Lactanet and Ontario Pork are two recent victims of ransomware attacks, joining other agri-food businesses such as JBS, Sollio Agriculture and Maple Leaf Foods.
According to Canada Research Chair in Cybersecurity and Threat Intelligence Ali Dehghantanha, a key reason attacks on agriculture are increasing is on the rise is the industry’s increased data reliance, the Internet of Things and cybercriminals looking for easy, profitable targets.
“If it takes attackers 10 minutes to compromise your infrastructure, get into your network, initiate ransomware and ask you to pay for it — they won’t hesitate.”
He said most cybercriminals are opportunistic. They initiate a data breach, then monetize information on the dark web and extort the target to release encrypted information. It doesn’t matter if you’re a small producer or a multimillion-dollar health care, financial or agricultural operation — if your system is vulnerable, eventually you will be a target, said Dehghantanha, who’s also an associate professor at the University of Guelph.
At the university’s Future of Cybersecurity in Agriculture event last month, he shared a story of how an Ontario dairy farmer called him one night at 10 p.m. because his IT system wouldn’t function. Dehghantanha found that 80 (ITremove) servers were encrypted, indicating previous attacks. The producer admitted he’d paid hackers twice already, but the increase to a ransom of $25,000 this time was too much.
During containment, eradication, and recovery, Dehghantanha assessed that the first sign of attack was three years ago, with increased activity over the last year and several “backdoors” integrated into the system. “(Ransomware is) usually the very last stage of the attack,” because, Dehghantanha explained, before executing an attack, hackers thoroughly assess a system, install ransomware and backdoors for re-entry.
The client refused Dehghantanha’s offer of a free cybersecurity program in exchange for a few weeks of monitoring as part of an efficacy case study. Within 20 days, his entire system, including the RFID reader, robots and backup system was encrypted and a US$9.999 million ransom demand was made.
He’s now part of the monitoring system. State-sponsored hacking teams from countries such as Russia or China are less visible and focus more on disrupting systems, said Dehghantanha. For example, hackers could compromise the Canadian dairy system by accessing and reconfiguring software to falsify poor results when uploading milk quality reports.
“We were either lucky or well-prepared to face that situation, so there was minimal disruption in the grand scheme of things,” said Daniel Lefebvre, Lactanet COO and Centre of Expertise director.
“We had a bit of disruption in our client access to our system, but in a preventative way while we were investigating.” Recognizing that cyberthreats were ubiquitous, Lactanet employed KPMG two years ago to run cyber-risk assessments, gradually implementing the recommendations. This included hiring a 24/7 Managed Detection and Response (MDR) team to work with staff cybersecurity experts. Lactanet’s cybersecurity education and training program includes running fake phishing campaigns that redirect employees to training modules after clicking on a potentially harmful link before granting system access.
“We’ll beef up those requirements following this attack to make sure it doesn’t happen again,” Lefebvre said, adding that compromised client credentials pose a negligible risk unless robots share the Lactanet password. “Then that’s another story.”
After acquiring an employee’s stolen credentials, where a work-related password was used for Amazon or a bank account, hackers gained system access via the Virtual Private Network (VPN). “I think it’s a pretty sophisticated ecosystem; there’s a market on the dark web for credentials,” he said. “When they buy a dataset of those credentials, they look at what are the companies involved or even specific employees.”
Initially, the changes to administrative passwords, server configuration and inactivation of protection mechanisms didn’t trigger an alert because they were within the compromised employee’s range of movement.
The brute force used to guess the IP phone system password exceeded the suspicious activity threshold, triggering the detection teams to monitor activity and respond to the threat. “They worked for about three hours together on the phone to monitor and look at what they were doing while the hacker was active,” Lefebvre explained. The hacker’s IP address was identified and blocked, the employee’s computer disconnected, and because the hacker remained active, the team initiated a preventative system disconnection from the internet and conducted a forensic system assessment.
Lefebvre said the attackers encrypted two servers holding source code for older system applications but failed to significantly impact the six server farms housing 300 servers on a mix of physical and virtual platforms. Additionally, Lactanet maintains three comprehensive backup levels housed separately, which allowed for a seamless reboot after a hack eight years ago. “We conduct disaster recovery simulations on a regular basis to make sure they work well,” he said.
“Backups are a crucial part of our protection because cybersecurity is one thing, but there are other risks related to data loss; it could be fire, flood or malfunction of hardware.”
Lefebvre said the company easily spends north of $150,000 a year on cybersecurity protection, as recovering from a day or two of service disruptions is manageable compared to the six weeks a European counterpart dealt with. “That’s at least a month of revenue that’s gone out the window, in addition to all of the service disruptions to customers.”
Lefebvre pondered if the industry should assess the benefits of shifting away from fragmented data systems towards a collaborative and co-operative centralized aggregated data system. He said it would be costly and take time but has proven successful in Denmark. “When you have events like this, it comforts the thought of spending all that money because not having it would put us in a much worse situation.”
Ontario Pork chair Tara Terpstra said that despite ongoing staff cybersecurity training, the in-depth education cybersecurity experts provided after the organization’s breach was eye-opening.
“(At the time) it was just trying to stay calm and listening to what they were advising us to do and what steps to take. We were learning constantly.”
She said the experts simplified hacker communications and advised on safeguards to protect the organization’s system in the future. Because risk levels and protection perceptions fluctuate between individual producers, organizations or commodities, Terpstra said it is challenging to create blanket solutions for the agriculture industry.
Like biosecurity protocols, cybersecurity prevention could differ from operation to operation, with some employing basic standards and others engaging a more robust system. “We have to protect our farms and farm businesses from cybersecurity threats, not just disease threats, (and) it’s just one more thing we have added to how we run our every day,” she said.
Ontario Pork’s new cybersecurity protocol with multi-factor authentication protects the organization but providing producers with farm and business threat mitigation tools is a priority.
“We can give them tools on what to do, but we can’t force them to adopt them,” explained Terpstra. “Whether it’s a cultural thing or an age thing for those maybe a little more resistant to technology, they have to decide for their family farm.” Attacks on agriculture and agri-food operations are happening faster than Terpstra ever imagined, and with hacker technology advancing rapidly, all organizations will continuously invest in safeguarding their systems.
“I think it’s going to always just be this ongoing concern for us now,” she said. “(We) have to evaluate different things when it comes to cybersecurity planning, which is essential going forward in the world we’re living in.”
Source: Farmtario / Diana Martin