Subscribe
Share
Share
Embed
Welcome to Agriculture and Agri-Food Canada’s podcast series that explores the freshest ideas in agriculture and food. Each episode explores a single topic in depth—digging deep into new practices, innovative ideas, and their impacts on the industry. Learn about Canada’s agricultural sector from the people making the breakthroughs and knocking down the barriers! Farmers and foodies, scientists and leaders, and anyone with an eye on the future of the sector—this podcast is for you!
Ali: It was January 2019 that I received a call on my office desk from the person that I know later on was a farmer and he was reading a ransomware message for me and telling me that, this is what I see on screen. What should I do? And I was like, don't do anything. I'm coming over to help. Don't touch the keyboard, don't do anything because, you know, when there is ransomware attacks, attackers are actually monitoring everything, and there is a counter on your screen. And that opened my eyes on this new sector. I had never worked in agri-food before 2019, I was very much focused on the financial and defense sector.
Kirk: That one unexpected call set Dr. Ali on a new path: bringing his cyber security research and expertise into agriculture. Since then, he has founded the Cyber Science Lab at the University of Guelph. The lab is a true leader and innovator in our sector, identifying and countering cyber risks while also training a new generation of advanced cyber security professionals to protect our farms and food system.
In this episode, Dr. Ali explains where farms face the greatest risks and what practical steps producers can take to be more secure. And he’s got some sobering stories to share along the way — from helping a chicken producer facing an attack to living incognito among hackers in Eastern Europe.
Marie-France: We will also hear from Charles-Félix Ross, who tells the story of how Quebec’s Union des Producteurs Agricoles – or UPA -- was hit by a ransomware attack back in 2022. He’ll explain how he led the organization through it, and the lessons learned.
Kirk: Before we wrap up the episode, we’ll share a Cyber Security Toolkit from us here at Agriculture and Agri-Food Canada — with checklists, guides and information you can put to use right away.
Marie-France: Welcome to the First Sixteen, a podcast about innovators and innovation in Canadian agriculture. I am your co-host Kirk Marie-France Gagnon.
Kirk: And I am your other co-host, Kirk Finken.
Marie-France: So Kirk, returning to your conversation with Dr. Ali. I am curious to know what stood out for him when he started focusing on agriculture and cyber security?
Kirk: I think it was just how much digital technology was already in use on Canadian farms.
Ali: The more I engaged myself in the community, the more I found interesting stories and how vast is this sector, how much technology people are using in this sector that was surprising to me, right. And how much forward thinking are the farmers and the people in Canada, trying to improve the performance and productivity through digital technologies. That's, by its nature, increasing the attack surface or the cyber risk.
Kirk: So we heard about some of that risk at the start there with the farmer who called you, I know you are a small lab operating in southern Ontario, not a large company, but can you give me an idea of how many calls you get?
Ali: Sure, in Southern Ontario in 2024, we as a small lab, responded to 46 incidents right. And, you know, when we are called for that incident, it's actually a big thing, because that means the farmer is seeing the message, the attackers are starting to either share the information or communicating with the target, which means they're well advanced in the in terms of the attack stage.
Kirk: When you say they’re very advanced by then what do you mean?
Ali: If you look into the steps of the attack usually what the attackers would do is when they get access to a system, first they try to steal any private identifiable information, like credit cards, like customer information, all those things. But all of these steps they try to hide themselves. They try to make sure that the user, the owner of the system, or even the cyber security team cannot detect them, cannot find them. All the attackers out there know that the moment they drop a ransomware, the user would see a message. That's the intention of the ransomware, right? So they would only do so when they are done with the system.
Usually these activities are done by different hacking groups. So we have like one hacking group specialized in getting into the system and stealing those private information like credit cards, data, right. Then once they are done, they are creating a backdoor and pass it to the next group. That group is more about attacking other systems. That's why when you see a ransom message, it probably means that the attackers have been in your system for quite some time.
Kirk: Oh wow….And in those situations, some have called you. What has been the scariest example of a cyber attack on a farm that you've seen?
Ali: Well, the scariest for me was a chicken farm attack back in 2023. It was late December, I was on holiday with the family when we received the call, the guy was panicking on the phone. And he was like, “I'm losing control of the temperature in my barn, and the chicks are dying.”
He was telling me that if the temperature is changing for more than 15 minutes, chicks start dying, right? And that was quite an eye-opening for me, that we have a subsector in the agrifood that the response time for a cyber attack could be 15 minutes only. And you do not see it in other sectors or many other sectors. For example, comparable would be financial sector and maybe defense that they require such a short response time.
