Cybersecurity on the farm

Jodi:
My first question is, why are we seeing cyber security on the rise?
Doug:
I think there's a couple factors. Biggest one is they figured out how to make money. They figured out it's fairly easy money to make with limited risk of any bad consequences. And in part that's facilitated by things like Bitcoin, the ability to easily transfer money from one person to another anonymously. So that's why they're going after some of the big targets. Some of the big people who are going to pay millions of dollars to come back. And they still go after individuals, trying to get them to give up gift cards or other ways to do that payment, so. But motivation is driven by money.
Jodi:
Farmers in rural areas may think, "Ah, this isn't going to happen to me." But how are farmers being targeted by the cybersecurity attackers?
Doug:
Well, so sort of again, two categories, I think we look at everybody's being targeted in general. They don't care if you're a farmer.
Jodi:
True.
Doug:
You own a restaurant or whoever. So there's a group of them out there that are just going to cast a wide net and see who falls or whatever scam they're pushing at the moment. But we are starting to see, especially looking at the recent things with co-ops, et cetera, they've sort of discovered the ag sector. When you've seen this over the last several years.
Doug:
They moved from sector to sector as a sector starts to realize that they're after them, the sector starts to communicate and harden their defenses and people know, "Oh, the hospital down the street got hit. We need to be better prepared." And so they kind of drift, they were financial for a while. They're still in hospitals, but they played against hospitals. There was a period of time when they went after cities, municipalities, ag seems to be one that they're kind of waking up to when they go after the big organizations, the co-ops or the banks.
Jodi:
Who are they going after in agriculture right now, you think?
Doug:
And we've seen some cases recently especially if you look at the ransomware attack, which is the big money attack, they're going after people who they believe cannot function if their computer systems quit working, that's what makes ransomware work. And so it was JBS a while back and the big one, which wasn't ag, but the Colonial Pipeline is the perfect example of a kind of we are in the East Coast for a week. Because what ransomware does is it stops your ability to use your computer systems.
Doug:
And so they're trying to figure out who's most impacted by that. They went after a couple co-ops here in Iowa that made the news and how successful things are really depends on how can you operate? Do you have a backup plan to operate without a computer system? I mean, co-ops are in a little better position to do that than a hospital can't operate without a computer. So they're just out of luck without computers. So part of it, is they're just kind of drifting around. Cause that's if you're looking at the big attacks they're still after anybody who falls for that.
Jodi:
Yeah. And a lot of that comes through our email system of course.
Doug:
Oh, yes.
Jodi:
So what are some tips that you have to prevent downloading this malware?
Doug:
Yeah, so it's a hard tip to tell people, but you tell people to be leery. We by our very nature like to be trusting. And so you want to be a little suspicious of anything that comes across unsolicited and email tends to be one of their biggest methods to do that. And now they're doing more of emails to get you to go somewhere or to actively participate in the download. We don't see as much sending the malware as an email attachment in part we have technology that does a pretty good job of stopping that. So now they're through social engineering trying to trick you, convince you to download malware. And the bottom line is that if it's unsolicited be very suspicious of it, they tend to try to be a trusted partner or they try to pretend to be your bank or something else.
Doug:
Know your bank will never tell you to do that. No legitimate business is going to tell you to come and download something. One of the things they play the game of, well, you need to download this viewer in order to see this content. No, you don't. There's no special content that needs a viewer. Bottom line is you basically don't really ever need to download anything that is an executable. It's okay to download a PDF file and look at it. But the other word of advice, your computers are pretty good at trying to stop you from doing bad things, they pop up the little messages and say, "Do you really want to open this? Do you really want to do this?" When it's asking you that question, it's trying to protect you. It's not trying to annoy you. So look at what it's saying. Think about what it's asking. Oftentimes the answer is no, but sometimes we get frustrated with the computer constantly doing that.
Jodi:
Can you explain what phishing emails are and how to identify one?
