The last few months have seen a clamour of voices alerting companies to the increase in security incidents in the agrifood industry. In this rapidly developing sector, farms are embracing the concept of precision agriculture, while food factories are using highly automated processing and production lines. With so much connected equipment, cybersecurity has become an issue of key importance to the agrifood industry. We look back at 2021 – a year unlike any other for the agrifood sector.
Cyberattacks on the agrifood industry have been a reality for several years.
Could we have missed some weak signals?
But drowned out by the background noise and confusion of the health crisis, feedback and calls for caution have not been given the priority they deserve. And the need is indeed great, given the use of many connected tools in the modern agricultural sector. Farmers today use such technology as hygrometric sensors, GPS beacons and smart tractors to control the production of their smart farms with data collected by different tools, just as any other technological company would. And it’s the same story for agrifood groups; production and processing lines are now automated, and share data from all over the world within the same company. A host of devices; a host of targets for cybercriminals. This is even truer regarding operational equipment, which is online but too often undeclared, and – more importantly – uncontrolled. Welcome to the world of “Shadow OT”.
In July 2020, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) published a recommendation for industries of vital interest (including the agrifood industry) concerning the “immediate need to reduce exposure to remote management tools” that could have a “very serious impact on critical infrastructure.” This recommendation referred in particular to all old-generation operational equipment (OE), especially ICS/SCADA systems, which are the most commonly used monitoring systems in food processing plants and must therefore be protected. In the same document, the NSA and CISA also listed a series of attack tactics and procedures:
- use of spear phishing techniques to gain illicit access to the traditional company network (IT) and then infiltrate the company’s production network (OT);
- connection to Internet-connected PLCs without prior authentication via industry-standard ports and protocols;
- corruption of the software publisher’s update mechanism;
- all with the aim of deploying malware (e.g. in the form of ransomware on both networks, in order to paralyse the production tool by encrypting the company’s data).
This document is important because it points to a change in attacker methodologies, which are now more complex than mere random and pre-scheduled releases. The result: more sophisticated, targeted and devious cyberattacks that have seriously impacted the agrifood industry.
The agrifood industry: a prime target for cyberattacks in 2021
And from 2021 onwards, large companies in the sector have been targeted by cyberattacks. In February, April and May 2021 respectively, the French company Lactalis, the French champagne producer Laurent Perrier and the American company Molson Coors – the second largest brewer in the United States – announced that they had fallen victim. The same month saw another particularly high-profile cyberattack, against Brazilian agrifood group JBS Foods. In terms of numbers, the group is the world’s largest producer of beef and poultry, as well as the second largest producer of pork. On 30 May 2021, the JBS Foods IT security team discovered that servers in North America and Australia had been targeted by cybercriminals. Having fallen victim to a ransomware attack, with responsibility claimed by the REvil group, the company was forced to halt its activities in the United States, Canada and Australia from 31 May to 9 June 2021. Some time later, the company revealed that it had paid a ransom of 11 million dollars to regain access to its data. This is a historic sum for a food industry player of this size, and a landmark episode demonstrating that agrifood companies are sensitive to cyber risks.
In September 2021, the list of victims grew further with grain cooperative New Cooperative, the 51st largest in the US, which was hit by the BlackMatter ransomware. At the same time, French wine and spirits distributor La Martiniquaise reported a cyberattack involving data theft. And a few days later, another American cooperative – Crystal Valley – also announced that it had been hit by ransomware using a similar methodology to the attack against New Cooperative. A few weeks later, a two-pronged attack in France targeted Breton agrifood group Jean Floc’h and Parisian caterer Dalloyau, both of which suffered an attack by the Conti ransomware. And just a few days later, it was the turn of the French agrifood group Avril to fall victim to a cyberattack, apparently following a phishing attack. The company then immediately cut off all employees’ access to email and all digital tools. Finally – once again in the United States – refrigerated food storage giant Americold announced that it had been hit by a cyberattack in November 2021.
Given this onslaught, British experts have publicly expressed alarm at the vulnerability of the country’s agrifood chain, which is only 50% self-sufficient in food production – and therefore dependent on imports. A targeted cyberattack on a single link in the supply chain could thus disrupt the entire industry and have far-reaching consequences that could prompt a call to reshape UK policy on the subject. And cyberattacks against the agrifood industry are likely to change in the months and years to come. The target: the many connected tools that agriculture is increasingly using today, in common with any other technology business. During the DEFCON 29 conference, a cybersecurity expert demonstrated the ability to remotely take control of a John Deere tractor. For now, an act of this kind is simply a demonstration at an event, yet it opens the door to new security incidents in future...
But for agrifood companies, which are by nature critical and vital players, how is it possible to respond to these cyber threats? Part of the answer lies in network segmentation and Intrusion Prevention System (IPS) and Endpoint Detection and Response (EDR) technologies, which form part of the cybersecurity protection mechanisms of several critical agribusinesses. EDR, for its part, identifies abnormal or malicious behaviour on machines, such as escalation of privileges or installation of malware. Combined with network segmentation and IPS, it provides effective protection against discovery and lateral movement attempts.
An industry facing cyberattacks... and global warming
Regarding threat potential, particular attention should also be paid to the hacking of Kaseya RMM and SolarWinds, which opened up a new opportunity for cybercriminals to mass-distribute viral loads directly to each of these companies’ customers. In case the acronym RMM (for Remote Monitoring and Management) doesn’t ring a bell, the term refers to a tool for remotely monitoring and managing IT infrastructures. These tools are now widely used by IT service companies, offering flexibility and simplicity in infrastructure management, and – most importantly – are recognised as trusted tools by cybersecurity solutions. The compromise of these two market leaders has enabled cybercriminals to fly under the radar because the actions performed by these solutions are insufficiently scrutinised by cybersecurity authorities, due to their trusted status and the similarity between malware “installation” activities and their usual activities. Over the course of 2021, several thousand companies have been affected by these mass supply chain attacks via ransomware campaigns. In July 2021 in Sweden, the 800 food shops of the Coop chain suffered collateral damage from the Kaseya RMM incident. In all, no fewer than 130 of the company’s IT service providers were apparently impacted by the cyberattack.
In the wake of such cyberattacks, several consequences seem possible for the future of the agrifood sector. The first consequence that comes to mind is that of economic interference. By disabling food production or distribution, it would be possible to create a shortage leading to higher prices (and in an extreme case, serious food shortages). And while this scenario may sound like something out of a thriller, the impact of global warming could (further) amplify the consequences of such attacks. According to predictions by experts from NASA and the IFAD (International Fund for Agricultural Development), we can expect climate change to impact key commodities such as wheat, maize and rice, with yields and production set to fall drastically by 2030.
The sudden acceleration of cyberattacks on the agrifood industry in recent months suggests, therefore, that a systemic crisis is a possibility. As is the case in the field of health, it is imperative that agricultural and agrifood companies (large and small) become aware of the phenomenon and the issues at stake, and receive support in improving their cybersecurity.