Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

Hacking the Harvest: Jonathan Braley on Ransomware, GPS Disruption, and Securing U.S. Agriculture

Season 2 Episode 26 •

Show Notes

In this episode of Cyber Focus, Frank Cilluffo sits down with Jonathan Braley, Director of the Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC), to explore the growing cybersecurity threats facing the U.S. food and agriculture sector. They examine the integration of operational technology (OT), the rise in ransomware attacks on farms and food producers, and the fragile nature of supply chain cybersecurity. Braley highlights why even small farms are increasingly targeted and how awareness, threat intelligence sharing, and proactive cyber defense strategies are essential. The discussion also touches on the geopolitical dimensions of agricultural cybersecurity, with examples from Ukraine, Israel, and China.

Main Topics Covered:
• Why cybersecurity threats matter in the agriculture and food production sector
• The risks posed by operational technology (OT) and GPS disruption in precision agriculture
• The impact of ransomware attacks on small farms and supply chain resilience
• Emerging cyber threats tied to foreign adversaries, disinformation, and intellectual property theft
• New technologies in agriculture: AI tools, drones, and autonomous farming systems
• The importance of cyber threat intelligence sharing and public-private collaboration in agriculture

Key Quotes:
“Historically we all have this picture of a farm in our heads with the manual tractors and people out on the fields. But there’s a lot of technology now baked into the food and agriculture sector.” – Jonathan Braley
“If we’re relying on our precision agriculture without a backup plan, when [GPS] goes down, it’s not going to be a good situation for us.” – Jonathan Braley
“Anywhere along that [supply] line, one of those companies has a cyber incident—it’s going to impact everybody.” – Jonathan Braley
“The ransomware group seemed to have an understanding of the nature of food and ag, and they hit them when it was most impactful [during peak planting and harvesting season].” – Jonathan Braley
“The more we can share with each other [across government and industry], I think we have a better chance of protecting ourselves.” – Jonathan Braley

Relevant Links and Resources:
• Food and Ag-ISAC: https://www.foodandag-isac.org/
 Cybersecurity Information Sharing Act of 2015 (CISA)

Guest Bio:
Jonathan Braley is the Director of the Food and Ag-ISAC, a key hub for cybersecurity information sharing across the food and agriculture sector. He also serves as Director of Threat Intelligence at the IT-ISAC, where he supports some of the world’s leading technology companies. Braley’s work focuses on improving cyber resilience in agriculture, helping farms, suppliers, and food producers detect and defend against ransomware, OT threats, and supply chain vulnerabilities.

Transcript

1
00:00:00,000 –> 00:00:01,000
Jonathan Braley [00:00:00]:
You’ve got the packaging, you’ve got the logistics, you’ve got the transportation, you’ve got the grocery stores. And all of a sudden you have 10 companies all involved in this one product that you’re trying to sell. Anywhere along that line, one of those companies has a cyber incident. It’s going to impact everybody.

2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:15]:
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week I have the opportunity to talk about a sector that doesn’t get as much love as I believe it deserves in the, in the cyber community, and that’s the food and agriculture sector. And couldn’t have a better guest than Jonathan Braley, who is the director of the Food and Ag ISAC, Information Sharing and Analysis Center. I think given the theme and the topic, we want to step back and actually take a look at what the sector encompasses and entails and then get into the threats they’re facing today. So, John, thanks for joining us today.

3
00:00:02,000 –> 00:00:03,000
Jonathan Braley [00:00:55]:
Sure thing, Frank.

4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:00:56]:
So I thought maybe as I sort of just teed up to rewind a little bit, when we think food and ag, I think most people don’t think technology, they don’t think cyber. Can you help shape what the landscape looks like and why cyber matters?

5
00:00:04,000 –> 00:00:05,000
Jonathan Braley [00:01:13]:
Yeah, I think historically we all have this picture of a farm in our heads with the manual tractors and people out on the fields. But there’s a lot of technology now baked into the food and agriculture sector, mainly to be more efficient. We have smart sensors and switches, smart irrigation systems, there’s precision agriculture technology where these tractors are driving themselves and all that’s been great. We’ve become a lot more efficient. The, the stress with, as our population grows, you know, we need to meet those demands and the technology has helped us do that. But every time you start to introduce new technology into these sectors that historically didn’t have it, there’s some risk associated with that, especially when you have internet connectivity and things like that. You’re going to have all these new devices that are going to potentially have vulnerabilities that you’re going to have to patch, that you’re going to have to monitor for threats against. So, you know, the food and ag is just like any other sector.

