Shortly after Russia’s invasion of Ukraine, I advocated in a BBC news article and North American technology podcast (The Feed) that we should regard parts of the UK’s agriculture and agrifood system as critical national infrastructure.
What does it mean to be critical national infrastructure, and why is it so important in this industry?
We all eat. In the UK, we produce only 60% of the food and drink we consume and import the remainder along supply chains that are often long and complex. When food production and supply chains don’t function smoothly, it can cause real pain to millions of people. The pandemic has demonstrated how small shocks in far-flung places or close to home can lead to severe problems in fulfilling basic needs, whether this is providing enough glass phials to vaccinate billions of people, creating sufficient carbon dioxide for safe food packaging and transport, or unblocking the shipment of $60bn of goods through the Suez Canal.
Challenges in the Agrifood Sector
The cybercriminal business model is to exploit any fragility or dependency for financial gain, and many have taken notice of how disrupting interconnected supply chains such as the food system can cause serious harm and potentially threaten national security. A 600% increase in cyber attacks on the agriculture and agrifood industry in 2020 alone makes this sector the 7th most targeted industry for cyber attacks.
There are huge rewards to be made illicitly, through stealing personal data and selling individual records for the price of a pizza or extorting millions of pounds from public and private sector organisations by shutting down their operations through ransomware attacks. When the UK’s National Health Service (NHS) was hit by the WannaCry ransomware in 2017, it caused up to £100m of damage across at least 80 of the 236 NHS trusts. Below are two key cyber security challenges faced by the agrifood sector today
1. Threats from Hostile Nation-States
Hostile nation-states have the resources, the will, and the time horizons to use cyber techniques as asymmetric warfare both to steal intellectual property and compromise important economic infrastructure to destabilise economies and political institutions.
Critical national infrastructure – facilities necessary for the country to function and upon which daily life depends – are clear targets. In the energy sector, it is natural to consider each nuclear power station as critical national infrastructure, and we can imagine the consequences of a hostile nation-state either shutting one down or worse still driving one out of control. Such facilities run publicly or by private organisations need extra attention and resources to protect them from cyber-attacks.
It is surely realism and not scare-mongering to state that hostile nation-states are constantly and actively seeking ways to compromise such critical national infrastructure. Consider that the Stuxnet worm was released around 2010 specifically to attack Iran’s nuclear programme by causing gas centrifuges to spin at irregular speeds, undetected until the centrifuges destroyed themselves. This cyberattack was purportedly carried out by Israel, collaborating with the USA, so from Iran’s viewpoint hostile nation-states attacked their critical national infrastructure. Stuxnet demonstrated that whilst it may not be easy, it is completely feasible for threat actors to alter or take over critical control systems in operational production facilities.
2. Technology Revolution Within the Agricultural Industry
Many people don’t realise the technological revolution underway within agriculture, which promises to sustainably increase food and farming productivity. Myriad internet-of-things (IoT) devices and sensors, autonomous robotics and drones, AI-driven and automated decision-making, GPS-enabled precision application, and ubiquitous connectivity increasingly at 5G network speeds are becoming the norm. But all this technology vastly increases the attack surface of vulnerable points for hostile actors to exploit. Consequently, cyber security in the supply chain has become mission-critical.
The food and farming sector has generally been rather slow to recognise the threat, so many organisations aren’t addressing the inherent security vulnerabilities from this proliferation of technology. Some remain oblivious, perhaps through a lack of comfort with anything that smacks technology and data. Others may simply underrate the potential threats and their impact, for instance feeling that the data that they process is not particularly valuable. It is also tempting to think that the sector, being very fragmented, is resilient to shocks and can cope with disruption to individual organisations. However, there are many places within the sector where there is a concentration of control. At worst, these are single points of failure for the system – bringing one down could severely disrupt an entire sub-sector of our food system for weeks or months.
Let’s Imagine Some Scenarios…
Consider the control systems of farm machinery manufacturers. Machinery such as GPS-guided, driverless tractors can in larger farming operations, swarm autonomously to perform as efficiently as possible farming operations such as planting, spraying, and harvesting. Such machinery has control systems linked to the manufacturer’s centralised control and processing facilities. Could a hostile nation-state take over these centralised systems and, at a critical time in the season, cause widespread disruption?
