Topcon Talks Agriculture

Innovation at a Price: Cyber Security on the Farm | S06E10

March 09, 2023 Topcon Positioning Systems Season 6 Episode 10
Topcon Talks Agriculture
Innovation at a Price: Cyber Security on the Farm | S06E10
Show Notes Transcript

Technology on the farm yields great productivity and efficiency. However, with all this new data, how much do you need to worry about cyber attacks? It’s a threat that’s becoming more and more common. We talk to experts about Ag information security and what you need to do to protect yourself.

Speaker 1:

Hello and welcome. It's a beautiful day for agriculture, and we're thrilled to have you join us for Topcon Talks Agriculture. We delve into the fascinating world of farming and all that it has to offer. So let's get started today. My name is Dan Hendricks, and I am your host for today's episode. I serve as the senior business development manager for Topcon Agriculture, and I get the pleasure to work with an amazing team of talented individuals who love agriculture. They enjoy technology, and they strive to help farmers and growers find solutions and feed our planet. On today's episode, we are going to talk about the importance of cybersecurity on the farm. Gone are the days in agriculture where the farm and his operations are off the grid and disconnected from pretty much the rest of the world. Technology and agriculture has grown to help producers understand the benefits of collecting their data and using it to make business decisions to increase yield, become more efficient, and get a better return on their investment. Many new pieces of equipment have the ability now to collect data and share it with other operators, consultants, or back to the home office. And all of this data is useful and helpful, but it puts the operation in risk if it gets into the wrong hands. Now, I think all of this can agree that the overall vulnerability of cyber attacks is on the rise. Uh, if you're like me, you're getting emails, text messages, phone calls from predators trying to trick us into giving them money, data, or access. Here's a couple stats. On September 1st, 2021, the F B I released a notification report sounding the alarm on cyber criminals, increasingly targeting the food and ag sector companies due to the adoption of smart technologies. In the fall of 21, there were six attacks against grain co-ops in early 2022. There were two ag-related cyber attacks that temporarily disrupted seed and fertilizer supply. So because of this increased risk and threat, we want our listeners to protect their farm, their data, and their operation. And so that's why we're having this important discussion on today's episode. We have two fantastic experts to join our podcast today. The first is Arlen Sorenson. He's the vice president of ecosystem evangelism for ConnectWise in Iowa. He is an Iowa State graduate. Arlin is also the founder of H T S Ag, which sells precision ag equipment, grain management systems, and also drones. He is a part of a family farming operation in Iowa. Arlen, welcome to the podcast.

Speaker 2:

Thanks, Dan. Good to be with you.

Speaker 1:

Great to have you with us today. Our second guest today is Chris Lair. Chris is a graduate of Oklahoma City University. He is currently the executive Vice President and the Chief Technology Officer at Solace. Chris is a cybersecurity professional with over 25 years of experience helping companies grow while managing their cybersecurity and operational risk. He has spent a lot of time helping companies with cyber attacks, and he has family farm roots in Nebraska where their family farm raises corn. Chris, thanks for joining us today.

Speaker 3:

Hey, thanks for having me, Dan. It's a, it's a pleasure being here and talking to your audience.

Speaker 1:

Well, let me start off with a question directed towards you, Chris. What, what is cybersecurity and why is it important?

Speaker 3:

Yeah, great question. So first of all, I'd like to say that cybersecurity is risk management. So it's just like any other form that you're dealing with in any type of business, whether it's ag or anything. Yeah. So why is cybersecurity important? I think there's some obvious reasons why people know, right? That, uh, cybersecurity's important cuz you get hacked. But what, what exactly does that mean in today's world, you know, the first and most obvious answer, but people don't really understand it until they experience is interruption to your operations. And what does that mean? And the, the, the quick and easy thing to say here is it never happens at the right time. You know, it could happen when someone's, Hey, you know, next week we are about to replace all that equipment, we're about to upgrade and we're in the process of moving to the cloud. All those kind of scenarios come up. Case came up at the end of the last week and, and the CEO had to cancel his annual buddies trip to California for a golf trip. I mean, that's just how these things operate. And so you always have to be thinking about what's that worst case scenario, uh, where it's just the worst time of year for something to happen and then disruption to your operations. And then the second piece I would like like to point out is what, when a cyber attack occurs, what happens to your staff when that occurs? What, what do they feel? A lot of times their information is compromised as a result of that attack. So they lose some trust and some confidence in you as an employer. And some of these employees could have been around a long time and, and you built up a, a strong trust factor with them and just one cyber attack and dent that severely. And, and I would say those are the, you know, the top two things before we get into other topics that I would put at the top of the list for people to be thinking about.

Speaker 1:

Thank you for that. Chris Arlan, let me go to you. Any, anything you want to add to that?

