From Colonial Pipeline’s fuel pipeline to a JBS meatpacking plant and grain cooperatives in Minnesota and Iowa, several key links in the supply chain have been put at risk this year by ransomware attacks. 


These types of cyberattacks are just as likely as those that do not risk affecting the supply chain because hackers generally attack any systems that are vulnerable, no matter what sector they belong to. As technology becomes more integral to agriculture and other food production, more organizations and businesses need to invest in staff training and protections for their systems, experts say.


The need to address gaps in cybersecurity protection among supply chain organizations is also made more important by the steady emergence of new methods of attack that can affect the central business, as well as all its customers or vendors, and the potential effects on the supply chain that could linger following a security breach.


The Business Record sought input, via email, from professionals in the cybersecurity and agricultural industries to discuss potential effects on the supply chain and how agricultural organizations can address system vulnerabilities. Responses have been edited and condensed for clarity.


Meet the participants: Cybersecurity

Brandon Potter

chief technology officer at ProCircular Inc., a cybersecurity services firm with headquarters in Coralville. He has more than 15 years of experience in systems and network administration, security architecture design and developing methodologies for in-depth cybersecurity assessments. He leads the company’s team of cybersecurity engineers in developing multilayered security approaches and tracks evolving cybersecurity threats and practices to better serve clients.


Jeremy Hoffmann

cybersecurity program chair and an associate professor of cybersecurity at Des Moines Area Community College. He works closely with all industries and programs at DMACC, including agriculture, giving guest lectures and assisting with workshops.


Doug Jacobson

director of the Iowa State University Center for Cybersecurity Innovation and Outreach as well as a professor of computer and electrical engineering. His work covers cybersecurity for critical infrastructure, design of cyber ranges, and cybersecurity education and literacy.

 

Several disruptive ransomware attacks have made the news this year, some of which affected supply chains. Give some context on how common cyberattacks are on organizations in the supply chain. Are there any recent changes in methods or technology used that have made these kinds of attacks possible or easier to execute?


Potter: Cyberattacks on supply chain organizations are not new. Companies in many industries face cyberthreats, and those intricate to the supply chain are no different. For years, attackers have been using third-party networks and systems to infiltrate other organizations.


Recent methods, such as those leveraged in the SolarWinds and Kaseya attacks, are a newer frontier, have drastically increased the attack surface, and have significantly increased the threat actor’s ability to mass infect additional companies. More careful and tactful techniques are used in order to circumvent detection and make their attack more fruitful when analyzing and targeting the top of the supply chain.


Hoffmann: Supply chain industries have been the focus of attacks as it is a way for nation-state actors and state-sponsored groups to disrupt and gain large monetary sums from their ransoms. Methodologies are always being adapted and targeted based on trends and new exploits being found every day. The human element is usually the greatest weakness to security infrastructure and is responsible for most successful attacks. Attackers send out malicious links or documents and users click on them or open them, causing the remote access to work.

 

Jacobson: Attacks on the supply chain are part of the overall focus on using ransomware to extort money. Ransomware targets have shifted from organizations that provide goods and services to the public, like hospitals, cities and businesses, to the supply chain. 


I can see a couple of reasons for this shift. First, potential victims learn what happened to others, which helps them better prepare for an attack. Second, attackers want to go after victims that cannot afford to stop production. The increase is partly driven by working from home, which forces companies to provide outside access to their systems. The ease at which attackers can access ransomware and the potential payoff has also caused a spike in the attacks. With more attackers and attacks, the chances of an organization making a mistake increases.


Describe how cyberattacks are able to affect supply chains. What would it take to cause a significant disruption? 


Potter: Given how intertwined supply chains are with our economy and life, any cyberattack that causes an outage or inability to access data or systems will result in some significant impact. Since we rely on multiple facets in the supply chain, if one is delayed or down, it will likely have a cascading effect of two, three or four layers deep. 


Take the JBS Foods and NEW Cooperative cyberattacks as an example; the downtime resulted in delayed food and agriculture products distribution. Given the potential for shortage, [this] affected product availability, increasing demand and resulted in price increases.


Hoffmann: Cyberattacks can disrupt key services needed to maintain the supply of services or goods by taking down servers and data necessary for continuity. Services are built upon digital databases and networked environments; all it takes is to take one part down to cause a failover situation. If that failover cannot handle the loads from the other servers that are offline, then the failure can become catastrophic. If you encrypt a database that has all the customer data and orders, you can effectively stop services as you have no way to access customer information and resolve orders or supplies to the customers. 


An example of supply chain disruption was the gas pipelines. If the attackers managed to change the pressure values and override sensor data, that could have blown up lines and caused damage for the entire infrastructure and surrounding areas. For the pipeline, it was more about making money, as that company supplied the whole eastern seaboard with gas and services.


Jacobson: The modern supply chain operates on a just-in-time model, which is especially true with perishable goods. For the supply chain to operate, we need to be able to produce goods, and we need to know the status of the goods and materials and how to move them. Computers are a critical part of both production and logistics. Cyberattacks have focused on both aspects of the supply chain. In the case of production, cyberattacks slow down or stop the companies’ ability to make the product. In the case of logistics, the company loses the ability to move its product. 


