https://www.cbc.ca/newsinteractives/features/agri-food-canada-hacking

Ask most Farmers “what is the greatest threat to their operation?”, and you will receive answers like, commodities markets, climate change, operational costs, and labour shortages. However more and more Farmers (especially livestock farmers) will reply Ransomware.

Another week brings another attack on the Canadian Food and Farming sector. With the increasing volume of ransomware news coverage, the narratives are usually explainers about “What is ransomware?”. If we are going to mount a successful defence we need to stay focused on what is important: our Food and Farming sector is not secure and our defensive capacity is inadequate. As a Farmer who pivoted to pursuing a career in cybersecurity, I am deeply concerned about the future. This post is not meant to incite fear or paranoia, this is a Call to Action.

The foundational 2022 report by the Community Safety Knowledge Alliance, “Cyber Barn Raising” (https://t.ly/6WoBS) explores and reflects on the landscape of agriculture cybersecurity and recommends a well-reasoned response framework. This report echos Government of Canada publications (https://t.ly/l1mqF) and the amazing work of the Cyber Science Lab (https://cybersciencelab.com/about-us/) that aim to inform and support the Food and Farming sector.

The Cyber Barn Raising framework for resilience rests on 4 pillars:

• Take a producer-centred approach to strengthening on-farm cybersecurity
• Develop workforce capacity
• Build and support public-private partnerships
• Strengthen legislation and governance to strengthen trust within the agricultural value chain

From my perspective this is the most well-reasoned and appropriate approach that mirrors previous successful efforts from other sectors. Now that we have a great framework, let’s get down to business! In my agriculture career, when I needed help with new crops or diseases, I could call OMAFRA and receive resources to assist with problems I experienced. This extension model needs to be expanded to include a cybersecurity division, staffed with agents that directly assist Farmers with the full suite of security measures that are available to other sectors like finance. We already have a model for successfully assisting Farmers and modern solutions for cyber defence already exist – we just need to marry these existing solutions and forge a talent development pipeline to build a fully staffed, highly skilled Food and Farming cyber defence workforce.

This requires everything described in the “Cyber Barn Raising” report and more – this is not a wait-and-see moment, we need to make this a watershed moment where everything downstream creates a more resilient, robust and secure Food and Farming sector. This means we require Food and Farming specific:

• Digital forensics and incident response (DFIR)
• Cybersecurity extension agents
• Managed Service Providers
• Bold and robust legislation to support this entire effort

As a thought experiement, if we replaced “Food and Farming” with “Financial sector” or “Health Care”, what would the response look like? There are already many companies providing every necessary service to respond to and prevent attacks from nation-state backed advanced persistent threats (APTs) and the same threat actors are attacking our other essential services regularly. In the business and financial sector there are proactive teams of ethical hackers that are paid by companies to find vulnerabilities before they are exploited. These teams are essential to the payment card industry and many other business sectors, so why not Food and Farming?

I propose the founding of an Agriculture Purple Team (blue: defence + red: attack = purple), who’s mission is to protect our essential Food and Farming sector. The responsibility of protecting such a vast network of businesses and systems is far beyond the scope of a single government office or small group of ethical hackers. This will require hundreds of people, trained in agriculture-specific cybersecurity tactics and with offices in every province, staffed with teams ready to respond to incoming requests and who proactively engage with the Food and Farming sector to increase defensive capacity.

A younger Farmer me, out tending fields of apple trees and garlic, would never conceived that I would be writing an article like this. But times have changed and we must adapt- for my part, I paused my Farming career to pursue a cybersecurity diploma so I can be part of the effort to defend our food system. The groups cited in this post are doing amazing, essential work but they are small teams with nowhere near enough resources to tackle this issue on a national scale.

Stay tuned for my upcoming posts where I deep-dive on each area of this Call to Action. I also am working on vulnerability assessments, STRIDE models of common Farming equipment and more.

– Brian Tammi