Speaker 2:

You, you know, the thing I would add is that when I work with producers, a lot of times they feel like they're not a target. Why would somebody want to go after me? We're small, we don't have that much information, but the reality is that, uh, the bad actors that are, that are in the game are going after everybody. And, uh, so they're not gonna discriminate necessarily because of where you are or how big or small you are. They're just out there looking to, uh, take data and take control of things. It's all about numbers and, and, uh, volume and, and how they can do that. So everybody's at risk and mm-hmm.<affirmative> risk is really the name of the game when it comes to cyber.

Speaker 1:

Okay.

Speaker 3:

Yeah. I'd like to add on to what Arlen said, right there is, let's just say you think that your industry or what you're in not a target. Once one person becomes a target and a threat actor finds success, they're gonna find similar people in that industry and start going after'em all. And that's what we see. We see it. Whether you're a school, a municipality, a law firm, it doesn't matter what industry, once one person is successful, the word spreads in that threat actor community or what we would call the hacker community. But we just talk to them, speak to them as threat actors. And the word spreads in the attacks start wham bam, one after the other.

Speaker 1:

Arlen, let me ask you this question. How can a cyber attack in an agriculture business lead to financial loss or impact the finances?

Speaker 2:

Well, there's a number of ways that it can, can certainly impact, uh, an operation. You know, data is really one of the most valuable things that that farm operations have today. And, you know, so the, the collection and storage of that data is, is essential to, uh, leveraging the tools out there to plan for the next cropping season. Make adjustments to, to inputs and what's gonna be put on. And if you lose that data, you lose the history, you lose the ability to layer all that together and really leverage that in making your operation more efficient and more profitable. So, you know, they, they can easily disrupt the value that you've been trying to create over the last number of years. The the, uh, other thing is that your actual financial information can get taken and, uh, that, that certainly causes disruption in being able to manage the operation and, uh, you know, do things you have to do like, uh, income tax filings and things like that. So there's a lot of ways that farm operations can be disrupted by bad actors that take data and, and lock things up.

Speaker 3:

Yeah, I I would add that what a lot of people don't take into account is their relationships with their third parties, whether it be customers, partners, suppliers, whatever the case may be. And the larger that those entities are, the more damage that can be done. There are a number of cases that I work where, you know, a a particular entity has a, a very strong relationship with one partner makes up maybe, you know, a majority of their revenue, and as soon as they have a cyber attack, that third party cuts them off and says, Hey, look, we're not gonna do any business with you until we are comfortable that your environment is secure, that you're not going to affect us, that there's no risk to us. And until you prove that, we're not turning the switch back on. And I can, and I can bet in the ag industry that could be incredibly punitive, uh, for that perspective. And again, so a lot of people say, Hey, they, that's great. I've got this great relationship. I'm making all this money off this, you know, these larger companies. But when they start bringing in their internal security staffs, their attorneys, their compliance and privacy people, it can make a real mess of a situation. And, and a lot of people are, are very taken by surprise when that occurs.

Speaker 1:

Right. Well, I would think too, uh, and both of you are are experts, but I would think with agriculture, there's usually a time element. There's a time when things need to be planted. There's a time when harvest needs to happen. There's a time when you, uh, take harvest to the grain bin. And, and if you disrupt that, it, it can have a lot of consequences to a, a farm operation like you were saying. Chris, let me go back to you. You mentioned earlier, uh, risk management that, um, this is all about risk management. D do most farm operations, most farmers growers, do they underestimate their risk?

Speaker 3:

I I believe they do. I think they're, they, they do a good job with risk management in other areas of their business. Uh, but either a, they, they, they just don't know that they should be doing risk management from a cybersecurity perspective or they've trusted someone else and just what we call outsource the complete part of it, which is wrong, right? You typically, hey, you might outsource your accounting, but that doesn't mean you just leave it all in the hands of your account and you never ask about the finances, right? In the same thing comes with, from a cybersecurity perspective, even if you outsource it, it's still your decisions to make. It's still your risk to manage. They might be that outsourcer or outsourcers might be assisting you, uh, but that's really what occurs. And I also think it goes back to what Arlan said earlier, that, Hey, I don't think I'm a target. So they don't think they're a target in the agricultural industry. They may not be too many buddy stories happening where, Hey, did you hear about what happened to Tom last week? Or, or what happened down the road to that farm, or whatever the case may be. Uh, and so that's the, you know, that, that that's kind of harmful because in other areas in the country, there's enough word of mouth now about people being victimized by these criminals. Much different than we saw two years ago that people are scared from that reason. But I think in the ag business, it hasn't really hit that close to home yet.

Speaker 1:

Arlen, let me throw that out to you. Uh, any examples of financial loss for farms?

