Cybersecurity in the agri-food industry
As a new year begins, it is an ideal time to review the organisation’s cyberattack protection strategy and consider what investments in cyberattack protection might be most appropriate for 2024. In this article, we would like to draw the industry’s attention to the most relevant cyber security issues and share some thoughts on them, in the hope that they will be useful in taking a more realistic approach to this exercise.
The starting point for digitisation projects: cyber risk analysis
2023 has been a challenging year in socio-politico-economic terms. We have witnessed a continuous rise in production costs and, in addition, we have seen how the drought has caused a significant reduction in the production of many crops (such as cereals or fruit) and serious problems in extensive livestock farming. However, the processes of automation and digital transformation of companies, production plants and food processing plants have continued to advance at an accelerated pace. The technological race does not stop in the face of recessions or socio-political or bioclimatic problems and continues to advance steadily.
In such a highly competitive global market, digitalisation and automation of production processes are seen as necessary activities to ensure business continuity. As a logical consequence, the incorporation of new technologies in our processes expands what we call the “attack surface”. In other words, it introduces new elements (sensors, systems, probes, applications, connectors, etc.) which, due to their nature or immaturity, may present unrecognised vulnerabilities that open up potential security breaches which, if not properly identified and controlled, can be easily exploited by cybercriminals.
In short, any new digitalisation project must be accompanied by the corresponding cyber-risk analysis and the consequent deployment of the protection measures required both by the new elements introduced and by the systems, ICT platforms and software applications in operation which, previously installed, will communicate with these new elements.
Is the agri-food sector really cyber-threatened?
Analysing the situation of the sector, we can recognise that it is a sector that is really exposed to cyber-attacks. There are several reasons for this:
- First of all, we must consider that the agri-food industry is identified as a critical sector, with significant economic weight contributing 2.5% of GDP (in gross value added GVA) of the economy as a whole and 25.4% of the manufacturing sector (source: MAPA), which places it as the first industrial sector of the Spanish economy. For this reason alone, it is already being targeted by cyberattackers (both hacktivists and criminals with economic interests. Already in 2021, several cybersecurity observatories identified supply chain attacks as one of the main threats (Source: ENISA report, Threat-landscape-2021-2022). And, of course, this is still the case, as demonstrated by the attacks observed in this past year 2023.
- It is one of the sectors that currently does not have a high level of cyber-protection and, therefore, the level of impact and damage caused by cyber-attacks can be high; a clear attraction for cyber-criminals.
- The sector is undergoing rapid change. Many companies in the food chain, whether they are farms, food processing factories or supply and distribution companies, have just made the leap to digitalisation and are tackling projects supported by digital technologies and systems (precision agriculture or livestock projects, implementation of the digital field notebook, line automation, factory automation, warehouse digitalisation, telematic customer/supplier management…). These are times when the company is more exposed to certain types of attacks that take advantage of weaknesses arising from new platforms that are not properly secured, with possible vulnerable configurations, and which have not yet updated or implemented new security and operation policies against cyber-attacks, as a result of operators’ lack of knowledge of the new risks that they must consider when working with the new systems and tools implemented, etc.
- In the agri-food sector, the incorporation of new technology broadens the possible points and options for attacks on the company’s infrastructures. The following table shows some examples of potential risks associated with new technologies. It is advisable to carry out a cyber-risk analysis, adding new protection measures to those already existing in the organisation.
- Although the Spanish agri-food sector is made up of large companies, it is important to bear in mind that it is a sector made up mainly of SMEs and micro-SMEs. Cybercriminals have found in SMEs a niche in which their attacks have a high level of success as they do not have to overcome complex and robust security measures like those deployed in large companies. The result: 7 out of 10 cyber attacks in Spain targeted SMEs (source: Datos 101).
The following table (source: VPNAlert.com) shows that the most attacked companies in Spain are companies with between 1 and 10 employees.
| Organisation Size | Bulk Phishing Cyberattacks | Targeted Phising Attacks | Business Email Fraud | Email-Based Ransomware Attacks | SMS Phishing Attacks | Voice Phishing Attacks | Social Media Attacks |
|---|---|---|---|---|---|---|---|
| 0 | 11 % | 26 % | 23 % | 32 % | 43 % | 51 % | 45 % |
| 1-10 | 49 % | 32 % | 33 % | 37 % | 21 % | 22 % | 22 % |
| 11-25 | 17 % | 22 % | 19 % | 8 % | 21 % | 15 % | 12 % |
| 26-50 | 15 % | 5 % | 14 % | 8 % | 5 % | 6 % | 10 % |
| 51-100 | 2 % | 9 % | 4 % | 9 % | 6 % | 2 % | 8 % |
| Over 100 | 6 % | 5 % | 7 % | 5 % | 4 % | 4 % | 3 % |
*Fuente:VpnAlert.com
The situation of Spanish companies in terms of cybersecurity
Concern about security is becoming increasingly widespread among Spanish companies, which seem to be becoming aware of the seriousness of the problem: 71% of Spanish SMEs integrate cybersecurity into their corporate culture, as shown in the study carried out by SAGE: ”CyberSecurity for smbs: Navigating Complexity and Building Resilience”.
