
Ransomware scares and fact-checking our intuitions


Canada’s federal security agency for the IT sector recently reported a significant year-over-year rise in the number of ransomware attacks worldwide — including some infamous attacks on agribusiness. Dr. Janos Botschner of the Community Safety Knowledge Alliance explains how ransomware attacks happen – and why the ag sector specifically may have reason for concern ahead. Also: farmer Toban Dyck, a columnist for the Western Producer and Grainews, considers whether the decisions any of us make are always as rooted in logic and reason as we believe them to be. Hosted by Dave Bedard.

[podcast_transcript]

Dave Bedard: [00:00:07] Hi and welcome to Between the Rows, I’ll be your host this week, Dave Bedard, get set to hear more discussion about ransomware. We know how it can be used to throw a wrench into the works for huge corporations and cause hassles or hardships for millions of their customers. But the next important company it affects could be you.

Janos Botschner: [00:00:25] Everyone or every business is potentially vulnerable, you know, regardless of the size and, you know, being in an out-of-the-way rural location doesn’t mean that you’re necessarily secure.

Dave Bedard: [00:00:39] Also, we’ll be hearing some thoughts on our decision-making processes. Would we still be running our operations the same way if our every move was based strictly on logic and science? And are we doing so as much as we think we are?

Toban Dyck: [00:00:54] What is clear to me isn’t necessarily clear to you. What is obvious to you may not be obvious to me. I believe we, as farmers, settle into ways of doing things that over time create conditions for blind spots to emerge, and that not being aware of this keeps us from seeing the obvious and adapting to change.

Dave Bedard: [00:01:17] Lots of food for thought this week on Between the Rows. And we’ll dig in right after this.

Commercial: [00:01:22] At your Nutrien Ag Solutions Retail, we take seed seriously. Getting it right for your farm requires the right knowledge. That’s why we operate the largest retail seed trial program in western Canada. Our local experts can provide you with advice for balancing maturity with disease traits and getting the best seed to your crop. After all, we take your harvest seriously. Talk to your local retail today or visit NutrienAGSolutions.ca.

Dave Bedard: [00:02:00] If it seems like hardly a week goes by these days without new reports about ransomware, we might want to get used to it. Just last week, the Communications Security Establishment, that’s essentially Canada’s federal Homeland Security Agency for the IT sector, put out a report showing ransomware attacks worldwide were up by over one hundred and fifty percent in the first half of this year, compared to the same time frame last year. And from the start of the year to about mid-November, Canada alone is reported to have had about two hundred and thirty five such attacks, and that’s just the ones that CSC is aware of. Now, as we learned this year, after some rather infamous attacks on companies such as meatpacker JBS, the agricultural sector is far from immune. In fact, the ag and agrifood industries, including farmers, are considered critical infrastructure in Canada that could be at risk, so much so that Public Service Canada has commissioned the Community Safety Knowledge Alliance, a not-for-profit organization, to work with the sector to assess, reinforce and promote cybersecurity. Now that’s a four-year project, and we’re not even done year one yet. But given the recent ransomware attacks on targets such as JBS and on U.S. grain companies such as New Cooperative in Iowa and Crystal Valley in Minnesota, it looks like they’ve got their work more than cut out for them. I recently spoke with Dr. Janos Botschner, the lead investigator on the project for CSKA. Of course, we started with the basic question: What’s ransomware? But let’s start with the very basics. What what is ransomware exactly?

Janos Botschner: [00:03:28] Yeah, well, a general definition would be that it involves the use of, you know, some kind of exploit to, you know, encrypt or lock up digital data or processes and then hold them hostage until a ransom is paid. You know, usually in bitcoin, sometimes sensitive data are also removed, and that ups the ante, creating additional pressure on the victim to pay. Once the ransomware is paid, a decryption key would be provided so the organization can then, you know, unlock their systems and resume activity.

Dave Bedard: [00:04:01] Mm hmm. How does an infected computer system usually usually get this ransomware?

