P&C the March 2022 issue

Betting the Farm

Cyber security is essential for public trust in our food chain. It also will significantly reduce the threat of loss.
By Melissa Hersh Posted on February 28, 2022

Sophisticated cyber criminals are demonstrating their ability to move from cyber-enabled non-physical business interruption to physical damage or property destruction—or even casualties—using cyber-enabled means. Securing mission-critical sensors, devices, equipment and communications systems that support precision agriculture and smart value chain operations is good for business, sustainability, food systems resilience, and, ultimately, economic and national security.

The food and agriculture industry in the United States is almost entirely privately owned, as are the digital asset owners and operators, equipment manufacturers, and third-party vendors and partners who support them. Without cyber-security standards, the farm-ag industry is rife with cyber risk.

Many farms and agricultural processors are heavily invested in internet-connected technology.

There are currently few enforceable cyber-security standards in the farm-ag industry.

A scattershot approach to cyber increases business and systemic risk. The insurance industry may be able to force some changes.

The financial services industry could pave the way for incentivizing robust security protections and ushering in best practices in digital security. Digital due diligence is a mutually reinforcing security activity, so it needs to be conducted by a range of participants, among them investors, lenders, insurance industry stakeholders and digital infrastructure manufacturers.

Internet-of-things (IoT) solutions in the farm-ag industry have largely been deployed without cyber-security standards and concepts necessary for such mission-critical tools. IoT solutions are often a network of connected devices embedded with sensors, controllers and software that allow for the free exchange of data over the internet. When 5G networks become ubiquitous, some worry the future pace of IoT deployments will be incompatible with the highest cyber-security standards. Information technology (IT) and operational technology (OT) are increasingly converging, raising the risk to systemic digital infrastructure systems. Their convergence also increases the risk of cyber-enabled, non-physical business interruption and losses, as well as physical property damages and losses and potentially even casualty losses or worse.

Digital Infrastructure  

In the United States, the infrastructure-intensive food and agriculture sector accounts for one-fifth of economic activity. At the same time, it accounts for one-third of human-induced carbon emissions globally. The development of precision agriculture and the deployment of so-called smart food production and manufacturing will contribute to the stability of our food systems and decrease greenhouse gas emissions. Smart food processing relies on automation to reduce manufacturing errors and help food providers track their supply chains. But many of these smart systems are of unknown provenance and pedigree.

Megan North, a vice president and professional lines broker at AmWINS, says the food and agriculture sector relies on technology to address myriad obstacles related to food production and distribution. “Facing challenges from climate events, social responsibility and supply chain frustrations, we’re seeing companies in the food and agriculture space scramble to adapt to a seemingly evolving operational landscape,” North says. “From drones, weather sensors, tracking equipment which follows product from the field to the store shelves, to even machine learning and AI—there is an evolving reliance on technology.”

“Any device connected to a business’s network is considered an endpoint, and any unsecured endpoint is an opportunity for a threat actor to exploit access to that network for monetary gain or other nefarious interests,” North says. “As the food and agriculture industry increases its reliance on technology, so will its vulnerability to threat actors also increase.”

The introduction of precision farming and IoT solutions is designed to increase the efficient use of critical data to enhance sustainability, quality assurance and profits. IoT and industrial IoT solutions are used all along the value chain, from the farm to the transportation to the processing facilities. Industrial IoT solutions are used in smart food processing facilities as well as within solid waste disposal and wastewater treatment facilities.

For example, real-time information about soil moisture, derived from sensors, will enable farmers to make irrigation decisions that maximize crop yields. Farms also use smart meters to track and forecast electricity, water or other energy usage demands. Farmers use this information to make real-time decisions, plan farm operations, and reduce costs. They can also use IoT sensors to track livestock feeding patterns or monitor the temperature of animals, information that helps farmers make decisions regarding the animals’ health, welfare and breeding.

Because pre-harvest and production activities depend on critical inputs from other infrastructure sectors that are also digitally transforming, such as energy and water, the smart farming IoT ecosystem is fundamentally a system of interdependent systems.

According to Danielle Jablanski, an OT cyber-security strategist at Nozomi Networks, by 2030, global spending on IoT for agriculture is expected to more than triple from its current rate of $8.5 billion. “This includes investments in precision farming, smart greenhouse technologies, livestock tracking and monitoring,” Jablanski says. “And most of this is being driven by the ubiquity of sensors as well as the required network costs.” Jablanski, whose research on this is part of a Guidewire Insights report, also notes that IoT in agriculture will be limited to large-scale farming operations until access to reliable and affordable high-speed internet becomes more commonplace.

Michael Deal, chief marketing technology officer at NAU Country, a leading U.S. crop insurer and part of QBE, says he sees this type of technology being adopted in both farming and distribution. “On one hand,” Deal says, “we’ve personally seen a slower acceptance rate with precision ag technology due to the reluctance of policyholders to share their personal information and farm data. However, even with the hesitancy of a few and cyber risks present, there is still a remarkable adoption of technology in the field today.”

