By Raleigh Butler
You may not think that agriculture and cybersecurity, both themes of the Midwest Big Data Innovation Hub, are linked, but recent events demonstrate there are connections between the two that pose risks to our food security.
The “food and agriculture” industry is publicly defined as a critical infrastructure sector by the U.S. Department of Homeland Security. The Cybersecurity & Infrastructure Security Agency (CISA) states that food and agriculture is one of sixteen essential critical infrastructure sectors that provide “the essential services that underpin American society and serve as the backbone of our nation’s economy, security, and health. We know it as the power we use in our homes, the water we drink, the transportation that moves us, and the communication systems we rely on to stay in touch with friends and family.” Those statements highlight the urgency of building robust cyberinfrastructure to prevent massive disruptions to crucial public services.
A recent cyberattack targeting an Iowa-based agriculture company called New Cooperative illustrates the severity and consequences of such incidents. The group claiming responsibility—BlackMatter—deals in blackmail, Reuters reports. The hackers from BlackMatter locked New Cooperative out of data that supports food supply chains and details the feeding schedules of livestock. To obtain the decryption key for its data and resume its farming activities, New Cooperative was ordered to pay $5.9 million.
As Bobby J. Martens, an associate professor of Economics at Iowa State University, was quoted as saying, “This event wasn’t long enough to cause a change in the commodity price, but certainly it will have ramifications in terms of the food supply system. If they do it to this company, they could do it to one of the majors. They can block the food chain. They attacked in the heartland of all agriculture. It’s a new form of terrorism.”
Regardless of the source, and whether it is purposeful or accidental, a failure in any other critical sector could be life-threatening for US citizens. For example, Water and Wastewater Systems is a related sector on CISA’s list, and in fact, water system attacks did occur early in 2020, the most prominent being the Oldsmar, Florida, attack of February 16. While the breach nearly allowed a mass poisoning to occur, the mayor viewed the event as a “success.” According to ProPublica, cybersecurity experts view the breach not as a success, but instead as a “frightening near-miss.” Retired Admiral Mark Montgomery, a panelist on the MBDH Water Data Forum webinar on water and cybersecurity in May 2021, was quoted as saying, “Frankly, they got very lucky. They averted a disaster through a lot of good fortune.”
Nontechnical companies are extremely vulnerable to cyberattacks. According to the 2020 State of Ransomware report, manufacturing, government, services, and healthcare are among the top sectors prone to cyberattacks. The report comes from BlackFog, a leading company in ransomware protection.
Moving forward, it is possible for businesses and governmental sectors to make cybersecurity an integral part of their practices. Even seemingly trivial data maintenance, such as regularly backing up data on multiple storage devices and encrypting data during transfer, can improve data security in the long run. The key is to operate under the mindset of protecting data and to be more intentional about data protection at every point. The U.S. National Institute of Standards and Technology (NIST) and CISA developed the NIST Cybersecurity Framework, a comprehensive approach to security for critical infrastructure, and there are subsets of that work to support small businesses and other organizations that face cybersecurity risks but may not have extensive resources.
At the management level, designated information security officers can build more secure databases and data management systems. The information security officers can also perform routine testing for weaknesses in the existing systems. They could also work with risk managers to develop preventive measures in case of cyberattacks. Other preventive measures include purchasing cyber insurance.
An additional benefit of developing systems for monitoring and collecting data is the ability to assess the impact of other external events. We previously published a story on how researchers were assessing the spread of COVID-19 by examining the relative levels of the virus in wastewater systems. Since many infrastructure systems, such as agriculture, water, and food, are an interconnected web of dependencies, threats to one can have cascading impacts across others. For academic organizations that manage research data repositories, the MBDH and its partners developed a guidance document on data security for open science, through our Trustworthy Data Working Group.
Do you have a cybersecurity success story or case study to share from your organization? Contact the Midwest Big Data Innovation Hub if you’re aware of other people or projects we should profile here, or to participate in any of our community-led Priority Areas. The MBDH has a variety of ways to get involved with our community and activities.
The Midwest Big Data Innovation Hub is an NSF-funded partnership of the University of Illinois at Urbana-Champaign, Indiana University, Iowa State University, the University of Michigan, the University of Minnesota, and the University of North Dakota, and is focused on developing collaborations in the 12-state Midwest region. Learn more about the national NSF Big Data Hubs community.