Safety Net: A flock of chickens, held for ransom — Growing cyberattacks on Canada's food system threaten disaster
Ali Dehghantanha gets phone calls from farmers, sometimes in the middle of the night, looking for help with a cyberattack. In the last year, his squad of engineers and computer scientists has responded to dozens of reports of hacks inside farming and food production operations around southwestern Ontario. In some cases, it’s the garden variety hacking you’d expect, someone clicked a bad link in a sketchy email and now hackers want money to unlock a system or give back the farmer’s data.
In other cases, it’s more sophisticated. Twice, Dehghantanha has seen hackers break into a farm system and threaten to kill livestock — chickens in one case, cattle in another. And in about a third of the investigations his team as conducted over the past year, he has found evidence that state-sponsored hackers from Russia, China, North Korea and Iran have figured out how to quietly gain access to a control system inside a farm.
“That’s a lot,” he said.
Dehghantanha runs the Cyber Science Lab at the University of Guelph, about 100 kilometres west of Toronto in one of Ontario’s most important farming hubs. The lab has a group of specialists who make house calls to people and businesses who fall victim to cybercrimes. So over the years, Dehghantanha has visited banks, defence contractors and hospitals, and by virtue of working in a place like Guelph, he’s been called to farms as well. First, it was just farmer friends calling him in a crisis. But over the past four years, the calls have ballooned. Last year, he received at least 50 calls from the food industry. And in that time, he has realized that the domestic food production system may actually be one of the most glaring cracks in Canada’s national defences.
“They’ve just become so common. Every week, I would say, we are getting contacted by farmers or food companies,” he said. “It’s one of the soft bellies of our critical infrastructure.”
The idea of criminals or state-sponsored hackers breaking into systems and disrupting critical infrastructure, such as transportation or health care or food production, has become alarmingly plausible in recent years, particularly in the wake of Russia’s invasion of Ukraine. Last summer, the Communications Security Establishment (CSE) — Ottawa’s signals intelligence agency — warned that Russia-backed hackers are “exploring options for potential counterattacks” on critical infrastructure in Canada and other NATO allies that have supported Ukraine. And last month, Alia Tayyeb, deputy chief of signals intelligence at CSE, told a House of Commons committee that the severity of cybercrimes against Canada’s critical infrastructure is “growing exponentially.”
“I think we are all waiting for disaster,” Dehghantanha said.
Farms are now complex technical operations that use networks of remote monitors that measure soil moisture, or robotic milkers that can detect an infection in a single teat, or environmental control systems that maintain the precise indoor temperature and air filtration needs of a poultry barn. All that, theoretically, could be commandeered and held for ransom in a cyberattack. For example, a hacker could gain control of a thermostat and threaten to turn up the heat and kill an entire flock of chickens.
I think we are all waiting for disaster
“These are all systems that we explicitly depend on every single day, and they have become extremely vulnerable to manipulation of all sorts,” said Evan Fraser, the director of the Arrell Food Institute at the University of Guelph. “They’re vulnerable because we haven’t thought carefully about the security of how we set these systems up. I mean, it’s truly terrifying, to be honest.”
A 2018 report by the U.S. Department of Homeland Security identified several “hypothetical threat scenarios” where hackers could compromise agricultural operations. In one scenario, a terrorist steals data on the health of a large livestock herd. “They modify the data to look like the herds have foot and mouth disease, and dump the data on the internet,” the report said. In that case, it could take weeks for lab tests to confirm the outbreak was fake — not before causing trade issues and shaking public trust in the food supply. In another scenario, hackers manipulate moisture sensors in a farmer’s soil, triggering watering systems to flood the fields and destroy crops.
Attacking agricultural infrastructure has proven to be an effective part of the Russian playbook so far in its invasion of Ukraine. In June 2022, EU trade counsellor Maud Labat said Moscow has figured out how to wield food as a “geopolitical weapon.”
Russia’s attacks on transportation and grain storage infrastructure, along with its months-long blockade of Black Sea ports, choked off access to one of the world’s most important bread baskets and drove up global grain prices last spring. That intensified concerns about food shortages in the developing nations that depend on the region for imports.
“The interruption of the global food supply is not collateral damage from the war in Ukraine,” Yulia Klymenko, a Ukrainian MP who is first deputy chair of the transport and infrastructure committee, told Canadian lawmakers in June 2022. “It is a planned hybrid weapon to further massively destabilize the global economy and political order.”
Big game hunting
Not all hackers are interested in using their exploits to destabilize an economy, however. Mohamad Yaghi, agriculture and climate policy lead at the Royal Bank of Canada, said some are just interested in getting their hands on valuable data about new agriculture technologies or developments in seeds.