However, we note that, although we are on the right track, Spanish companies have not yet done enough. We could interpret that, in many of them, there is a false sense of security or simply a lack of resources to tackle the problem, as the following data show:
- 32% of Spanish SMEs have suffered multiple attacks in the last few months. 3 out of 10 Spanish SMEs are regularly attacked (source: ituser.es).
- In 2022, the average cost of attacks on Spanish companies will increase by 42 % according to the Hiscox report “Ciberpreparación 2023”.
- As stated in the Google study “Current cybersecurity landscape in Spain: challenges and opportunities for the public and private sector”, it is estimated that the average annual cost caused by cyber-attacks for each SME has been €35,000, in addition to generating serious reputational damage, leading to the suspension of their activity in 6 out of 10 SMEs attacked in less than half a year.
- 21% of Spanish SMEs rely solely on basic controls (antivirus) for their protection (source: ituser.es).We must conclude, in view of the data evaluated, that cybersecurity must be one of the objectives of the company’s strategy for 2024.
Main threats and cyber-attacks in 2022-2023
It is useful to assess the main threats and cyber-attacks that have emerged in 2023 – characterised by their increasing sophistication and virulence – in order to get an idea of the scale of the problem.
The following graph, taken from the latest State of Cybersecurity in Spain report issued by Deloitte for 2022, whose trend continued in 2023, shows Phishing Ransomware and Malware as the main attacks suffered in Spain:
Ramsonware and phishing attacks were not only the most used in 2023, but also the attacks that, considering their impact, generated the greatest losses for Spanish companies.
The following table shows the types of attack that, particularly in industrial areas, have had the greatest impact in 2023:
| Cyber threat | Description |
|---|---|
| Phishing | Techniques used to impersonate a trusted third party, cause the disclosure of confidential information, induce an improper action or get the victim to click on a link. |
| Ramsonware | Data Hijacking. An attack that uses malicious software to block access to information on a system (usually by encrypting the contents) and demands a ransom in exchange for removing the blockade. The best known in the industrial world are the ransmoware Conti and LockBit 2.0. |
| Denial of Service DoS | Attack capable of reducing or annulling the capacity of servers or computer resources offering a service (blocking access, communications, etc.). |
| Exploitation of vulnerabilities | Attack based on taking advantage of a flaw in the technology to subsequently be able to carry out more dangerous actions.. |
| Brute Force Attack | Attacks to gain access to existing credentials or encrypted data using trial and error. |
What does 2024 hold for cyber-attacks and cyber-security?
The outlook for this new year has not improved. Year after year, we are witnessing an increase in the number of attacks. Moreover, they are becoming more and more sophisticated. Unfortunately, the advancement of technology also favours cybercriminals by providing them with highly advanced tools and techniques.
In 2024, the evolution of ransomware attacks, which we have already seen this year using new techniques to exploit vulnerabilities, is expected to continue and will likely shift from encrypting data for ransom to also stealing data for dissemination to third parties.
We must pay special attention not only to the new risks that the incorporation of new AI (Artificial Intelligence) tools in our corporate environment will bring us, and which will undoubtedly require a thorough vulnerability analysis, but also to the misuses that cybercriminals may make of it. In particular, we will need to be prepared to protect ourselves from expected “high intensity” threats arising from the use of generative AI used for the production of phishing documents and emails or for the development of malicious code (malware) developed with a speed and virulence never seen before. AI will also lead to a proliferation of attack techniques based on deepfake (identity theft in images, videos and real-time conferences), turning social networks and videoconferencing, already integrated into our business activities, into new attack vectors.
In short, a greater and more diverse growth in cyber-attacks is expected in 2024, a situation that will force both the implementation of new protection measures and technologies and the development and application of new regulations, standards and policies to maintain acceptable levels of security.
So… how can I protect my company?