Janos Botschner: [00:04:06] Sure. Well, we don’t want to blame the victims. First of all, when things are so complex today and moving really, really quickly. But really, the fundamental weakness is usually the human side not, you know, maybe not having enough security controls and policy in place or, you know, succumbing to manipulation. You know, some people call it social engineering like, for example, clicking on an unverified email link. Cybersecurity experts continue to be concerned about the need for four basic cyber hygiene measures that can help, you know, prevent or in some cases detect suspicious activity. The people side is driving opportunities for ransomware attacks. For example, IBM’s Threat Intelligence Research has identified things like you know, credential stuffing, you know, using stolen credentials from one place like, you know, maybe a department store and try to exploit those to to gain access to a system somewhere else or what are called those phishing attacks where, you know, an email has a link embedded in it and you’re enticed in some way to click that link. And once you’ve clicked that link, you’ve enabled access to one or more critical systems.

Dave Bedard: [00:05:21] I’ve seen those sorts of attacks. I mean, I’ve seen things from companies are purporting to be from companies. I do business with all. Even all the links embedded within the email are mostly legit, except for the one. And it does sound like a pretty effective way for for a hacker to sort of monetize rather than just vandalize a system like, who are these people? I mean, the hackers, that is.

Janos Botschner: [00:05:42] Well, you know, the adversaries are really very well-financed. They’ve got a lot of resources that they can mobilize, and generally they’re part of of globalized criminal syndicates. And, you know, in some cases, these may have ties to nation states as well. You know, it can be a little bit muddy to to attribute all of those different connections, but it’s really a globalized criminal problem. And I think increasingly, people are understanding that ransomware is really what some people call ransomware as a service. So it’s part of the the criminal economy, a key business model, if you will. You know, last last October, for example, the group that was linked to the JBS attack declared that the ag sector was an upcoming target space for its activity. So it was pretty open about its intentions, you know, and these events, while unfortunate, are really helping people to better understand just how vulnerable critical infrastructures around the world are to cyber attacks. And you know, I think, you know, ag producers and policymakers are awakening to the need to address these vulnerabilities. I think importantly, you know, outdated software is also a juicy target for ransomware, which tends to exploit vulnerabilities within older systems. So I guess one of the punch lines there is everyone or every business is potentially vulnerable, you know, regardless of the size and, you know, being in an out-of-the-way rural location doesn’t mean that you’re necessarily secure.

Dave Bedard: [00:07:28] Now, when there are so many animals and so few processors, it didn’t take long for that JBS situation to ripple through the supply chain. I asked Dr. Botschner to explain how a ransomware attack can lead to such disruption.

Janos Botschner: [00:07:41] Well, I think today you’ve got sort of a funnel of increasing automation. You know, certainly when we’re looking at at, at the meat industry. So you know where you have individual livestock producers who may not yet be making widespread use of automation, but you know, the more you move from them towards, you know, the feedlots and then the much smaller number of processors, you’re seeing a significant increase in the degree of automation across those systems. So if something goes wrong or if there’s a concern that something could go wrong because an adversary or a criminal has access to your system, you know it becomes very dicey to sustain operations in that kind of a situation. You want to try and shut things down and do your best to contain the movement of the attack across systems. And you know, that would be one reason for bringing things to a halt. Mm-hmm. You know, at the very least, you know, while you’re perhaps working with law enforcement to try and, you know, remedy the situation or while you’re negotiating, if you’re doing that. So that can really, you know where you have a whole supply chain that funnels towards a highly automated pinch point. You can see all of a sudden why, if that shuts down, it creates a potential for an enormous backlog.

Dave Bedard: [00:09:09] There’s been a couple of grain companies in the U.S. have been hit with these sorts of attacks. So what happened there?