Kirk: The response time for poultry is short, but it also applies to a lot of operations – anything to do with livestock and greenhouses all have controlled and automated heating and ventilation systems. Wow. So what other gaps or weaknesses do you see that producers have to pay attention to?
Ali: I would say from the farmers, producers, owners point of view, the main weakness that I see is they are not considering cyber security as something that they are responsible for. They are seeing that the vendors are responsible, which is not true. You know, cyber security is always the owner, the business owner responsibility, regardless of what business you are running.
Kirk: That in itself sounds like a weak link — farmers thinking vendors are responsible, but vendors not always able to help.
Ali: So you can use vendors technology but still the liability and responsibility lies on you. And what I have seen in many attacks is because the forms are quite sophisticated and they are having different vendors even when the attack happens. That vendor may not have the resources to help the farmer, or even if they do, they don't know what is the source of the attack. Is it from their technology or other technology? So no one dares to touch anything.
Kirk: Is there anything that can guide farmers and vendors?
Ali: You know, currently there is no cyber security standard or requirement for agri-food sector. So technically the vendors can sell any product that they like, right. And because of lack of any understandable standard, there is no incentive for the vendors to invest in improving their cyber security. Secondly even for those vendors who are thinking about security, their communication lines are like “We’re in compliance with ISO 27001”, which is meaningless for a farmer.
Ali: We need to have cyber security standards that can be understandable. So you want a kind of ranking of A, B, C, D or high, medium, low, right? We have it in other sectors. For example, if you go to the utility sector, Ontario Cybersecurity framework that’s like 4 levels 1,2,3,4.
Kirk: Okay. So we need some industry standards. If you’re a government standards person-slash-cyber-security person and you’re listening, you have an assignment. As for the farmers, where can they start? They can’t wait around.
Ali: I remember I was working with a dairy farm owner, that his farm has been attacked. And after he responded to the incident and recovered, he was asking me, “Ali why those attackers came after me?” And my answer was because you were not secure, you were low hanging fruit. If I am an attacker and with two clicks, I can get access to your computer, to your systems, I definitely would do that, right. If you are an easy target, attackers would come after you regardless of where you are in the world or what you're operating.
Kirk: That’s a great point. Take us into the mindset of the hackers. I think this will help.
Ali: I have spent some time during my post-doc in Eastern Europe, living with those hacking groups so I could understand how they behave, right. Most of these hacking teams are operating like companies, normal companies. They go from 9 to 5. Even those hackers have their own family and priorities, right? So they will get a list of the targets and from that list, they try to identify which one are the easiest for me today to attack. That's how most of these cybercriminal groups are operating, they want to optimize their return. And, you know, from someone sitting in the Eastern Europe they are just scanning and searching their targets by IP addresses. They don't care. They don't even know that you are a southern Ontario farmer or not. They are seeing an IP address which is weak and they go after that.
So the rule of thumb for everyone in cyber security, especially the farmers, is don't be that weakest targets right. No one in cyber security even myself do not expect the farmers to invest significantly in cyber security but you need to invest enough that you are more secure than other targets. So the attackers go after others, not you.
Kirk: Marie-France, what I heard from Dr. Ali was an uncomfortable, but also very simple message. There are multiple pieces of tech on a farm that can be entry points for hackers. The criminals are scanning, looking for the weaknesses. You need to just follow good cyber security practices so there are no weak points.
Marie-France: Putting myself in the boots of a producer, the risk is a little unnerving. But it’s eye opening to know that anonymous criminals in another country are just doing this as a 9 to 5 job?
Kirk: Yeah, on the other hand, the more we talk about it, you can scare yourself sure, -- it’s kinda like coyotes. You know they’re out there. You know how they operate, what they’re looking for. You also know how to protect your livestock -- predator-proof and electric fences, among other things. So you just do the right things.
Marie-France: And what are the right things to do in this case? Did Dr. Ali talk about how folks in our industry can protect themselves against hackers?
Kirk: Yes, he did give some pointers.
Ali: The biggest advice I can give to the farmers is to build a plan. What would happen if you are impacted by the cyber security cyber attacks? Or at least document that you yourself have attended a couple of online workshops in cyber security, online training in cyber security.
Because in cyber security we have three pillars : people, process and technology. For the people, we can have training education for the process, that's your internal process. Think about it how you can make it more secure. And of course investing in cybersecurity defense and detection technologies. Please start thinking and showing some actions in at least one of these three pillars, people, process and technology.
