The cyberattack against Fleury Michon in France seems to support what had previously been suspected: that agri-food industries are the new targets for cyberattackers. And this is no coincidence, given their strategic nature. Issues, risks and counter-measures: we review the situation.
The date is 15th April 2019 and, on a fairly chilly Spring Monday, Fleury Michon is gradually finding its feet again following a cyberattack that brought production to a halt for five days. “During the night of 10th to 11th April, Fleury Michon’s computer systems were hit by an electronic virus. As a precautionary measure, all systems were disconnected to prevent it from spreading. Our factories and our logistics unit were shut down on Friday 11th April at 2:00pm”, the group revealed in a statement.
No more information is available about the origins of this virus, or how it managed to get into Fleury Michon’s computer system. Nor do we know the financial cost to the business of a five-day plant shutdown. “The impacts are currently being quantified, but will be limited and covered by an insurance policy taken out for this purpose”, the group advised. So does the story end there? Not quite. This cyberattack is a vindication of the warning issued at the start of the year by Kaspersky: agri-food industries are the new targets for cyberattackers... and the consequences could be serious.
Professional, organised cyberattackers
Forget about script kiddies. The cyberattackers targeting the agri-food industry are on a different level. “The parties attacking this industry are no mere amateurs. Given the underlying economic, health and governance issues, we’re more likely dealing with a group of well-coordinated information pirates, or perhaps even a mafia-style or state organisation”, warns Robert Wakim, Stormshield Offers Manager.
With very specific motivations. “An attack can have consequences on multiple levels: disrupting the continuity of service, damaging consumer trust, harming the company’s image, financial consequences on profitability, impeding innovation and directly hitting competitiveness”, points out Tiphaine Leduc, Cybersecurity Leader at Bretagne Développement Innovation, in an article published in the Revue de l’Observatoire des Industries AgroAlimentaires.
Where there used to be a pair of human eyes on guard, nowadays the front line is manned by a machine. If a silo’s measurement sensor is sufficiently compromised, for example, it could be made to feedback incorrect information about the quantity of wheat it contains. And this raises several possible scenarios: a silo that is thought to be empty - but isn’t - will prompt a reduction in production for the time the wheat order takes to arrive, but will also have an effect on deliveries, as the lorry (which is unable to unload) will then leave full and cannot continue its rounds. Conversely, a silo that is wrongly believed to be full will cause production machines to run while empty, and wear out – because, with no product to process, they may overheat and seize up the entire production line. Results: major losses in revenue, but also a loss of credibility.
To say nothing of attacks which could take control of machines to change a product’s recipes or quality. “If someone changes the recipe of my fizzy drink and it tastes different, people will stop buying it. If they alter a probe to prevent it from detecting an allergen or harmful substance, I’m putting consumers at risk. And if my production lines are slowed or halted, I may not be able to meet demand”, Robert Wakim explains.
But that’s not all. Cyberattackers may also benefit from market speculation on food stocks or commodities. “It isn’t out of the question that some parties may have been betting on falls in Eurofins shares following a cyberattack”, he continues. “A new form of insider trading.”
Agri-food: a highly strategic industry
“There’s nothing new about attempts to cause damage using agriculture or food. For decades now, we have seen attacks using biological or chemical contamination against cattle, plantations, fruit and vegetables”, explains Florian Bonnet, Stormshield’s Director of Product Management. “However, for a long time, the fairly unspectacular nature of such attacks meant that they raised no particular concern.”
That is, until Allied forces uncovered thousands of scientific documents on US agriculture among the papers of a certain... Osama bin Laden. Post 9/11 America is now aware that attacks on the agri-food sector could have terrible consequences on human lives and on the country’s economy. In 2003, in the aftermath of the Twin Towers attacks, the WHO published recommendations for governments and players in the agri-food industry, and ex-US President Barack Obama signed the Food Safety Modernization Act – covering the entire agri-food chain – in 2011. The concept of agro-terrorism, born almost a century ago, is now entering the era of cyber-terrorism.