Janos Botschner: [00:09:15] And well, one company was was based in Iowa, New Cooperative. It’s owned by by corn and soy producers, and the other, Crystal Valley in Minnesota, sells farm supplies as well as, you know, excuse me, creating manufacturing fertilizer to farmers, and it also buys their crops. Now, notice that these events coincided with the fall harvest, so that’s a real pressure point as well, right? It’s creating urgency and pressure to resolve the situation. Crystal Valley owns grain elevators that can store tens of millions of bushels, and it’s in one of the biggest soybean producing states in the U.S. So these are similar stories that appear to involve the same criminal organization, the Russian ransomware group BlackMatter. In both cases, systems were locked up and a ransom was demanded. You know, as I mentioned a few moments ago, JBS earlier this summer, it’s the world’s biggest meat processor, and it experienced a massive cyberattack involving ransomware that severely disrupted operations in North America and elsewhere. In that case, the Russia-linked group called REvil was was linked to the attack. Now what’s interesting here is they used a powerful type of ransomware called leakware that allows hackers to cause two kinds of harms, or it affects what’s called data confidentiality by threatening to publicize sensitive data. And it also impacts the availability of data by encrypting files and preventing them from being used until they’re decrypted. So those things are increasing the pressure on victims to pay a ransom.

Dave Bedard: [00:11:11] And there are other contributing factors too.

Janos Botschner: [00:11:15] Our supply chains have been optimized for efficiency, but that lack of redundancy can also create a vulnerability in, you know, in the event of some kind of an attack. So, you know, resilience and efficiency aren’t always friendly to one another. Sometimes you know you want to sacrifice a little bit of efficiency to gain a little bit of resilience, or at least have the capacity to switch to some kind of a viable alternative as part of careful recovery planning.

Dave Bedard: [00:11:55] Now, JBS agreed to pay a ransom in the equivalent of $13 million worth of bitcoin to get its systems unlocked and its plants back on stream. Dr. Botschner said a payoff like that can just encourage these crooks, and even when a company pays the ransom, that’s no guarantee that its problems are over. Botschner said that’s why it’s important for businesses to have plans in place to prevent such an incident, but also for how they’re going to manage one if they find themselves targeted.

Janos Botschner: [00:12:20] So it’s going to be really important for larger organizations to think about, you know, what are the steps are going to take from an incident management perspective to really deal with all of the implications of an attack like that? It’s also going to be really important to think about, Well, how are you going to connect with law enforcement to ensure that you’re making the most of the opportunities to investigate and, you know, recover data or recover payments that may have been made, but also from an information or, you know, network security perspective? What are the things that you have in place and what are the resources that you can draw upon to ensure that you’re doing your very best to identify and remove, you know, malware or other kinds of exploits that may have been part of the the initial attack that could still remain on your system? You know, very technical work, but very important to think about that, you know, the full spectrum from preparedness to response.

Dave Bedard: [00:13:32] Now, a lot of listeners might be thinking they’re too small to be a target, you know, why would they bother with you and they can go after big companies? Well, think again. Dr. Botschner says new technology is making it easier for criminals to cast bigger nets into shallower waters, and sometimes they aren’t after money.

Janos Botschner: [00:13:48] I think perhaps the bigger concern is going to be that with the rise of artificial intelligence enabled technology, you can expect that criminal organizations are going to make use of that to increase the scale of their activities. And that might include, you know, opportunistically casting really wide nets to see who they can kind of reel in. And you know, that could potentially involve smaller players as well, you know, automated exploits. You know, if you send out a million exploits and a few of them stick and those exploits are very low cost in terms of the financial component or low cost in terms of the the likelihood of being detected and prosecuted, then it may be worth their while. There could be other reasons for doing that that involve undermining trust in a sector or creating a degree of chaos within a broad set of supply chains that might make it worthwhile from either a large scale criminal perspective or, you know, sort of a geopolitical perspective when you’re talking about the ways that nation states kind of relate to one another. So there could be many different reasons, and I think the the likelihood is that as we go into the future, you’re going to have different kinds of combinations of things that involve different kinds of motivations. And sometimes, you know, different players being involved, in particular kinds of exploits or or attacks that give them different kinds of things that they want. So I guess the punch line there is that remoteness again, is not a guarantee that someone may not be vulnerable, but also there are things that individual operators can think about that can make a difference and can certainly, you know, reduce the likelihood that they might become a victim of something like this.