As mentioned, to protect against these threats, we must be aware of the levels of risk, taking into account the activity and business structure of each company. The dynamics of attacks are highly changeable; therefore, it is very important for companies to carry out regular cyber-risk assessments.
We have many means at our disposal to reduce the level of risk to acceptable levels. We now have highly advanced technologies based on artificial intelligence and machine learning with high accuracy in early threat detection and the ability to detect and respond effectively to cyber-attacks. The market offers us an endless number of technologies and tools that we can deploy independently, collaboratively or in an integrated way, working in our facilities or from cloud environments. We are talking about very diverse technology and solutions that complement the protection already provided by the antivirus installed on workstations and servers together with the firewalls installed on the corporate network. Many of them (SIEM, UEBA, ERT, DLP`s, NG IDP, Theat Hunting, among others) already base their operations on AI engines (a key technology for the development of cybersecurity strategies in the coming years). New SaaS subscription-per-use protection platforms are expected to emerge, offered from the cloud at low prices, making advanced cybersecurity services available to SMEs that are currently only within the reach of large corporations.
Given the high complexity and rapid evolution of the technology associated with cybersecurity, companies specialising in this field will play an important role, providing cyber-surveillance, incident response and forensic analysis services from their SOC (Security Operation Center) facilities. It will also be highly advisable to rely on the support services of these specialised cyber security service providers to carry out security audits and consultancies on each asset and process of the organisation and to define the best protection solution in a proportionate and sufficient manner.
Insurance companies are also expected to develop products that are more tailored to the needs and possibilities of companies, proposing affordable cyber insurance that can be incorporated into risk and business continuity plans just like any other insurance taken out by the company.
To protect against cyber-attacks, let’s start at the beginning…
As the company plans its security strategy, we propose to start by reviewing, adopting and securing certain measures that are likely to be available to all companies.
These simple measures may seem obvious, but in the analysis of many organisations to which we have had access, they are not implemented correctly or in their entirety. Reviewing them will help to reduce the risk of most of the threats to which companies are exposed.
Let us remember that the best practice in a cybersecurity plan is to adopt preventive measures. We propose to review this set of actions, which are considered fundamental in any company:
1. Train employees. Employees should know and implement a series of security rules and protocols regarding the use of computers, e-mails, databases, applications, remote access, etc. Training should be continuous so that they are always alert to potential cyber threats.
2. Use multi-factor authentication. Multi-factor authentication is a security technique that requires the user to provide two or more forms of identification to access a system. This can include a password, a temporary access code, a fingerprint, etc.
3. Perform regular backups. Backups are an effective way to protect company data in the event of a cyber attack. It is important that they are made on a regular basis and stored in a secure location.
4. Create strong internal controls. Internal controls are measures that are put in place to ensure that the company’s processes are secure and efficient. This may include implementing security policies, reviewing security systems, conducting internal audits, etc.
5. Third party security responsibilities. If the company works with third parties, it is important that clear responsibilities for data security are established. This may include signing confidentiality agreements, implementing additional security measures, etc.
6. Keep systems up to date. It is important that the company’s systems are kept up to date with the latest security patches and software updates. This can help prevent known vulnerabilities that cybercriminals can exploit.
7. Install an antivirus on every computer. Anti-virus is a necessary security tool not only for PC workstations. Do not neglect corporate servers or mobile devices such as smartphones and tablets.
8. Install a state-of-the-art firewall. Firewalls are essential security equipment that can help protect company computers against malware and many types of cyber-attacks through security add-ons that complement the traditional firewall function.
Conclusion: the best defence is to invest in cybersecurity and adopt best business practices
The agri-food industry in Spain faces a growing cyber threat that should not be underestimated.
Investing in cybersecurity and adopting best practices are essential to protect production processes, data integrity and business reputation in this critical sector.
The hyperconnection of production and corporate environments, remote control and remote management, the digitisation of business processes and the introduction of AI platforms and new platforms for factory automation are projects that must be accompanied by a parallel security management process. Let’s not forget that every new system we introduce in our corporate environment can entail new risks and security breaches.
Collaboration with cybersecurity experts will help companies to implement measures appropriate to the real needs of each company and to monitor emerging trends in cyber threats, assessing the risk they pose at all times.
Consider, in addition to renewing the company’s protection systems, having monitoring and incident response services from specialised third-party companies, as well as taking out appropriate cyber-insurance.
The goal, as always, will be to stay one step ahead of cybercriminals.
 | José Manuel Fresno. Director of UN Digitalisation at artica+i. Specialist in Systems and Cybersecurity- CISA and CISM (ISACA), with more than 30 years of experience in the ICT sector. |
