Cybersecurity risks in agribusiness: the new high tech ‘cattle duffing’

Many Australasian agribusinesses have experienced some form of financial loss from illicit or illegal activities. The recent breach of information systems at JBS Foods, Australia’s and the world’s largest processor of beef and pork, highlights how advanced the risks to agribusinesses have evolved in a short space of time. Suspension of JBS Foods’ international operations due to a targeted malware attack by cybercriminals has cost JBS Foods reportedly tens of millions of dollars in lost productivity, damage to its reputation and a multi-million dollar payday for the hackers.

The integration of digital technologies and information systems into many agribusinesses now raises the question of how prepared they are to deal with these new threats and increased risks to operations.

Cyber threat landscape

The Australian Cyber Security Centre (ACSC) is the leading operational arm for the Australian Government, responsible for strengthening Australia’s cyber resilience, and for identifying, mitigating and responding to cyber threats. ACSC’s Annual Cyber Threat Report (July 2019 to June 2020) stated that “malicious cyber activity against Australia’s national and economic interests is increasing in frequency, scale and sophistication”.

In the 12 months to 30 June 2020, the ACSC responded to over 2,200 cyber security incidents, with approximately 70% of incidents being categorised as ‘Moderate’ or ‘Substantial’ incidents.

In addition to security incidents, over 59,000 cybercrimes were reported. There was an average of 164 cyber incidents per day, or one reported every 10 minutes. Approximately 40% of reported cybercrimes now involve fraud or deception through online means, with approximately 32% of reported cybercrimes incorporating theft and misuse of personal information.

What are hackers’ objectives?

As many businesses initially transitioned to digital and online forms of business, securing banking details and payment systems were the key focus to mitigate the risks of cybercrime. Stopping or preventing cash from being illegally or inadvertently transferred to unauthorised parties was paramount. However more recently, the opportunity and potential payout for cybercriminals has declined for this type of cybercrime.

As the JBS Foods and other recent cybersecurity breaches demonstrate, the objectives for cybercriminals have now changed, as has the prospective payout.

The ACSC 2020 report states that “ransomware has become one of the most significant cyber threats facing the operation of private sector organisations.” Accessing information and network systems is now the key goal for sophisticated and well-resourced cybercriminal groups. These groups seek to introduce software that disrupts, corrupts or locks a business’ information systems or data. At a certain point, ‘the hackers’ launch software, and the target is notified that their systems have been infiltrated and there is a ‘cost’ for the business to regain control or access to the systems and data.

The target then needs to weigh up the cost of paying the ransom, compared to the cost of disruption to its business.

The estimated cost to the Australian economy and industries of cybercrime incidents has been estimated at $29 billion annually.

In addition to the obvious risk of disruption, cybercriminals have also started to target business data as a key objective of any attack. Being able to steal intellectual property or personal information subject to privacy laws means the attackers can now extort payment for the non-public release of the stolen data.

What are the risks to agribusinesses?

The risks to agribusiness are significant. Australian Bureau of Agriculture and Resource Economies (ABARES) reports that in 2020, the Australian Agribusiness sector was worth $69 billion, with an estimated 89,400 agribusinesses in operation.

Cybercriminals follow the money. They are adept at identifying their opportunities and specifically tailoring their attacks.

A 2017 report prepared by Cotton Research and Development Corporation (CRDC) found that, “Digital agriculture in Australia is in an immature state in many parts including strategy, culture, governance, technology, data, analytics, and training.”

Whilst there have been advances in the adoption of digital information systems and efficiency gains in Australian Agribusiness since the CRDC report, ABARES estimate that there are potentially $20 billion of efficiency gains available to the agribusiness industry from a higher uptake of digital technologies and information sharing across the sector.

The prospect of greater implementation and reliance on information systems, automation, and digital information sharing in agribusiness to harness these efficiency and productivity gains will correspondingly increase the risk that cyberattacks and security incidents present.

Cybercriminals also know that the agribusiness industry is a lucrative target. In October 2020, a Russianspeaking YouTube channel called ’Russian OSINT’ published an interview with a representative from the Ransomware syndicate called REvil. This is the same group allegedly responsible for the recent JBS ransomware attack, and that claims to make a revenue of over $100,000,000 per year through these criminal endeavours. In the interview, it was revealed that Agriculture was highlighted as the most profitable sector and a target for future attacks.

Cybersecurity preparedness

Cybersecurity preparedness is not simply running a backup and updating current antivirus software.

As agribusinesses become more digitally integrated, both internally and with external counterparties, Australian Agribusiness must think more broadly and laterally around their information security protocols. Information systems should be secure to ensure:

• Confidentiality of data and information is maintained and accessed by only authorised users;

• Integrity of data stored in the information system is valid and accurate; and

• Availability of the data and services are accessible.

A Finnish study in 2020, “Requirements for cybersecurity in agricultural networks”, identified common issues associated with network systems in a number of farming enterprises that may increase the risk of cybersecurity incidents to agribusinesses. These issues included:

• Network equipment was typically for consumer use, with limited modifications to enhance security.

• Networks had been built to service one particular need, and had not evolved over time or with prior planning.

• Malware and antivirus software were installed in some, but not all, computers in networks and often with the ’best case’ rather than ’worst case‘ scenario in mind.

• Difficulties in ensuring full network protection, particularly where access was provided to third party proprietary systems.

These issues present many challenges to the Australian Agribusiness sector, however the most critical element is to understand the importance and value of securing networks, systems and data from cyber-attacks and breaches.

There may be costs associated with adapting to this threat, but the more pertinent question is, what is the cost of doing nothing?