March 9, 2023 • 48 mins
Technology on the farm yields great productivity and efficiency. However, with all this new data, how much do you need to worry about cyber attacks? It’s a threat that’s becoming more and more common. We talk to experts about Ag information security and what you need to do to protect yourself.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:13):
Hello and welcome.
It's a beautiful day foragriculture, and we're thrilled
to have you join us for TopconTalks Agriculture.
We delve into the fascinatingworld of farming and all that it
has to offer.
So let's get started today.
My name is Dan Hendricks, and Iam your host for today's
episode.
(00:33):
I serve as the senior businessdevelopment manager for Topcon
Agriculture, and I get thepleasure to work with an amazing
team of talented individuals wholove agriculture.
They enjoy technology, and theystrive to help farmers and
growers find solutions and feedour planet.
On today's episode, we are goingto talk about the importance of
(00:55):
cybersecurity on the farm.
Gone are the days in agriculturewhere the farm and his
operations are off the grid anddisconnected from pretty much
the rest of the world.
Technology and agriculture hasgrown to help producers
understand the benefits ofcollecting their data and using
it to make business decisions toincrease yield, become more
(01:18):
efficient, and get a betterreturn on their investment.
Many new pieces of equipmenthave the ability now to collect
data and share it with otheroperators, consultants, or back
to the home office.
And all of this data is usefuland helpful, but it puts the
operation in risk if it getsinto the wrong hands.
(01:38):
Now, I think all of this canagree that the overall
vulnerability of cyber attacksis on the rise.
Uh, if you're like me, you'regetting emails, text messages,
phone calls from predatorstrying to trick us into giving
them money, data, or access.
Here's a couple stats.
On September 1st, 2021, the F BI released a notification report
(02:01):
sounding the alarm on cybercriminals, increasingly
targeting the food and ag sectorcompanies due to the adoption of
smart technologies.
In the fall of 21, there weresix attacks against grain co-ops
in early 2022.
There were two ag-related cyberattacks that temporarily
disrupted seed and fertilizersupply.
(02:24):
So because of this increasedrisk and threat, we want our
listeners to protect their farm,their data, and their operation.
And so that's why we're havingthis important discussion on
today's episode.
We have two fantastic experts tojoin our podcast today.
The first is Arlen Sorenson.
He's the vice president ofecosystem evangelism for
(02:47):
ConnectWise in Iowa.
He is an Iowa State graduate.
Arlin is also the founder of H TS Ag, which sells precision ag
equipment, grain managementsystems, and also drones.
He is a part of a family farmingoperation in Iowa.
Arlen, welcome to the podcast.
Speaker 2 (03:07):
Thanks, Dan.
Good to be with you.
Speaker 1 (03:09):
Great to have you with us today.
Our second guest today is ChrisLair.
Chris is a graduate of OklahomaCity University.
He is currently the executiveVice President and the Chief
Technology Officer at Solace.
Chris is a cybersecurityprofessional with over 25 years
of experience helping companiesgrow while managing their
(03:30):
cybersecurity and operationalrisk.
He has spent a lot of timehelping companies with cyber
attacks, and he has family farmroots in Nebraska where their
family farm raises corn.
Chris, thanks for joining ustoday.
Speaker 3 (03:45):
Hey, thanks for having me, Dan.
It's a, it's a pleasure beinghere and talking to your
audience.
Speaker 1 (03:49):
Well, let me start off with a question directed
towards you, Chris.
What, what is cybersecurity andwhy is it important?
Speaker 3 (03:58):
Yeah, great question.
So first of all, I'd like to saythat cybersecurity is risk
management.
So it's just like any other formthat you're dealing with in any
type of business, whether it'sag or anything.
Yeah.
So why is cybersecurityimportant?
I think there's some obviousreasons why people know, right?
That, uh, cybersecurity'simportant cuz you get hacked.
But what, what exactly does thatmean in today's world, you know,
(04:19):
the first and most obviousanswer, but people don't really
understand it until theyexperience is interruption to
your operations.
And what does that mean?
And the, the, the quick and easything to say here is it never
happens at the right time.
You know, it could happen whensomeone's, Hey, you know, next
week we are about to replace allthat equipment, we're about to
(04:40):
upgrade and we're in the processof moving to the cloud.
All those kind of scenarios comeup.
Case came up at the end of thelast week and, and the CEO had
to cancel his annual buddiestrip to California for a golf
trip.
I mean, that's just how thesethings operate.
And so you always have to bethinking about what's that worst
case scenario, uh, where it'sjust the worst time of year for
something to happen and thendisruption to your operations.
(05:02):
And then the second piece Iwould like like to point out is
what, when a cyber attackoccurs, what happens to your
staff when that occurs?
What, what do they feel?
A lot of times their informationis compromised as a result of
that attack.
So they lose some trust and someconfidence in you as an
employer.
And some of these employeescould have been around a long
(05:24):
time and, and you built up a, astrong trust factor with them
and just one cyber attack anddent that severely.
And, and I would say those arethe, you know, the top two
things before we get into othertopics that I would put at the
top of the list for people to bethinking about.
Speaker 1 (05:37):
Thank you for that.
Chris Arlan, let me go to you.
Any, anything you want to add tothat?
Speaker 2 (05:43):
You, you know, the thing I would add is that when I
work with producers, a lot oftimes they feel like they're not
a target.
Why would somebody want to goafter me?
We're small, we don't have thatmuch information, but the
reality is that, uh, the badactors that are, that are in the
game are going after everybody.
And, uh, so they're not gonnadiscriminate necessarily because
(06:04):
of where you are or how big orsmall you are.
They're just out there lookingto, uh, take data and take
control of things.
It's all about numbers and, and,uh, volume and, and how they can
do that.
So everybody's at risk andmm-hmm.
risk is really thename of the game when it comes
to cyber.
Speaker 1 (06:23):
Okay.
Speaker 3 (06:24):
Yeah.
I'd like to add on to what Arlensaid, right there is, let's just
say you think that your industryor what you're in not a target.
Once one person becomes a targetand a threat actor finds
success, they're gonna findsimilar people in that industry
and start going after'em all.
And that's what we see.
We see it.
Whether you're a school, amunicipality, a law firm, it
doesn't matter what industry,once one person is successful,
(06:46):
the word spreads in that threatactor community or what we would
call the hacker community.
But we just talk to them, speakto them as threat actors.
And the word spreads in theattacks start wham bam, one
after the other.
Speaker 1 (06:59):
Arlen, let me ask you this question.
How can a cyber attack in anagriculture business lead to
financial loss or impact thefinances?
Speaker 2 (07:09):
Well, there's a number of ways that it can, can
certainly impact, uh, anoperation.
You know, data is really one ofthe most valuable things that
that farm operations have today.
And, you know, so the, thecollection and storage of that
data is, is essential to, uh,leveraging the tools out there
(07:29):
to plan for the next croppingseason.
Make adjustments to, to inputsand what's gonna be put on.
And if you lose that data, youlose the history, you lose the
ability to layer all thattogether and really leverage
that in making your operationmore efficient and more
profitable.
So, you know, they, they caneasily disrupt the value that
(07:49):
you've been trying to createover the last number of years.
The the, uh, other thing is thatyour actual financial
information can get taken and,uh, that, that certainly causes
disruption in being able tomanage the operation and, uh,
you know, do things you have todo like, uh, income tax filings
and things like that.
So there's a lot of ways thatfarm operations can be disrupted
(08:14):
by bad actors that take dataand, and lock things up.
Speaker 3 (08:19):
Yeah, I I would add that what a lot of people don't
take into account is theirrelationships with their third
parties, whether it becustomers, partners, suppliers,
whatever the case may be.
And the larger that thoseentities are, the more damage
that can be done.
There are a number of cases thatI work where, you know, a a
(08:39):
particular entity has a, a verystrong relationship with one
partner makes up maybe, youknow, a majority of their
revenue, and as soon as theyhave a cyber attack, that third
party cuts them off and says,Hey, look, we're not gonna do
any business with you until weare comfortable that your
environment is secure, thatyou're not going to affect us,
(09:00):
that there's no risk to us.
And until you prove that, we'renot turning the switch back on.
And I can, and I can bet in theag industry that could be
incredibly punitive, uh, forthat perspective.
And again, so a lot of peoplesay, Hey, they, that's great.
I've got this greatrelationship.
I'm making all this money offthis, you know, these larger
companies.
But when they start bringing intheir internal security staffs,
(09:21):
their attorneys, theircompliance and privacy people,
it can make a real mess of asituation.
And, and a lot of people are,are very taken by surprise when
that occurs.
Speaker 1 (09:31):
Right.
Well, I would think too, uh, andboth of you are are experts, but
I would think with agriculture,there's usually a time element.
There's a time when things needto be planted.
There's a time when harvestneeds to happen.
There's a time when you, uh,take harvest to the grain bin.
And, and if you disrupt that, it, it can have a lot of
consequences to a, a farmoperation like you were saying.
(09:54):
Chris, let me go back to you.
You mentioned earlier, uh, riskmanagement that, um, this is all
about risk management.
D do most farm operations, mostfarmers growers, do they
underestimate their risk?
Speaker 3 (10:09):
I I believe they do.
I think they're, they, they do agood job with risk management in
other areas of their business.
Uh, but either a, they, they,they just don't know that they
should be doing risk managementfrom a cybersecurity perspective
or they've trusted someone elseand just what we call outsource
the complete part of it, whichis wrong, right?
(10:29):
You typically, hey, you mightoutsource your accounting, but
that doesn't mean you just leaveit all in the hands of your
account and you never ask aboutthe finances, right?
In the same thing comes with,from a cybersecurity
perspective, even if yououtsource it, it's still your
decisions to make.
It's still your risk to manage.
They might be that outsourcer oroutsourcers might be assisting
you, uh, but that's really whatoccurs.
(10:49):
And I also think it goes back towhat Arlan said earlier, that,
Hey, I don't think I'm a target.
So they don't think they're atarget in the agricultural
industry.
They may not be too many buddystories happening where, Hey,
did you hear about what happenedto Tom last week?
Or, or what happened down theroad to that farm, or whatever
the case may be.
Uh, and so that's the, you know,that, that that's kind of
harmful because in other areasin the country, there's enough
(11:12):
word of mouth now about peoplebeing victimized by these
criminals.
Much different than we saw twoyears ago that people are scared
from that reason.
But I think in the ag business,it hasn't really hit that close
to home yet.
Speaker 1 (11:23):
Arlen, let me throw that out to you.
Uh, any examples of financialloss for farms?
Speaker 2 (11:29):
Well, I think, Dan, that that one of the things
that, that a lot of growers arenot thinking about is the impact
of their data on the future.
Um, you know, as we move moretoward autonomy, as we move
toward more things that are,that are gonna be controlled by
data, the need to have that dataavailable and, and be able to
(11:51):
compile it and use it, it, itbecomes more and more important.
So certainly, you know, thereare incidents where, uh, uh,
organizations have been breachedand it may shut down the ability
of an elevator, for example, to,to issue checks or, or other
things for, for a period oftime.
So there are certainly breachesthat are happening that are
(12:12):
causing damage and, andcertainly slowdowns for folks.