6
00:00:05,000 –> 00:00:06,000
Jonathan Braley [00:02:06]:
We’re all integrating this new technology and it’s going to be a challenge for them to kind of adapt to the risk there.

7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:02:12]:
And third party risk, supply chain, it does touch every sector. But when we think about agriculture, I think it has some unique challenges, and I think GPS immediately and assured positioning, nav, timing and the like. But, but I don’t want to lead the witness here. Is that the way we should be thinking about some of these issues?

8
00:00:07,000 –> 00:00:08,000
Jonathan Braley [00:02:34]:
Yeah, I mean GPS is big. And then operational technology as well. There’s a lot of manufacturing.

9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:02:40]:
Singing our song here.

10
00:00:09,000 –> 00:00:10,000
Jonathan Braley [00:02:41]:
Industrial control system, so yeah, it’s kind of across the board and it’s the same challenge. The farms themselves are bringing in technology, but also the manufacturing, again, they were, you know, used to air gap them, right? You didn’t have any internet connectivity, but now you want to be able to remote in, right?

11
00:00:10,000 –> 00:00:11,000
Jonathan Braley [00:02:59]:
So if there’s an issue, you don’t want to call someone at 2 in the morning to drive in. You can just get in there and remote in. You don’t, you want to have logistics. So you might have facilities across the country for inventory and all that. You want to make sure that those are connected. And then for security, kind of a double edged sword. When you are connecting these facilities to the internet, you can also bring in a lot different technology that’s also helping defend yourself.

12
00:00:11,000 –> 00:00:12,000
Jonathan Braley [00:03:23]:
So there’s a lot of reasons we’re seeing this kind of shift from these air gap facilities to bringing all this technology. And I think it’s all beneficial. But again, we just have to be careful and make sure we understand the risks there.

13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:03:33]:
And these aren’t only big farms. Right? It’s also small farms that get into this. And for transparency, the McCrary Institute does support the food and ag sector in both research and more broadly around cyber, specifically poultry and timber and the like. But what does it mean for a small farm?

14
00:00:13,000 –> 00:00:14,000
Jonathan Braley [00:03:57]:
Well, the larger farms, they are fairly mature. We work with these groups and what’s always surprising to me is they do have large security staffs. They’re proactive. You know, they’re working with our ISAC and sharing what they’re seeing. But there’s a vast supply chain, right? We have all these small partners and suppliers and they’re working closely with these groups as well. So that’s their challenge is not only are they defending themselves, they have to be interconnected with these small companies that likely don’t have security staff, they don’t have the resources.

15
00:00:14,000 –> 00:00:15,000
Jonathan Braley [00:04:29]:
They’re worried about growing crops, right? They’re not thinking about the adversary that’s going to come in and hack their new technology that they just brought onto their farm.

16
00:00:15,000 –> 00:00:16,000
Frank Cilluffo [00:04:38]:
And it’s already a very busy job. You just look at the sector, 5am they’re already doing more than most people do by 10am, so adding this on to responsibility is a tough issue. And I might note that it’s every sector, you sort of see the small and medium sized businesses in particular assume the same risk but obviously don’t have the same resources. And how do we square that circle? Any thoughts? I think that’s where the ISAC comes in.

17
00:00:16,000 –> 00:00:17,000
Jonathan Braley [00:05:08]:
Yeah, that’s one of the things we’ve been doing is, and our members ask us, right? Some of the more mature companies that our members are saying how can we help the supply chain. Ways we’re doing it, we do produce analytical products for free that we’re trying to distribute widely. But one thing is just trying to raise awareness to the actual threats because I think a lot of them, they don’t have a way to consume that. I mean you and I talked before that not a lot of reporting happens for the food and agriculture sector, right? The threats are there. We see the threats and I think for them there’s this, there’s this gap in awareness. And what’s concerning to me, and I’m sure we’ll talk about ransomware in a little bit.