This is not about hijacking one tractor, which could be relatively straightforward, but instantly detectable, as demonstrated by routine attempts to hack self-driving vehicles. Instead, the aim of a hostile nation-state could be to destroy crops or ruin soils on a regional or national basis, for instance by directing machinery to plant all seed too deep so the crop struggles to emerge or applying chemicals in a way that under sprays some areas but over sprays others leading to crop disease and soil health issues, or by simply shutting down operations so machinery cannot harvest the crop.
Although governments surely want to protect critical operations as securely as possible, they do not always put their best foot forward. In the arms race with threat actors, it requires infinite resources to be 100% bullet-proof.
Across the UK there are many government departments, agencies and certification bodies that process food and farming data and provide oversight on the state of the nation. Some of these organisations, such as the Food Standards Agency and the Livestock Information Service, exist specifically to protect the UK economy from widespread disruption of animal or plant disease, or from food-related public health outbreaks. Could a hostile nation-state attack such important banks of provenance and traceability data, perhaps when a serious disease outbreak like foot and mouth disease is in progress? The more disruptive threat might not be to make systems unavailable, but instead to change records so that measures to identify and control disease spread could be thrown into disarray.
In certain sub-sectors, there has been consolidation at key points in the supply chain, so that only a handful of key operators control the vast majority of that market’s production. For instance, across the UK, two organisations control the majority of the whole grain industry’s seed crushing and oil seed processing. Could a hostile nation-state target these two companies to severely disrupt the supply of important food produce from grains, our staple crop?
How Can the Agrifood Sector Withstand Cyber and Supply Chain Threats
1. Recognising the Food and Farming Sector as a Target for Cyber Threats
Organisations can start to address cyber threats by first waking up to the fact that the food and farming sector is a target. Only 39% of UK businesses reported a cyberattack in 2021, but the truth is that most organisations simply aren’t aware that they are being constantly attacked through automated scanning of their networks by threat actors looking for vulnerabilities, perhaps because they aren’t monitoring for such activity, or that cyber attacks have succeeded but not left a trace.
2. Government and Industry Leaders Must Prioritise Cyber Security Education and Risk Management
The government must lead by example in how it tackles cyber threats, especially in designated public and private organisations and facilities as being critical national infrastructure and investing in their protection. Government and farmer organisations such as the National Farmers Union should invest in educating the sector and raising awareness of the threats and how to mitigate them.
Senior leaders need to put cyber and information risk management on their Board agenda and seek to protect the data that they process, as well as protect the continuity of their day-to-day operations that now rely heavily upon real-time access to information technology and data. The basics of tightening your security posture to address vulnerabilities could involve:
- Increasing cyber security awareness among staff
- Strengthening passwords and user authentication
- Mandating the use of antivirus software
- Ensuring all software and infrastructure are patched so it is up to date
- Introducing security monitoring services
- Taking backups of data, software, and infrastructure so these can be rebuilt in the event of loss through ransomware.
As a policy point, consider taking out an appropriate level of cyber insurance and assess if your organisation would pay, if hit by ransomware. Get the Cyber Essentials Plus certification as a baseline, but if you have significant technology and data operations consider attaining the ISO 27001 certification for information security management.
3. Approach Supply Chain Cyber Security as a Collective Responsibility
A chain is only as strong as its weakest link so, given the use of integrated technology and shared data up and down supply chains, organisations need to treat supply chain cyber security as a shared responsibility and assess their suppliers and their partners’ efforts to combat cyber threats. You may already perform a level of supplier verification, so adding cyber and information security to the list of expectations and checks is a must.
Cyber threats across agriculture and the agrifood system are real. When a criminal is casing a row of houses, the one that is least protected is the one that is targeted. Recognise that you’ve got something that is valuable to cybercriminals and possibly to hostile nation-states, and don’t let your organisation be that easy target.
Additional ISO 27001 Resources
ISO 27001 Documentation Guide & Checklist
Learn what documentation and policies are required to achieve certification.
ISO 27001:2022 Transition Guide
Excellerate your implementation and/or transition to ISO 27001:2022 with guidance on the new standard.
ISO 27001 Certification Case Study
Read how Risk Crew helped a Agrifood organisation achieve and maintain ISO 27001 certification.