Doug:
Yeah, well phishing, and there's actually several flavors of phishing. So if we look at just general phishing, those are the emails that are pretty generic in nature. They'll pretend to be your bank. They'll have a backstory of why you should do something. Usually it's your account's been compromised, sometimes it's you've won a prize. So the whole two sides of that, if it's too good to be true. Yes, it probably is. The other side is the banks and they aren't going to send you messages like that, telling you things have been compromised. If something's been compromised, they'll reach out with you over a phone call.
Doug:
So phishing is really this idea of trying to convince you to do something. And then the phishing gets, they talk about spear phishing. They talk about phishing that gets more focus. So that would be, they know you're a farmer and now they're going to pretend to be a co-op versus they don't know who you are. And half the time you may even get an email from a bank you don't even do business with. So they don't even know anything about you. So they range from they're just trying to get anybody who will answer to. Yeah, I know this person is likely a farmer. Therefore, I'm pretending to be a co-op in the area or I'm pretending to be something a little more generic and trying to again, convince you to do something.
Jodi:
Despite your best intentions, sometimes you still can fall a victim to a very cleverly crafted email. Doug, what do you do if you fall victim to malware or a phishing email?
Doug:
A little bit depends on what you fall victim to. The phishing emails try to typically get you to do one of two things, download the malware. And if you have fallen victim and download malware, basically you want to unplug your computer from the network and then find expert advice to help get it back. I mean, if you've gotten ransomware on your computer, you're going to need to turn to professionals to help you work through that. You should have backups, et cetera ahead of time.
Doug:
So if you have Cloud based backups. Yeah, it's chances of coming back are pretty good for an individual. The other things they try to do a lot of is they'll get your username and password to something. So they'll pretend to be your bank. You'll log into your, what they say is your bank. And you give up your username and password. If you've fallen victim to that, then you need to contact the bank. You need to go in and change usernames and passwords. And if you've used that password anywhere else, you better change it everywhere else you've used it.
Jodi:
Let's talk about the importance of strong passwords. How do you create one? What is a strong password and where do you store them? I mean, everybody needs a password for this or that and the other thing, it gets to be quite a pain.
Doug:
Yeah, it is quite a pain. Depending on how many you have let's start with where do you store them? I mean, I use an electronic storage mechanism for my passwords. It's a monthly charge to do that. But when I think about an electronic storage, I'm actually worried about two issues with my passwords. One is I can't remember them. But the other is in the case of something really bad happening, how does my family recover from me not being there anymore? So many of these password systems have the ability to have multiple users. So you got that whole, what if something really bad happens? If you have a smaller number of passwords, it's actually not terrible to write them down in a notebook and put them in your desk in your locked house. That's not a terrible thing.
Doug:
It's just, you get to the point where there's so many of them and it becomes kind of unwieldy. Good passwords, it's really about how long they are more than how weird they are. So if you think about guessing a password, either through just guessing, because I know your cat's name is Fluffy, versus guessing because I'm going to try all the possible words in the English dictionary. If I make a password that is long made up of multiple words, even if they're just all normal words that becomes a strong password. Cause I can't guess it.
Doug:
Now some places force you to add upper lower case and special characters, but really length is the most important thing we talk about. Cause there's two sides to losing your password. There is somebody guesses Fluffy. The other is that your passwords are stored on various places and they can get broken into and they will lose the passwords. Now the passwords are designed in such a way that they can't get them without guessing all possible combinations against that. So you have to guess Fluffy, but they can guess Fluffy with a piece of software. So again, that's why you want a really long password because their software can't guess that.
Jodi:
You alluded to saving what's on your computer earlier. What are your tips for backing up your data?
Doug:
Various Cloud storage is a good mechanism. If you feel comfortable with that, Google Drive, any of those Google or any service like that, if you feel comfortable with doing it yourself, hard drives you go buy at your favorite store cost almost nothing. A little external hard drive. The downside of an external hard drive is again in disaster recovery. So we kind of also worry about disaster and cyber recovery. If my hard drive is sitting next to my laptop and a tornado blows through, like happens periodically and wipes out my house, my hard drive goes away too. So the beauty of the Cloud storage is that it's stored somewhere.
Jodi:
And none of us know where it is.
Doug:
Yeah, right.
