What, me worry? That may be the response of some specialty crop produce company operators, including farm owners and managers, when the subject turns to cybersecurity risks impacting agricultural operations.
The agricultural industry has for a long time been viewed as low risk from potential cyberattacks. However, with more and more farms and food processing plants adopting new technologies to streamline production and integrate with supply chain services, cybercrime is becoming an increasingly severe threat to agribusiness. The number of attacks is on the rise.
It’s become apparent that many businesses, including farm entities of all sizes, have a problem with the storage and management of personally identifiable information (PII). However, fostering a culture where PII is protected and effectively managed should be a core best practice for modern businesses.
“Every ag company is dependent upon technology,” said Greg Gatzke. “Technology can be used to gain a competitive advantage for your organization, but it can also introduce risk without the foundation of security, maintenance and support. Make sure your company and suppliers have the proper protections and processes to ensure that we can continue producing the food that America needs.”
Gatzke is the president of ZAG Technical Services, an award-winning IT consulting firm and managed services provider based in San Jose and Salinas, California, as well as Boise, Idaho. Gatzke founded ZAG 22 years ago, calling on his extensive experience with the aerospace manufacturing corporation and defense contractor McDonald Douglas and as a consultant with the Network Technology Group. Gatzke has an MBA from Pepperdine University.
Gatzke’s background in farming in Wisconsin has contributed to shaping ZAG’s specific expertise in the agribusiness and fresh produce sectors. ZAG consults with organizations to provide high-end architecture in areas such as cloud computing, virtualization and systems management, as well as a full breadth of managed services.
Security investment essential
“Agriculture is an industry that makes a profit on the decimal points,” Gatzke told Vegetable Growers News. “It operates on high volume, low margins. That doesn’t bode well for IT security. But they are depending on these systems just like a tractor. (Agricultural operators) have to mature when it comes to the technology impact.”
“We work with companies on two main areas – how to keep criminals out, and how to recover once they get in,” Gatzke said. “There are a lot of things we can do that are not that expensive.”
Ransomware attacks targeting the food and agriculture sector disrupt operations, cause financial loss and negatively impact the food supply chain. Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity and remediation costs.
“All (food) processors are technology companies,” Gatzke said of one of the more vulnerable sectors of the ag world. “You can’t print a label on a Post-it note.”
Companies may also experience the loss of proprietary information and PII, and may suffer reputational damage resulting from a ransomware attack.
Pursue the basics
“There’s a need across agribusinesses to create minimum, baseline security standards to strengthen technology systems,” Gatzke said.
“The recent ransomware attacks on Colonial Pipeline and JBS affected the supply chain and consumers directly, highlighting the risks these cyberattacks bring. There’s a need across agribusinesses to create minimum, baseline security standards to strengthen technology systems.”
At a minimum, Gatzke said in a column he wrote for Western Growers, companies must:
1. Implement security standards.
Security solutions that protect an organization’s network, such as antivirus systems and advanced firewalls, along with ongoing software updates and vulnerability tests, are necessary elements of a company’s security strategy. Organizations must also require multi-factor authentication (MFA) for all remote and email access. MFA is a process that authenticates the identity of a person through two or more methods before allowing access to specific applications or accounts. MFA implementation is not foolproof, but it is an essential step in strengthening an organization’s security posture.
2. Be able to recover fast.
Organizations must plan for the worst and be able to recover quickly. If criminals get access to your network, can they destroy your backups? They’ll often succeed. They must be protected. Organizations must have advanced storage that allows them to use snapshots to recover instantly.
3. Make sure your desktops are protected.
Too many IT people think about restoring the servers in the data center. It is our comfortable place. Ask them how they will recover if every desktop is encrypted. This can be more significant than the loss of the servers.
4. Have a formal disaster recovery, incident recovery and business continuity plan.
IT must have a formal disaster recovery plan that explains how they will recover systems should disaster strike. In a disaster, the whole business must know how to respond.
An incident response (IR) plan is critical to guide:
- How communications will occur throughout the company when systems are down.
- Will a ransom be paid?
- How the event will be communicated to customers and vendors.
- When and if law enforcement, insurance and other agencies will be engaged.
Finally, a business continuity plan must be created to instruct the business on operating in a disaster. This includes questions like:
- How will product be produced without computers?
- How will orders be communicated?
- How will product be picked, labeled and shipped?
An IR plan is not for IT; it involves the entire organization and is key to a successful outcome should an intrusion occur.
5. Determine if suppliers pose a risk.
The old adage is that organizations are only as strong as their weakest link. The new reality is that they are only as strong as their weakest supplier. If your suppliers are compromised and can’t deliver, your organization can be shut down. Companies should manage their suppliers to ensure they have protections in place, and that they are secure. Examples of these protections include secure remote access methods, a secure internet presence, email protections to stop phishing attacks and ensuring they do not have exposed logins/ passwords on the DarkWeb.
6. Remain vigilant.
Every ag company is dependent upon technology. Technology can be used to gain a competitive advantage for your organization, but it can also introduce risk without the foundation of security, maintenance, and support. Make sure your company and suppliers have the proper protections and processes to ensure that we can continue producing the food that America needs.
— Gary Pullano, editor