GIAC Cyber Security Discussion Paper

Summary

From the OECD-FAO Agricultural Outlook (OECD, 2023), global population is projected to grow from 7.9 billion in 2022 to over 8.6 billion people in 2032.  To keep up with the growing population, global agriculture is witnessing the rapid implementation of new digital-based technologies to increase agriculture and food production. In respect to Agriculture 4.0, the expansion of new technologies such as robotics, aerial imaging, digital mapping of seeds, and GPS are just a few examples of the expansion of technology in agriculture. Consistent with an increased use of digital tools, there is a need to maintain and update protections for food and agricultural products from farm to table, not just physical protections, but also digital protections via cybersecurity. New digital technologies enable opportunities for more advanced agriculture production but also provide multiple platforms for cyber-attacks. What role should USDA AMS play in helping defend critical infrastructure and ensure viable supply chains in the U.S. grain industry?

Background

Concerns and Challenges of Data Security in Agriculture

While cyber-attacks are a challenge across many industries, agribusinesses are particularly vulnerable due to lack of preparedness to address these threats. Cyber-attacks can severely disrupt agricultural operations, leading to issues of the integrity of food supply chains, as well as severe economic losses. Several factors contribute to the heightened risk of cyber-attacks in agribusinesses.

Hackers and cyber attackers are targeting agribusinesses due to the value and wealth the sector holds. The nature and abundance of agricultural data, including information ranging from crop cultivation and harvest schedules to financial records, makes agribusinesses targets for ransom demands. Advanced farming techniques like precision farming have led to an increase in the volume of data at risk, further broadening the sector's vulnerability to breaches. Precision farming employs modern advancements like sensors, drones, and data analysis software to enhance resource productivity and farm management decisions. The vast data collected by these technologies has led to growing concerns regarding the privacy of farmers’ information (Kaur et al. 2022).

The widespread adoption of internet-connected devices in agriculture, known as the Internet of Things (IoT), provides valuable insights for farmers but also creates significant security vulnerabilities. Many IoT devices lack strong security measures, making them easy targets for various cyber threats like data theft and denial-of-service attacks. Industry 4.0, the fourth industrial revolution is supposed to be bringing new structural and corporate changes that are based on digital technologies, including Artificial Intelligence (AI), IoT, cloud computing, CV, AR, autonomous robots, Big Data, and cybersecurity (Silva et al. 2023). The use of AI tools in farming, such as smart collars for livestock monitoring and automated decision-making systems, brings a new area with potential for cyber-attacks. These AI-driven technologies, including precision farming tools, may be targeted by hackers aiming to disrupt operations by tampering with data or machinery. 

As the nature of agricultural information storage becomes more data-driven and connected, farmers rely heavily on third-party providers like agricultural technology companies (ATPs) for crucial services such as data analysis and payroll management. However, this shift has further raised worries about the security and privacy of data in the supply chain that cyber attackers could potentially exploit.

In addition to insider data leakage and cloud data leakage, another form of cyber-attack trend observed in agribusinesses are instances such as false data injection, where the hackers falsify data via real-time information to tamper with decisions and results; and misinformation attacks leading to issues involving data integrity. In this attempt they would release misinformation such as disease outbreaks which requires significant investment of time, effort and money to disprove the released report (Gupta et al. 2020).

Recent Incidences of Cybersecurity Attacks in Agriculture

The use of digital technologies has been viewed as part of the solution to challenges such as rising costs of inputs, climate change, and labor shortages, and they offer opportunities for value-addition, access to transactions, and improved traceability, among others. However, as agriculture adopts data-driven technologies, cloud-based storage, open-sourced software, and proprietary management tools, cyber-attack opportunities expand. The United States Agency for International Development (USAID) has pinpointed greater cybersecurity risks for agriculture and food security with the increasing reliance on Internet-enabled devices and data-driven technologies that involves the generation and use of large volumes of data. In fact, several incidents have been recorded in recent years across the world vis-à-vis data and systems breaches in the food and agriculture industry, across a broad spectrum of small and large companies, farms, and cooperatives. Most cyber-attack incidents aim to slow or shut down the agricultural and food production and distribution systems for ransom payments or, in some cases, to disrupt prices or to get proprietary information from a specific company. Some attacks have been notably timed to coincide with critical periods in the farming calendar, such as planting and harvest seasons. The impact of these cyber-attacks is multifaceted and extends beyond immediate financial losses.