Doug:
Well, but the point is that they then take care of backing up redundancy, et cetera. And the Cloud isn't in one place. It literally is all over the country. And so your data is very well protected by being part of the Cloud. And for most people we don't have enough data to really have it cost a whole lot. Most Cloud services have a pretty low cost for quite a bit of data. Same with your phone. My phone is automatically backed up to the same Cloud storage that I have my computer connected to for all the pictures and stuff. I don't want to worry about losing my pictures on my phone. And so they're in the Cloud. The beauty of that too, is that I can also get at them from my computer. So I can see my phone pictures on my computer, which is kind of nice.
Jodi:
Are you seeing cybersecurity issues with machinery technology at all?
Doug:
We're not seeing it in the ag sector yet and especially at a farm level. Cause most of it's not highly automated. You see some automation at processing facilities, but even like a JBS who got hit most of their factory floor is fairly straightforward and mechanic. I mean it's conveyor belts moving at a fixed rate. You get into people that are doing more of a distillery or more of a complex chemical process, but they've done a good job of segmentation. Your factory floor is not on the internet. It's all by itself.
Jodi:
Okay. So then a farmer who has advanced technology in his tractors, he's going through the field. Doesn't have to worry about a hacker getting into that and messing with all his data.
Doug:
Messing with the tractor probably not, the little kid somewhere is not going to take over control of your tractor. But if you start to store all of your field data, et cetera in your Cloud account, then you want to make sure you have multifactor authentication in front of your accounts. Everybody hates it, username password, and then it sends you a text message. But that was a word of advice for anything that's important. You want to talk about making your passwords secure, multifactor does that. I can give you my password to my bank. Won't do you any good unless you have my cell phone. And so any of that critical data and most data services, some of them force you. I can't deal with my bank on unless it's multifactor, they won't let me. So worrying about any of that critical data that you're storing use multifactor use your cell phone as your second factor, because that's really where the threat is losing that data.
Jodi:
Doug, are there any other tips that you'd like to pass along for keeping farmers up to date on any cyber security issues?
Doug:
Well, we've focused a lot on things coming in through the email. You need to be also very leery of they're using text messages, they're using the telephone. As we teach people or people learn how to not do this, that doesn't stop them. They just figure out a new something to do to you. And so the text messages have actually been on the increase using the links to web pages. And so inside text messages, they will do some amount of phone that kind of ebbs and flows because it costs them a lot, not in money, but time to interact with you and basically they're trying to convince you to download malware when they talk to you on the phone. Although there have been cases where they try to play the game, "Grandson has been arrested for OWI and you need to give us money." And those things.
Doug:
We see some of that, but we're also seeing a willingness for them to interact more with you. We've seen some simple emails go back and forth. The, "Hey are you free? Do you have a minute." Pretending to be one of your friends. And that typically eventually leads to them, trying to get gift cards out of you. I don't know about you, but I don't think I have any friends who would send multiple emails back and forth to get gift cards from me. If they needed money from me, they would pick up the phone and call me and I'd gladly give them money.
Jodi:
Yeah and I'd call them back to make sure it was really them.
Doug:
Yes, exactly. But we're not going to play 15 emails back and forth to give $500 worth of gift cards that just ain't going to happen.
Jodi:
All right. Well thank you very much, Doug. And I guess the words here are, if it's too good to be true, it probably is. So coming through something like that.
Doug:
Yeah. I mean, it really is the fact, I mean the computer in some sense is almost the perfect vehicle for this to happen. Because we don't associate it with people. It's our, we only bought the thing. It's ours, it's sitting on our desk, it's in our house. What we don't understand is all this is a way for people to talk to us and it's no different than the stranger walking up to you on the street with the trench coat and all the watches. But we, for some reason and right probably, we disassociate the person on the other end because the computer's there. And so we will do things, say things we'll even post things that we would never do say face to face to somebody.
Doug:
So I always, and this is more when I'm dealing with the younger people, but I always use what would grandma think if you posted that, if you did that or would you do this? If somebody walked up to you face to face and asked you to do this, would you? And if the answer is no, then it probably should be no across the computer.