Speaker 2:

Well, I think, Dan, that that one of the things that, that a lot of growers are not thinking about is the impact of their data on the future. Um, you know, as we move more toward autonomy, as we move toward more things that are, that are gonna be controlled by data, the need to have that data available and, and be able to compile it and use it, it, it becomes more and more important. So certainly, you know, there are incidents where, uh, uh, organizations have been breached and it may shut down the ability of an elevator, for example, to, to issue checks or, or other things for, for a period of time. So there are certainly breaches that are happening that are causing damage and, and certainly slowdowns for folks. But I believe that the biggest impact is into the future, uh, because as we go to more mechanization and more, you know, controlled situations where operators may not even be on equipment, that data is gonna be the driving force. And so it's really important that we protect that and make sure that it's gonna be available for the future.

Speaker 1:

So what I hear you saying is it's gonna be more and more important as time goes, and as we absolutely use more technology, Arlan, let's stay with you. Uh, and let me ask, what are some of the most common types of cyber threats that you see in agriculture?

Speaker 2:

So surprisingly, uh, the majority of breaches are caused by people. Um, you know, we wanna blame technology, but at the end of the day, it's all about people that are making mistakes as they use their technology. And so, you know, I think it's important that, that we really call that out. You can prevent a whole lot of issues if you just discipline yourself in the way that you use your technology. Don't just click on things without actually looking at what they are. Make sure that you are following the right policies and, and protocols with how you manage your passwords and other things. But Chris, Chris, I'm sure will verify that, you know, if, if it weren't for the people, we'd have a lot less issues with, with tech and, and security,

Speaker 3:

I would say that, you know, what we call business email compromised is probably the most prevalent. And that's simply where someone's email gets compromised by a threat actor group. I cannot stress enough how organized these threat actor groups are. These aren't individuals working out of their grandma's garage. These are very well organized and, and they operate very much like a company or business does. But the point is, is you have these well-organized groups that have very mature processes to get into people's email and leverage those emails to move money somewhere where it doesn't belong. And you can imagine in the ag business with the amount of payments that are processed and received, that the volume is incredibly high and the numbers are large. And so all it takes is one payment, you know, six figures, seven figures, or even multiple payments where that money stacks up very, very quickly. And that not only is that money gone, but where that money was should have gone, is gone as well, meaning that somebody took X amount of dollars and that x amount of dollars was for someone else. Well, guess what? You still have to pay that someone else. So, uh, that's where you see a lot of the financial losses and those hit pretty hard, hard. And, and just like Arlen said, those are human issues. I mean, it's a simple thing where somebody just sends'em an email and says, Hey, we've updated our, we changed our bank account information. Would you send this payment over here? No one asks any questions about that. No one picks up the telephone and calls their point of contact says, Hey, I got this email. It said, changed your bank account information. Did you in fact do that as that incredibly simple step? But these threat actor groups are so good at convincing this person, Hey, you don't need to do that. I'm the boss. Just do what I'm telling you to do. Time is of the essence. They operate underneath that sentence of urgency, and people still make those mistakes. And I've seen people in organizations that kind of preach this stuff and they themselves end up falling for it. And it's incredible. I mean, it's, it's, it's a depressing situation to say the least. Uh, but that's where I would say we'd see the, probably the most attacks come through is through that email channel.

Speaker 1:

So Chris, let me stay with you and ask a two-part question. How are cyber criminal stealing data? I mean, what are some examples of it and how have their methods evolved over the years?

Speaker 3:

Yeah, that's a great question about data theft, because it's just the number one game. So let's just stay on email and then I'll, I'll move over to more from a, a networking perspective. When these bad guys get into someone's email, and that's, it's pretty easy to do. They just trick somebody in their username and password because most people don't have the right control, which is called multifactor authentication enabled. The first thing they do is attach that mailbox and pull everything down in that mailbox.

Speaker 1:

They

Speaker 3:

Wipe it out. So if they've hit some, yeah, they've hit somebody in an accounting or financial, maybe that person also does payroll. Maybe that person was formally and it's some type of HR capacity, or they're the Jack or Jill of all trades. It doesn't matter. Everything in that email has been pulled down and there's no getting it back. And there's no way to argue that, well, that person won't care about that data, or not, it doesn't matter from a legal perspective. And so that's the, that's the simplest way On an email side, if we're to kind of move over to the data side of things, it's gotten a, these guys have gotten a lot better. So there's one threat actor group out there. They're, you know, they're known in the security community, but they're known as Lock Bit and, uh, lock Bit is very proud of what they do. And they stand behind their work and they compare their work to other ransomware groups out there, but they've actually created their own software to steal data. And so a lot of people will go, Hey, look, uh, I don't think they stole data. We called our internet service provider. We looked at our graphs. There's no real high bandwidth utilization at any time. So they couldn't have taken data. No, these guys are either using a tool or developing their tool. In the case of lockman, it's called Steel Bit. And that is used to take data and to do so in almost an undetectable way over time. And so it's amazing how much data people can get over time. So if they're in your network for two weeks, three weeks, or we've seen them even in there longer, and they're using these tools, you're not gonna see any peaks on any type of fancy graphs that you get from an internet service provider. They're gonna take all that data and they're going to, either they're gonna use that data against you to get you to pay them to not publish that data or sell that data, or if you don't pay them, they're gonna turn around and sell that data. So if you think in the ag business, which maybe where this is leading to is, you know, a lot of that data in the ag business could be extremely valuable, uh, to outside, outside parties, um, more so than in other industries. You know, other industries are taking social security numbers, dates of birth, that type of stuff. You could argue that most of that stuff's out there already. It doesn't have a lot of value, but in certain organizations it does have a lot of value. And if your business has any connections in to the government, whether you're getting government funding or you're, you're attached to something of that nature, there could be additional ramifications for you in that particular case. And the threat actors are no dummies. Sometimes the threat actors will even say, Hey, we have an attorney on staff that is advising us of these things, and they'll use that as leverage to get paid. So don't think that because you have a slow internet connection or you think that that data might not be worth to somebody. Believe me, they're gonna take all that data. And you're gonna find out pretty quickly once they do that, how painful it is, uh, for them to take that data.