According to the 2023 Internet Crime Complaint Center (IC3) Report of the Federal Bureau of Investigation (FBI), a total of 2,825 ransomware complaints were filed across all sectors, amounting to about $59.6 billion losses. Of this, 1,193 complaints belong to 16 identified critical infrastructure sectors, which includes the food and agriculture industry. Recently, agricultural cooperatives have been targeted by a variety of cyber-attacks due to their crucial role in the food supply chain and the time-sensitive nature of their operations. An attack during peak seasons could significantly disrupt the supply of essential goods such as seeds and fertilizers, thereby affecting planting schedules and ultimately, the food supply chain. The FBI has observed such patterns of attacks, with several incidents reported during the fall 2021 harvest and ahead of the 2022 planting season. With the pressure to maintain supply chain integrity, these cooperatives might be perceived as having a higher willingness to pay the ransom, making them lucrative targets for ransomware actors (FBI, 2021, 2022).

Other countries are also vulnerable to cyber security attacks, with high-profile incidents being reported across continents. Another form of cyber-attack is the Business Email Compromise (BEC), which targets companies, particularly those with international suppliers or those that regularly perform wire transfer payments. This form of attack involves cybercriminals gaining access to or impersonating corporate email accounts to deceive a particular company, its customers, employees, or business partners out of money or for sensitive information, distinguished with the use of domain names of the companies but with slight variations. The FBI IC3 report revealed approximately $2.4 billion financial losses due to BEC in 2021, including incidents targeting the agriculture sector. Some of the reported major cybercrime incidents, encompassing ransomware attacks, phishing attempts, and BEC, from 2020 to 2023 are listed in Appendix 1 of this report. Other documented cyber-attacks involving the food and agriculture sector can also be found in Kulkarni et al. (2024).

Next Steps

In response to these growing threats, there is an urgent need for robust cybersecurity measures within the food and agriculture sector, especially the grain industry. This includes implementing best practices such as regular security audits, employee training on recognizing phishing attempts, and adopting more secure technologies. Collaborations between governmental agencies, industry stakeholders, and cybersecurity experts is also crucial to developing strategies to mitigate these risks. Furthermore, the development of international standards and regulations can help enhance cybersecurity postures across the grain sector, ensuring that food and agricultural systems can withstand and quickly recover from cyber-attacks, and that supply chains are not disrupted.

References

Bowcut, S. (2024, January 15). Shielding the supply: Cybersecurity in food and agriculture. Retrieved from https://cybersecurityguide.org/industries/food-and-agriculture/#attacks

Federal Bureau of Investigation. (2021, September 1). Cybercriminal actors targeting the food and agriculture sector with ransomware attacks (Report Number: 20210901-001). Retrieved from https://www.cisa.gov/sites/default/files/publications/PIN_20210901.pdf

Federal Bureau of Investigation. (2022, December 15). Criminal actors use business email compromise to steal large shipments of food products and ingredients (Report Number: AA22-340A). Retrieved from https://www.ic3.gov/Media/News/2022/221216.pdf

Flowers, B. & Gomes, N. (2022, May 6). AGCO ransomware attack disrupts tractor sales during US planting season. Reuters 

Gatlan, S. (2023, May 9). Food distribution giant Sysco warns of data breach after cyberattack. Bleeping Computer 

Ghosh, S. (2020, November 11). Apparent data breach at BigBasket reveals the need for e-commerce players to bolster cybersecurity measures. CSO Online

Haddon, H. (2021, June 11). McDonald’s hit by data breach. The Wall Street Journal

Kulkarni, A., Wang, Y., Gopinath, M., Sobien, D., Rahman, A., & Batarseh, F. A. (2024). A Review of Cybersecurity Incidents in the Food and Agriculture Sector. arXiv preprint arXiv:2403.08036.