Wireless Balancing Act

All of these IoT systems—which include, among others, smart greenhouse technology and livestock tracking—depend on wireless communications systems that support high volumes of data at high speeds. These sophisticated communications systems are necessary for real-time monitoring and command and control of cyber-physical systems, which incorporate digital, analog, physical and human components. Wireless communication systems like 5G or even future 6G add to the volume of new digital infrastructure being deployed.

Historically, OT environments—such as industrial control systems, building-automation or management systems, or emergency management systems—were used without being connected to IT systems. But industrial IoT and IoT solutions are increasingly creating cyber-physical systems environments. As a result, there is a greater convergence of previously siloed information technology and operational technology ecosystems.

Within the OT environment, however, many industrial controls systems, such as supervisory control and data acquisition systems, generally have longer life cycles than their IT counterparts. As a result, many of the sensors and components responsible for physically controlling systems and the electronic devices that are digitally programmed to interface with the physical world may not be secure. The same holds true for dashboards or systems used by decision makers who remotely manage irrigation processes on the farm or who supervise industrial processes within a food production facility. Weak access controls and weak security protections for connected devices in OT environments designed for safety can lead to cyber risk. This risk is compounded by systemic digital infrastructure risks in sectors that depend on the food and agriculture industry, such as energy, water and transportation.

  • Non-physical business interruption (the loss of networking and communications systems, malware, ransomware, denial of service incidents and disinformation)
  • Data risk (privacy breaches, IP theft, data manipulation, business-critical information exfiltration or espionage, R&D data, vendor and supplier information, crop yield forecasts, proprietary genetic technologies)
  • Cyber-physical business interruption and property damage (operational technology, IoT or industrial IoT disruption, malware, denial of service, product contamination, destruction of equipment)

The Coverage Market  

Cyber insurance was designed to respond to loss or disclosure of private information. These days, it has evolved to include financial protections and business interruption loss. North, of AmWINS, says recent events have shown cyber loss can mean a significant shift from the financial to the physical realm. “We’ve seen hospitals, water treatment plants, and oil pipelines targeted,” she says. “Each of these attacks can produce tangible losses, including physical damage and/or bodily injury.”

As the food and agriculture sector becomes more reliant on IoT devices and connectivity, North says, the threat of cyber-induced physical damage is heightened. “Whether that threat is bodily injury to consumers, loss of product, damage to hardware or machines—there’s a number of ways it could manifest,” she says. “The food-ag sector is highly sensitive to supply-chain risks and disruptions—whether from weather, social, environmental or other macroeconomic pressures. I would argue you can add cyber to that class as well.”

What about coverage options? What are insurers looking for? North says recent attacks on critical infrastructure have prompted discussions about baseline controls and protections for cyber insurance and underwriting.

“We’re seeing a shift in the cyber industry now in the wake of events like these, which has shown carriers imposing expectations of their insureds—to carry certain baseline controls when it comes to network security—regardless of their industry,” North says. “If insureds don’t exercise certain baseline controls or articulate appropriate compensatory controls—it’s becoming harder and harder to find coverage for them.”

Cyber criminals do not discriminate. They aim to take utmost advantage of vulnerabilities through which they can access systems or data, typically for a ransom or other monetary gain. A system with the least amount of resistance, North says, is most likely to fail. “Insurers are not interested in providing protection for those companies who are not willing to do the basic steps when it comes to cyber-security,” she says. “If they do, it is likely coverage will be severely limited and/or pricing prohibitive.”

While cyber insurance policies provide protection in the event of a breach, many carriers also provide additional services. “From breach response, legal services, and forensics to assistance with restoring data and system functionality,” North says, “cyber policies are worth much more than their paper in such an event.”

Deeper Threats Emerge in Food-Ag Sector

On a broader scale, digital infrastructure risk could exacerbate other threats to food systems. For example, building-automation and building-management systems use cyber-physical systems to regulate temperature, humidity, ventilation and other conditions vital to food safety. Moreover, building-automation and building-management systems are used in laboratories that serve the food industry.

All systems are becoming cyber-physical systems. The convergence of information and operational technologies, aimed at optimizing the availability and reliability of processes, is also increasing the attack surface. Cyber criminals have developed the capabilities to modify or exploit IoT environments in such ways that can potentially offset the very gains these systems are designed to confer. For example, systems designed to ensure availability of data can be exploited to deny, degrade, distort or destroy data.

North says companies seeking coverage need to adopt best practices in their efforts to prevent cyber attacks, despite the price tag. The cost of not doing so could have impacts beyond the ability or inability to insure themselves against cyber risk, North says. “In the food and agriculture industry, the nature of services is often critical to life—or society—so there exists motivation on a lot of fronts to keep that system or service running.”