But I believe that the biggestimpact is into the future, uh,
because as we go to moremechanization and more, you
know, controlled situationswhere operators may not even be
on equipment, that data is gonnabe the driving force.
And so it's really importantthat we protect that and make
(12:34):
sure that it's gonna beavailable for the future.
Speaker 1 (12:36):
So what I hear you saying is it's gonna be more and
more important as time goes, andas we absolutely use more
technology, Arlan, let's staywith you.
Uh, and let me ask, what aresome of the most common types of
cyber threats that you see inagriculture?
Speaker 2 (12:54):
So surprisingly, uh, the majority of breaches are
caused by people.
Um, you know, we wanna blametechnology, but at the end of
the day, it's all about peoplethat are making mistakes as they
use their technology.
And so, you know, I think it'simportant that, that we really
call that out.
(13:15):
You can prevent a whole lot ofissues if you just discipline
yourself in the way that you useyour technology.
Don't just click on thingswithout actually looking at what
they are.
Make sure that you are followingthe right policies and, and
protocols with how you manageyour passwords and other things.
But Chris, Chris, I'm sure willverify that, you know, if, if it
(13:38):
weren't for the people, we'dhave a lot less issues with,
with tech and, and security,
Speaker 3 (13:43):
I would say that, you know, what we call business
email compromised is probablythe most prevalent.
And that's simply wheresomeone's email gets compromised
by a threat actor group.
I cannot stress enough howorganized these threat actor
groups are.
These aren't individuals workingout of their grandma's garage.
These are very well organizedand, and they operate very much
(14:05):
like a company or business does.
But the point is, is you havethese well-organized groups that
have very mature processes toget into people's email and
leverage those emails to movemoney somewhere where it doesn't
belong.
And you can imagine in the agbusiness with the amount of
payments that are processed andreceived, that the volume is
incredibly high and the numbersare large.
(14:26):
And so all it takes is onepayment, you know, six figures,
seven figures, or even multiplepayments where that money stacks
up very, very quickly.
And that not only is that moneygone, but where that money was
should have gone, is gone aswell, meaning that somebody took
X amount of dollars and that xamount of dollars was for
someone else.
Well, guess what?
You still have to pay thatsomeone else.
(14:47):
So, uh, that's where you see alot of the financial losses and
those hit pretty hard, hard.
And, and just like Arlen said,those are human issues.
I mean, it's a simple thingwhere somebody just sends'em an
email and says, Hey, we'veupdated our, we changed our bank
account information.
Would you send this payment overhere?
No one asks any questions aboutthat.
No one picks up the telephoneand calls their point of contact
says, Hey, I got this email.
(15:07):
It said, changed your bankaccount information.
Did you in fact do that as thatincredibly simple step?
But these threat actor groupsare so good at convincing this
person, Hey, you don't need todo that.
I'm the boss.
Just do what I'm telling you todo.
Time is of the essence.
They operate underneath thatsentence of urgency, and people
still make those mistakes.
And I've seen people inorganizations that kind of
(15:29):
preach this stuff and theythemselves end up falling for
it.
And it's incredible.
I mean, it's, it's, it's adepressing situation to say the
least.
Uh, but that's where I would saywe'd see the, probably the most
attacks come through is throughthat email channel.
Speaker 1 (15:42):
So Chris, let me stay with you and ask a two-part
question.
How are cyber criminal stealingdata?
I mean, what are some examplesof it and how have their methods
evolved over the years?
Speaker 3 (15:55):
Yeah, that's a great question about data theft,
because it's just the number onegame.
So let's just stay on email andthen I'll, I'll move over to
more from a, a networkingperspective.
When these bad guys get intosomeone's email, and that's,
it's pretty easy to do.
They just trick somebody intheir username and password
because most people don't havethe right control, which is
(16:16):
called multifactorauthentication enabled.
The first thing they do isattach that mailbox and pull
everything down in that mailbox.
Speaker 1 (16:24):
They
Speaker 3 (16:24):
Wipe it out.
So if they've hit some, yeah,they've hit somebody in an
accounting or financial, maybethat person also does payroll.
Maybe that person was formallyand it's some type of HR
capacity, or they're the Jack orJill of all trades.
It doesn't matter.
Everything in that email hasbeen pulled down and there's no
getting it back.
And there's no way to arguethat, well, that person won't
care about that data, or not, itdoesn't matter from a legal
(16:46):
perspective.
And so that's the, that's thesimplest way On an email side,
if we're to kind of move over tothe data side of things, it's
gotten a, these guys have gottena lot better.
So there's one threat actorgroup out there.
They're, you know, they're knownin the security community, but
they're known as Lock Bit and,uh, lock Bit is very proud of
(17:08):
what they do.
And they stand behind their workand they compare their work to
other ransomware groups outthere, but they've actually
created their own software tosteal data.
And so a lot of people will go,Hey, look, uh, I don't think
they stole data.
We called our internet serviceprovider.
We looked at our graphs.
There's no real high bandwidthutilization at any time.
So they couldn't have takendata.
(17:29):
No, these guys are either usinga tool or developing their tool.
In the case of lockman, it'scalled Steel Bit.
And that is used to take dataand to do so in almost an
undetectable way over time.
And so it's amazing how muchdata people can get over time.
So if they're in your networkfor two weeks, three weeks, or
we've seen them even in therelonger, and they're using these
(17:50):
tools, you're not gonna see anypeaks on any type of fancy
graphs that you get from aninternet service provider.
They're gonna take all that dataand they're going to, either
they're gonna use that dataagainst you to get you to pay
them to not publish that data orsell that data, or if you don't
pay them, they're gonna turnaround and sell that data.
So if you think in the agbusiness, which maybe where this
(18:11):
is leading to is, you know, alot of that data in the ag
business could be extremelyvaluable, uh, to outside,
outside parties, um, more sothan in other industries.
You know, other industries aretaking social security numbers,
dates of birth, that type ofstuff.
You could argue that most ofthat stuff's out there already.
It doesn't have a lot of value,but in certain organizations it
(18:33):
does have a lot of value.
And if your business has anyconnections in to the
government, whether you'regetting government funding or
you're, you're attached tosomething of that nature, there
could be additionalramifications for you in that
particular case.
And the threat actors are nodummies.
Sometimes the threat actors willeven say, Hey, we have an
attorney on staff that isadvising us of these things, and
(18:56):
they'll use that as leverage toget paid.
So don't think that because youhave a slow internet connection
or you think that that datamight not be worth to somebody.
Believe me, they're gonna takeall that data.
And you're gonna find out prettyquickly once they do that, how
painful it is, uh, for them totake that data.
Speaker 1 (19:14):
Arlen, let me ask you this question.
Uh, talk to us about what arethe potential long-term impacts
of a successful cyber attack onan agricultural operation?
Speaker 2 (19:26):
Well, I, I think Chris alluded to it, that, you
know, these guys are patient.
So, um, there's been lots ofcases where they'll, they'll
infiltrate and, and get onto,uh, you know, a network and just
sit there and watch for a longperiod of time looking for where
the exact best attack vector is,what the most important data is.
(19:49):
And, uh, you know, they'll,they'll set up their, their
future, uh, breach based on alot of, of study and research.
So they're, they're patient,they've got a plan and a
strategy, and, and they workthat.
And, you know, those kind ofthings can, can really create
long-term issues for, for anoperation over time because, um,
(20:11):
you know, they'll, they'll,they'll determine what the most
valuable data is, who the mostprominent people are in the
organization.
And, and they'll selectivelygrab things, um, you know, in,
in the most damaging waypossible.
They're obviously trying tocreate a value proposition to
get you to write a check to getit back or, or I guess Bitcoin
(20:32):
probably in today's world to getit back.
Um, but, you know, they reallyhave, they have a strategy.
This is not, you know, toChris's point, some random
junior high kids sitting,sitting together playing games
and accidentally getting to yourdata.
These are, are professionalswith a, with a, a business plan
and an approach, and they'vebeen very successful and, and
(20:55):
will continue to be successful.
You can't stop'em completelywith, with tools.
It takes human intervention tobe part of that process.
And, uh, if we, if you don't dothat, they, they will eventually
get to you.
Speaker 1 (21:09):
Chris, let me ask you about the scale of cybersecurity
threats.
I mean, we, we may havelisteners that would think,
well, I've not heard of anybodythat I know that has this, or
maybe this, this is just somevery common, like, help us
understand, um, like where we'reat now, where we were five years
ago and where you see this goingin the future.
Speaker 3 (21:31):
Yeah, well, I'll start off with if you're in the
United States or Canada, the badguys see you as, you know, the
biggest war chest.
Uh, they see the mus most moneyto be earned.
And I always say that these guysare in the highest reward,
lowest risk business.
Cuz if you think about it, it'svery hard to find them to begin
with.
(21:51):
And are you, they actually gonnaget apprehended?
Are they actually gonna getextradited indicted?
You know, they actually get overhere and they get thrown in jail
a slap on the wrist, and are youever gonna see that money again?
Probably not.
Now, there has been some casesrecently where some of these
funds have been clawed back, butit's two or three years later
when that happens.
Uh, but let's, let's talk aboutscale.
(22:13):
You know, throughout the lastfour or five years when I've
been working cases, I've seenjust about every shape or size
of case come in.
I mean, I've seen very smallnonprofits that focus on a
helping domestic abuse victims.
Do you think the bad guys caredone ounce about what that
organization did, their missionor the fact that they were
(22:34):
taking money away that could beused to help for those causes?
Absolutely not.
They don't care.
The deal with this is, is youhave these larger organized
groups and they use what, andthen they usually focus on the
big fish, and then they havewhat's called affiliates that
work for them.
And think of affiliates ascontractors.
And the affiliates are what I goout and do the, do the work, uh,
(22:56):
and, and, and when whatevermoney they gather, they give a
cut to the, to the biggerorganization.
At the same time, there's awhole marketplace of activity
going on.
There's different groups thatare out there stealing PE that
trying to figure out ways tosteal credentials and gain
access to a network, and thenthey turn, they in turn sell
that to these other groups thatdidn't do the ransomware.
(23:17):
And so there's just literallythousands upon thousands of
individuals out there that haveall the time in the world
because the, the payoff is hugefor them to sit down and just
like Arlen said, be patient anddo this work.
And then, hey, look, you thinkthey back off at one little, you
know, one little defensemechanism?
(23:38):
Heck no.
A lot of times they see, youknow, if somebody gets involved,
they see something standing intheir way, they're gonna figure
out how to get around it.
I mean, we deal with that allthe time.
We deal with people that call'em, say, I, hey, I'm seeing some
weird activity in my networkright now.
We have to jump in and it's abattle going back and forth.
We can't just scare these guysoff.
It's not like somebody comingonto your property, you turn the
(24:00):
lights on, you know, shoot, putyour shotgun in the air, and
they, and they, they run away.
It doesn't happen in the cyberworld.
These guys see it as a challengeand they'll continue to fight.
So sometimes those fights can godays on and even weeks to, to
finally get those bad guys outtathe network and do those things.
So again, at at scale, theseguys pick on the small to medium
(24:20):
and the large, but the small andthe, on the, and on the smaller
scale of the medium sizeorganizations are the ones that
they love the best because thebig boys can handle it.