As with any complex system, there are weak points, which can change over time. While any disruption can cause problems, there is more damage when the attack is early in the supply chain. An additional concern is single points in the supply chain, where alternate sources cannot mitigate the disruption. 


What are possible supply chain and economic disruptions that Iowa could experience as a result of a cyberattack? Would it matter if the attack originated in Iowa versus a different state?


Potter: The effects of supply chain attacks are universal, regardless of geographical location. Whether it’s a pipeline that delivers fuel to the state or a state-headquartered corporation, the synergies and reliance across the country increase the risk when the supply chain is targeted. 


Product shortages and price increases may be the most common disruptions. However, if one corporation purchases products from an Iowa-based company, it reduces the funds coming in that help sustain our economy.


Hoffmann: Each state has different resources and services that can be disrupted. A large portion of Iowa’s energy comes from wind turbines, and they are just as susceptible to attacks as any other location, but because of the larger concentration it could be a real issue for Iowa’s energy sector. 


Farm equipment relies heavily on computers and electronics, and that is a possible attack point where damage to equipment and life is a possibility. We have a large sector of the health industry where a disruption in health care during a pandemic is another issue to be concerned about. 


We also must worry about grains, corn and livestock in Iowa as a possible disruption, [and whether] any of the ag service areas were down for an extended time, or all the processing factories. These aren’t unique to Iowa, but they are areas of concern when looking at potential attack scenarios.


Jacobson: This, of course, depends on what and when they attack. Attacks during critical times (planting and harvest) with a finite time window could cause localized disruption. Given the distributed nature of many aspects of ag, a large-scale disruption would need to focus on large processors. 


We have already seen these attacks against meat processing. This does not rule out a widespread coordinated attack against many different local suppliers, which could cause a massive disruption. Another disruption would be the transportation system, which would have a more significant impact than the ag sector.


The attacker can be anywhere in the world when they carry out a cyberattack. And while a lot of the ag supply chain is localized to Iowa and the Midwest, disruptions outside Iowa could cause problems. 


The hack of NEW Cooperative Inc. based in Fort Dodge resulted in the loss of source code for its SoilMap, software for testing and mapping soil. What are agricultural businesses at risk of losing, and are some tech-focused businesses like agtech startups more at risk of attacks?


Potter: Intellectual property, data and customer information are some of the main items at risk. Whether it’s hacktivism or a financially motivated crime, there are significant risks to either. The loss of the NEW Cooperative’s SoilMap source code may allow the attackers to identify vulnerabilities, which can be used to gain the initial access to others that use the technology.


Some startups think they’re not a big player, so they are less at risk. Contrary to that belief, they’re just as much of a target as the big player in their vertical. It’s common in the startup realm where the founders and initial team are designing, developing and running the company and wearing multiple additional hats, diluting 100% of their focus on supply chain and information security in general. They’re focused on successful growth and gaining traction in the market. All of these combined increases the risk of a successful attack. 


Hoffmann: There really isn’t one specific area that isn’t affected by cyberattacks as we are more reliant on digital data and networked infrastructure to manage and maintain our industries. Ag-specific businesses are at risk of stolen [intellectual property] and trade secrets where other manufacturers could “clone” or build equipment or services resulting in monetary loss. 


They can also reverse-engineer stolen source code and find vulnerabilities where they can manipulate pricing (in the case of market software) or manipulate the data streams from the software. Startups are always at risk due to financial restrictions and a pure focus on their product getting out as quickly as possible. They don’t always have the capital to spend on security and professionals to help ensure their environments are secure. Startups tend to rely heavily on cloud services and providers to help mitigate their risk. This is an advantage and can be an issue if they don’t have full understanding of their environments and security exposure.


Jacobson: Theft of data and intellectual property is a big issue facing the United States. The NEW Cooperative lost data as part of a ransomware attack, which, while bad, is something they discover as part of the attack. There are many cases where the attacker’s goal is to steal data, and they do not want to be discovered. The loss of data can result in customer data being released, which can be devastating to both the business and the customers. The loss of intellectual property can result in losing your competitive advantage even to the point of losing the business.


Name some of the key barriers to recovery from a cyberattack and if there could be any specific impacts for recovery among agricultural businesses.


Hoffmann: Not having current backups and offline recovery backups. Ag businesses are just like any other business model; they all need to have sound policies, disaster recovery plans and competent administrators. Key barriers are always money, updated policies and procedures, continuous testing of the environments, and teams who are cross-trained in SecDevOps methodologies. Agricultural businesses are no longer behind in technology and share the same risk factors as most industries. They just control a different supply chain: food.


Jacobson: Time is the key barrier to recovery. Before you can even start recovery, you have to know the extent of the damage, which takes time. With ransomware, that is what they are counting on. You do not have enough time to recover without paying the ransom. In ag, many processes cannot be delayed, so producers and processors do not have time to recover.


What is one thing you would like to see happen in Iowa to strengthen the defense against cyberattacks in the state?