It’s possible to weaken an entire country by attacking its agri-food industry.Robert Wakim, Offers Manager Stormshield
Some foodstuffs are even considered “critical”. In France, water and food management form part of 12 sectors of vital importance listed in the French Military Planning Act. And could the 249 identified Operators of Vital Importance (OIVs) potentially include a number of agriculturalists? Given that the healthcare sector is a major consumer of starch (from potatoes), anything is possible.
“The industry is critically important to our survival. But it’s also a globalised, hyper-competitive industry, concentrated in the hands of just a few multinationals, with very large sums of money at stake. These are the characteristics that increase its exposure than any other”, emphasises Robert Wakim. Attacks on this industry are also attacks against a country itself. “It’s possible, for example, to weaken a country by compromising its ability to produce a particular foodstuff”, he continues. This helps to weaken the health of the entire country; firstly nutritionally, but also economically – especially if the targeted agriculture is vitally important to the population or to GDP.”
This is a logical moment to stop and take a deep breath. Yes, the cybersecurity risks faced by the sector are truly staggering. But now, what can we do to protect this industry without curbing its activity?
Secure the whole chain
Like any industry, agri-food has specific issues to deal with: “remaining a competitive industry in a globalised market, in which innovation is an everyday fact of life and food safety is the absolute priority”, Tiphaine Leduc warns.
Like any industry, it is weakened by its chain-like structure. Between the producer and the consumer lie a series of overlapping players (from harvesting to processing, via distribution), with varying levels of cybersecurity. The problem is: each link in the chain is responsible for its own cybersecurity. If any link fails, the entire chain could be compromised.
“The supply chain concentrates risks: automation introduces new gateways that, if not clearly identified from the start, may become back doors”, adds Wakim. Speaking in 2018 through Patrick Bigeard, its delegate for digital security in the Île de France region, at an event hosted by antivirus producer ESET, France’s ANSSI cybersecurity agency noted a drop in attacks targeting OIVs and a rise in attacks targeting... their suppliers!
Numerous controls and recommendations have been implemented to combat this fact. In 2017, France’s AFNOR standards organisation updated its “Methodological Guide to Food Defense”, in partnership with various players in the agri-food sector, including insurers. Also worthy of mention: the Electronic Health Guide and the recommendations on “Cybersecurity in industrial systems”, produced by ANSSI.
Strengthening workstation protection
Systems for protecting workstations, networks and even data are essential. Indeed, OIVs are even subject to a special protection requirement. “The first protection is to improve your digital hygiene”, insists Robert Wakim. “This primarily takes the form of updates to systems and good habits within companies. Apart from the development of a corporate cybersecurity culture, the protection of workstations – especially those which are exposed to non-internal personnel, such as providers – must be improved. And of course, there needs to be network protection around functionalities such as segmentation, filtering and order control...”
Some players have decided to take the lead. Having been targeted by “incidents” (which were halted in time), agricultural co-operative Triskalia recently embarked on a preventive cybersecurity strategy affecting all of its employees, business lines and factories. “All staff, participating farmers, suppliers and customers have received awareness training”, says Denis Saout, CISO for the co-operative, which employs 4,800 staff.
After all, we need to bear in mind the universal cybersecurity problem: an attack will always target the weakest link. “All security levels need to be increased at more or less the same speed”, insists Robert Wakim. “There’s no point in putting an armoured door on a wire fence. Cyberprotection lies in the ability to strengthen your defences from all sides.”
Although the subject may provoke anger or fear, industry needs to face up to the fact that one day it may be the target of a cyberattack. Florian Bonnet believes that “the next step is to work on your cyber-resilience; that is, the ability to recover from an attack and resume your business activity as quickly as possible. This calls for considerable efforts in background auditing of your existing equipment (condition, age, internal security level). It means starting from the assumption that one day we will fall victim to an attack, and anticipating its impacts (zero, minor, major or critical). A company needs to be able to manage each of these impacts. They are measured not in days of work lost, but in hard financial loss.”
And don’t forget to get your entire ecosystem on board, insisting that your providers operate the same level of cybersecurity that you do. Because in a cybersecurity protection chain, the weakest link is the one that will be attacked first.