Like they can handle it from a,they can take an outage, their
financial ability, they havefinancial abilities to do their
capabilities to do that.
At the same time, they haveinvested money in ways to just
(24:42):
recover their environments realquick and all that type of
stuff.
Small guys don't have thatluxury.
And so when they get attacked,the bad guys know, Hey look,
we've put them in a veryprecarious position.
A lot of these organizationshave one owner, and that owner's
been around forever and sees hisor her business flash between
flash, you know, in front oftheir eyes and they're ready to
(25:03):
kind of, um, they're ready topay or do whatever it takes to
get their thing, their businessback up and running.
And the bad guys know that.
So it's gonna continue to growbecause most of this activity
occurs in Russia and, and aroundRussia.
And there's nothing going overthere today, especially with the
situation going on with Russiaand Ukraine now, where no one's
(25:23):
caring about the, what thesecyber criminals are doing to the
us.
And I always argue, I said, ifyou're Russia, just think about
the amount of wealth that'sbeing transferred from the US to
Russia.
It's not in your best interestto put a stop to it either.
Speaker 1 (25:36):
If they, if there isn't a cyber attack, you find
that there's not a lot ofgovernment intervention or
there's not a lot of things thatlaw enforcement are gonna be
able to do to help you
Speaker 3 (25:45):
Not there, there, yeah, this was, um, this is a
topic that's come up lately.
It's interesting.
Law enforcement, local lawenforcement typically is not
gonna be involved at all.
Uh, really a as I, and then thisis not disparaging anybody, it's
just the size of theorganization really, New York
City is the only one with thepolice force large enough to
have a unit that can specializein this.
(26:06):
And they do a good job.
Uh, normally the F B I does getinvolved and they have task
force all around the countrythat are focused on that.
But they're not gonna be like,they're not gonna walk into your
shop and run the show.
They're gonna be sitting on thesidelines waiting for you, uh,
to provide them information.
The only difference is if itcomes down to critical
infrastructure, if you'reconsidered critical
(26:27):
infrastructure, uh, then the f bi, even the Secret Service and
some other entities will getinvolved and they'll get
involved very actively.
Or maybe whatever's happening toyou also happened to ha ha
happened to somebody in, incritical infrastructure.
Then the f b I might be moreengaged and willing to figure
things out.
(26:48):
But, um, typically if you'rekind of the smaller fish, law
enforcement is gonna just belooking for you as a provider of
information to help them in kindof the greater, the greater
cause of what they're doing.
But they're, they're not gonnabe involved, uh, like maybe one
would think they would
Speaker 1 (27:04):
Be.
So Chris, I mean, what you'resaying is it's just so critical
to be on the front side of this,the front end of it and be
proactive then to just wait forsomething to happen.
Um, so Arlan, let me ask you,tell us about the advantages of
cyber security of doing, doing,taking steps to keep this thing
(27:26):
from happening.
Speaker 2 (27:27):
Well, you, you wanna be proactive for sure, and you
know that that has to happen onmultiple fronts.
Certainly there are tools andtechnologies that you can
implement, you know, to helpprotect your, your, uh, data and
your systems.
And it's really important thatyou have those, uh, tools in
place that they're current, thatyou keep'em updated because it's
(27:50):
a never ending and constantlychanging, uh, environment.
And so there, there certainlyare things that you can do to
help slow down at least theprogress that, that, uh, these
bad actors might make.
But the bigger side of it,really, Dan is the people side.
And so it's coming down, youknow, it comes down to creating
(28:12):
the right policies and, andprocedures and training people
on those things.
I mean, that's one of the bigvectors of, of penetration is
that companies may have, orthere, there may be a set of
standard operating procedures,but people aren't trained on'em.
They're not tested on'em,there's no, no actual
(28:32):
enforcement to make sure that,that if they're operating that
way.
And so, you know, if you, if youput the right tools and the
right uh, people issues inplace, you can, you can put up a
pretty good fight, uh, withthese bad actors, but it really
does require an ongoingapproach.
And you know what, what we findwith a lot of small businesses,
(28:53):
uh, farms included, is that theydon't have budget for this.
They don't understand why theyshould make those kind of
investments.
It's not inexpensive for sure,but, uh, it's certainly cheaper
than the alternative of havingto engage solace to come and,
and recover.
Speaker 1 (29:11):
Uh, are there any cybersecurity myths that we
should know about?
Speaker 3 (29:15):
Well, that tools solve all the problems.
Uh, that's one thing.
Uh, the other thing is, I, I usethis quote whenever I do pre
presentations, and it comes froma gentleman by the name of Brian
Krebs, who's a journalist andcyber expert.
And, and it is basically thelight at the end of the tunnel
is an oncoming train.
And that's what you have tothink about.
Cybersecurity.
You're not done.
(29:35):
I mean, Arlen headed towardsthat just a few minutes ago.
You could go out and spend,spend some money on
cybersecurity and unfortunatelysix months, a year from now,
that stuff may need to betweaked, even replaced or
whatever the case may be.
That's just the reality of this.
Uh, there are tools that werethe top of the list of the best
(29:56):
tools five years ago that Iwouldn't be caught de dead using
today.
Uh, I, I, and I think that's,that, that's a lot of it.
And, and the other myth we'vetalked about is not gonna happen
to me, but what I would say iswhat people have, the, the
biggest struggle is they justlet their data and their
networks grow out of controlthings.
(30:17):
They just, things they don'tunderstand you.
I say, Hey, we, all of ourpayroll and everything we, that
takes place in this third party.
Well, fantastic, but somebodyexported some data.
Somebody, you know, came with,they have a big spreadsheet full
of 401K information and that'sall it took to trigger, trigger,
sorry, trigger a number of legal, uh, legal things to happen as
(30:38):
a result of that data gettingtaken.
So I mean, that would be the topof my list.
And I think one more that wehaven't really touched upon that
could probably, you know, getits own segment is I don't need
cybersecurity insurance.
And I think that's, uh, that's akind of ridiculous thought in
these days.
Yeah.
You know, we, a lot of peoplethink, Hey, buy so much
insurance, we're insurance poor,whatever the case may be.
(31:01):
But in the, in the grand schemeof things and everything you pay
insurance on, and yes,cybersecurity insurance has
increased in years because a lotof claims are being paid.
It's still incredibly importantto have, because it covers you
for things like businessinterruption loss, it covers you
for legal expenses, it coversyou for litigation.
If someone decides to sue you,it covers you.
For a company like Solace beinginvolved in, in doing the work,
(31:24):
those are the things it does.
And so a lot of people says,well, I don't need that
insurance either.
I've got it covered, I'll payfor it out of pocket if it
happens.
No, you won't want to do thatbecause I'll tell you the one
real important thing is whenyou're under a cyber attack and
you need help someone likeourselves or someone similar,
you don't wanna be having tocount pennies and nickels.
And cuz that slows down theprocess and it makes my job and
(31:46):
my team's jobs incrediblydifficult.
Having an insurance policy thereallows people to do the work
they need to do at the pace thatit needs to be done without
somebody constantly every hoursaying, well, how much money
does I spend in the last hour onyou guys?
And that type of thing.
Speaker 1 (32:03):
Right.
I see.
Arlen, anything you want to addto that about myths?
Speaker 2 (32:08):
Yeah, I I would say, uh, a lot of people think that,
you know, if something happensto me and my data, it's not
really gonna hurt anybody else.
Um, you know, this, this stuffhas a lot of, of, uh, tentacles
to it.
And, uh, depending on the kindof data that gets, gets
breached, you know, there are,there are all kinds of laws
(32:28):
protecting, you know, medicaldata and, and other kinds of
things that there can be a lot,uh, a huge risk, uh, from what
seems to be pretty normal andnot that important data to you,
but if it gets out into thewild, it can be a significant,
uh, financial and, you know,compliance burden.
(32:49):
So it, it, it does matter.
It's not just going to impactyou, but, you know, third party
connections like Chris talkedabout earlier, you know, there's
just a lot of potential riskthat's related to that and, and
you wanna do all you can to, toprevent that.
Speaker 1 (33:04):
So Chris, let's get practical for a second.
If, if there's someone thatthat's an owner operator that's
listening to this podcast andthey ask themselves where, well,
where should I start?
What would you go down the listof like, here's some steps that
you should take to protect yourfarm with cybersecurity?
(33:25):
Where do they begin?
Speaker 3 (33:27):
Yeah, Dan, there's a number of resources that you,
you can go and look, I wouldtell you it's pretty tough to do
your own research on the, on thematter.
You're, you're gonna need tofind somebody that you can trust
to give you some advice andpoint you in the right
direction.
Somebody that's willing to knowyour operation and to just kind
of look around and say, okay, I,I can see where you're at, how
many people you have working foryou at this time of year,
(33:49):
seasonally, whatever the casemay be.
Understand that and, and be ableto draw up that roadmap.
If you, if you call on somebodyand they dump a 20 page proposal
and say you need a hundredthings at one time, you know,
that's not somebody sittingthere helping you, uh, manage
the risk.
And so I think that's the firstthing to do.
But there's, there's some otherresources out there.
(34:09):
There's the c i s top 18controls, and I think that is
one that, uh, that's, that'snothing you have to pay for.
Uh, you can go out there andread it.
I think it's pretty digestiblefor someone to understand.
You don't have to be a, atechnology expert to understand.
Uh, and there's some other,there's some other resources out
there.
(34:29):
The government's doing a lot ofwork on around the site helping
small and medium size business.
Uh, but I think that theirdocumentation is, some of the
things coming out of NIST as anexample can be a pretty heavy in
the technical jargon.
So I, I would sit there andstart with, uh, the c i s but
definitely just don't go on iton your own.
You, you need to find somebodythat's willing to help you and
(34:50):
understand and help you at yourlevel.
And again, not trying to, uh,sell you a bunch of stuff and,
and, and make you believe thatyou're secure more about
understanding really how tobuild a program is what we call
it.
And, and manage that programover the life of your operation.
Speaker 2 (35:05):
Yeah, I I I would add that, you know, agriculture is,
uh, is one of those, uh,industries where there's a lot
of people moving around with alot of different equipment and,
uh, sometimes I, I find thatgrowers don't even recognize
that, that certain pieces ofequipment are, are on the
internet or, or are potentiallybreached targets.
(35:28):
They're outside of the, youknow, office network, but
there's, you know, wirelessconnections out in, in their
tractors and in their combinesand all over the place.
And, and so you, you really doneed to find a professional that
can help you look at the entirerisk por uh, you know, exposure
because it's not just containedin that office, it's, it's all
(35:49):
over the vehicles and, andlaptops and other things that
people are carrying with themall over the place.
Speaker 1 (35:56):
I think we found out during covid just how delicate
the supply chain can be.
So let me ask the two of you aquestion about that.
Have you seen examples of wherea cyber attack can happen at
some point in a supply chain orfood supply chain and it affects
(36:16):
like upstream and downstream andlike what the implications are
of that?
I'll start with you, Arlan.
Have you seen examples of that?
Speaker 2 (36:26):
Oh, I think I'll defer to Chris on this one
because, uh, he sees the realdeal up close.
Speaker 3 (36:32):
Yeah, I've definitely seen where it's disrupted supply
chains, you know, notnecessarily so much in, in the
food side of things.
