Ag industry put on alert after series of cyberattacks

Jun. 12—A recent surge in cyberattacks on ag companies during critical planting and harvest seasons has prompted a warning from the FBI and efforts within the industry to develop stronger individual and shared defenses.

The agency pointed to ransomware attacks on six grain cooperatives during the fall harvest, plus two attacks earlier this year that could have hurt planting by disrupting seed and fertilizer supplies.

"Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production," the FBI's April 20 notification stated.

"Although ransomware attacks against the entire farm-to-table spectrum of the (food and agriculture) sector occur on a regular basis," it continued, "the number of cyberattacks against agricultural cooperatives during key seasons is notable."

There can be a perception among growers that, because their operations are largely manual labor, they can always go back to pen and paper. While that's true on many levels, functions like labeling, shipping and even quality assurance revolve around data. That leaves critical operations vulnerable to cybercrime.

The FBI noted attacks on ag have in different circumstances slowed processing and interrupted email and website administration. It raised concerns ranging from supply chain problems to commodity trading and stock price impacts.

"An attack that disrupts processing at a protein or dairy facility can quickly result in spoiled products," the agency added, "and have cascading effects down to the farm level as animals cannot be processed."

The list the FBI released of recent cyberattacks on ag focused on ransomware attacks, in which data is stolen or encrypted such that it can't be used and the criminal or criminals demand payment to return access. One of the incidents, in July, spread from a business management software company to the computer systems of clients including ag cooperatives.

Ransomware is not the only kind of cyberattack hitting ag lately, said President Greg Gatzke of ZAG Technical Services Inc., a managed services and information security company based in San Jose.

Another strategy used by criminals, he said in an interview, is trying to trick a company into sending what appears to be a vendor payment to a new account that is actually the criminal's bank.

Cyber-thieves may also work to gain access to a company's computer system so they can gather personally identifiable information, such as Social Security numbers, Gatzke noted. Criminals sometimes post that information for sale online. Companies whose systems have been compromised are required to file paperwork and put out notifications, and they may be exposed to class-action lawsuits.

Depending on when the attacks hit, unprotected companies may be at the criminals' mercy.

"It's just the nature of the speed at which ag operates," he said. "So, the impact is much higher to (farmers)."

Ag operators who think they can switch to paperwork at a moment's notice are sometimes in for a surprise, Gatzke said. Invoicing, recording measurements, labeling — "all those things use computers," he said.

Hardening their systems against cybercrime is especially hard for ag companies working on slim profit margins. But Gatzke said protective measures, some of them free, are being taken by individual operators, and groups of companies are looking at building common defenses. In his opinion, more needs to be done.

"I will say the industry is not ready" to fully repel the threat, he said, adding he has seen losses between $40,000 and $200,000 caused by cyber-thieves. He advised against paying criminals to restore data and noted that cyber-insurance can be hard to get because of recent losses.

Employees should be trained so they go from being a company's weakest link to standing as its first line of defense, Gatzke said. Multifactor authentication is a must, he said, and computer passwords should be strong. He recommended barring web browsers from visiting certain kinds of sites.

"Defense wins championships," he told participants in a webinar ZAG put on Thursday.