Bad Seed: Cybercriminals Storm Agriculture

Jun 03, 2022

By Will Rodger

Cyber security expert Stephen Streng is worried about your co-op. And your trucking company, your tractor, your combine—and, well, everything from the field to the dining room table that connects to the internet. Cyberattacks keep increasing, and the good guys are having trouble keeping up.

“They're all connected to the internet, right?” Streng says. “In the cab of the tractor, the combine, or whatever is connected to the internet, there are probably multiple devices in there that are connected to the internet and to the world. And those are all windows to their operations that didn't exist 20 years ago—windows that somebody could climb into uninvited.”

Streng is a researcher at the University of Minnesota’s Food Protection and Defense Institute. He says the average farmer may not worry his tractor will get hacked anytime soon, but that shouldn’t be cause for complacency.

The tales from 2021 alone are chilling.

In October, large dairy processor Schreiber Foods was paralyzed for close to five days after a criminal gang infected its systems with ransomware. Schreiber, like most victims, paid an undisclosed amount.

In September, Minnesota agricultural firm Crystal Valley Cooperative fell victim to a ransomware attack the same week the Russian hacker gang Black Matter stole data from Iowa’s NEW Cooperative Inc. NEW shut down its network entirely to clean up the damage and buttress its defenses.

Crystal Valley, which sells supplies like fertilizer to farmers and buys their crops, took its systems down Sunday, Sept. 19. Payments took a hit, as they no longer had connection to major credit card companies. The co-op operates eight grain elevators that can store 25 million bushels in total.

In late May, meatpacking company JBS closed at least one Iowa pork processing plant as well as all nine of its U.S. beef plants before paying hackers $11 million in ransom.

“The food and agriculture sector has been behind in terms of cybersecurity, behind other sectors and in part because other industries got the wake-up call earlier because they were targeted earlier,” Streng says.

“The financial sector banks, the retail sector, the big retail corporations like Target,

health companies, hospitals, schools—as those industries harden their defenses, then attackers are going to start looking for softer targets, and the food and ag sector is, I think, probably one of the softest targets still out there. And agricultural production is the softest in the whole supply chain.

“Food processors and manufacturers—their transformation into digital operation also occurred a lot earlier, too. That also holds true for equipment manufacturers.”

Surveillance—but why?

There’s no doubt: Ransomware is the most common of all attacks launched today. But that won’t likely be the end of it for agriculture. The Chinese government, in particular, employs untold numbers of cyber vandals who break into western networks and conduct extensive mapping expeditions to discover the ins and out of their networks and provide quick entry and exit when needed. Spies and criminals use those maps for a variety of purposes, intellectual property theft among the most prominent. Food and ag networks have been probed, too.

Still Vulnerable: Hacking for hire

Ari Schwartz is managing director for cybersecurity at the Venable law and consulting firm in Washington, D.C. He was formerly special assistant to the President and senior director for cybersecurity on the United States National Security Council Staff.

Big players beyond China, he says, are involved. He’s as worried about Russian agents as he is about anyone else. The intruders are often known criminals “hired” in lieu of serving lengthy prison sentences at home or abroad. The Russians decide for how long they work for them. The hackers have monetary interests, but the Putin dictatorship—its interest is also geopolitical.

“The Russians have a strange structure for this,” Schwartz says, “After all, the government is truly a kleptocracy…and there is some work that's being done by the Red Army. But there's a lot that is done by people that are criminals during the day.”

Schwartz points to Alexsey Belan, a member of the FBI’s 10 Most Wanted list, dubbed the most dangerous hacker in all of Russia.

Belan’s rap sheet includes the Democratic National Committee hack of 2016, as well as a massive Russian Federal Security Service-sponsored 2014 Yahoo hack, which exposed the emails of other people Russian intelligence wanted to track, such as the former minister of economic development of a country bordering Russia and staff at a Swiss Bitcoin wallet provider.

Hacking the tractor

Cyberattacks are on the rise and your trucking company, your tractor, your combine—nothing is off limits. But experts say there are steps growers can easily take on their own to protect themselves.

An old maxim goes like this: “Easy to use software is not secure. Secure software is not easy to use.”

And the easiest-to-use software of all? The stuff we all use—whether it’s on our desktop, tractor, in our pocket or on a tablet—end-user technology, is the simplest to compromise.

That everyday stuff was put on trial last August at the DefCon computer security conference, arguably the most prestigious of conferences for the often wild and woolly hacker (both good and bad) community.

So-called white hat hackers look for vulnerabilities in software and often push other software developers to do better. They commonly respond to bounty programs that pay programmers to discover and fix problems before criminals discover them.

At the 2021 conference, one white hat hacker known as “Sick.Codes” asserted he could have taken control of any John Deere tractor, combine or other large implement via the company’s centralized operations center just months before.

"We could literally do whatever the heck we wanted with anything we wanted on the John Deere Operations Center, period," he told the crowd. As it turned out, Sick.Codes had first disclosed the vulnerabilities to John Deere, which reportedly fixed the problems within days.

Quick action from John Deere kept the vulnerabilities discovered by Sick.Codes simply theoretical. Then again, no software is provably secure. The best anyone can hope for, experts say, is to stay one step ahead of the bad guys. People like Sick.Codes help. In the end, though, it’s on all of us to watch our computers and the networks they connect to, because if we don’t, someone else will.

Who Ya Gonna Call?

Scott Algeier heads the Information Technology-Information Sharing and Analysis Center (IT-ISAC), which gives large organizations the opportunity to share details of attacks they have suffered without worrying about retaliation or legal liability. It includes a special interest group devoted to food and agriculture.

Cybersecurity is massively complex in the details, but Algeier says growers can do most, if not all, of the things they need on their own.

Here is a list of the most important ones:

  • Install antivirus software.
  • Keep all software updated, automatically when possible.
  • Use multi-factor authentication in addition to strong passwords.
  • Use a password manager when you have many different passwords to juggle.
  • Stop and think before clicking on a link or an attachment or responding to a text or email that seems even just a little unusual.
  • Call when in doubt: If you aren’t sure with whom you are dealing, call the person who contacted you and make sure everything is legitimate, since phishing remains the primary way systems become compromised.
  • Back up all your data with an automated routine—and then try to restore it to make sure you understand the process thoroughly for when trouble comes knocking.
  • Have a contingency plan. If bad guys hacked your network to pieces, what would you do? How would you communicate? When?
  • Finally, hire a professional if you lack confidence or get stuck. While security pros aren’t cheap, even a large farm can be protected for not a lot of money. Everyone has different needs and desires. It’s oftentimes easier and cheaper to hire someone who can help.