Speaker 1:

Arlen, let me ask you this question. Uh, talk to us about what are the potential long-term impacts of a successful cyber attack on an agricultural operation?

Speaker 2:

Well, I, I think Chris alluded to it, that, you know, these guys are patient. So, um, there's been lots of cases where they'll, they'll infiltrate and, and get onto, uh, you know, a network and just sit there and watch for a long period of time looking for where the exact best attack vector is, what the most important data is. And, uh, you know, they'll, they'll set up their, their future, uh, breach based on a lot of, of study and research. So they're, they're patient, they've got a plan and a strategy, and, and they work that. And, you know, those kind of things can, can really create long-term issues for, for an operation over time because, um, you know, they'll, they'll, they'll determine what the most valuable data is, who the most prominent people are in the organization. And, and they'll selectively grab things, um, you know, in, in the most damaging way possible. They're obviously trying to create a value proposition to get you to write a check to get it back or, or I guess Bitcoin probably in today's world to get it back. Um, but, you know, they really have, they have a strategy. This is not, you know, to Chris's point, some random junior high kids sitting, sitting together playing games and accidentally getting to your data. These are, are professionals with a, with a, a business plan and an approach, and they've been very successful and, and will continue to be successful. You can't stop'em completely with, with tools. It takes human intervention to be part of that process. And, uh, if we, if you don't do that, they, they will eventually get to you.

Speaker 1:

Chris, let me ask you about the scale of cybersecurity threats. I mean, we, we may have listeners that would think, well, I've not heard of anybody that I know that has this, or maybe this, this is just some very common, like, help us understand, um, like where we're at now, where we were five years ago and where you see this going in the future.

Speaker 3:

Yeah, well, I'll start off with if you're in the United States or Canada, the bad guys see you as, you know, the biggest war chest. Uh, they see the mus most money to be earned. And I always say that these guys are in the highest reward, lowest risk business. Cuz if you think about it, it's very hard to find them to begin with. And are you, they actually gonna get apprehended? Are they actually gonna get extradited indicted? You know, they actually get over here and they get thrown in jail a slap on the wrist, and are you ever gonna see that money again? Probably not. Now, there has been some cases recently where some of these funds have been clawed back, but it's two or three years later when that happens. Uh, but let's, let's talk about scale. You know, throughout the last four or five years when I've been working cases, I've seen just about every shape or size of case come in. I mean, I've seen very small nonprofits that focus on a helping domestic abuse victims. Do you think the bad guys cared one ounce about what that organization did, their mission or the fact that they were taking money away that could be used to help for those causes? Absolutely not. They don't care. The deal with this is, is you have these larger organized groups and they use what, and then they usually focus on the big fish, and then they have what's called affiliates that work for them. And think of affiliates as contractors. And the affiliates are what I go out and do the, do the work, uh, and, and, and when whatever money they gather, they give a cut to the, to the bigger organization. At the same time, there's a whole marketplace of activity going on. There's different groups that are out there stealing PE that trying to figure out ways to steal credentials and gain access to a network, and then they turn, they in turn sell that to these other groups that didn't do the ransomware. And so there's just literally thousands upon thousands of individuals out there that have all the time in the world because the, the payoff is huge for them to sit down and just like Arlen said, be patient and do this work. And then, hey, look, you think they back off at one little, you know, one little defense mechanism? Heck no. A lot of times they see, you know, if somebody gets involved, they see something standing in their way, they're gonna figure out how to get around it. I mean, we deal with that all the time. We deal with people that call'em, say, I, hey, I'm seeing some weird activity in my network right now. We have to jump in and it's a battle going back and forth. We can't just scare these guys off. It's not like somebody coming onto your property, you turn the lights on, you know, shoot, put your shotgun in the air, and they, and they, they run away. It doesn't happen in the cyber world. These guys see it as a challenge and they'll continue to fight. So sometimes those fights can go days on and even weeks to, to finally get those bad guys outta the network and do those things. So again, at at scale, these guys pick on the small to medium and the large, but the small and the, on the, and on the smaller scale of the medium size organizations are the ones that they love the best because the big boys can handle it. Like they can handle it from a, they can take an outage, their financial ability, they have financial abilities to do their capabilities to do that. At the same time, they have invested money in ways to just recover their environments real quick and all that type of stuff. Small guys don't have that luxury. And so when they get attacked, the bad guys know, Hey look, we've put them in a very precarious position. A lot of these organizations have one owner, and that owner's been around forever and sees his or her business flash between flash, you know, in front of their eyes and they're ready to kind of, um, they're ready to pay or do whatever it takes to get their thing, their business back up and running. And the bad guys know that. So it's gonna continue to grow because most of this activity occurs in Russia and, and around Russia. And there's nothing going over there today, especially with the situation going on with Russia and Ukraine now, where no one's caring about the, what these cyber criminals are doing to the us. And I always argue, I said, if you're Russia, just think about the amount of wealth that's being transferred from the US to Russia. It's not in your best interest to put a stop to it either.