Lyngaas, S. (2023, February 22). Cyberattack on food giant Dole temporarily shuts down North America production, company memo says. CNN Business

OECD/FAO (2023), OECD-FAO Agricultural Outlook 2023-2032, OECD Publishing, Paris, https://doi.org/10.1787/08801ab7-en.

Salaria, S. (2020, October 16). Food major Haldiram’s attacked by ransomware, hackers demanded USD750,00 for decryption. Times of India

Staff, T. (2020, July 17). Cyber-attacks again hit Israel’s water system, shutting agricultural pumps. The Times of Israel. 

USAID (United States Agency for International Development). (2023, October 17). Cybersecurity briefer: Agriculture and food security. Retrieved from https://www.usaid.gov/digitaldevelopment/cybersecurity/agriculture-food-security-briefer

Walla. (2023, April 9). Cyber-attack leaves irrigation systems in upper Galilee dysfunctional. Jerusalem Post

Whittaker, Z. (2020, May 20). Home Chef confirms breach after 8 million user records found on the dark web. Retrieved from https://techcrunch.com/2020/05/20/home-chef-data-breach/

Acknowledgements

The author wishes to thank the students at Iowa State University who assisted in compiling this report.

Appendix 1. Summary of reported cybercrimes involving the food and agriculture sector

Date

Industry

Details of attack

Estimated Loss

Reference

May 2020US-based food distributor (Harvest and Sherwood Food Distributors)Confidential information of the two companies, including proprietary vendor information, cash flows, insurance, and even drivers’ license images, were stolen. The hackers demanded $7.5 million in ransom payments from the company in exchange to not leaking their confidential information to the publicBowcut, 2024
May 2020US-based start-up delivery service (Home Chef)The company experienced data breach, with private information, including credit card numbers and mailing addresses, of their customers being sold in the dark web marketplace Although this type of type of security breach does not have direct effect on the company, the customers’ sensitive information was put at riskWhittaker, 2020
July 2020Water infrastructure in IsraelTwo cyber-attacks targeting Israel’s agricultural water pumps occurred in 2020, amidst escalating tensions between Israel and Iran. Fortunately, the attacks did not cause significant harm as the affected drainage installations were promptly repaired by local authorities. Staff, 2020
July 2020Snacks manufacturer in India (Haldiram)The Indian-based snack manufacturing company suffered a major data breach, with hackers having access to their sensitive files, applications, and systems$750 thousand ransom demand for the stolen data was asked by the attackers.Salaria, 2020
August 2020US-based non-profit food provider (Loaves and Fishes)Third-party software and management system provider (Blackbaud) was hacked, and crucial information of the organization’s donors were put at riskedBlackbaud had to pay ransom demand of the cyber attackers to prevent them from leaking protected information of their clients, which includes Loaves and FishesBowcut, 2024
October 2020Indian-based online grocery platform (BigBasket)Considered as the largest loot in Indian cyberspace, the data breach on an e-grocery platform in India resulted to leakage of personal information of about 20 million users on the dark web.The attackers put on sale the personal data obtained from the BigBasket server for about $35 thousand Ghosh, 2020
November 2020International food and agriculture business Ransomware attack using phishing email with malicious zip file attachmentThe company was asked with a $40 million ransom, but the company was able to restore their system using their backups without paying the ransomFBI, 2021
January 2021US farmRansomware attack through compromised credentials, leading to access in the farm’s internal servers $9 million production loss from the temporary shutdown in the operationsFBI, 2021
March 2021US beverage companyRansomware attack causing disruption in the operations, production, and logistics

 

FBI, 2021
May 2021Global meat processing company (JBS)Ransomware attack leading to data exfiltration and shutdown in operationsThe temporary shutdown drove a shortage in the supply and spike in the prices of meat, estimated at 25% in wholesale price. The company had to pay $11 million in bitcoin to the attackers to mitigate further lossesFBI, 2021
June 2021Global restaurant chain (McDonald’s)Incidents of system breach in McDonald’s US, South Korea, and Taiwan were reported in 2021, with cyber attackers gaining access to customers’ and employees’ personal information