I've seen it more inmanufacturing sides of things.
And what's interesting aboutthat is you can see an
organization that, let's saythey, they're a supplier to a
much larger organization and,and that much larger
organization ends up dictatingthe rules, which those rules may
(36:55):
not be what, what the victimthemselves actually wants to
live by, but they have to dowhat they're told as a result.
So I've seen organizationscompletely get wiped out by an
attack, and they, if they paidthe attacker, uh, the attacker
would given them the means torestore their environment and be
back up and operational.
However, their client or theircustomer says, no, we don't pay
(37:19):
threat actors ever.
We don't pay criminals.
You're not gonna do it either.
And so that organization has tobuild everything from scratch.
So I've seen that happen, uh,I've seen those things happen
and, and which, which isinteresting because in some of
those industries, covid slowedthings down where I think that
was probably, if it was in moreof a robust economic setting,
(37:40):
that would've been incrediblypainful.
It was still painful, but it'dbeen much, much more painful.
Uh, but I, yeah, I, I'vedefinitely seen, I think the
other part is, is in, forexample, in the, in the medical
side, this word gets reallyhairy when you're dealing with
patient information.
And this is really just to usean example there, you know,
patient records get moved fromplace to place to place for
(38:01):
legitimate reasons.
And if one point of that processgets hit, it can be very
disruptive to everybody else.
And then everybody else isgetting involved saying, you
need to tell us this.
You need to tell us this.
Why did this happen?
Why did that happen?
And that can be incrediblydisruptive.
And so, uh, I can tell youthough, in the cases where,
like, let's take the, the, oneof the bigger attacks that's
(38:22):
happened in recent history hasbeen on the colonial pipeline.
And that, uh, you know, that wasa big deal because that did, uh,
impact, you know, especially onthe northeast and impacted the
ability to deliver gasoline.
And, and what what wasinteresting about that attack is
the pipeline itself wasoperational.
It was the financial backendthat was impacted.
And so the pipeline itselfcouldn't bill, they couldn't do,
(38:45):
they couldn't.
That's what really shut thatpipeline down.
The attackers didn't find a wayto cut off the supply.
They just felt, you know, thebackend.
And that goes back to all thesekind of interoperabilities and
all these things that areattached.
And you might think, Hey, myoperation out in the field can
work fine, but what if you, whatif your financial stuff is down,
your accounting stuff is down,how long can you operate in the
(39:06):
field that way?
So yeah, I mean, on the supplychain stuff, it's weird how all
this stuff works and, and itjust gets, um, it just gets
worse.
I mean, we see organizationsthat start to have a global
footprint and something mighthappen in a completely different
country, but since it's stilltheir same company, it, you
know, it makes its way over, notfrom an attack perspective, but
(39:26):
from a legal or regulatorycompliance perspective.
So there's many different waysthat I've seen this, you know,
kind of supply chain getaffected by just one, one
attack.
That probably took a a few daysfor the bad guys to actually do.
Speaker 1 (39:39):
Arlen, let me ask you this.
What can our listeners do tolearn more about how to take
cybersecurity seriously fortheir operation?
Wh where do they go?
Speaker 2 (39:49):
Well, there's, there's a lot of information
obviously available out on, onthe, on the web, but, but I
think to Chris's earlier point,you, you need to find a trusted
professional that you can sitdown and work with.
This is, this is not ado-it-yourself kind of
environment.
Um, you need to, you need to sitdown and do a risk assessment.
(40:09):
You need to identify what assetsyou have, you know, that you're
using in your operation that areconnected and where those points
of of attack might happen from.
And, uh, then you need to getreally good guidance in how do
we create the right proceduresand policies?
How do we train our people?
How do we implement the righttech?
(40:31):
But, uh, it's not like you cango out to the website and just
punch it in and it'll give youthe list.
Every, every operation is uniqueand different, different risks.
And it really gets down to wherewe started from.
You gotta identify your riskprofile and how you can protect
that the best way possible withthe budget you have available.
Speaker 3 (40:50):
I would say there's another resource out there, uh,
sans, s a n s, they produce anewsletter that you can
subscribe to for free calledOuch, O U C h, uh, exclamation
point.
And that one is really directedto the layperson and it's, it,
(41:11):
it, it's business purpose andpersonal purposes, but every
month they have a differenttopic that they go on.
And I think it's really, IM, youknow, that's an easy one to
learn from.
Outside of that.
Everything else that, uh, Arlenand I spoke about with, with
bringing that in, I don't, Ialso think it wouldn't be a bad
idea that if you have peers thatyou, you know, exchange ideas
(41:33):
and, and work with, there's nota problem bringing an expert in,
uh, to talk to with you all ofyou, right?
If you have things in common todo it that way.
One thing that I would warrantagainst, and I have seen this,
uh, in the ag businessspecifically, is please do not
share infrastructure with peoplethat are not legally attached to
(41:55):
you.
And I have seen this happen morethan once where we see, uh,
somebody comes in, they've beenattacked, and then we find out
that it's three, four, or evenfive companies using the same
servers, the same directory, youknow, all that kind of stuff.
And it really makes thingscomplicated, right?
And so I think you can go in itfrom a joint perspective, but
(42:16):
you have to have the problemsolved for each individual and
don't go in and pitch in moneyto save money on, on
infrastructure.
That's not the right way to goabout it.
But, um, but there, uh, there's,there's plenty of people, you
know, especially in those, youknow, ag areas of the country
that are, that are willing tohelp and, and that know that
business.
Well,
Speaker 1 (42:35):
Let's say one of our listeners finds themselves with
an attack on their business, uh,within their network.
What would you suggest that theydo?
Speaker 3 (42:48):
The first thing is, is don't take steps on your own,
because that could cause harm tothe whole situation.
And I'll explain that in asecond.
If you have cyber insurance, andwe've talked about that earlier,
that's your first call, youshould make, typically the cyber
insurance carrier is going topoint you to the right, in the
(43:10):
right direction with the rightexperts, typically that's gonna
be a, an attorney thatspecializes in these matters,
and b, an incident response firmthat also specializes in these
matters.
It's important to have both ofthose people there for you
because number one, the attorneyis gonna be your legal expert
and give you attorney-clientprivilege coverage, which you
(43:30):
need.
And any work performed by theincident response firm is going
to be covered under thatprivilege as well.
And why do you want those twogroups working with you versus,
you know, your IT person or yourIT consultant or whatever,
because the i IR firms instantresponse firms do this all the
time and they know exactly thesteps to take to make sure that
(43:52):
thing that not only can youroperation return, but also from
a, from a forensics and legalperspective, that things can
take place cuz you need thosesteps to be taken successfully.
If not, depending on whereyou're at, man, things can
happen.
And what I mean by that is,let's just take a ransomware
attack.
A lot of this happens whereransomware attack occurs.
(44:12):
People start unplugging things,rebooting things, or they just
tell their IT company, restoremy data.
Then guess what?
An incident response firm comesin and says, okay, what
happened?
They explain what happened andgo, oh, okay, we need to grab
data off of those systems so wecan understand what exactly
happened.
Because legally you need toknow, well, if all that
(44:33):
forensics data was destroyed,well guess what?
You have to assume the worsthappened, which, which may not
be the case and which you likelyisn't the case.
And so from a legal perspective,that puts you at a much larger
risk than it did before.
The other thing you just wannaknow is sometimes we've seen
people restore data, and guesswhat?
(44:53):
They just turn around and getattacked again.
They don't fix the problem andbring in an instant response
firm in as well, gives you theability to identify what
happened so you can then correctit.
So when you come backoperationally, you're not
repeating the same steps andhave that bad threat actor in.
And then from a legalperspective, a lot of people
worry about when am I supposedto tell my staff?
When am I supposed to tell mycustomers, my suppliers,
(45:15):
whatever.
That's what that attorney isthere for.
And they're going to help youand they're gonna bring in
experts in each particular area.
Like I talked about earlier.
If you have any kind ofrelationship with the
government, that's where theattorneys are gonna come in and
tell you this is, Hey, you needto, you need to report this
right now or you need to wait,or you have employees that live
in five states, so we need todeal with five attorneys
(45:37):
general.
So that's the thing.
So call your insurance carrierif you don't have insurance,
reach out to, I would reach outto an incident response firm
that's, that's reputable.
Uh, I'll name myself at the topof the list, but, uh, solace,
uh, but we will, we will thenengage a, a law firm, you know,
on your behalf and bring one inthat we think, uh, best suits
(45:58):
you.
I mean, I get in a lot ofsituations where, you know,
based on what industry you'rein, what size you are, maybe
even your personality that aparticular law firm or even a
particular attorney will workbest for that situation.
So that's what we bring to thetable.
So that would be, um, mysuggestion.
And Arlen, I dunno if you haveanything else.
You, you've arlen's beeninvolved in some of these,
(46:20):
whether he likes it or not, notof his own doing, just because
he's so well connected.
People call him a lot as well.
Speaker 2 (46:27):
Yeah, I mean, you just have to resist the urge to
just go fix it, you know, asfast as you can because there
are, there are certainly stepsthat need to be taken and, you
know, if insurance is involved,that's where it has to start.
They're gonna call the shots andmake the decisions.
So think before you act.
Same thing with preventing thinkbefore you click.
(46:48):
Um, you know, people are wherethe problems happen and, uh, if
we slow down and just thinkthat'll be a big step in the
right direction.
Speaker 3 (46:56):
A lot of people wanna be heroes in these situation and
that those are the, those arethe ones we gotta kind of say,
Hey, hold on, take a deepbreath.
We're gonna get through this,but we need to do it the right
way.
Speaker 1 (47:06):
Well, we appreciate that practical advice from the
two of you.
Well, Chris and Arlen, uh, thankyou for, for sharing, you know,
this information, this is a veryimportant topic that, um, our
listeners and owner operators,you know, need to listen to.
And he, to and I, I wannaencourage all of our listeners
to implement, uh, at least onething or or more that they've
(47:29):
heard today and help securetheir data and their operation
on their farm.
Um, as both of our guests havestated, it's a lot easier to be
proactive and protect things onthe front end than to have to be
reactive and have to deal with adata breach and have to clean
things up.
So Arlen and Chris, I want tothank you for your time, for
your expertise, uh, to sharewith our listeners.
(47:51):
And I'm grateful for thepractical wisdom that you've
shared with us today.
Speaker 2 (47:55):
It's been good to be with you, Dan.
Speaker 3 (47:57):
Appreciate the opportunity.
Dan
Speaker 1 (47:58):
And I want to thank each of our listeners for tuning
in today.
Topcon appreciates all of ourfriends and agriculture who work
so tirelessly to put food on ourtables and we believe that
farmers are the best.
If you enjoyed this episode,remember to like, to share, to
subscribe to Topcon TalksAgriculture on Spotify, apple
(48:18):
Podcasts, Amazon Music, orwherever you get your podcasts.
Please tell your friends aboutus, we'd love for you to follow
Topcon Agriculture on socialmedia.
Thanks again for joining ustoday.
See you next time.
Go out and make it a great day.
Hello and welcome.
It's a beautiful day foragriculture, and we're thrilled
to have you join us for TopconTalks Agriculture.