Potter: We need help from the legislation within Iowa. Although federal guidelines exist, there are too many to follow, and most differ depending on several factors. We need something specific to Iowa, built by Iowans, to ensure it has the state’s best interest in mind. I’d encourage the federal guidelines to be used, as it’s a great starting point, but deviation from standards and new rules will make it more challenging to adopt as both state and federal requirements will need to be followed. Keep it simple and leverage the basics; the guidelines and conditions need to be simple yet effective for mass adoption.


Hoffmann: More training and awareness as well as a more holistic approach to prevention and responses. We have some great cyber conferences and a great security group, which meet regularly. More businesses should get involved with SecDSM and SecIC in the state as well as ISSA and the Secure Iowa conferences. These are excellent ways to meet community experts and network and learn. 


Developing more internship programs where entry-level students can get experience and help fill roles ... but [the students also benefit] from training. Work with community colleges and programs to strengthen their cyber training programs.


With today’s cyberthreat-scape, businesses are needing to invest in their workforce for training and updating skills for all employees. IT is just one link in the chain of defense; the users and general population must care more about cyber risk. You can have the best security in the world, but all it takes is one person to slip up and everything can go sideways.


Jacobson: The state should focus on enabling information sharing and cooperation. The attackers share information and often cooperate.

_______________________

Meet the participants: Agriculture

Scott Meredith

senior client executive at Associated Computer Systems, a Des Moines-based technology services firm that works with many of the Iowa Institute of Cooperatives’ members on their cybersecurity plans and practices. He is also involved with multiple regional and national agricultural organizations.

 

Chad Hart

extension economist and a crop markets specialist for Iowa State University and teaches in the economics department. He regularly interacts with farmers, landowners and agricultural interest groups

 

How are those in the agriculture industry reacting to recent cyberattacks affecting the supply chain? What are their top concerns surrounding cybersecurity?

 

Hart: The recent cyberattacks have highlighted that the businesses being targeted can be of any size and in any vocation. I think many companies and farmers feel at risk, but aren’t sure how to defend their systems. I think the ag community is like much of the general community, hoping technology companies will continue to create and manage tools to deal with the threats.

 

Meredith: The agriculture industry is now taking a more proactive approach to security. They are evaluating their current security posture, identifying gaps and trying to close those gaps. The industry is realizing that a layered approach to security and protection is necessary. Top concerns are loss of data, data [being] stolen, data not being accessible, or systems being down completely.

 

What are the barriers keeping organizations from investing in or implementing cybersecurity measures? Detail any that are specific to the ag industry.

 

Hart: I think the largest barrier in general is the cost/benefit viewpoint. While the cost of a cyberattack is high, the probability is still quite low, meaning that many see less benefit from investing in cybersecurity measures.

 

Meredith: Budget is always a concern. The ag industry, like all industries, must weigh the cost of having their systems down versus the necessary spending needed to secure their systems. The bottom line is how much are they willing to spend to mitigate their risk.

 

What concerns are top of mind for you in terms of how a cyberattack targeting the supply chain could affect the agriculture industry and rural and farming economies?

 

Hart: My main concerns have already been highlighted by previous attacks, that the food supply chain can be seriously impacted or even shut down by an attack. Ag is like many sectors of the economy where technology has created a rapid, efficient production, processing and merchandising system, but the reliance on that technology has opened up new risks within the industry that we are just now facing.

 

Meredith: The inability to buy and sell products, from seed to feed to fertilizer. Delays in harvest, planting or availability of feed to livestock producers can have a tremendous effect on our regional and national food supply.

 

What are the important lessons for agricultural organizations and other food producers to take away from recent supply chain attacks like the ones on JBS meatpacking or NEW Cooperative Inc.?

 

Hart: The attacks remind us of counterparty risk, the risks that you face when doing business with others. Their risks become your risks. For example, we use a piece of software from a company, the security flaws in that software are not just the software company’s problem, they become your problem as well.

 

Meredith: Be proactive in your approach to your security posture, have a business continuity plan, a disaster recovery plan and an incident response plan. These plans need to be updated and tested annually. 

 

Are there any specific reasons why hackers may target organizations like meatpacking plants or agricultural organizations?

 

Hart: I don’t think ag is unique here, but I think ag is among a core group of sectors (energy, medical, etc.) that are targeted not just for money, but also for notoriety. 

 

Meredith: There is really nothing unique. Hackers target industries and organizations that are vulnerable. However, they may target industries like the food supply chain to create a more impactful message to the world.

 

What is one thing you would like to see happen in Iowa to strengthen the defense against cyberattacks in the state?

 

Hart: A quick move would be to develop programming within the state to help Iowa’s businesses and even individuals assess their risks to cyberattacks and point to simple ways to address some of those risks. It’s hard to fix a problem unless you understand it first.

 

Meredith: It’s really up to each company to be proactive in strengthening their defense. Everyone must be diligent. The state can provide increased awareness to everyone regarding the potential risk and potential mitigation. Sharing of information regarding attacks among companies is important as well.