Speaker 1:

If they, if there isn't a cyber attack, you find that there's not a lot of government intervention or there's not a lot of things that law enforcement are gonna be able to do to help you

Speaker 3:

Not there, there, yeah, this was, um, this is a topic that's come up lately. It's interesting. Law enforcement, local law enforcement typically is not gonna be involved at all. Uh, really a as I, and then this is not disparaging anybody, it's just the size of the organization really, New York City is the only one with the police force large enough to have a unit that can specialize in this. And they do a good job. Uh, normally the F B I does get involved and they have task force all around the country that are focused on that. But they're not gonna be like, they're not gonna walk into your shop and run the show. They're gonna be sitting on the sidelines waiting for you, uh, to provide them information. The only difference is if it comes down to critical infrastructure, if you're considered critical infrastructure, uh, then the f b i, even the Secret Service and some other entities will get involved and they'll get involved very actively. Or maybe whatever's happening to you also happened to ha ha happened to somebody in, in critical infrastructure. Then the f b I might be more engaged and willing to figure things out. But, um, typically if you're kind of the smaller fish, law enforcement is gonna just be looking for you as a provider of information to help them in kind of the greater, the greater cause of what they're doing. But they're, they're not gonna be involved, uh, like maybe one would think they would

Speaker 1:

Be. So Chris, I mean, what you're saying is it's just so critical to be on the front side of this, the front end of it and be proactive then to just wait for something to happen. Um, so Arlan, let me ask you, tell us about the advantages of cyber security of doing, doing, taking steps to keep this thing from happening.

Speaker 2:

Well, you, you wanna be proactive for sure, and you know that that has to happen on multiple fronts. Certainly there are tools and technologies that you can implement, you know, to help protect your, your, uh, data and your systems. And it's really important that you have those, uh, tools in place that they're current, that you keep'em updated because it's a never ending and constantly changing, uh, environment. And so there, there certainly are things that you can do to help slow down at least the progress that, that, uh, these bad actors might make. But the bigger side of it, really, Dan is the people side. And so it's coming down, you know, it comes down to creating the right policies and, and procedures and training people on those things. I mean, that's one of the big vectors of, of penetration is that companies may have, or there, there may be a set of standard operating procedures, but people aren't trained on'em. They're not tested on'em, there's no, no actual enforcement to make sure that, that if they're operating that way. And so, you know, if you, if you put the right tools and the right uh, people issues in place, you can, you can put up a pretty good fight, uh, with these bad actors, but it really does require an ongoing approach. And you know what, what we find with a lot of small businesses, uh, farms included, is that they don't have budget for this. They don't understand why they should make those kind of investments. It's not inexpensive for sure, but, uh, it's certainly cheaper than the alternative of having to engage solace to come and, and recover.

Speaker 1:

Uh, are there any cybersecurity myths that we should know about?

Speaker 3:

Well, that tools solve all the problems. Uh, that's one thing. Uh, the other thing is, I, I use this quote whenever I do pre presentations, and it comes from a gentleman by the name of Brian Krebs, who's a journalist and cyber expert. And, and it is basically the light at the end of the tunnel is an oncoming train. And that's what you have to think about. Cybersecurity. You're not done. I mean, Arlen headed towards that just a few minutes ago. You could go out and spend, spend some money on cybersecurity and unfortunately six months, a year from now, that stuff may need to be tweaked, even replaced or whatever the case may be. That's just the reality of this. Uh, there are tools that were the top of the list of the best tools five years ago that I wouldn't be caught de dead using today. Uh, I, I, and I think that's, that, that's a lot of it. And, and the other myth we've talked about is not gonna happen to me, but what I would say is what people have, the, the biggest struggle is they just let their data and their networks grow out of control things. They just, things they don't understand you. I say, Hey, we, all of our payroll and everything we, that takes place in this third party. Well, fantastic, but somebody exported some data. Somebody, you know, came with, they have a big spreadsheet full of 401K information and that's all it took to trigger, trigger, sorry, trigger a number of legal, uh, legal things to happen as a result of that data getting taken. So I mean, that would be the top of my list. And I think one more that we haven't really touched upon that could probably, you know, get its own segment is I don't need cybersecurity insurance. And I think that's, uh, that's a kind of ridiculous thought in these days. Yeah. You know, we, a lot of people think, Hey, buy so much insurance, we're insurance poor, whatever the case may be. But in the, in the grand scheme of things and everything you pay insurance on, and yes, cybersecurity insurance has increased in years because a lot of claims are being paid. It's still incredibly important to have, because it covers you for things like business interruption loss, it covers you for legal expenses, it covers you for litigation. If someone decides to sue you, it covers you. For a company like Solace being involved in, in doing the work, those are the things it does. And so a lot of people says, well, I don't need that insurance either. I've got it covered, I'll pay for it out of pocket if it happens. No, you won't want to do that because I'll tell you the one real important thing is when you're under a cyber attack and you need help someone like ourselves or someone similar, you don't wanna be having to count pennies and nickels. And cuz that slows down the process and it makes my job and my team's jobs incredibly difficult. Having an insurance policy there allows people to do the work they need to do at the pace that it needs to be done without somebody constantly every hour saying, well, how much money does I spend in the last hour on you guys? And that type of thing.

Speaker 1:

Right. I see. Arlen, anything you want to add to that about myths?

Speaker 2:

Yeah, I I would say, uh, a lot of people think that, you know, if something happens to me and my data, it's not really gonna hurt anybody else. Um, you know, this, this stuff has a lot of, of, uh, tentacles to it. And, uh, depending on the kind of data that gets, gets breached, you know, there are, there are all kinds of laws protecting, you know, medical data and, and other kinds of things that there can be a lot, uh, a huge risk, uh, from what seems to be pretty normal and not that important data to you, but if it gets out into the wild, it can be a significant, uh, financial and, you know, compliance burden. So it, it, it does matter. It's not just going to impact you, but, you know, third party connections like Chris talked about earlier, you know, there's just a lot of potential risk that's related to that and, and you wanna do all you can to, to prevent that.

Speaker 1:

So Chris, let's get practical for a second. If, if there's someone that that's an owner operator that's listening to this podcast and they ask themselves where, well, where should I start? What would you go down the list of like, here's some steps that you should take to protect your farm with cybersecurity? Where do they begin?

Speaker 3:

Yeah, Dan, there's a number of resources that you, you can go and look, I would tell you it's pretty tough to do your own research on the, on the matter. You're, you're gonna need to find somebody that you can trust to give you some advice and point you in the right direction. Somebody that's willing to know your operation and to just kind of look around and say, okay, I, I can see where you're at, how many people you have working for you at this time of year, seasonally, whatever the case may be. Understand that and, and be able to draw up that roadmap. If you, if you call on somebody and they dump a 20 page proposal and say you need a hundred things at one time, you know, that's not somebody sitting there helping you, uh, manage the risk. And so I think that's the first thing to do. But there's, there's some other resources out there. There's the c i s top 18 controls, and I think that is one that, uh, that's, that's nothing you have to pay for. Uh, you can go out there and read it. I think it's pretty digestible for someone to understand. You don't have to be a, a technology expert to understand. Uh, and there's some other, there's some other resources out there. The government's doing a lot of work on around the site helping small and medium size business. Uh, but I think that their documentation is, some of the things coming out of NIST as an example can be a pretty heavy in the technical jargon. So I, I would sit there and start with, uh, the c i s but definitely just don't go on it on your own. You, you need to find somebody that's willing to help you and understand and help you at your level. And again, not trying to, uh, sell you a bunch of stuff and, and, and make you believe that you're secure more about understanding really how to build a program is what we call it. And, and manage that program over the life of your operation.

Speaker 2:

Yeah, I I I would add that, you know, agriculture is, uh, is one of those, uh, industries where there's a lot of people moving around with a lot of different equipment and, uh, sometimes I, I find that growers don't even recognize that, that certain pieces of equipment are, are on the internet or, or are potentially breached targets. They're outside of the, you know, office network, but there's, you know, wireless connections out in, in their tractors and in their combines and all over the place. And, and so you, you really do need to find a professional that can help you look at the entire risk por uh, you know, exposure because it's not just contained in that office, it's, it's all over the vehicles and, and laptops and other things that people are carrying with them all over the place.

Speaker 1:

I think we found out during covid just how delicate the supply chain can be. So let me ask the two of you a question about that. Have you seen examples of where a cyber attack can happen at some point in a supply chain or food supply chain and it affects like upstream and downstream and like what the implications are of that? I'll start with you, Arlan. Have you seen examples of that?