We delve into the fascinatingworld of farming and all that it
has to offer.
So let's get started today.
My name is Dan Hendricks, and Iam your host for today's
episode.
(00:33):
I serve as the senior businessdevelopment manager for Topcon
Agriculture, and I get thepleasure to work with an amazing
team of talented individuals wholove agriculture.
They enjoy technology, and theystrive to help farmers and
growers find solutions and feedour planet.
On today's episode, we are goingto talk about the importance of
(00:55):
cybersecurity on the farm.
Gone are the days in agriculturewhere the farm and his
operations are off the grid anddisconnected from pretty much
the rest of the world.
Technology and agriculture hasgrown to help producers
understand the benefits ofcollecting their data and using
it to make business decisions toincrease yield, become more
(01:18):
efficient, and get a betterreturn on their investment.
Many new pieces of equipmenthave the ability now to collect
data and share it with otheroperators, consultants, or back
to the home office.
And all of this data is usefuland helpful, but it puts the
operation in risk if it getsinto the wrong hands.
(01:38):
Now, I think all of this canagree that the overall
vulnerability of cyber attacksis on the rise.
Uh, if you're like me, you'regetting emails, text messages,
phone calls from predatorstrying to trick us into giving
them money, data, or access.
Here's a couple stats.
On September 1st, 2021, the F BI released a notification report
(02:01):
sounding the alarm on cybercriminals, increasingly
targeting the food and ag sectorcompanies due to the adoption of
smart technologies.
In the fall of 21, there weresix attacks against grain co-ops
in early 2022.
There were two ag-related cyberattacks that temporarily
disrupted seed and fertilizersupply.
(02:24):
So because of this increasedrisk and threat, we want our
listeners to protect their farm,their data, and their operation.
And so that's why we're havingthis important discussion on
today's episode.
We have two fantastic experts tojoin our podcast today.
The first is Arlen Sorenson.
He's the vice president ofecosystem evangelism for
(02:47):
ConnectWise in Iowa.
He is an Iowa State graduate.
Arlin is also the founder of H TS Ag, which sells precision ag
equipment, grain managementsystems, and also drones.
He is a part of a family farmingoperation in Iowa.
Arlen, welcome to the podcast.
Speaker 2 (03:07):
Thanks, Dan.
Good to be with you.
Speaker 1 (03:09):
Great to have you with us today.
Our second guest today is ChrisLair.
Chris is a graduate of OklahomaCity University.
He is currently the executiveVice President and the Chief
Technology Officer at Solace.
Chris is a cybersecurityprofessional with over 25 years
of experience helping companiesgrow while managing their
(03:30):
cybersecurity and operationalrisk.
He has spent a lot of timehelping companies with cyber
attacks, and he has family farmroots in Nebraska where their
family farm raises corn.
Chris, thanks for joining ustoday.
Speaker 3 (03:45):
Hey, thanks for having me, Dan.
It's a, it's a pleasure beinghere and talking to your
audience.
Speaker 1 (03:49):
Well, let me start off with a question directed
towards you, Chris.
What, what is cybersecurity andwhy is it important?
Speaker 3 (03:58):
Yeah, great question.
So first of all, I'd like to saythat cybersecurity is risk
management.
So it's just like any other formthat you're dealing with in any
type of business, whether it'sag or anything.
Yeah.
So why is cybersecurityimportant?
I think there's some obviousreasons why people know, right?
That, uh, cybersecurity'simportant cuz you get hacked.
But what, what exactly does thatmean in today's world, you know,
(04:19):
the first and most obviousanswer, but people don't really
understand it until theyexperience is interruption to
your operations.
And what does that mean?
And the, the, the quick and easything to say here is it never
happens at the right time.
You know, it could happen whensomeone's, Hey, you know, next
week we are about to replace allthat equipment, we're about to
(04:40):
upgrade and we're in the processof moving to the cloud.
All those kind of scenarios comeup.
Case came up at the end of thelast week and, and the CEO had
to cancel his annual buddiestrip to California for a golf
trip.
I mean, that's just how thesethings operate.
And so you always have to bethinking about what's that worst
case scenario, uh, where it'sjust the worst time of year for
something to happen and thendisruption to your operations.
(05:02):
And then the second piece Iwould like like to point out is
what, when a cyber attackoccurs, what happens to your
staff when that occurs?
What, what do they feel?
A lot of times their informationis compromised as a result of
that attack.
So they lose some trust and someconfidence in you as an
employer.
And some of these employeescould have been around a long
(05:24):
time and, and you built up a, astrong trust factor with them
and just one cyber attack anddent that severely.
And, and I would say those arethe, you know, the top two
things before we get into othertopics that I would put at the
top of the list for people to bethinking about.
Speaker 1 (05:37):
Thank you for that.
Chris Arlan, let me go to you.
Any, anything you want to add tothat?
Speaker 2 (05:43):
You, you know, the thing I would add is that when I
work with producers, a lot oftimes they feel like they're not
a target.
Why would somebody want to goafter me?
We're small, we don't have thatmuch information, but the
reality is that, uh, the badactors that are, that are in the
game are going after everybody.
And, uh, so they're not gonnadiscriminate necessarily because
(06:04):
of where you are or how big orsmall you are.
They're just out there lookingto, uh, take data and take
control of things.
It's all about numbers and, and,uh, volume and, and how they can
do that.
So everybody's at risk andmm-hmm.
to cyber.
Speaker 1 (06:23):
Okay.
Speaker 3 (06:24):
Yeah.
I'd like to add on to what Arlensaid, right there is, let's just
say you think that your industryor what you're in not a target.
Once one person becomes a targetand a threat actor finds
success, they're gonna findsimilar people in that industry
and start going after'em all.
And that's what we see.
We see it.
Whether you're a school, amunicipality, a law firm, it
doesn't matter what industry,once one person is successful,
(06:46):
the word spreads in that threatactor community or what we would
call the hacker community.
But we just talk to them, speakto them as threat actors.
And the word spreads in theattacks start wham bam, one
after the other.
Speaker 1 (06:59):
Arlen, let me ask you this question.
How can a cyber attack in anagriculture business lead to
financial loss or impact thefinances?
Speaker 2 (07:09):
Well, there's a number of ways that it can, can
certainly impact, uh, anoperation.
You know, data is really one ofthe most valuable things that
that farm operations have today.
And, you know, so the, thecollection and storage of that
data is, is essential to, uh,leveraging the tools out there
(07:29):
to plan for the next croppingseason.
Make adjustments to, to inputsand what's gonna be put on.
And if you lose that data, youlose the history, you lose the
ability to layer all thattogether and really leverage
that in making your operationmore efficient and more
profitable.
So, you know, they, they caneasily disrupt the value that
(07:49):
you've been trying to createover the last number of years.
The the, uh, other thing is thatyour actual financial
information can get taken and,uh, that, that certainly causes
disruption in being able tomanage the operation and, uh,
you know, do things you have todo like, uh, income tax filings
and things like that.
So there's a lot of ways thatfarm operations can be disrupted
(08:14):
by bad actors that take dataand, and lock things up.
Speaker 3 (08:19):
Yeah, I I would add that what a lot of people don't
take into account is theirrelationships with their third
parties, whether it becustomers, partners, suppliers,
whatever the case may be.
And the larger that thoseentities are, the more damage
that can be done.
There are a number of cases thatI work where, you know, a a
(08:39):
particular entity has a, a verystrong relationship with one
partner makes up maybe, youknow, a majority of their
revenue, and as soon as theyhave a cyber attack, that third
party cuts them off and says,Hey, look, we're not gonna do
any business with you until weare comfortable that your
environment is secure, thatyou're not going to affect us,
(09:00):
that there's no risk to us.
And until you prove that, we'renot turning the switch back on.
And I can, and I can bet in theag industry that could be
incredibly punitive, uh, forthat perspective.
And again, so a lot of peoplesay, Hey, they, that's great.
I've got this greatrelationship.
I'm making all this money offthis, you know, these larger
companies.
But when they start bringing intheir internal security staffs,
(09:21):
their attorneys, theircompliance and privacy people,
it can make a real mess of asituation.
And, and a lot of people are,are very taken by surprise when
that occurs.
Speaker 1 (09:31):
Right.
Well, I would think too, uh, andboth of you are are experts, but
I would think with agriculture,there's usually a time element.
There's a time when things needto be planted.
There's a time when harvestneeds to happen.
There's a time when you, uh,take harvest to the grain bin.
And, and if you disrupt that, it, it can have a lot of
consequences to a, a farmoperation like you were saying.
(09:54):
Chris, let me go back to you.
You mentioned earlier, uh, riskmanagement that, um, this is all
about risk management.
D do most farm operations, mostfarmers growers, do they
underestimate their risk?
Speaker 3 (10:09):
I I believe they do.
I think they're, they, they do agood job with risk management in
other areas of their business.
Uh, but either a, they, they,they just don't know that they
should be doing risk managementfrom a cybersecurity perspective
or they've trusted someone elseand just what we call outsource
the complete part of it, whichis wrong, right?
(10:29):
You typically, hey, you mightoutsource your accounting, but
that doesn't mean you just leaveit all in the hands of your
account and you never ask aboutthe finances, right?
In the same thing comes with,from a cybersecurity
perspective, even if yououtsource it, it's still your
decisions to make.
It's still your risk to manage.
They might be that outsourcer oroutsourcers might be assisting
you, uh, but that's really whatoccurs.
(10:49):
And I also think it goes back towhat Arlan said earlier, that,
Hey, I don't think I'm a target.
So they don't think they're atarget in the agricultural
industry.
They may not be too many buddystories happening where, Hey,
did you hear about what happenedto Tom last week?
Or, or what happened down theroad to that farm, or whatever
the case may be.
Uh, and so that's the, you know,that, that that's kind of
harmful because in other areasin the country, there's enough
(11:12):
word of mouth now about peoplebeing victimized by these
criminals.
Much different than we saw twoyears ago that people are scared
from that reason.
But I think in the ag business,it hasn't really hit that close
to home yet.
Speaker 1 (11:23):
Arlen, let me throw that out to you.
Uh, any examples of financialloss for farms?
Speaker 2 (11:29):
Well, I think, Dan, that that one of the things
that, that a lot of growers arenot thinking about is the impact
of their data on the future.
Um, you know, as we move moretoward autonomy, as we move
toward more things that are,that are gonna be controlled by
data, the need to have that dataavailable and, and be able to
(11:51):
compile it and use it, it, itbecomes more and more important.
So certainly, you know, thereare incidents where, uh, uh,
organizations have been breachedand it may shut down the ability
of an elevator, for example, to,to issue checks or, or other
things for, for a period oftime.
So there are certainly breachesthat are happening that are
(12:12):
causing damage and, andcertainly slowdowns for folks.
But I believe that the biggestimpact is into the future, uh,
because as we go to moremechanization and more, you
know, controlled situationswhere operators may not even be
on equipment, that data is gonnabe the driving force.
And so it's really importantthat we protect that and make
(12:34):
sure that it's gonna beavailable for the future.
Speaker 1 (12:36):
So what I hear you saying is it's gonna be more and
more important as time goes, andas we absolutely use more
technology, Arlan, let's staywith you.