Dave Bedard: [00:16:07] There are steps everyone can take to protect themselves and to speed up their recovery if they’re targeted. The first step is understanding how you might be at risk.

Janos Botschner: [00:16:17] So you know they can focus on what people call hygiene. Just like you think about animal hygiene right at the front end and back up and response capacity at the back end. So, you know, it can be really helpful to make sure all of their hardware and software and it’s been updated with patches and that they have basic physical and electronic safeguards in place. Understanding the different devices, sensors, computers, et cetera, that are all sort of connected that can help to identify potential vulnerabilities. They can also think about, well, who are the suppliers they deal with? And you know, what are the services that involve points of electronic contact with on farm systems? Or, you know, who who do you deal with from the standpoint of billing or financial services? What do you want to be on the lookout for? What kinds of policies do you have for yourself if you get a request to send payment to a new address or if you receive an urgent request to do something? What’s the typical way that you would be communicating with these vendors or with these service providers? And what mechanisms do you have in place to verify that a request is a real request? Also understanding the psychological dimension here. So, you know, some of these attacks capitalize on on, you know, a sense of urgency or the, you know, the authority of the sender. So you know, you get an email from someone who looks like your accountant with an urgent request to click a link to a portal to verify some payments that Canada Revenue Agency requires. You know, in the midst of a busy day, you might be tempted to click on that link, but maybe the better thing to do is pick up the phone and phone your accountant and to make sure that that’s an actual, legitimate request.

Janos Botschner: [00:18:22] And if it’s asking you to do something you don’t ordinarily do with that party, then that should kind of create a little bit of a flag. So, you know, pausing to kind of take a breath, think about what is this I’m being asked to do? How is this coming to my attention? Is this typical or not typical? And even if it’s typical, do you have a way that you can use to verify that it’s a legitimate request? So it’s really taking time to understand how things typically should work, but also understanding the kinds of information that you know for you as an individual business is really critical to your operations where that information sits and how it moves or how your processes work, and what would happen if if things are disrupted or not available, what would you do to get things up and running again? You know, for example, pork and poultry operations have a pretty small time frame to prevent big financial losses and and animal welfare issues if something goes wrong with their environmental control systems. You know, there’s some good I.T. providers out there. And so reaching out to them and, you know, engaging in that dialog can be helpful. And then finally, just to make the point again, that businesses of all kinds really benefit from recovery planning and larger organizations really should consider the value of incident response plans along with scenario based exercises to ensure they know what to do when something does happen.

Dave Bedard: [00:19:54] Mm-hmm. With all that in mind, I mean, how prepared do do businesses in the in the AG and food sectors currently in Canada? At the very least, how prepared do they judge themselves to be?

Janos Botschner: [00:20:04] Well, this is a question that our project will be looking at. Some of our conversations so far suggest that, you know, there are different umbrella organizations who are looking very carefully at the data that they hold and the processes that they use. But that doesn’t necessarily mean that individual operators are looking at things in the same way. So we’re really investigating that as as part of what we’re doing. In Australia, a joint project conducted by AgriFutures and BDO found that rural industries there seem to, you know, in general, have a bit of a misplaced sense of risk. So they found that there’s been perhaps too much focus there on activist based threats and too little on other, more likely cyber threats. So, you know, if you think that your main threat is going to come from over here, you’re not looking over there. And if, in fact, it’s more likely that you’re going to be attacked from over there, all of the measures you’re putting in place to defend against one kind of threat are going to be for naught. So it’s really important to appreciate, I guess, that while there are understandable reasons for perhaps looking at one kind of threat and being taking steps to to to make those threats less likely, for example, physical security of your farm operations, not sharing information about where your farm is located or what the nature of your all of your activities are. You also need to be aware that increasingly, you know, human based exploits like, you know, financial fraud and ransomware through phishing attacks are the things that are more likely to happen to most of us than, you know, activist based attacks.