“There’s a lot of innovation happening in ag in Canada,” he said. “So we are at risk from foreign-backed espionage.”
In its latest National Cyber Threat Assessment report, CSE said it believes state-sponsored hackers aren’t likely to disrupt or destroy critical infrastructure, unless Canada enters into direct hostilities with that state. Short of that, those hackers are more likely to break into Canadian systems to collect information or “pre-position” in case of a future conflict. The CSE report, released last fall, also said adversaries could use cyberattacks as a form of “power projection” and intimidation.
“In the absence of a significant escalation in international hostilities, we assess it is unlikely that state-sponsored actors will intentionally seek to disrupt Canadian critical infrastructure and cause major damage or loss of life,” CSE spokesperson Kyla Borden said in an email in late February.
John Hewie, a national security officer at Microsoft Corp., said on top of state-sponsored hacking, the cybercrime landscape now includes sophisticated crime syndicates that focus on “big-game hunting” — the sort of attacks where a hacker takes control of a system or data from a major business and asks for a steep ransom to get them back.
“This is organized crime,” he said. “These folks have HR departments. They have employees of the month awards. This is big business.”
The Canadian food industry alone experienced a series of high-profile incidents late last year, including a “cybersecurity incident” at Maple Leaf Foods Inc., one of the country’s largest meat packers, in November. Around the same time, Empire Co. Ltd. — Canada’s second-largest grocery chain that includes Sobeys, Safeway, IGA and Farm Boy — experienced what it described as a cybersecurity “intrusion” that snarled operations and is expected to cost the company $25 million.
But so-called big game, such as Maple Leaf or Empire, isn’t the only vulnerability in the food chain. Even attacks on single farms could have an impact, Hewie said, if a cyberattack targets enough of them.
“They weren’t necessarily designed with security in mind,” he said. “If you manipulated a temperature sensor or an HVAC system in a huge industrial greenhouse, or a poultry farm and all of a sudden destroy all that livestock and you’re able to do that across a bunch of different systems, that could disrupt the food supply.”
Steve Brown, a senior manager in the cybersecurity practice of the professional services firm BDO Canada LLP, said he’s hearing more complaints from agricultural clients who have been attacked. And he’s noticed that those attacks tend to ramp up during periods when hackers know farmers will be distracted, during the spring plant or the harvest in late summer.
“You’ll find you don’t hear a lot about breaches in the agriculture industry,” Brown said. “Doesn’t mean it’s not happening.”
These folks have HR departments. They have employees of the month awards. This is big business
John Hewie, national security officer, Microsoft
It doesn’t have to be as dramatic as threatening to kill livestock, Brown said. Sometimes the target of ransomware attacks can be as simple as financial data that a hacker steals and refuses to give back without a fee. The payouts can range from thousands to hundreds of thousands of dollars. In Brown’s experience, the cyberattacker has monitored the operation for months before they strike, so they know precisely how much the farm can afford in ransom.
“It’s not a spur of the moment thing,” he said.
But the attackers Brown has seen aren’t the state-sponsored hackers that the Canadian intelligence community is so concerned about. The ones he has dealt with are common criminals, or animal rights “hacktivists,” bent on disrupting operations for livestock farms they don’t agree with.
Conor Russell, a researcher at the University of Guelph, has been trying to better understand what cyberattacks on Canadian farms look like, where they come from, and how often they happen. It hasn’t been easy. Farmers are reluctant to talk about falling victim to one of these attacks, and there’s currently no requirement to report them to a federal body. What’s clear is that farmers often aren’t following the same strict protocols as operators in other critical sectors that would help guard against hacking.
“It is underprepared, underdeveloped,” Russell said. “Other sectors had time to engage, prepare and experience these things. But this is a pretty fresh one. So it’s kind of like fresh meat on the cyber-warfare market.”
Public Safety Minister Marco Mendicino introduced legislation last year that would require some sectors that are “vital to national security” to report cyberattacks to the federal government. Those sectors included telecommunications, nuclear energy and banking, but not food production — though Ottawa has designated food as one of the top 10 critical infrastructure sectors.
Janos Botschner is the the lead investigator of the Cyber Security Capacity in Canadian Agriculture, a project partially funded by the federal government, who has been conducting surveys to quantify exactly how many farms have been impacted by an attack. He spoke to about 170 farmers, and from that sample, he believes approximately four to 11 per cent of Canada’s farms have at least had an cyberattack attempted on their operations. But he stressed that the survey was rough; not a representative enough sample to be considered generalizable, just an initial, exploratory look at the problem.
“This is very much an estimate,” he said. “But it’s probably also an under-report.”
• Email: firstname.lastname@example.org | Twitter: jakeedmiston