Uh, and let me ask, what aresome of the most common types of
cyber threats that you see inagriculture?
Speaker 2 (12:54):
So surprisingly, uh, the majority of breaches are
caused by people.
Um, you know, we wanna blametechnology, but at the end of
the day, it's all about peoplethat are making mistakes as they
use their technology.
And so, you know, I think it'simportant that, that we really
call that out.
(13:15):
You can prevent a whole lot ofissues if you just discipline
yourself in the way that you useyour technology.
Don't just click on thingswithout actually looking at what
they are.
Make sure that you are followingthe right policies and, and
protocols with how you manageyour passwords and other things.
But Chris, Chris, I'm sure willverify that, you know, if, if it
(13:38):
weren't for the people, we'dhave a lot less issues with,
with tech and, and security,
Speaker 3 (13:43):
I would say that, you know, what we call business
email compromised is probablythe most prevalent.
And that's simply wheresomeone's email gets compromised
by a threat actor group.
I cannot stress enough howorganized these threat actor
groups are.
These aren't individuals workingout of their grandma's garage.
These are very well organizedand, and they operate very much
(14:05):
like a company or business does.
But the point is, is you havethese well-organized groups that
have very mature processes toget into people's email and
leverage those emails to movemoney somewhere where it doesn't
belong.
And you can imagine in the agbusiness with the amount of
payments that are processed andreceived, that the volume is
incredibly high and the numbersare large.
(14:26):
And so all it takes is onepayment, you know, six figures,
seven figures, or even multiplepayments where that money stacks
up very, very quickly.
And that not only is that moneygone, but where that money was
should have gone, is gone aswell, meaning that somebody took
X amount of dollars and that xamount of dollars was for
someone else.
Well, guess what?
You still have to pay thatsomeone else.
(14:47):
So, uh, that's where you see alot of the financial losses and
those hit pretty hard, hard.
And, and just like Arlen said,those are human issues.
I mean, it's a simple thingwhere somebody just sends'em an
email and says, Hey, we'veupdated our, we changed our bank
account information.
Would you send this payment overhere?
No one asks any questions aboutthat.
No one picks up the telephoneand calls their point of contact
says, Hey, I got this email.
(15:07):
It said, changed your bankaccount information.
Did you in fact do that as thatincredibly simple step?
But these threat actor groupsare so good at convincing this
person, Hey, you don't need todo that.
I'm the boss.
Just do what I'm telling you todo.
Time is of the essence.
They operate underneath thatsentence of urgency, and people
still make those mistakes.
And I've seen people inorganizations that kind of
(15:29):
preach this stuff and theythemselves end up falling for
it.
And it's incredible.
I mean, it's, it's, it's adepressing situation to say the
least.
Uh, but that's where I would saywe'd see the, probably the most
attacks come through is throughthat email channel.
Speaker 1 (15:42):
So Chris, let me stay with you and ask a two-part
question.
How are cyber criminal stealingdata?
I mean, what are some examplesof it and how have their methods
evolved over the years?
Speaker 3 (15:55):
Yeah, that's a great question about data theft,
because it's just the number onegame.
So let's just stay on email andthen I'll, I'll move over to
more from a, a networkingperspective.
When these bad guys get intosomeone's email, and that's,
it's pretty easy to do.
They just trick somebody intheir username and password
because most people don't havethe right control, which is
(16:16):
called multifactorauthentication enabled.
The first thing they do isattach that mailbox and pull
everything down in that mailbox.
Speaker 1 (16:24):
They
Speaker 3 (16:24):
Wipe it out.
So if they've hit some, yeah,they've hit somebody in an
accounting or financial, maybethat person also does payroll.
Maybe that person was formallyand it's some type of HR
capacity, or they're the Jack orJill of all trades.
It doesn't matter.
Everything in that email hasbeen pulled down and there's no
getting it back.
And there's no way to arguethat, well, that person won't
care about that data, or not, itdoesn't matter from a legal
(16:46):
perspective.
And so that's the, that's thesimplest way On an email side,
if we're to kind of move over tothe data side of things, it's
gotten a, these guys have gottena lot better.
So there's one threat actorgroup out there.
They're, you know, they're knownin the security community, but
they're known as Lock Bit and,uh, lock Bit is very proud of
(17:08):
what they do.
And they stand behind their workand they compare their work to
other ransomware groups outthere, but they've actually
created their own software tosteal data.
And so a lot of people will go,Hey, look, uh, I don't think
they stole data.
We called our internet serviceprovider.
We looked at our graphs.
There's no real high bandwidthutilization at any time.
So they couldn't have takendata.
(17:29):
No, these guys are either usinga tool or developing their tool.
In the case of lockman, it'scalled Steel Bit.
And that is used to take dataand to do so in almost an
undetectable way over time.
And so it's amazing how muchdata people can get over time.
So if they're in your networkfor two weeks, three weeks, or
we've seen them even in therelonger, and they're using these
(17:50):
tools, you're not gonna see anypeaks on any type of fancy
graphs that you get from aninternet service provider.
They're gonna take all that dataand they're going to, either
they're gonna use that dataagainst you to get you to pay
them to not publish that data orsell that data, or if you don't
pay them, they're gonna turnaround and sell that data.
So if you think in the agbusiness, which maybe where this
(18:11):
is leading to is, you know, alot of that data in the ag
business could be extremelyvaluable, uh, to outside,
outside parties, um, more sothan in other industries.
You know, other industries aretaking social security numbers,
dates of birth, that type ofstuff.
You could argue that most ofthat stuff's out there already.
It doesn't have a lot of value,but in certain organizations it
(18:33):
does have a lot of value.
And if your business has anyconnections in to the
government, whether you'regetting government funding or
you're, you're attached tosomething of that nature, there
could be additionalramifications for you in that
particular case.
And the threat actors are nodummies.
Sometimes the threat actors willeven say, Hey, we have an
attorney on staff that isadvising us of these things, and
(18:56):
they'll use that as leverage toget paid.
So don't think that because youhave a slow internet connection
or you think that that datamight not be worth to somebody.
Believe me, they're gonna takeall that data.
And you're gonna find out prettyquickly once they do that, how
painful it is, uh, for them totake that data.
Speaker 1 (19:14):
Arlen, let me ask you this question.
Uh, talk to us about what arethe potential long-term impacts
of a successful cyber attack onan agricultural operation?
Speaker 2 (19:26):
Well, I, I think Chris alluded to it, that, you
know, these guys are patient.
So, um, there's been lots ofcases where they'll, they'll
infiltrate and, and get onto,uh, you know, a network and just
sit there and watch for a longperiod of time looking for where
the exact best attack vector is,what the most important data is.
(19:49):
And, uh, you know, they'll,they'll set up their, their
future, uh, breach based on alot of, of study and research.
So they're, they're patient,they've got a plan and a
strategy, and, and they workthat.
And, you know, those kind ofthings can, can really create
long-term issues for, for anoperation over time because, um,
(20:11):
you know, they'll, they'll,they'll determine what the most
valuable data is, who the mostprominent people are in the
organization.
And, and they'll selectivelygrab things, um, you know, in,
in the most damaging waypossible.
They're obviously trying tocreate a value proposition to
get you to write a check to getit back or, or I guess Bitcoin
(20:32):
probably in today's world to getit back.
Um, but, you know, they reallyhave, they have a strategy.
This is not, you know, toChris's point, some random
junior high kids sitting,sitting together playing games
and accidentally getting to yourdata.
These are, are professionalswith a, with a, a business plan
and an approach, and they'vebeen very successful and, and
(20:55):
will continue to be successful.
You can't stop'em completelywith, with tools.
It takes human intervention tobe part of that process.
And, uh, if we, if you don't dothat, they, they will eventually
get to you.
Speaker 1 (21:09):
Chris, let me ask you about the scale of cybersecurity
threats.
I mean, we, we may havelisteners that would think,
well, I've not heard of anybodythat I know that has this, or
maybe this, this is just somevery common, like, help us
understand, um, like where we'reat now, where we were five years
ago and where you see this goingin the future.
Speaker 3 (21:31):
Yeah, well, I'll start off with if you're in the
United States or Canada, the badguys see you as, you know, the
biggest war chest.
Uh, they see the mus most moneyto be earned.
And I always say that these guysare in the highest reward,
lowest risk business.
Cuz if you think about it, it'svery hard to find them to begin
with.
(21:51):
And are you, they actually gonnaget apprehended?
Are they actually gonna getextradited indicted?
You know, they actually get overhere and they get thrown in jail
a slap on the wrist, and are youever gonna see that money again?
Probably not.
Now, there has been some casesrecently where some of these
funds have been clawed back, butit's two or three years later
when that happens.
Uh, but let's, let's talk aboutscale.
(22:13):
You know, throughout the lastfour or five years when I've
been working cases, I've seenjust about every shape or size
of case come in.
I mean, I've seen very smallnonprofits that focus on a
helping domestic abuse victims.
Do you think the bad guys caredone ounce about what that
organization did, their missionor the fact that they were
(22:34):
taking money away that could beused to help for those causes?
Absolutely not.
They don't care.
The deal with this is, is youhave these larger organized
groups and they use what, andthen they usually focus on the
big fish, and then they havewhat's called affiliates that
work for them.
And think of affiliates ascontractors.
And the affiliates are what I goout and do the, do the work, uh,
(22:56):
and, and, and when whatevermoney they gather, they give a
cut to the, to the biggerorganization.
At the same time, there's awhole marketplace of activity
going on.
There's different groups thatare out there stealing PE that
trying to figure out ways tosteal credentials and gain
access to a network, and thenthey turn, they in turn sell
that to these other groups thatdidn't do the ransomware.
(23:17):
And so there's just literallythousands upon thousands of
individuals out there that haveall the time in the world
because the, the payoff is hugefor them to sit down and just
like Arlen said, be patient anddo this work.
And then, hey, look, you thinkthey back off at one little, you
know, one little defensemechanism?
(23:38):
Heck no.
A lot of times they see, youknow, if somebody gets involved,
they see something standing intheir way, they're gonna figure
out how to get around it.
I mean, we deal with that allthe time.
We deal with people that call'em, say, I, hey, I'm seeing some
weird activity in my networkright now.
We have to jump in and it's abattle going back and forth.
We can't just scare these guysoff.
It's not like somebody comingonto your property, you turn the
(24:00):
lights on, you know, shoot, putyour shotgun in the air, and
they, and they, they run away.
It doesn't happen in the cyberworld.
These guys see it as a challengeand they'll continue to fight.
So sometimes those fights can godays on and even weeks to, to
finally get those bad guys outtathe network and do those things.
So again, at at scale, theseguys pick on the small to medium
(24:20):
and the large, but the small andthe, on the, and on the smaller
scale of the medium sizeorganizations are the ones that
they love the best because thebig boys can handle it.
Like they can handle it from a,they can take an outage, their
financial ability, they havefinancial abilities to do their
capabilities to do that.
At the same time, they haveinvested money in ways to just
(24:42):
recover their environments realquick and all that type of
stuff.
Small guys don't have thatluxury.
And so when they get attacked,the bad guys know, Hey look,
we've put them in a veryprecarious position.
