In June, the US government issued new ransomware guidance and urged businesses to “take immediate steps” to protect themselves against cyberattacks, amid a significant increase in the number and size of ransomware incidents.
FeedNavigator interviewed Rachel Ratcliff, senior managing director at cyber security firm Stroz Friedberg, to find out what cyber threats the feed industry faces and what organizations can do to safeguard against attacks.
Ratcliff said that in recent years the feed industry and cybercrime had evolved in parallel in a way that has produced the “perfect storm”.
“The globalization of the feed industry has seen the creation of supply chains all over the world. There are so many more links in the chain than there used to be and every link is a potential vulnerability. These links can be anywhere in the world – in places like China, Russia and Africa that are known to be hotbeds for cyber threats and where companies might not have boots on the ground,” she told this publication.
She said the risks introduced by globalized supply chains had been compounded by the modernization of the industry.
“What may have been done with filing cabinets and paper not terribly long ago is now done on connected networks. Systems that may have been contained within a factory now have connections to many other places.”
At the same time, she said that attackers had evolved and were now capable of more sophisticated campaigns.
“Five years ago attackers had a heavy focus on finding data that they could monetize, like credit card information and personal information. However, attackers have evolved and worked out that they can make money more quickly via other means.”
She continued: “Unfortunately, the ‘means’ that makes my phone ring every day is ransomware. Ransomware has changed the game from the monetization of stolen data to business interruption and extortion and in doing so, opened up the floodgates of potential victims. Companies who felt like they weren’t targets before are now very squarely in the crosshair of these attackers.”
Feed, she said, was one of the industries that had not felt pressed to make the necessary security changes, as it wasn’t perceived as a target in the same way as healthcare, financial services and retail.
The perfect storm
“This creates the perfect storm of an industry that has seen a lot of growth and change and has not caught up with security as it could and should have,” said Ratcliff.
Although attackers have become more advanced in their methods, phishing is still the number one way they gain access to an environment, according to Ratcliff.
“Phishing has been around forever because it is very effective. A lot of the time we see attackers use phishing as an entry point, distribute malware, move around a network and then quickly deploy ransomware that can encrypt systems within the environment,” said Ratcliff.
The other way in which attackers are gaining entry is through supply chain breaches.
“Attackers are finding vulnerabilities within IT management software such as Kaseya and Microsoft Exchange and are leveraging these to get into more and more companies. So we’ve got to worry about protecting our own house and the houses of others.”
Grains case study: CGB
The case of US grain and transportation company CGB illustrates Ratcliff’s point about the industry’s perception that it is not a target, and shows that cyberattacks can be launched on any business, with paralyzing effects.
“We were a mid-sized company with several rural locations and about 2500 employees when this happened. We were just like you,” said Greg Beck, senior vice president, grain division, at CGB Enterprises, addressing the 2020 National Grain and Feed Association Country Conference.
“Management was always pushing back against IT. They would talk about multi-factor authentication. Our response was that we didn’t want to go to a new system where you have to type in numbers. Some of us would even say, we’re just a grain business, what information do we have that anyone would care about?”
Bolt out of the blue
One morning at around 2am in June 2020, CGB was hit by a ransomware attack.
“They had been in our system for a while - IT had seen someone moving around. By 5am our scales were inoperable. We couldn’t dump trucks, print checks or hedge,” recalled Beck.
By 7am, IT implemented a system shutdown and everything had to be done manually.
“That was a slow process. Over 20 years we had migrated to an online CMS that employees could access from anywhere and we had quit making hard copies of anything. We didn’t have hard-printed logs, phone numbers or email addresses and we couldn’t find customer balances and storage obligations. Farmers were trying to deliver grain but we didn’t have any manual tickets to give them,” said Beck.
Although CGB thought that all of its computers were unplugged, Beck said there was still “pinging”.
“There were still computers hooked up sending information that the ransomware attackers could use,” he said.
Stroz Friedberg helped CGB trace this to some old computers that “no-one cared about”. They were running very old software and didn’t have the latest virus protection but were hooked up to the network for running scales, cameras and PLCs.
CGB did not pay any ransom, but rebuilding its digital systems was an expensive eight-week process.
“We ordered 344 new laptops for employees and IT had to rebuild the digital controls scale by scale,” Beck said.
“In hindsight, we should have insisted that if an employee failed a phishing test, they should have their privileges to use computers suspended,” said Beck.
Lessons learned
Other lessons he said CGB has learned from the incident are: have a handle on where your sensitive data is kept and who has system access; have back-up manual scale checks and tickets, maintained by head office; separate PLCs from the network so that if an infection comes through them, it won’t damage the network; never use old computers to run equipment; be diligent on IT phishing and spyware training.
Ratcliff advises that at the very least, feed industry businesses should implement EDR (Endpoint Detection & Response) solutions and multi-factor authentication, keep back-ups of critical data, identify outside counsel they can call on in the event of a security breach and consider a risk transfer solution such as cyber insurance.
“Even though the retention costs have risen, when you consider that companies who fall victim to cyberattacks may be shelling out millions of dollars for interruption, investigation and ransom payments, the transfer fees are put into context very quickly,” she said.
At a high level, Ratcliff said that a mindset change was needed to focus on proactive security.
“Attackers work in two big buckets: there are the very sophisticated, often state-sponsored actors who are very difficult to mitigate against. However, the majority fall into the other group of attackers who are financially motivated and are taking a ‘splatter’ approach to see where they can get a foothold. With that type of actor there are various things you can do to avoid being the slowest antelope on the Serengeti; having a corporate mindset that focuses on active security is at the helm of that.”