 

Haddon, 2021
July 2021US bakery companyRansomware attack which led to loss in access in the internal server of the companyThe company was shut down for about a week, which resulted to delays in orders and eventual damage in the company’s reputation FBI, 2021
July 2021Agricultural cooperativesA business management software company was infiltrated, which led to secondary ransomware attacks on its clients, including various agricultural cooperatives$30 million ransom demand was asked by the attackers FBI, 2022
September – October 2021Grain cooperativesSix grain cooperatives, including Iowa’s NEW Cooperative, Minnesota’s Crystal Valley, and Sandhills Global, suffered ransomware attacks in the fall of 2021 which resulted to loss of administrative functions and complete halt in operationsShut down of operations, including an online platform for auctioning of farm equipment, and disruption on the supply of production inputs such as seeds and fertilizers. The attack on Iowa’s NEW cooperative also impacted about 40% of US grain producers FBI, 2022
February 2022Food manufacturerFour cases of fraudulent bulk orders of whole milk powder and non-fat dry milk were supplied by a food manufacturer using real employee names and slight variation in the domain name of the companiesOrders amounting to $600 thousand were released without payment by the food manufacturerFBI, 2022
February 2022Feed milling companyThe company reported unauthorized access into its system, a precursor for an attempted ransomware attackEncryption was prevented as the attempts were detected and stopped in timeFBI, 2022
March 2022US-based multi-state grain company The company's operations consist of grain processing and provision of essential services such as seed, fertilizer, and logistics suffered a ransomware attack during preparation for spring planting season 

 

FBI, 2022
April 2022Grain producer in UkraineRussian military intelligence unit reportedly put a file encryptor on the network of Ukraine-based grain producer during the early part of the ongoing Ukraine-Russia warAlthough the file encryptor was not yet activated during the report, it will be at risk especially with the importance of food supply in the regionUSAID, 2023
April 2022US food manufacturer and supplierThe supplier received a web request from another food company, using the name of their president, for bulk order of whole milk powder. The supplier refused to release the second shipment without payment, only to find out the slight variation on the email address used by the cyber criminals. The supplier released first of two shipments, amounting to $100 thousandFBI, 2022
May 2022Worldwide manufacturer and distributor of farming equipment based in France (AGCO)AGCO, a major provider of farming equipment in the US, reported several incidents of ransomware attacks and data exfiltration causing disruption in the production of their affected sites, including a tractor assembly facility. Temporary shutdown of operations lasting for about two weeks resulting to production lossesFlowers & Gomes, 2022
August 2022US sugar supplierThe sugar supplier received an online order for a truckload of sugar to be purchased through credit from another US-based company. The request contained grammatical errors and was sent from an email address with an extra letter in the domain name, prompting the supplier to verify from the actual company, therefore preventing the scam

 

FBI, 2022
August 2022Multinational snack food and beverage companyA food distributor received an email request for two truckloads of powdered milk from a multinational food and beverage company, using the name of the chief financial officerThe company had to pay $160,000 to the supplier after responding to the fraudulent requestFBI, 2022
February 2023Global fruit and vegetable producer (Dole)Systems of Dole company in North America were temporarily shut down following a ransomware attack in its production facilitiesThe breach affected 3,885 U.S. employees, and the financial impact during the first quarter was approximately $10.5 million. Lyngaas, 2023
April 2023Israel’s irrigation systemsIsrael's irrigation system was targeted by another cyber-attack, resulting in damage to the water controllers that manage field irrigation in the Jordan Valley and the control systems of the Galil Sewage CorporationThe attack left irrigation systems dysfunctional in the Upper Galilee region, highlighting the vulnerability of critical infrastructure to cyber threats.Walla, 2023
May 2023Global food distribution company (Sysco)Unauthorized access and system breach were reported by Sysco, with attackers stealing data from the company’s system including payroll and social security number of their employeesA total of 126,243 employees were put at risk due to the cyber attackGatlan, 2023