A lot of these organizationshave one owner, and that owner's
been around forever and sees hisor her business flash between
flash, you know, in front oftheir eyes and they're ready to
(25:03):
kind of, um, they're ready topay or do whatever it takes to
get their thing, their businessback up and running.
And the bad guys know that.
So it's gonna continue to growbecause most of this activity
occurs in Russia and, and aroundRussia.
And there's nothing going overthere today, especially with the
situation going on with Russiaand Ukraine now, where no one's
(25:23):
caring about the, what thesecyber criminals are doing to the
us.
And I always argue, I said, ifyou're Russia, just think about
the amount of wealth that'sbeing transferred from the US to
Russia.
It's not in your best interestto put a stop to it either.
Speaker 1 (25:36):
If they, if there isn't a cyber attack, you find
that there's not a lot ofgovernment intervention or
there's not a lot of things thatlaw enforcement are gonna be
able to do to help you
Speaker 3 (25:45):
Not there, there, yeah, this was, um, this is a
topic that's come up lately.
It's interesting.
Law enforcement, local lawenforcement typically is not
gonna be involved at all.
Uh, really a as I, and then thisis not disparaging anybody, it's
just the size of theorganization really, New York
City is the only one with thepolice force large enough to
have a unit that can specializein this.
(26:06):
And they do a good job.
Uh, normally the F B I does getinvolved and they have task
force all around the countrythat are focused on that.
But they're not gonna be like,they're not gonna walk into your
shop and run the show.
They're gonna be sitting on thesidelines waiting for you, uh,
to provide them information.
The only difference is if itcomes down to critical
infrastructure, if you'reconsidered critical
(26:27):
infrastructure, uh, then the f bi, even the Secret Service and
some other entities will getinvolved and they'll get
involved very actively.
Or maybe whatever's happening toyou also happened to ha ha
happened to somebody in, incritical infrastructure.
Then the f b I might be moreengaged and willing to figure
things out.
(26:48):
But, um, typically if you'rekind of the smaller fish, law
enforcement is gonna just belooking for you as a provider of
information to help them in kindof the greater, the greater
cause of what they're doing.
But they're, they're not gonnabe involved, uh, like maybe one
would think they would
Speaker 1 (27:04):
Be.
So Chris, I mean, what you'resaying is it's just so critical
to be on the front side of this,the front end of it and be
proactive then to just wait forsomething to happen.
Um, so Arlan, let me ask you,tell us about the advantages of
cyber security of doing, doing,taking steps to keep this thing
(27:26):
from happening.
Speaker 2 (27:27):
Well, you, you wanna be proactive for sure, and you
know that that has to happen onmultiple fronts.
Certainly there are tools andtechnologies that you can
implement, you know, to helpprotect your, your, uh, data and
your systems.
And it's really important thatyou have those, uh, tools in
place that they're current, thatyou keep'em updated because it's
(27:50):
a never ending and constantlychanging, uh, environment.
And so there, there certainlyare things that you can do to
help slow down at least theprogress that, that, uh, these
bad actors might make.
But the bigger side of it,really, Dan is the people side.
And so it's coming down, youknow, it comes down to creating
(28:12):
the right policies and, andprocedures and training people
on those things.
I mean, that's one of the bigvectors of, of penetration is
that companies may have, orthere, there may be a set of
standard operating procedures,but people aren't trained on'em.
They're not tested on'em,there's no, no actual
(28:32):
enforcement to make sure that,that if they're operating that
way.
And so, you know, if you, if youput the right tools and the
right uh, people issues inplace, you can, you can put up a
pretty good fight, uh, withthese bad actors, but it really
does require an ongoingapproach.
And you know what, what we findwith a lot of small businesses,
(28:53):
uh, farms included, is that theydon't have budget for this.
They don't understand why theyshould make those kind of
investments.
It's not inexpensive for sure,but, uh, it's certainly cheaper
than the alternative of havingto engage solace to come and,
and recover.
Speaker 1 (29:11):
Uh, are there any cybersecurity myths that we
should know about?
Speaker 3 (29:15):
Well, that tools solve all the problems.
Uh, that's one thing.
Uh, the other thing is, I, I usethis quote whenever I do pre
presentations, and it comes froma gentleman by the name of Brian
Krebs, who's a journalist andcyber expert.
And, and it is basically thelight at the end of the tunnel
is an oncoming train.
And that's what you have tothink about.
Cybersecurity.
You're not done.
(29:35):
I mean, Arlen headed towardsthat just a few minutes ago.
You could go out and spend,spend some money on
cybersecurity and unfortunatelysix months, a year from now,
that stuff may need to betweaked, even replaced or
whatever the case may be.
That's just the reality of this.
Uh, there are tools that werethe top of the list of the best
(29:56):
tools five years ago that Iwouldn't be caught de dead using
today.
Uh, I, I, and I think that's,that, that's a lot of it.
And, and the other myth we'vetalked about is not gonna happen
to me, but what I would say iswhat people have, the, the
biggest struggle is they justlet their data and their
networks grow out of controlthings.
(30:17):
They just, things they don'tunderstand you.
I say, Hey, we, all of ourpayroll and everything we, that
takes place in this third party.
Well, fantastic, but somebodyexported some data.
Somebody, you know, came with,they have a big spreadsheet full
of 401K information and that'sall it took to trigger, trigger,
sorry, trigger a number of legal, uh, legal things to happen as
(30:38):
a result of that data gettingtaken.
So I mean, that would be the topof my list.
And I think one more that wehaven't really touched upon that
could probably, you know, getits own segment is I don't need
cybersecurity insurance.
And I think that's, uh, that's akind of ridiculous thought in
these days.
Yeah.
You know, we, a lot of peoplethink, Hey, buy so much
insurance, we're insurance poor,whatever the case may be.
(31:01):
But in the, in the grand schemeof things and everything you pay
insurance on, and yes,cybersecurity insurance has
increased in years because a lotof claims are being paid.
It's still incredibly importantto have, because it covers you
for things like businessinterruption loss, it covers you
for legal expenses, it coversyou for litigation.
If someone decides to sue you,it covers you.
For a company like Solace beinginvolved in, in doing the work,
(31:24):
those are the things it does.
And so a lot of people says,well, I don't need that
insurance either.
I've got it covered, I'll payfor it out of pocket if it
happens.
No, you won't want to do thatbecause I'll tell you the one
real important thing is whenyou're under a cyber attack and
you need help someone likeourselves or someone similar,
you don't wanna be having tocount pennies and nickels.
And cuz that slows down theprocess and it makes my job and
(31:46):
my team's jobs incrediblydifficult.
Having an insurance policy thereallows people to do the work
they need to do at the pace thatit needs to be done without
somebody constantly every hoursaying, well, how much money
does I spend in the last hour onyou guys?
And that type of thing.
Speaker 1 (32:03):
Right.
I see.
Arlen, anything you want to addto that about myths?
Speaker 2 (32:08):
Yeah, I I would say, uh, a lot of people think that,
you know, if something happensto me and my data, it's not
really gonna hurt anybody else.
Um, you know, this, this stuffhas a lot of, of, uh, tentacles
to it.
And, uh, depending on the kindof data that gets, gets
breached, you know, there are,there are all kinds of laws
(32:28):
protecting, you know, medicaldata and, and other kinds of
things that there can be a lot,uh, a huge risk, uh, from what
seems to be pretty normal andnot that important data to you,
but if it gets out into thewild, it can be a significant,
uh, financial and, you know,compliance burden.
(32:49):
So it, it, it does matter.
It's not just going to impactyou, but, you know, third party
connections like Chris talkedabout earlier, you know, there's
just a lot of potential riskthat's related to that and, and
you wanna do all you can to, toprevent that.
Speaker 1 (33:04):
So Chris, let's get practical for a second.
If, if there's someone thatthat's an owner operator that's
listening to this podcast andthey ask themselves where, well,
where should I start?
What would you go down the listof like, here's some steps that
you should take to protect yourfarm with cybersecurity?
(33:25):
Where do they begin?
Speaker 3 (33:27):
Yeah, Dan, there's a number of resources that you,
you can go and look, I wouldtell you it's pretty tough to do
your own research on the, on thematter.
You're, you're gonna need tofind somebody that you can trust
to give you some advice andpoint you in the right
direction.
Somebody that's willing to knowyour operation and to just kind
of look around and say, okay, I,I can see where you're at, how
many people you have working foryou at this time of year,
(33:49):
seasonally, whatever the casemay be.
Understand that and, and be ableto draw up that roadmap.
If you, if you call on somebodyand they dump a 20 page proposal
and say you need a hundredthings at one time, you know,
that's not somebody sittingthere helping you, uh, manage
the risk.
And so I think that's the firstthing to do.
But there's, there's some otherresources out there.
(34:09):
There's the c i s top 18controls, and I think that is
one that, uh, that's, that'snothing you have to pay for.
Uh, you can go out there andread it.
I think it's pretty digestiblefor someone to understand.
You don't have to be a, atechnology expert to understand.
Uh, and there's some other,there's some other resources out
there.
(34:29):
The government's doing a lot ofwork on around the site helping
small and medium size business.
Uh, but I think that theirdocumentation is, some of the
things coming out of NIST as anexample can be a pretty heavy in
the technical jargon.
So I, I would sit there andstart with, uh, the c i s but
definitely just don't go on iton your own.
You, you need to find somebodythat's willing to help you and
(34:50):
understand and help you at yourlevel.
And again, not trying to, uh,sell you a bunch of stuff and,
and, and make you believe thatyou're secure more about
understanding really how tobuild a program is what we call
it.
And, and manage that programover the life of your operation.
Speaker 2 (35:05):
Yeah, I I I would add that, you know, agriculture is,
uh, is one of those, uh,industries where there's a lot
of people moving around with alot of different equipment and,
uh, sometimes I, I find thatgrowers don't even recognize
that, that certain pieces ofequipment are, are on the
internet or, or are potentiallybreached targets.
(35:28):
They're outside of the, youknow, office network, but
there's, you know, wirelessconnections out in, in their
tractors and in their combinesand all over the place.
And, and so you, you really doneed to find a professional that
can help you look at the entirerisk por uh, you know, exposure
because it's not just containedin that office, it's, it's all
(35:49):
over the vehicles and, andlaptops and other things that
people are carrying with themall over the place.
Speaker 1 (35:56):
I think we found out during covid just how delicate
the supply chain can be.
So let me ask the two of you aquestion about that.
Have you seen examples of wherea cyber attack can happen at
some point in a supply chain orfood supply chain and it affects
(36:16):
like upstream and downstream andlike what the implications are
of that?
I'll start with you, Arlan.
Have you seen examples of that?
Speaker 2 (36:26):
Oh, I think I'll defer to Chris on this one
because, uh, he sees the realdeal up close.
Speaker 3 (36:32):
Yeah, I've definitely seen where it's disrupted supply
chains, you know, notnecessarily so much in, in the
food side of things.
I've seen it more inmanufacturing sides of things.
And what's interesting aboutthat is you can see an
organization that, let's saythey, they're a supplier to a
much larger organization and,and that much larger
organization ends up dictatingthe rules, which those rules may
(36:55):
not be what, what the victimthemselves actually wants to
live by, but they have to dowhat they're told as a result.