18
00:00:17,000 –> 00:00:18,000
Jonathan Braley [00:05:43]:
But a lot of the cyber attacks we’re seeing are opportunistic. So it’s not that these adversaries are specifically going after food all the time, but it’s just the nature of them using mass phishing, scanning for publicly exposed systems. They’re just going to happen to come across farms. And we hear it all the time where, you know, these small businesses will say, you know, why would anyone take the time to attack us? We’re so small. But they don’t understand that they’re going after everybody. If you, if you have a vulnerable system, they’re going to go in there and they’re just going to cater whatever financial demands they want based on your revenue.

19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:06:15]:
And if you can maybe drill a little deeper on what that risk profile looks like. So you mentioned OT and industrial control systems and that’s potential life, death, sorts of scenarios. But also IT with ransomware and the numbers are staggering, they are jumping pretty high. So if you want to maybe give a little snapshot of what that risk profile looks like.

20
00:00:19,000 –> 00:00:20,000
Jonathan Braley [00:06:38]:
Yeah, I think ransomware, year after year we’re seeing a steady increase in it, which is definitely concerning to us. And I think it was 212 attacks against the food and agriculture last year. And this is large companies and small companies. And again that opportunistic nature, what we’re kind of seeing now where historically we’d see the generic phishing, maybe they’re going after a vulnerability that’s popular. Now we’re seeing them as soon as a critical vulnerability comes out, they all kind of jump on the same vulnerability. We see the exploitation start, we see the proof of concepts where people design the actual exploit get posted online. And then we see all these ransomware groups kind of run through the different victims that didn’t take the time to patch. So for a mature company, they’re going to know about it, they’re going to see the report.

21
00:00:20,000 –> 00:00:21,000
Jonathan Braley [00:07:28]:
But for a small company, you know, they might not even be aware that they have a vulnerable product, right? So there’s going to be this large gap in time where unless the vendor is telling them or their larger supplier is saying, hey, if you’re using this, you need to patch it, then it might not happen until they have a cyber incident.

22
00:00:21,000 –> 00:00:22,000
Frank Cilluffo [00:07:43]:
Very well said. And this is not science fiction. Any examples that sort of, I go back to, we all paid attention when JBS got hit, but I think part of that was because it was riding the wave in the wake of the, the big Colonial Pipeline hack. But I think there’s some other incidents, whether it’s in Ukraine or others, that I think have stark implications.

23
00:00:22,000 –> 00:00:23,000
Jonathan Braley [00:08:09]:
Yeah, I would say, you know, in the US a few years ago, there were several food cooperatives that they were hit with ransomware during peak planting and harvesting season. So what was concerning there is the ransomware group seemed to have an understanding of the nature of food and ag, and they hit them when it was most impactful. So that was eye opening. And then your point on Ukraine, we could probably look at the John Deere tractor situation.

24
00:00:23,000 –> 00:00:24,000
Frank Cilluffo [00:08:33]:
That was a pretty big deal. Yes?

25
00:00:24,000 –> 00:00:25,000
Jonathan Braley [00:08:34]:
Yeah. So in that case, you know, Ukraine’s being bombarded by Russia. We’ve seen GPS go out. So we already know that that region where they’re relying on things like precision agriculture, they haven’t been able to. They’ve had to revert back to these manual operations. But then we saw Russian adversaries actually try to take control of their tractors, right? So why?

26
00:00:25,000 –> 00:00:26,000
Jonathan Braley [00:08:53]:
Maybe they would use them themselves, maybe they would use them, you know, for war type of things. But in that case, it was, it was beneficial that John Deere was actually able, they had some kill switches where they could kind of turn those, turn those off so they couldn’t be used against them. But you can imagine the ramifications if they had all control of these very large tractors and can do what they want with them.

27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:09:12]:
I mean, we recently had Peter Singer on, who wrote a book called Ghost Fleet. If you think about it, it really is the potential to turn your own technology into zombies. And that is not science fiction. That has happened. And when you think about Ukraine, I think GPS has become a luxury, right? They basically have to figure out how to operate everything without that capacity and capability.

28
00:00:27,000 –> 00:00:28,000
Jonathan Braley [00:09:36]:
Yeah.

