The question is not whether Russia and other “persistent threat” nations (China, Iran and North Korea are the others classified as such) have hacked into the U.S. agricultural system and other critical infrastructure with the potential to wreak havoc.
The real question is how deep does it go and how much damage could result? And the answer to that, experts say, is way too deep for comfort.
Without question those systems have been compromised to the point that vulnerabilities impacting national security are a given. Russia could disrupt American agriculture at any time — and may already be doing so – or could take the system off the grid at a moment’s notice, along with power, water and other key infrastructure.
That’s the verdict of ongoing research by Dr. Bob Norton, chair of the Auburn University Food System Institute’s Food and Water Defense Working Group. He is a long-time consultant to the U.S. military and federal and state law enforcement agencies and editor of Bob Norton’s Food Defense Blog.
“We’re in a time where the complexities are starting to kind of compound. We are facing some tough times probably, certainly some challenging times in the next few months and years,” Norton told SPW.
“Obviously there is this issue, there are a number of adversarial countries that are probing our critical infrastructure — agriculture, food, water, electricity, those are all being poked at by these countries. These critical infrastructures are attached to each other – we can’t think of food as being isolated in and of itself – it touches all of these other critical infrastructures.”
There is good news, though. As good as America’s enemies are at hacking around and creating disruptions, the U.S. is even better at it. And at thwarting threats from outside.
So how might the Russians – or other enemies – use this positioning to hurt U.S. agriculture?
“As we’ve looked at things like agri-terrorism in the past, we’ve thought of pathogens — foot and mouth disease, some adversary pushes it into the country and it all breaks loose. Now we’re having to think in terms of an attack from maybe something other than a pathogen,” Norton said. “It could start with a cyber-attack. We are also increasingly concerned about things where the interface between critical infrastructures creates a cascading effect.
Persistent Threat Nations Can Wreak Havoc
“In the [produce] industry, you’ve got to have all kinds of inputs to create the [produce] that then becomes an output. You could have an attack on the electrical power grid that could affect the industry either directly or indirectly. You could have a cyberattack that would cascade into the water system that could then cascade into the industry.”
An attack anywhere in American infrastructure is an attack on agriculture, with potentially devastating consequences.
“The persistent threat nations are going to be our adversaries for a very long time. Any one of those countries is capable of doing major damage to critical infrastructures under certain circumstances – not across the board, but they could do some damage,” Norton says.
“The good news is, critical infrastructures are very aware of that and countering [hackers’] capabilities. As systems become more and more robust on our side, it makes it harder and harder for those persistent threat nations to attack us. Over time we’re getting more capable in our defense.”
Institutions like Norton’s Auburn defense group are critical in advancing that knowledge.
“What we’re trying to do is really understand the complexities of the system. There are not a lot of experts out there who transcend domains; we’ve got a lot of subject matter experts who know pieces of the puzzle but very few who actually understand the big picture and how all those pieces fit together. It’s getting harder to get your arms around the whole picture,” Norton said.
Big Concern Is What You Don’t Know
How deep does it go?
“It’s hard to tell right now,” Norton allowed. “The FBI is looking at this very carefully and there are a number of cases FBI are involved in. The federal government is aware of this situation and doing, I think, a good job in tracking down some of these cases and really getting a handle on what’s going on.
“The big concern is the things that you don’t know. That is, we have a modicum of understanding as to the full spectrum of threat. But when you’re talking about threats that may originate in one place and end up in your backyard, those are far more problematic to investigate.”
We all remember October 2016, when hackers exploited vulnerabilities in home appliances to cause a day-long shutdown of Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, PayPal and other sites. Bluetooth-enabled appliances – like copiers and microwaves and refrigerators, which aren’t designed with complex security systems – opened a door that hackers walked right through.
More recently, a Vegas casino was hacked through a temperature control system for an aquarium. Fortunately, the casino was prepared and looking for threats and was able to halt the attack in its tracks.