Dave Bedard: [00:22:16] So in a nutshell, assess your risk, practice good cyber hygiene by keeping your software and hardware up to date, view urgent or unusual request with suspicion, even if they appear to be coming from someone you know and take time to verify that who you’re dealing with on the other end of the virtual trail is legit.

Janos Botschner: [00:22:34] Enhancing cybersecurity among Canadian producers inevitably is going to involve some degree of practice change, so it’s going to be really important to understand things from their perspectives. It’s also going to be important to think about the roles that different stakeholders may have in strengthening the ability of this sector to deliver on the promise of Canada as a global powerhouse of high quality, sustainably produced food. So, you know, the idea of thinking more broadly about collective defense capacity, I suspect, may be something that we will want to look at, you know, in more detail as a sector and as a country, as things go forward, particularly when you think about the magnitude of things like ransomware attacks, which I think IBM security has projected will reach and get this a level of ten point five trillion dollars over the next several years globally. So it’s it’s an unbelievable magnitude of, you know, profit from crime, you know, even if it’s half that. And when you think about the supply chain disruptions we’ve already seen and, you know, really they’ve been dealt with quite quickly. But you know, this starts to paint a picture of the importance of looking across public private, thinking about not just what’s happening within a sector, but across sectors. All of these are things that we’re going to be looking at.

Dave Bedard: [00:24:18] Mm hmm. So this will be something that that businesses and firms can think about when they’ve when, when, when you come calling with the survey later, this later.

Janos Botschner: [00:24:25] Absolutely, absolutely.

Dave Bedard: [00:24:27] Dr. Botschner, thank you very much for your time today.

Janos Botschner: [00:24:29] Pleasure, as always, Dave. Nice to talk to you.

Dave Bedard: [00:24:31] Dr. Janos Botschner is the lead investigator with the Community Safety Knowledge Alliance in Guelph. You’re listening to Between the Rows. I’m your host this week, Dave Bedard. Now about that survey, the Community Safety Knowledge Alliance will be distributing a survey this winter to evaluate the current state of preparedness for cyber threats in the farming community. We’re going to let you know more about that in the coming weeks, and you’ll get to hear more from Dr. Botschner on this topic, as well as from another cybersecurity expert, Ritesh Kotak, by attending some upcoming webinars hosted by Glacier FarmMedia early next year. Now mark January 20th and February 17th on your calendars and watch for your opportunity to register. And so we’re going to move on now to the notion of patching a whole different kind of vulnerability in agriculture with Toban Dyck. He is a southern Manitoba farmer and journalist, and he’s got some thoughts here on how farmers sometimes see things differently than the rest of the non-farming world.

Toban Dyck: [00:25:46] My canola has sold for twenty three dollars and 17 cents. I didn’t have a lot of it, though. Like many farmers, my fields didn’t get enough water. But that’s not what I’m here to talk about today. I’ve just started writing columns for the Western Producer. There will be plenty of opportunities to discuss the nitty gritty of crop production on my farm. In the meantime, I’ll let you in on a little secret. Typically, when I write a column, I sit at my desk, take deep breaths until I feel focused and present. Then I ask myself: if I had your undivided attention for a few minutes today, what would I say? It’s been a while since I’ve written a regular column. The pandemic has been divisive and it has brought out the worst in some of us. For a period, the ag industry’s pulse was one I didn’t want to take. Since March of 2020, I have also found it difficult to distinguish the specific challenges facing the ag industry from the general challenge of staying positive and sharp during a time where it’s hard to do either. I’m sitting taking deep breaths, and what I wish to say to you is something I have thought about a lot since the lockdowns began. It’s about our minds and what it takes to change them. It’s taken me a while, arguably too long, to realize that my own mental scaffolding, the way I structure arguments, form thoughts and behave, is not the same as everybody else’s. Others think differently than I do. I live in an area that is routinely making news for its high COVID cases and its resistance to comply with measures.