29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:09:37]:
And I think that has similar implications domestically, does it not?

30
00:00:29,000 –> 00:00:30,000
Jonathan Braley [00:09:42]:
It does. We actually, we did an interesting exercise on GPS earlier this year with some universities in Mitre and what we kind of found is we’re very fortunate. We don’t see a lot of disruptions to GPS in the US. There’s instances of spoofing and jamming, but you know, we can all pull our phones out and GPS just kind of works. But what, what we need to start thinking…

31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:10:02]:
Can’t take it for granted though.

32
00:00:31,000 –> 00:00:32,000
Jonathan Braley [00:10:03]:
Yeah, we do, we do. But if, if we look at these global political conflicts that are happening, we see that GPS is one of the first things that’s interrupted. So if we’re not prepared for that, not saying, you know, we’re going to have a global conflict, but we need to prepare.

33
00:00:32,000 –> 00:00:33,000
Jonathan Braley [00:10:15]:
If we ever had an incident with a foreign adversary that that’s one of the first technologies that might go. And if we’re relying on our precision agriculture without a backup plan, when that goes down, it’s not going to be a good situation for us.

34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo [00:10:27]:
And when I think of agriculture, trust, confidence is integral in all cyber communities, but the potential for even disinformation around food and ag can have massive implications and a run on confidence. Is that true?

35
00:00:34,000 –> 00:00:35,000
Jonathan Braley [00:10:46]:
Yeah. Some of the nation state groups and hacktivists, I mean they’re trying to, fear uncertainty and doubt is their goal, right? So we’ve seen them go after the water sector, telecommunications, not a big stretch to think that they wouldn’t go after food, right? If they’re trying to make our government look bad or make us insecure about our own food, that would be definitely within their goal set. So I could see food being targeted as a means to cause a massive US disruption but also cause the, yeah, the panic, yeah, yeah.

36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:11:17]:
And the food supply just in time is becoming a bigger and bigger and bigger issue in agriculture, which is great from an efficiency standpoint, but it also is a potential single point failure or something we need to be thinking about.

37
00:00:36,000 –> 00:00:37,000
Jonathan Braley [00:11:31]:
Yeah, it’s definitely a double edged sword. We want to, we don’t want to waste food, right? So you’re creating this food at the level that it’s being consumed, and that’s just the nature of it for profitability, but also, you know, without having the waste. And that also makes it fragile, to your point. And it’s not like, I work with the IT sector as well. They have products that just last, right? These are perishable things.

38
00:00:37,000 –> 00:00:38,000
Jonathan Braley [00:11:54]:
And because it’s, it’s delivered in that just in time nature, even a minimal disruption, you know, could cause you not to find your food on the shelf or cause a partner you work with, they have a disruption, you might have to jump to a different partner, so.

39
00:00:38,000 –> 00:00:39,000
Frank Cilluffo [00:12:08]:
Or even an ingredient.

40
00:00:39,000 –> 00:00:40,000
Jonathan Braley [00:12:09]:
Right. Even an ingredient that’s commonly there is a big issue.

41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:12:12]:
And I just think that the elasticity, and this is again, every sector faces that just in time and for good reason. I mean, we want to be efficient, but we also need to recognize the potential consequences. And do you all do tabletops for entities, or how do you get a small farm to think about some of this?

42
00:00:41,000 –> 00:00:42,000
Jonathan Braley [00:12:35]:
Yeah, for us it’s been awareness, producing the public reports. We do the cybersecurity guide.

43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo [00:12:42]:
Threat Intelligence.

44
00:00:43,000 –> 00:00:44,000
Jonathan Braley [00:12:43]:
Right, right. We’re pretty active on social media. But again, I think we’re always going to have that challenge is, you know, they’re not always aware, they’re not plugging into that. So that’s where, you know, we do, even though we’re, we’re made up of private entities within the ISAC, we do have relationships with the USDAs and the CISOs. And we’re hoping that groups like that and the universities that we work with can help get the word out. Because, you know, the universities are usually plugged very well into those local farms.