And you know, it is not a shame if you get attacked, everyone gets attacked. Even big companies get attacked, right? But you need to have a plan in mind and you need to be prepared for that day.
Kirk: Have you seen examples of farmers who are really leading on this?
Ali: Yes I have seen quite a number of farmers that are adopting new technologies, and at the same time, they are thinking about cyber security. Last year, in 2024, I was in AAFC annual conference, and I had a conversation with one of the farmers that after my talk, he came to me and told me, “Ali, I have been working with that vendor. And they told me that if you want to use your technology, you need to disable your firewall. And I told them, no way. You need to build your technology to work with my firewall.” And that was to me was like, wow, great, you're achieving something here, right?
So the business owners start asking the vendors, what are your cyber security protection or mechanisms that you have or they start deploying firewalls? I have even seen some of the dairy owners that they are conducting regular vulnerability assessment, right? Maybe twice a year.
When you conduct an assessment, vulnerability assessment, security assessment, you would have a clearer picture of what are the weaknesses you have. But it doesn't mean that you have to address all of them. You may decide and you may document that I accept some of those risks, or I plan to address them next year. If you are being attacked, if you pass that report to your cyber security professional, you have saved him or her a lot of time because you probably know what your weakness is, and they go after those that can be exploited.
Kirk: And so what about internet service providers? Is there anything farmers can do to ensure they have some basic protection?
Ali: I am seeing more and more farmers that, when even they are working and talking with their, um, internet service providers, they are telling them that I am running this business, what are the kind of protection you can offer me? Right? A lot of these telecom companies can provide a good level of security protection for your business or for your network free of charge, because they want to keep you as a client over there. Right? It's not the best, right? But it's better than nothing. If your telco company has a feature, enabling that alone would show to any attackers that you have a firewall and you are you are a more difficult target than the one that doesn't have the firewall.
Kirk: And so, one of the questions that farmers are always asking you know, what does it cost to protect the farm?
Ali: My rule of thumb is always $1 more secure than your peers. Because if it costs the attackers $1 more, they will not come after you if you go after another target, right. So that could be your rule of thumb, right? Of how much you want to invest.
Kirk: Ha ok, is there another benchmark?
Ali: In other sectors, financial sector, even transport, usually the cost of cyber security is 20% of the total IT cost. I haven't seen any farmers so far that they are investing that much in cyber security. Right. We are talking about much less than that but it costs you nothing to start the cyber security journey. You can easily go get the security self-assessment forms, either from our website. Just fill out those self-assessment forms. We have sector specific forms, for beef, for dairy etc. After filling those forms you will get some action and some advice. So you know what's really good to start with, right.
It costs you very little to send your staff or yourself to some of the cyber security awareness trainings, right, or online. I know that some societies and organizations like OMAFRA are running cyber security tabletop exercises. If in your area you are getting that chance, definitely attend those you know in the tabletop exercises what is happening is cyber security experts are putting you in a scenario that an attack has happened and you need to make decisions. So you go a step by step so you can feel and you can understand what decisions should be made during an attack, right. So that would prepare your mind significantly.
Kirk: What about buying cyber insurance?
Ali: By the way, that's a great, way, right? I mean, if your farm doesn't have cyber insurance, buying your cyber insurance will help you a lot because that would really significantly reduce the cost in the cyber attack and the insurance company helping you in terms of improving cyber security, right. But buying cyber insurance would not tell to the attackers outside that you have a protection in place right from their point of view you are like any other target. Invest in a firewall, invest in an IDS, Intruder detection system, invest in a proxy, that is visible from outside that are visible to outside attackers that would have a much better return on investment. I fully understand that cyber security is still among the most expensive IT services out there.
We at the University of Guelph, uh, or in collaboration with other parties, always try to push government to subsidize and support our farmers to achieve a good level of cyber security in the same way that they are subsidizing, say, bio security services. They need to help farmers to get to a good level of cyber security.
Marie-France: I can just say wow — this is great stuff. What stuck with me is Ali saying, start small. Every step makes you less of a target.
Kirk: Yeah and some of those tips will be in the documents we will share at the end there too.
Marie-France: And you know he also mentioned something important — tabletop exercises.
Kirk: Those exercises matter because in a real incident, there’s no time to figure things out from scratch — you’ve already mapped it out.