Speaker 2:

Oh, I think I'll defer to Chris on this one because, uh, he sees the real deal up close.

Speaker 3:

Yeah, I've definitely seen where it's disrupted supply chains, you know, not necessarily so much in, in the food side of things. I've seen it more in manufacturing sides of things. And what's interesting about that is you can see an organization that, let's say they, they're a supplier to a much larger organization and, and that much larger organization ends up dictating the rules, which those rules may not be what, what the victim themselves actually wants to live by, but they have to do what they're told as a result. So I've seen organizations completely get wiped out by an attack, and they, if they paid the attacker, uh, the attacker would given them the means to restore their environment and be back up and operational. However, their client or their customer says, no, we don't pay threat actors ever. We don't pay criminals. You're not gonna do it either. And so that organization has to build everything from scratch. So I've seen that happen, uh, I've seen those things happen and, and which, which is interesting because in some of those industries, covid slowed things down where I think that was probably, if it was in more of a robust economic setting, that would've been incredibly painful. It was still painful, but it'd been much, much more painful. Uh, but I, yeah, I, I've definitely seen, I think the other part is, is in, for example, in the, in the medical side, this word gets really hairy when you're dealing with patient information. And this is really just to use an example there, you know, patient records get moved from place to place to place for legitimate reasons. And if one point of that process gets hit, it can be very disruptive to everybody else. And then everybody else is getting involved saying, you need to tell us this. You need to tell us this. Why did this happen? Why did that happen? And that can be incredibly disruptive. And so, uh, I can tell you though, in the cases where, like, let's take the, the, one of the bigger attacks that's happened in recent history has been on the colonial pipeline. And that, uh, you know, that was a big deal because that did, uh, impact, you know, especially on the northeast and impacted the ability to deliver gasoline. And, and what what was interesting about that attack is the pipeline itself was operational. It was the financial backend that was impacted. And so the pipeline itself couldn't bill, they couldn't do, they couldn't<laugh>. That's what really shut that pipeline down. The attackers didn't find a way to cut off the supply. They just felt, you know, the backend. And that goes back to all these kind of interoperabilities and all these things that are attached. And you might think, Hey, my operation out in the field can work fine, but what if you, what if your financial stuff is down, your accounting stuff is down, how long can you operate in the field that way? So yeah, I mean, on the supply chain stuff, it's weird how all this stuff works and, and it just gets, um, it just gets worse. I mean, we see organizations that start to have a global footprint and something might happen in a completely different country, but since it's still their same company, it, you know, it makes its way over, not from an attack perspective, but from a legal or regulatory compliance perspective. So there's many different ways that I've seen this, you know, kind of supply chain get affected by just one, one attack. That probably took a a few days for the bad guys to actually do.

Speaker 1:

Arlen, let me ask you this. What can our listeners do to learn more about how to take cybersecurity seriously for their operation? Wh where do they go?

Speaker 2:

Well, there's, there's a lot of information obviously available out on, on the, on the web, but, but I think to Chris's earlier point, you, you need to find a trusted professional that you can sit down and work with. This is, this is not a do-it-yourself kind of environment. Um, you need to, you need to sit down and do a risk assessment. You need to identify what assets you have, you know, that you're using in your operation that are connected and where those points of of attack might happen from. And, uh, then you need to get really good guidance in how do we create the right procedures and policies? How do we train our people? How do we implement the right tech? But, uh, it's not like you can go out to the website and just punch it in and it'll give you the list. Every, every operation is unique and different, different risks. And it really gets down to where we started from. You gotta identify your risk profile and how you can protect that the best way possible with the budget you have available.

Speaker 3:

I would say there's another resource out there, uh, sans, s a n s, they produce a newsletter that you can subscribe to for free called Ouch, O U C h, uh, exclamation point. And that one is really directed to the layperson and it's, it, it, it's business purpose and personal purposes, but every month they have a different topic that they go on. And I think it's really, IM, you know, that's an easy one to learn from. Outside of that. Everything else that, uh, Arlen and I spoke about with, with bringing that in, I don't, I also think it wouldn't be a bad idea that if you have peers that you, you know, exchange ideas and, and work with, there's not a problem bringing an expert in, uh, to talk to with you all of you, right? If you have things in common to do it that way. One thing that I would warrant against, and I have seen this, uh, in the ag business specifically, is please do not share infrastructure with people that are not legally attached to you. And I have seen this happen more than once where we see, uh, somebody comes in, they've been attacked, and then we find out that it's three, four, or even five companies using the same servers, the same directory, you know, all that kind of stuff. And it really makes things complicated, right? And so I think you can go in it from a joint perspective, but you have to have the problem solved for each individual and don't go in and pitch in money to save money on, on infrastructure. That's not the right way to go about it. But, um, but there, uh, there's, there's plenty of people, you know, especially in those, you know, ag areas of the country that are, that are willing to help and, and that know that business. Well,

Speaker 1:

Let's say one of our listeners finds themselves with an attack on their business, uh, within their network. What would you suggest that they do?