So I've seen organizationscompletely get wiped out by an
attack, and they, if they paidthe attacker, uh, the attacker
would given them the means torestore their environment and be
back up and operational.
However, their client or theircustomer says, no, we don't pay
(37:19):
threat actors ever.
We don't pay criminals.
You're not gonna do it either.
And so that organization has tobuild everything from scratch.
So I've seen that happen, uh,I've seen those things happen
and, and which, which isinteresting because in some of
those industries, covid slowedthings down where I think that
was probably, if it was in moreof a robust economic setting,
(37:40):
that would've been incrediblypainful.
It was still painful, but it'dbeen much, much more painful.
Uh, but I, yeah, I, I'vedefinitely seen, I think the
other part is, is in, forexample, in the, in the medical
side, this word gets reallyhairy when you're dealing with
patient information.
And this is really just to usean example there, you know,
patient records get moved fromplace to place to place for
(38:01):
legitimate reasons.
And if one point of that processgets hit, it can be very
disruptive to everybody else.
And then everybody else isgetting involved saying, you
need to tell us this.
You need to tell us this.
Why did this happen?
Why did that happen?
And that can be incrediblydisruptive.
And so, uh, I can tell youthough, in the cases where,
like, let's take the, the, oneof the bigger attacks that's
(38:22):
happened in recent history hasbeen on the colonial pipeline.
And that, uh, you know, that wasa big deal because that did, uh,
impact, you know, especially onthe northeast and impacted the
ability to deliver gasoline.
And, and what what wasinteresting about that attack is
the pipeline itself wasoperational.
It was the financial backendthat was impacted.
And so the pipeline itselfcouldn't bill, they couldn't do,
(38:45):
they couldn't
That's what really shut thatpipeline down.
The attackers didn't find a wayto cut off the supply.
They just felt, you know, thebackend.
And that goes back to all thesekind of interoperabilities and
all these things that areattached.
And you might think, Hey, myoperation out in the field can
work fine, but what if you, whatif your financial stuff is down,
your accounting stuff is down,how long can you operate in the
(39:06):
field that way?
So yeah, I mean, on the supplychain stuff, it's weird how all
this stuff works and, and itjust gets, um, it just gets
worse.
I mean, we see organizationsthat start to have a global
footprint and something mighthappen in a completely different
country, but since it's stilltheir same company, it, you
know, it makes its way over, notfrom an attack perspective, but
(39:26):
from a legal or regulatorycompliance perspective.
So there's many different waysthat I've seen this, you know,
kind of supply chain getaffected by just one, one
attack.
That probably took a a few daysfor the bad guys to actually do.
Speaker 1 (39:39):
Arlen, let me ask you this.
What can our listeners do tolearn more about how to take
cybersecurity seriously fortheir operation?
Wh where do they go?
Speaker 2 (39:49):
Well, there's, there's a lot of information
obviously available out on, onthe, on the web, but, but I
think to Chris's earlier point,you, you need to find a trusted
professional that you can sitdown and work with.
This is, this is not ado-it-yourself kind of
environment.
Um, you need to, you need to sitdown and do a risk assessment.
(40:09):
You need to identify what assetsyou have, you know, that you're
using in your operation that areconnected and where those points
of of attack might happen from.
And, uh, then you need to getreally good guidance in how do
we create the right proceduresand policies?
How do we train our people?
How do we implement the righttech?
(40:31):
But, uh, it's not like you cango out to the website and just
punch it in and it'll give youthe list.
Every, every operation is uniqueand different, different risks.
And it really gets down to wherewe started from.
You gotta identify your riskprofile and how you can protect
that the best way possible withthe budget you have available.
Speaker 3 (40:50):
I would say there's another resource out there, uh,
sans, s a n s, they produce anewsletter that you can
subscribe to for free calledOuch, O U C h, uh, exclamation
point.
And that one is really directedto the layperson and it's, it,
(41:11):
it, it's business purpose andpersonal purposes, but every
month they have a differenttopic that they go on.
And I think it's really, IM, youknow, that's an easy one to
learn from.
Outside of that.
Everything else that, uh, Arlenand I spoke about with, with
bringing that in, I don't, Ialso think it wouldn't be a bad
idea that if you have peers thatyou, you know, exchange ideas
(41:33):
and, and work with, there's nota problem bringing an expert in,
uh, to talk to with you all ofyou, right?
If you have things in common todo it that way.
One thing that I would warrantagainst, and I have seen this,
uh, in the ag businessspecifically, is please do not
share infrastructure with peoplethat are not legally attached to
(41:55):
you.
And I have seen this happen morethan once where we see, uh,
somebody comes in, they've beenattacked, and then we find out
that it's three, four, or evenfive companies using the same
servers, the same directory, youknow, all that kind of stuff.
And it really makes thingscomplicated, right?
And so I think you can go in itfrom a joint perspective, but
(42:16):
you have to have the problemsolved for each individual and
don't go in and pitch in moneyto save money on, on
infrastructure.
That's not the right way to goabout it.
But, um, but there, uh, there's,there's plenty of people, you
know, especially in those, youknow, ag areas of the country
that are, that are willing tohelp and, and that know that
business.
Well,
Speaker 1 (42:35):
Let's say one of our listeners finds themselves with
an attack on their business, uh,within their network.
What would you suggest that theydo?
Speaker 3 (42:48):
The first thing is, is don't take steps on your own,
because that could cause harm tothe whole situation.
And I'll explain that in asecond.
If you have cyber insurance, andwe've talked about that earlier,
that's your first call, youshould make, typically the cyber
insurance carrier is going topoint you to the right, in the
(43:10):
right direction with the rightexperts, typically that's gonna
be a, an attorney thatspecializes in these matters,
and b, an incident response firmthat also specializes in these
matters.
It's important to have both ofthose people there for you
because number one, the attorneyis gonna be your legal expert
and give you attorney-clientprivilege coverage, which you
(43:30):
need.
And any work performed by theincident response firm is going
to be covered under thatprivilege as well.
And why do you want those twogroups working with you versus,
you know, your IT person or yourIT consultant or whatever,
because the i IR firms instantresponse firms do this all the
time and they know exactly thesteps to take to make sure that
(43:52):
thing that not only can youroperation return, but also from
a, from a forensics and legalperspective, that things can
take place cuz you need thosesteps to be taken successfully.
If not, depending on whereyou're at, man, things can
happen.
And what I mean by that is,let's just take a ransomware
attack.
A lot of this happens whereransomware attack occurs.
(44:12):
People start unplugging things,rebooting things, or they just
tell their IT company, restoremy data.
Then guess what?
An incident response firm comesin and says, okay, what
happened?
They explain what happened andgo, oh, okay, we need to grab
data off of those systems so wecan understand what exactly
happened.
Because legally you need toknow, well, if all that
(44:33):
forensics data was destroyed,well guess what?
You have to assume the worsthappened, which, which may not
be the case and which you likelyisn't the case.
And so from a legal perspective,that puts you at a much larger
risk than it did before.
The other thing you just wannaknow is sometimes we've seen
people restore data, and guesswhat?
(44:53):
They just turn around and getattacked again.
They don't fix the problem andbring in an instant response
firm in as well, gives you theability to identify what
happened so you can then correctit.
So when you come backoperationally, you're not
repeating the same steps andhave that bad threat actor in.
And then from a legalperspective, a lot of people
worry about when am I supposedto tell my staff?
When am I supposed to tell mycustomers, my suppliers,
(45:15):
whatever.
That's what that attorney isthere for.
And they're going to help youand they're gonna bring in
experts in each particular area.
Like I talked about earlier.
If you have any kind ofrelationship with the
government, that's where theattorneys are gonna come in and
tell you this is, Hey, you needto, you need to report this
right now or you need to wait,or you have employees that live
in five states, so we need todeal with five attorneys
(45:37):
general.
So that's the thing.
So call your insurance carrierif you don't have insurance,
reach out to, I would reach outto an incident response firm
that's, that's reputable.
Uh, I'll name myself at the topof the list, but, uh, solace,
uh, but we will, we will thenengage a, a law firm, you know,
on your behalf and bring one inthat we think, uh, best suits
(45:58):
you.
I mean, I get in a lot ofsituations where, you know,
based on what industry you'rein, what size you are, maybe
even your personality that aparticular law firm or even a
particular attorney will workbest for that situation.
So that's what we bring to thetable.
So that would be, um, mysuggestion.
And Arlen, I dunno if you haveanything else.
You, you've arlen's beeninvolved in some of these,
(46:20):
whether he likes it or not, notof his own doing, just because
he's so well connected.
People call him a lot as well.
Speaker 2 (46:27):
Yeah, I mean, you just have to resist the urge to
just go fix it, you know, asfast as you can because there
are, there are certainly stepsthat need to be taken and, you
know, if insurance is involved,that's where it has to start.
They're gonna call the shots andmake the decisions.
So think before you act.
Same thing with preventing thinkbefore you click.
(46:48):
Um, you know, people are wherethe problems happen and, uh, if
we slow down and just thinkthat'll be a big step in the
right direction.
Speaker 3 (46:56):
A lot of people wanna be heroes in these situation and
that those are the, those arethe ones we gotta kind of say,
Hey, hold on, take a deepbreath.
We're gonna get through this,but we need to do it the right
way.
Speaker 1 (47:06):
Well, we appreciate that practical advice from the
two of you.
Well, Chris and Arlen, uh, thankyou for, for sharing, you know,
this information, this is a veryimportant topic that, um, our
listeners and owner operators,you know, need to listen to.
And he, to and I, I wannaencourage all of our listeners
to implement, uh, at least onething or or more that they've
(47:29):
heard today and help securetheir data and their operation
on their farm.
Um, as both of our guests havestated, it's a lot easier to be
proactive and protect things onthe front end than to have to be
reactive and have to deal with adata breach and have to clean
things up.
So Arlen and Chris, I want tothank you for your time, for
your expertise, uh, to sharewith our listeners.
(47:51):
And I'm grateful for thepractical wisdom that you've
shared with us today.
Speaker 2 (47:55):
It's been good to be with you, Dan.
Speaker 3 (47:57):
Appreciate the opportunity.
Dan
Speaker 1 (47:58):
And I want to thank each of our listeners for tuning
in today.
Topcon appreciates all of ourfriends and agriculture who work
so tirelessly to put food on ourtables and we believe that
farmers are the best.
If you enjoyed this episode,remember to like, to share, to
subscribe to Topcon TalksAgriculture on Spotify, apple
(48:18):
Podcasts, Amazon Music, orwherever you get your podcasts.
Please tell your friends aboutus, we'd love for you to follow
Topcon Agriculture on socialmedia.
Thanks again for joining ustoday.
See you next time.
Go out and make it a great day.
Popular Podcasts
Bookmarked by Reese's Book Club
Welcome to Bookmarked by Reese’s Book Club — the podcast where great stories, bold women, and irresistible conversations collide! Hosted by award-winning journalist Danielle Robay, each week new episodes balance thoughtful literary insight with the fervor of buzzy book trends, pop culture and more. Bookmarked brings together celebrities, tastemakers, influencers and authors from Reese's Book Club and beyond to share stories that transcend the page. Pull up a chair. You’re not just listening — you’re part of the conversation.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com