Well-resourced, state-backed cyber criminals pose a persistent threat to U.S. critical infrastructure sectors, among them food and agriculture. Recent attacks against privately owned infrastructure targets reveal the fragility of our just-in-time supply chains and have highlighted either single points of failure or opportunities for catastrophic disruption in critical supply chains. The attacks have prompted the federal government to try to identify critical failure points and the consequences of failure across sectors.

Undermining the integrity of farm-ag IoT could reduce public confidence in American-made products and systems. A campaign of state-sponsored cyber attacks and well-coordinated disinformation campaigns against the food and agriculture sector in the United States could undermine its position as the largest provider of food assistance globally, creating a geostrategic influence vacuum.

Sophisticated state cyber adversaries and opportunistic cyber criminals understand the importance of food systems to a country’s reputation, food security, economic prosperity, even national security. Consequently, poor underlying cyber readiness in the food and agriculture sector is amplified whenever more unsecured digital infrastructure is deployed.

Last summer’s ransomware attack against JBS, a leading global food supplier, was certainly a wake-up call for the food and agriculture sector. The attack came amid supply chain woes brought on by the COVID-19 pandemic. In response, JBS suspended its meat processing operations in several key countries, one in the United States and another in Australia, by taking them offline. Additionally, upstream slaughter of cattle precipitated further business interruption losses and price volatility. The company’s rapid response helped its eventual recovery, but the experience offers no guarantees that other companies, in similar straits, would follow suit.

The JBS attack was the latest in a spate of ransomware attacks against the food industry, including retailers and restaurants, coming on the heels of two other U.S.-based attacks that highlighted critical infrastructure vulnerabilities in the energy, water and wastewater sectors. These attacks did not succeed in causing property damage or casualties, but they did demonstrate the ability of cyber criminals to disrupt business operations and instill fear and mistrust in critical infrastructure sectors.

Security by Design is Essential

Countless cyber-security vendors exist to help organizations protect their crown jewels. Unfortunately for the farm-to-table supply chain, there is no one-size-fits-all solution. There are, of course, best practices, but identifying what needs to be secured—and how—can be an onerous undertaking. This is particularly true for non-uniform, purpose-built IT, OT, IoT, and industrial IoT systems that include both legacy and new devices. At a minimum, cyber hygiene is a must. The use of cyber-security tools to detect anomalies is also a must. But hygiene and cyber-security tools are not enough to defeat sophisticated cyber adversaries. Operationally applied cyber security is necessary but not sufficient. Instilling security by design throughout the operational technology environment is essential.

North says that, while some companies have embraced cyber-security measures, others have been slower to the gate. “It really depends on the organization,” North says. “We’re seeing some take the change thoughtfully and methodically, while others simply are looking to maximize the value of the technology—hardware, software, products, etc.—as soon as possible, with security being an afterthought. Speedy and secure aren’t generally used simultaneously, as it can take time to ensure integration works seamlessly and at the most protected levels.”

But North cautions that companies must be concerned with not just their technology but also its adoption by employees. “No matter the circumstance,” she says, “you can’t ever remove the human element completely, which is many times where the breakdown occurs. In fact, cyber attacks are often a result of a human error or oversight. So the adoption of technology and ensuring its security also require proper training, user integration and preparation for end-users to complement the digital-security component.”

Security by design is a software engineering concept that has been widely used for high-risk, high-consequence systems and instrumentation and control systems, such as in nuclear power and aviation. But while this concept is often leveraged to ensure that a disciplined practice of coding and testing accompanies the creation of software, it is less often applied to an entire hardware or software system.

The Idaho National Laboratory (INL), a function of the U.S. Department of Energy focused on nuclear research, has developed a concept called “cyber-informed engineering,” which describes the process of eliminating vulnerabilities from the conceptual phase of designing technology through the deployment and operational phases. “Cyber-informed engineering ensures that the development of functionality within a system is balanced with the development of mechanisms to ensure that functionality cannot be misused or redirected to catastrophic purpose,” says Virginia Wright, the energy cyber-security portfolio manager at the Idaho National Laboratory. “By protecting against the potential for misuse throughout the development life cycle, we limit the need for bolt-on security solutions.”

This allows for organizations to embrace what INL refers to as “consequence-driven cyber-informed engineering,” a methodology that ensures the most critical functions of a digital system are engineered to be resistant to vulnerability.

The security of our critical infrastructure is deeply entwined with an ability to trust that the components used to build and operate digital infrastructure are protected from cyber threats. This trust depends on knowing what constitutes digital supply chains. Having line of sight into what “ingredients” are in our critical infrastructure is becoming a priority for cyber-security practitioners, who hope it will become a priority for safety-critical device original equipment manufacturers as well as processing and manufacturing asset owners and operators.