Toban Dyck: [00:27:27] What is clear to me isn’t necessarily clear to you. What is obvious to you may not be obvious to me. I believe we, as farmers, settle into ways of doing things that over time create conditions for blind spots to emerge, and that not being aware of this keeps us from seeing the obvious and adapting to change. I have blind spots, holes in my logic others can see, but I cannot. Beliefs and behaviors that are ideologically driven, but that I believe are based on reason alone. The actual contents of the slurries that form the foundations of our beliefs and behaviors are often elusive. I like to think of it as the glue that keeps life interesting. We assume that all city dwellers and lawmakers need in order to consider ag more favorably is to see an active farm, observe what it is a farmer does on a regular basis and read the science supporting our practices and products. We assume that if people were exposed to these things, they would change their minds. What is clear to you may not be clear to others. To change a mind is possible, but difficult. I’m stubborn and often unwittingly and unnecessarily defensive. My mind does not change very easily. When it happens, it’s not clear how it did. It’s certainly not science alone. We’d all lead different lives and change our farming practices if we were actually driven and convinced by the same logic and science that we so desperately want lawmakers and our adversaries to take seriously.

Toban Dyck: [00:29:12] When I returned to the farm in 2012, environmental issues were not as front and center as they are now. Carbon sequestering, net zero farming and emissions reduction targets were mere whispers often dismissed as murmurings from anti-ag environmentalists. In other words, the farm I was raised on and the farm I came back to almost 10 years ago didn’t operate with these guiding principles. This is not a judgment, I don’t think many farmers did this, the scaffolding at the time didn’t include concerns over emissions or climate change. Rather, it elevated machines and advances in chemistries and genetics as the conduits through which agricultural progress could be realized. This has changed. The world has changed. The farm as it is today, including its machines and genetics, and all that stuff is still defensible and important, but it will need to change. Our minds need to change. Our scaffolding, the way we think about things, slurries, goo and all, will need to be reevaluated. And this isn’t a bad thing. You don’t have to be on board with everything I’ve said here. It would be suspicious if you were. But I’m pleading with you to believe this. Our beliefs and attitudes towards things are made up of messier things than just pure science or absolute logic. I’ll make a pact with you. I’ll keep an eye out for my blind spots if you’ll keep an eye out for your own. I’m Toban Dyck here on my farm in southern Manitoba.

Dave Bedard: [00:31:04] You’ve been listening to Toban Dyck, a farmer in southern Manitoba and a columnist for the Western Producer and Grainews, and overall, you’re listening to Between the Rows. I’m your host this week, Dave Bedard.

Commercial: [00:31:29] At your Nutrien Ag Solutions Retail, we take seed seriously. Getting it right for your farm requires the right knowledge. That’s why we operate the largest retail seed trial program in western Canada. Our local experts can provide you with advice for balancing maturity with disease traits and getting the best seed to your crop. After all, we take your harvest seriously. Talk to your local retail today or visit NutrienAGSolutions.ca.

[/podcast_transcript]

About Between The Rows


Between The Rows is a weekly podcast that gives you an in-depth look at the latest agricultural news and market insights. Produced by the editorial team of Glacier FarmMedia, this program taps into the expertise of our staff, drawing from over 20 print and online brands to provide you with detailed analysis of the most significant developments in agriculture today. Each 25-30 minute episode features a rotating group of hosts, including Laura Rance, Glacier FarmMedia Editorial Director; Gord Gilmour, Manitoba Co-operator Editor; Ed White, Western Producer Reporter & Analyst; Dave Bedard, AGCanada.com Daily News Editor; and Robert Arnason, Western Producer Reporter. Together, they bring you comprehensive coverage of two or more of the week’s most critical ag stories, with an expert market analysis from one of our top analysts. Between The Rows takes you beyond the printed page, offering deeper insights into the issues that directly affect today’s producers.
