From farm-to-phish: hackers set their eyes on the agriculture sector

Hackers follow opportunity, and they’re increasingly finding it in agriculture and food production.

A combination of poor preparation, complex machinery and vulnerable supply chains is cooking up a dish that’s tempting for cyberattackers – but could be poison for your business. 

Agriculture and food production is an increasingly popular target 

Agriculture accounts for over half of Australian land use and could be worth $100 billion by 2030, according to the National Farmers’ Federation. Guess who wants in on the action? Cyber-crooks of course: the sector is the sixth most likely to record a data breach. 

Big-name ransomware attacks in the last few years have crashed the wool industry, putting 75% of brokers offline, and halting milk production. In 2021, 47 JBS abattoirs across Australia were forced to shut down operations for five days after the food processing giant was hit with ransomware. “The major organised crime groups that run these attacks have called out that they're targeting agricultural groups,” says Darren Hopkins, cybersecurity expert at McGrath Nicol. “Moving forward it's an area they're looking to actually disrupt more.” 
 

But it’s not just about the big guns 

These major ransomware attacks have made the headlines, but countless other incidents don’t. Smaller organisations often think they’ll escape cybercriminals notice, but in fact the opposite is often the case: many attacks are indiscriminate, and others may actively target businesses with poor defences. Overall attack numbers are rising, with a 13% rise in incidents reported year on year, according to the Australian Cyber Security Centre. 

So who’s coming for organisations in sectors such as agriculture, fishing and forestry, and why? 

• Cybercriminals who wish to profit from stolen data or commit fraud. 

• Sophisticated, state-linked gangs who want to sow disruption. 

• “Hacktivist” campaigners who wish to draw attention to issues by disrupting services or gathering data. 

• Insiders who see an opportunity to profit by working with the above groups. 

Agriculture organisations must understand the threats they face 

The industry is a choice target for these attackers partly because it often underestimates or misunderstands today’s threat landscape. Less than 20% of organisations surveyed by research group Agrifutures had completed a full risk assessment. It’s hard to build a functional cybersecurity strategy without an understanding of the value of your assets, the cost of protecting them and the impact of different attack types. 

Part of the problem, of course, is that the Australian agricultural sector is hugely diverse, spanning everything from small family farms to giant agricorps. Security procedures are unlikely to be standardised at smaller organisations, but even larger groups may have a legacy mindset that reflects a time when relatively few processes were networked. What’s more, when businesses do identify a threat, they’re often wrong: the survey found that many farmers identified hacktivists and rival organisations as their principal cyber threats, when attacks on supply chains are more likely. 

A security strategy is essential in our networked world 

The answer to the sector’s cyber conundrum will vary company by company: the largest organisations should hire a top CISO and security team, and resource them effectively. Smaller businesses might base their policies on industry security frameworks or outsource their cybersecurity to third-party specialists. 

The need is pressing because farming has been transformed in the last few decades. Tasks that might have been done by hand are automated and controlled by Internet of Things (IoT) devices that offer cost savings and efficient controls – but also offer multiple points of weakness for criminals to attack.  

Drones, sensors and violent tractors: attackers can weaponise almost anything 

Remote sensors, drones, robotics, farm management and GPS systems that are open to the internet can all be hacked, whether for blackmail, data theft or pure disruption – the latter such a serious risk to the country that food production is included on the government’s Critical Infrastructure list, meaning the reporting of serious cyber incidents is mandatory. 

The ways in which IoT machines can be disrupted was illustrated in 2022, when a security researcher installed the 90s shoot-em-up Doom on a Jon Deere tractor. The hack aimed to put pressure on the manufacturer to revise its restrictive proprietary controls, but was also a vivid illustration of how common machines can be hacked and misused. 

Hackers may strike at your supply lines or data, with disastrous effects 

Security controls are often relatively informal in the sector, with a lack of staff cyber awareness training, limited use of more secure techniques such as Multi-Factor Authentication (MFA) for employees and poor preparation for an attack (only around 10% of businesses in the sector have an incident response plan). 

As technology has grown more advanced, supply chains have often become more distributed and data-heavy – yet many businesses have little visibility on the risk suppliers, hardware manufacturers, packagers and other partners may bring to their data or business. 

The results of these attacks can be cataclysmic, and may include: 

• Immediate disruption to business critical operations 

• Reputational damage 

• Fines from regulators if privacy is breached 

• Legal action and remediation costs 

• Ransom payments 

• Damaged relationships with partner organisations 

• Compromised trade secrets 
   

How your business can manage cyber risk 

So how can agricultural businesses stay safe? The good news is that, while the sector faces unique problems, security approaches are not too different to those adopted by other sectors, particularly IoT-heavy businesses such as manufacturing. 

As we’ve noted, depending on your organisation’s size or maturity, you may be best-served by joining with third-party cyber specialists or running your own team. Government guidelines and maturity frameworks such as Essential Eight can help companies develop a solid security plan. While no policies can guarantee cybersecurity, there are some key measures to help manage risk: 

• Formalise data controls surrounding password use, data sharing and asset management. 

• Audit your data, consider where it is stored and whether unused data can be deleted. 

• Set awareness training for employees, and ensure it is frequent and relevant to their roles. 

• Use appropriate anti-virus software or firewalls, and ensure software is promptly updated and patched. 

• Use structured cyber risk management to assess vulnerabilities across your business, and ensure IoT and personal devices are included in it. 

• Set up incident response and disaster recovery plans covering different threat scenarios, with contact details and next steps, and ensure it is frequently updated and stakeholder-approved. 

• Assess vulnerabilities within your supply chain, which is only as secure as its weakest link. 

• Consider different technologies: many organisations benefit from moving to cloud storage and security, while blockchain technology can track your materials and products and is harder to hack. 
   

Hackers are making hay – it’s time to fight back 

In the face of threats from ransomware gangs, state disrupters and hacktivists, many agriculture organisations are playing catch-up with their security. Thankfully, despite supply chain vulnerabilities and the risk associated with increasingly sophisticated IoT devices, basic cybersecurity procedures can help safeguard farms, fisheries and food producers. There’s no one-shot solution, and your response will depend on the size and nature of your business. But, as threats gather, the time to tighten your controls and educate your staff is now.