Canada's ag industry would benefit from 'cyber barn raising' to protect farmers from online attacks: experts
'If farmers are under threat, then so are the rest of us,' researcher Janos Botschner says
Cathy Lennon can't recall the last time she met a farmer who didn't have a cellphone.
"Whether that is sort of your modern-day farmer or your traditional even Mennonite farmer, they have cellphones and smartphones in their pocket," Lennon, the general manager of the Ontario Federation of Agriculture (OFA), said in a phone interview from her office in Guelph, Ont.
She said there's an increasing amount of technology and data on farms and in the agricultural sector. But as farm equipment becomes more advanced and connected to the internet, there also are concerns they'll become targets for cyberattacks, something that could also put Canada's food security at risk.
Ali Dehghantanha is a computer scientist at the University of Guelph and the Canada Research Chair in cybersecurity and threat intelligence.
His Cyber Science Lab focuses on cybersecurity, digital forensics, threat hunting and threat intelligence. In the past year, it has been called to investigate 11 cases of cyberattacks involving the farm industry. Dehghantanha said that a significant number.
He said the most common attacks involve ransomware, where the attacker gains access to a computer system and data, then asks for payment to release it back to the individual.
"We have seen quite a few cases of the data leaks … and we normally find these data leakage as they are becoming available in the dark web for selling," Dehghantanha said.
In some cases, it's individuals doing the hacking. In other cases, it can be state-sponsored hacking, he said.
He said the majority of cyberattacks reported to his lab are conducted by criminal groups in Eastern Europe that are specifically attacking North American targets.
LISTEN | Expert says the agriculture industry needs to do more to protect tech and data.
Unsecure devices 'easy targets'
Hackers may not always be looking at the targets, but people — farmers or otherwise — who don't keep their devices up to date or have security measures in place are "weak targets," Dehghantanha said.
"Unfortunately, due to lack of any security standard or security guideline in [the agriculture] field, we are seeing so many unpatched devices … they are easy targets for the hackers."
Janos Botschner is the lead investigator for the Cyber Security Capacity in Canadian Agriculture project through the Community Safety Knowledge Alliance, a non-profit that looks at ways to improve community safety and well-being.
The project is looking to help the sector prevent cyberattacks, but also develop tools to help build cybersecurity in Canadian agriculture. Over the last two years, the first-of-its-kind project has surveyed Canadian producers about cybersecurity.
"Digital ag cybersecurity is still in its infancy globally. So it's both a weakness and an opportunity for accelerated capacity building within the sector," Botschner said.
He said for many, the level of awareness around cybersecurity is "not a priority among most producers" at this point, but it needs to be.
He pointed to recent cyber threats to the sector, including a warning from the U.S. Federal Bureau of Investigation (FBI) in April this year that included the United Kingdom and Australia. It warned agriculture co-operatives to be on high alert for ransomware attacks.
The threat of a cyberattack also hit home for farmers in Quebec last month when L'Union des producteurs agricoles (UPA), a farmers' union, announced it was the victim of a ransomware attack on Aug. 7.
A statement on the union's website said it's still reviewing the scale of the attack and possible ways to restore its computer systems. The UPA noted "day-to-day activities" of agricultural businesses were not compromised and it was doing all it could to protect people's personal information.
Farm, family networks often connected
For many people, a ransomware attack impacts them on an individual level. But the attack can be a bigger problem for farmers, Botschner said.
"Farm businesses are not like other businesses."
An attack "could have an impact on their farm business as well as on their farm family, because … many networks are not segregated between the home and the agricultural operation."
Lennon said she's also heard from farmers who reported a company they do business with had been attacked.
"People have had their names, addresses and credit cards hacked when a local business was attacked, and that certainly caused concern and awareness on the farm level about making sure that you are protecting that information."
An attack could also 'sow mistrust'
But Botschner said cyberattacks can be more than ransomware or phishing for information. There could be attacks where information, rather than physical computer systems, is disrupted, he said.
"You could see information being contaminated to either mask an event like an emerging biosecurity threat like a virus," Bortschner said.
"Or you could see information being contaminated to suggest that something's happening that has contaminated a commodity in order to sow mistrust in a critical part of our ag food system. You could also see disinformation campaigns being rolled out to undermine trust in Canada's food system."
Those kinds of attacks may not happen quickly — it could take years as part of a strategic campaign.
He said people should think of food security as national security.
"If farmers are under threat, then so are the rest of us."
Tips for farmers
Lennon said the OFA offers tech safety tips to members, including:
- Use strong passwords and a password manager.
- Be careful about sharing personal information on social media.
- Keep devices up to date.
The federation is planning an in-person annual general meeting in November, when it will hold a workshop on protecting farmers from cyberattacks.
She said a key message to all farmers is that any device can be compromised.
"There's folks that have highly technical equipment in the barn or in their computers at home. GPS technology. It's the full range, but if you are connected to the internet, then the risk exists."
Government, tech companies can do more
Dehghantanha said while farmers themselves need to ensure they're protecting their data and devices, regulators also have a role to play.
There's a need for a standard cybersecurity guideline for the agriculture industry "so different people, farmers, technology providers, service providers are at least aware of what [is the] security standard, what security activities they should do and they should follow."
Botschner agrees.
"Canadian producers are very adaptable. They're very good risk managers. They're good at noticing things that might involve risks and threats," he said.
"But there are other things that need to be done to support farmers because they shouldn't be in it alone."
He said governments and major tech companies can work together to help farmers improve their safety online while focusing on ensuring critical infrastructure is safeguarded from threats.
It's a sort of "cyber barn raising," he said, "to help one another tackle this important challenge in ways that make sense for producers and that really help the sector as a whole to be more resilient."