“You never would have thought your refrigerator might have been the point of entry for hackers into your system,” Norton said. “Whether you’re producing corn or lettuce or whatever, you may be thinking in terms of your information being taken ransom – but you probably are not thinking about the refrigerator in the breakroom or the phone control system for the lights in the building. There are a lot of gaps in understanding where all these threats reside.
Even Tractors Can Be Hacked
“If you’re a lettuce grower, wheat grower, whatever you’re working in, you don’t think about the tractors you’ve got in the field — those things could be hacked. With precision agronomy, a tractor could be hacked, you could have imprecise spraying of pesticides and fertilizers, it can be disastrous. You lose control of your process. It’s imperative that everyone involved in precision agriculture is acutely aware of this and strengthening their systems to prevent it.”
So what can you do to protect your business and home? You could just unplug it all, like SPW’s Editor & Publisher recently did.
Better yet, you can be prepared.
How prepared is up to you, Norton says, but he recommends going big.
Companies “have to decide for themselves what kind of risk they’re going to tolerate. Most of them understand the need to secure at the highest level they can afford,” Norton said. “I could go into a food company and say, ‘I can improve your cyber security system by 50 percent today but it will cost a million dollars – is that something you want to do?’ Companies are having to decide.
“With the FSMA rule, for instance, what do we have to do to [enact] what the government says we have to do and, more importantly, what do our insurance carriers say we have to do? In agriculture, the profit margin is so narrow on so many commodities that if you bump it a few pennies per unit, then you’ve severely damaged that profitability.
“It’s a balancing act. We are obviously in a very connected work and we just have to learn how to take best advantage of the things that we can do at the level we can afford. Most every company can handle the minor adversaries, the local hackers, the hackers trying to do mischief; most of those can be handled pretty simply.
“But when you get into sophisticated adversaries, you’re going to need to bring in experts. Because it is becoming increasingly complex, it is imperative that you be working with a security company. If you can afford it, got to one of the top 10 – they are going to have a better grasp of what the problems are today that may be different from yesterday and can better help you protect systems and the data in your systems.”
‘Bad Guys Are Lazy…’
So the simple answer to the question of how much security is enough is, How much can you afford?
“A small corporation does not need to have the level of security or expenditures a large corporation does, that’s unreasonable to think that can be done. But the bottom line is, you’re going to have to protect yourself. The government is not going to protect you,” Norton says.
“But bad guys, just like good guys, tend to be lazy. What you want to do is make [cyber-security] as robust as possible because then they’ll look at it and go, ‘Why be bothered with this when I can go down the street and hit a less robust company?’ Strengthen your systems to the point where it’s just not worth it to try to attack you.”
And understand that the U.S. will always have homefield advantage when it comes to countering cyber-threats, because so much of the world’s web infrastructure originates and is housed here.
“It is often presented in the press that we are helpless, that we are just victims,” Norton said. “That’s not an accurate depiction. The United States can strike back on any nation in ways that we don’t talk about. We have got the capability of punching back. Let’s say worst-case scenario a war breaks out between the United States and Russia – who would come out on top? The United States. The Russians are very good at things, but we have capabilities they don’t have and we’re better.
Internet’s Backbone Is In The U.S.
“Not that I’m trying to challenge them. In an actual cyberwar, there would certainly be damage, but I think in the end the United States would probably come out on top. It doesn’t mean it wouldn’t cost billions of dollars to the U.S. economy, but it wouldn’t be an existential threat where suddenly nobody’s got any food – it’s too complex and we generate too much internally – but you could certainly see a major hit to the food supply or a scenario in which a particular foodstuff becomes exceedingly expensive or unavailable.
“Basically everything related to the cyber-realm at some place touches the United States, so it all comes through here – a big portion of the backbone is in the United States. Does that mean you can reach out and touch other nations? Absolutely, and those other nations know it. They’re going to try to counter everything we do.
“It’s a never-ending circle. We counter things, and there are many things happening virtually every minute of every day that the public is not aware of. It’s not like the United States is just sitting by being pummeled and unprepared and a victim.”