Marie-France: You have your plan B already availible. And that brings us to my conversation with Charles-Félix Ross. As Director General of the Union des Producteurs Agricoles in Quebec, he led the organization through a ransomware attack back in 2022. It was not a table top exercise. It was real.
Charles-Félix Ross: We were in the middle of our vacation, I was with my wife in France, and I received a call from my IT director, and he informed me that all of our of our computer networks, were out of order, completely paralyzed, jammed. We serve, more than 1000 customer, many organizations, we deliver services to the producers, sales agency, all the network were paralyzed.
Fortunately we had Cyber security insurance, and the first thing to do was calling the insurer, and they recommend us a breach coach, uh, a lawyer. She was very calm. She knows she she's a specialist in computer hacking. And every week she has to manage that kind of crisis.
Marie-France: It wasn't her first rodeo.
Charles-Félix Ross: No, not the first one. It's true. They, they had a swat team to help us and they are very specialized in computer science. And they recommend you to also to hire the negotiator because the, uh, the hacker was we're asking us for a ransom and, no, you can’t try to negotiate with them directly. You don’t know how they behave or who you are talking to. And the negotiator he is a specialist on that. He knows not all of hackers, but he knows many, many of them because his works is to negotiate with that kind of people. The negotiator start, having, discussions with the, the hackers, he told us that they were good hackers. Good, uh, good pirates, because they have their words, they respect their words. They have a good reputation. And, uh, on the web or the dark web. He told us you need to save time, so you need to have time because you're KPMG teams, they need to evaluate, what are the damages of your on your systems. Are you able to now rebuild the system and to know back on the services to your customer, you need to know, if the hackers succeeded to exfiltrate the to get some data, confidential information from your system in your data bank, and, and we need the time to evaluate all the situation.
And, you know, two weeks later, we were able to, with the help of KPMG, with the help of the negotiator and the lawyer firms, to rebuild our system and restart our, our system. And, uh, and two weeks after 2 or 3 weeks after everything was we were out of the crisis.
Marie-France: And Charles-Felix can you tell me a couple of lessons you learned from this ordeal?
Charles-Félix Ross: Two lessons. The first one is in that kind of situation you need to stay very calm and focused, and, uh, you need a leadership too, you need a captain on board. I was the executive director of UPA it was my responsibility at that time as an executive director to take the leadership. But we need the leadership to manage, you know, the people to want to help me, KPMG, the breach coach and manage also making the link between this team and my team and making the links between the my board of directors and my employees and the expert. In a crisis you need a leadership, you need a captain. And the second lesson was the you need to be very transparent. We gave the information what's going on to our customer, to our partners and the breach coach at the first time they say how you need to say nothing, keep it confidential, don't say anything. For our organization, where we are a confederation, 38 affiliated groups, we decided to be very, very transparent about what's going on. And, and people appreciate that.
They told us we, we want that you put the energy and the resource that never happen again. But, you know, they were not say you didn't do that and you they were not criticized. They were they were very supportive of the action we do to be out of the crisis.
Marie-France: What would be your advice if, producers and organizations that are listening to use right now?
Charles-Félix Ross: It's to prepare to be attacked. The big advice it's if it if it happens to my system know what is the plan? Do I have a cyber security insurance? Do I have a breach coach? Also if you work with other firms or organizations and you, you exchange data, you exchange services. But we need to ensure that this organization, their system not a place where the hackers can enter. And after that, enter in your system. After the cyber attack, we ask some of our customers to increase their level of security in order to protect us too.
Kirk: Marie-France, That was a real eye-opener. I just think that within my own family – and most farms are family run – within my own family I should be doing a cybersecurity assessment and plan. Even a table top exercise.
Marie-France: That’s a great idea and to help you as Dr. Ali said, cyber security doesn’t have to be overwhelming. Start small — do an inventory, train your people, and put some basic protections in place. Each step makes you less of a target.
Kirk - And from Charles-Félix, the lesson was clear: when an incident happens, leadership and transparency make all the difference. Have your team and your plan ready before the crisis comes.
Marie-France: A huge thank-you to both Dr. Ali Dehghantanha and Charles-Félix Ross for sharing their knowledge and their experiences with us.
Kirk: And if you’d like practical support for your own operation, Agriculture and Agri-Food Canada has created resources for farmers — including checklists, guides, and toolkits. You can find them by googling AAFC cyber security and your farming business.
Marie-France: We’ll link it right in the show notes so it’s easy to find. And until next time,
Kirk: Try something new….
Marie-France: Like a strong password that’s not your dog’s name or 1-2-3-4.