The cyber-security landscape for critical infrastructure sectors is evolving. The food and agriculture sector must look to security by design to safeguard food systems. Introducing transparency into the software, hardware and firmware supply chain is evolving into a best-practice standard for embracing a zero-trust digital infrastructure environment. The exchange of software bills of materials, which list the components that make up the software, allows transparent analysis of the pedigree and provenance of digital components within software, hardware and firmware that will impact mission-critical operations in critical sectors.

North says companies overlook their cyber supply-chain risk management and third-party risk-management at their own peril. “Over the last two years, we’ve seen such a focus for insureds on their internal cyber/network security that many of them have neglected the third-party or vendor risk that they face,” she says. “But it only makes sense that, if you are bolstering your own procedures, anyone with access to your network should practice that same level of security or better. Contractual requirements are one way companies can protect themselves. Requirements for baseline controls or those that match a company’s own standards can be critical.”

Knowing the provenance and pedigree of digital infrastructure that will make its way into critical OT and IoT systems before it is deployed is ideal. But identifying the vulnerabilities in the digital components that are the backbone of these systems is vital to ensuring security by design. Additionally, understanding what ingredients are already deployed in OT, IoT, and industrial IoT systems is also necessary. In some cases, the best cyber-security fix will be an analog solution.

“Because one can never know if the security controls they’ve put in place are enough to stop adversaries in their tracks, employing non-digital failsafes and backstops for the processes and functions that matter most is essential for ag and other companies operating in 2021 and beyond,” says Andrew Bochman, co-author of Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering.

Bochman emphasizes the need for organizations to prepare a Plan B—“and to plan for disruption or worse in advance of it actually happening. Organizations need to know what will be done when the computerized systems upon which they have become so dependent are no longer working or are no longer under their control.”

But Jablanski, of Nozomi Networks, says things are unlikely to change until customer demand changes. “Until the demand from customers arises to ensuring that asset owners and operators have better visibility into their digital supply chains and greater network security, things are likely to operate as business as usual,” Jablanski says. “The same goes for technology vendors and the need for better security by design for devices and solutions.”

Whether insureds take it upon themselves to demand best practices, NAU Country’s Deal says, will depend on the policyholder. “It has to make fiscal sense to the insured to justify the cost, which will be different for each individual,” Deal says. “As cyber risk and increased media around cyber risks are present, I am sure this will cause a heightened awareness of the emerging threats to many and a potential increase in spending on security.”

Driving Cyber Resilience  

Labelling the financial services industry as potential cyber juggernauts may be taking things a step too far. Or is it? The industry has deep expertise that can be leveraged to marry existing risk and opportunity profiles with emerging best practices in mitigating cyber-security risk. “Supporting long-term risks is the basis of the insurance industry’s value proposition,” says Monica Tigleanu, senior cyber underwriter at Munich Re, “making them well placed to manage the inevitable volatility that will ensue as the world transitions to a more sustainable future.”

The industry’s position in risk management means finance and insurance stakeholders need to understand the full nature of security risks presented by smart devices and digital OT infrastructure. Tigleanu says this understanding is already happening to some degree but more innovations in underwriting, claims and actuarial analysis are still evolving. She says it’s likely best for the insurance industry to work with third parties to perform digital due diligence. It remains unclear, however, what cyber-informed due diligence of digital infrastructure will look like.

In the absence of cyber-security regulations for the food and agriculture sector, there is little incentive for the industry to treat their digital assets as a systemic risk. Moreover, what constitutes sufficient cyber security is left to interpretation. Arguably, even when regulations emerge on the scene, whether imposed by government or industry, the financial services industry will likely have a role to play.

“Technology is a driving force in the world today, and agriculture is advancing,” Deal says. “People often don’t realize how technology-forward the agricultural industry is, from large agriculture forces like John Deere to individual producers embracing technical advancements. New AI, drones, seed modifications and growth models are just a few of the advancements that allow producers to achieve higher yields and more sustainably than ever before. We are all aware that with new technology come new risks. Most in the industry—including the USDA, the Risk Management Agency, Approved Insurance Providers and Crop Insurance Agents—are taking security to a new level and are continuously evolving with the technology to mitigate those threats.”

Ensuring the safety of our food systems from cyber risk, North says, will take a collaborative effort on the part of both industry and government. “Sharing of knowledge and best practices between the public and private sectors will allow us to establish the most resilience to cyber threats in the food and agriculture sector,” North says. “Insurers have the ability to provide financial protection as well as critical services. Cyber-security firms have data on the threat actors and attack trends. And governmental agencies have a mix of security data, industry metrics, and the ability to enforce certain requirements. Think how valuable a combination of all this could be for companies in deciding how to integrate technology into their business and do it both effectively and securely.”

Melissa Hersh is a global risk and strategy consultant and principal at Hersh Consulting.