Speaker 3:

The first thing is, is don't take steps on your own, because that could cause harm to the whole situation. And I'll explain that in a second. If you have cyber insurance, and we've talked about that earlier, that's your first call, you should make, typically the cyber insurance carrier is going to point you to the right, in the right direction with the right experts, typically that's gonna be a, an attorney that specializes in these matters, and b, an incident response firm that also specializes in these matters. It's important to have both of those people there for you because number one, the attorney is gonna be your legal expert and give you attorney-client privilege coverage, which you need. And any work performed by the incident response firm is going to be covered under that privilege as well. And why do you want those two groups working with you versus, you know, your IT person or your IT consultant or whatever, because the i IR firms instant response firms do this all the time and they know exactly the steps to take to make sure that thing that not only can your operation return, but also from a, from a forensics and legal perspective, that things can take place cuz you need those steps to be taken successfully. If not, depending on where you're at, man, things can happen. And what I mean by that is, let's just take a ransomware attack. A lot of this happens where ransomware attack occurs. People start unplugging things, rebooting things, or they just tell their IT company, restore my data. Then guess what? An incident response firm comes in and says, okay, what happened? They explain what happened and go, oh, okay, we need to grab data off of those systems so we can understand what exactly happened. Because legally you need to know, well, if all that forensics data was destroyed, well guess what? You have to assume the worst happened, which, which may not be the case and which you likely isn't the case. And so from a legal perspective, that puts you at a much larger risk than it did before. The other thing you just wanna know is sometimes we've seen people restore data, and guess what? They just turn around and get attacked again. They don't fix the problem and bring in an instant response firm in as well, gives you the ability to identify what happened so you can then correct it. So when you come back operationally, you're not repeating the same steps and have that bad threat actor in. And then from a legal perspective, a lot of people worry about when am I supposed to tell my staff? When am I supposed to tell my customers, my suppliers, whatever. That's what that attorney is there for. And they're going to help you and they're gonna bring in experts in each particular area. Like I talked about earlier. If you have any kind of relationship with the government, that's where the attorneys are gonna come in and tell you this is, Hey, you need to, you need to report this right now or you need to wait, or you have employees that live in five states, so we need to deal with five attorneys general. So that's the thing. So call your insurance carrier if you don't have insurance, reach out to, I would reach out to an incident response firm that's, that's reputable. Uh, I'll name myself at the top of the list, but, uh, solace, uh, but we will, we will then engage a, a law firm, you know, on your behalf and bring one in that we think, uh, best suits you. I mean, I get in a lot of situations where, you know, based on what industry you're in, what size you are, maybe even your personality that a particular law firm or even a particular attorney will work best for that situation. So that's what we bring to the table. So that would be, um, my suggestion. And Arlen, I dunno if you have anything else. You, you've arlen's been involved in some of these, whether he likes it or not, not of his own doing, just because he's so well connected. People call him a lot as well.

Speaker 2:

Yeah, I mean, you just have to resist the urge to just go fix it, you know, as fast as you can because there are, there are certainly steps that need to be taken and, you know, if insurance is involved, that's where it has to start. They're gonna call the shots and make the decisions. So think before you act. Same thing with preventing think before you click. Um, you know, people are where the problems happen and, uh, if we slow down and just think that'll be a big step in the right direction.

Speaker 3:

A lot of people wanna be heroes in these situation and that those are the, those are the ones we gotta kind of say, Hey, hold on, take a deep breath. We're gonna get through this, but we need to do it the right way.

Speaker 1:

Well, we appreciate that practical advice from the two of you. Well, Chris and Arlen, uh, thank you for, for sharing, you know, this information, this is a very important topic that, um, our listeners and owner operators, you know, need to listen to. And he, to and I, I wanna encourage all of our listeners to implement, uh, at least one thing or or more that they've heard today and help secure their data and their operation on their farm. Um, as both of our guests have stated, it's a lot easier to be proactive and protect things on the front end than to have to be reactive and have to deal with a data breach and have to clean things up. So Arlen and Chris, I want to thank you for your time, for your expertise, uh, to share with our listeners. And I'm grateful for the practical wisdom that you've shared with us today.

Speaker 2:

It's been good to be with you, Dan.

Speaker 3:

Appreciate the opportunity. Dan

Speaker 1:

And I want to thank each of our listeners for tuning in today. Topcon appreciates all of our friends and agriculture who work so tirelessly to put food on our tables and we believe that farmers are the best. If you enjoyed this episode, remember to like, to share, to subscribe to Topcon Talks Agriculture on Spotify, apple Podcasts, Amazon Music, or wherever you get your podcasts. Please tell your friends about us, we'd love for you to follow Topcon Agriculture on social media. Thanks again for joining us today. See you next time. Go out and make it a great day.