and password, can we have a phone number perhaps to send you a, you know, a text with it with a specific code. Activate those, they are not made to make your life more complicated. It actually does increase security quite a bit because it makes it a lot more difficult for a cyber threat actor to have both pieces while if they can get your username and password, they can't get your digital print, for example. So that added layer of security will lock down your accounts a lot stronger.

Sara: Those are some good tips. So say something happens, what do I do?

Christine: The very first step you're going to take is make sure you take all of your devices offline immediately so that they stop transmitting any information over the internet. If you believe that you've been victim of a cyber crime, you are encouraged to call the RCMP or the police of jurisdiction to report it as a cyber crime. You can also get in touch with the Canadian Anti-Fraud Centre to report it. And if you aren't sure and you are afraid of the damages that it could have made to your greater organization by all means, please report the cyber incident to the cyber center. We have an incident reporting page is very easy to use online at Cyber.gc.ca, and we have a team of professionals that can walk you through the steps to take to make sure that we clean this up as quickly as possible.

Or that if an organization or group of individuals have specific questions and that they can't find the answer on in our available tools, they are always welcome to contact the Cyber Centre directly through our contact email, which is contact@cyber.gc.ca and a team of professionals at the Cyber Centre will be more than happy to hook you up with the right subject matter expert to answer your questions.

Sara: You know that clean up Christine talks about isn’t the last step if something happens. You have start everything up again. Dr. Butschner ended by really emphasizing the importance of a recovery plan. You need to rebuild your digital infrastructure once something happens. Backups might just be the most important part.

Janos: How do you get things up and running? So the more you can think about that, the better off you're going to be because you're anticipating you're taking active steps to try to address that to the very best of your ability. And you know, that's going to be psychologically important. I would suggest as well because it allows you to have a little bit more peace of mind knowing that you've done all that you could to be able to respond should something happen.

So it's all part of that holistic picture. And I think, you know, the question of, you know, do we say this is cybersecurity? Do you say this is security? Maybe in the next few years, we'll end up thinking about things a little bit differently and talking more about security in a digital world that involves a bunch of different components and really often starts and ends with people.

Kirk: More peace of mind. Buy it. Get it. We need more of it.

Sara: So, what do we need to do?

Kirk: Create new passwords for all our devices…

Sara: And after you’ve done that remember to subscribe to this podcast series. We have new episodes every month about innovators and innovations in the ag and food sector.

If the podcast player does not work in your browser please try this version of Episode 016.

Episode 016 - Cybersecurity and agriculture

Subscribe on Apple, Spotify or Google