45
00:00:44,000 –> 00:00:45,000
Frank Cilluffo [00:13:08]:
Especially land grants, and I’m biased here because Auburn is a land grant, but, but in some ways building off of that infrastructure and integrating cyber, they already know the role that a land grant university and their local offices play. So speaking about the feds, I mean, USDA is designating the Sector Risk Management Agency for cyber. I don’t want to put words in your mouth, but when we were at Solarium, we were less than pleased with the resources. Are we starting to see some transition there?

46
00:00:45,000 –> 00:00:46,000
Jonathan Braley [00:13:43]:
Right now is a little challenging. There’s a, you know, a lot going on with the government. But no, I think early on it was a little surprising maybe that USDA was handed that torch. The folks we work with…

47
00:00:46,000 –> 00:00:47,000
Frank Cilluffo [00:13:54]:
By CISA or some of the other.

48
00:00:47,000 –> 00:00:48,000
Jonathan Braley [00:13:55]:
Right, right. But to that same point, I think USDA is already very plugged into the food and agriculture sector. So it made sense. I think there was already relationships built and I think there’s a trust with the food and agriculture companies that they, you know, could work with USDA in that regard. At the same time, you know, we’ve always struggled to find the information that we need. We’re not seeing food specific things coming out of the government. There’s been a couple. I mean, we do get some things, but we’re not seeing constant updates on, hey, here’s what food and agriculture companies are seeing.

49
00:00:48,000 –> 00:00:49,000
Jonathan Braley [00:14:26]:
We’re not getting those reports that say, send this to your members and let them know and be aware of this. We wish we would see a little bit more of that.

50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:14:32]:
And who comprises the food and ag? This may be a very simple question, but it’s everything from Coca Cola down to John Deere or Pepsi or anyone else.

51
00:00:50,000 –> 00:00:51,000
Jonathan Braley [00:14:41]:
It’s such a broad supply chain. So you have, you have these farms, you know, some are producing produce, some are producing meats, you have the beverage companies, but then, you know, you have the transportation companies, you have the tractor equipment, you got the industrial control system manufacturers and it just kind of goes on and on.

52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo [00:15:00]:
Maybe the question is who’s not part of the sector?

53
00:00:52,000 –> 00:00:53,000
Jonathan Braley [00:15:03]:
And I think that supply chain and the number of hands that touch the product to the point of your just in time delivery is something to talk about as well. So for a small farm, you know, they might be able to grow their produce, go to their local farmer’s market and sell it, right? But more than likely they’re working with a distributor that’s getting that into some retail capacity. So there’s probably three companies there. And then if you look at a processed food, you might have multiple companies that are producing products that become one. You’ve got the packaging, you’ve got the logistics, you’ve got the transportation, you’ve got the grocery stores. And all of a sudden you have 10 companies all involved in this one product that you’re trying to sell.

54
00:00:53,000 –> 00:00:54,000
Jonathan Braley [00:15:40]:
And anywhere along that line, if one of those companies has a cyber incident, it’s going to impact everybody.

55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:15:44]:
Which is incredibly complex. And, and again, the psychological impact that, that, that plays into that. But I’d be curious, sort of from an OT perspective, what would a disruption in like a processing plant look like? I mean, what keeps some of these folks up at night?

56
00:00:55,000 –> 00:00:56,000
Jonathan Braley [00:16:05]:
Yeah, you can, there’s, there’s a kinetic kind of manner that you talked about earlier. If you had some sort of machinery that has a threshold of safety, if you could somehow get into the controls and move it beyond that, you could imagine workers cleaning it when it’s supposed to be off. What if somebody hacked in and turned that on?

57
00:00:56,000 –> 00:00:57,000
Jonathan Braley [00:16:26]:
Temperature, if you could mess with temperatures, you could have, you know, unsafe food going out, you could have food that’s spoiled. If we look at pharmaceutical and maybe fertilizer industries, there might be pressures and temperatures and things. So there’s lots of instances where you could mess with those thresholds and industrial control systems.

58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:16:43]:
So it’s almost up to the creativity of the attacker to an extent, right? And have we seen anything overseas that you think requires greater emphasis and focus here? Cause I think there is this belief, oh, that’s happening somewhere else. But once a technique, a tactic, a method, a source is exploited, that could easily be used as an attack vector here. Right?

59
00:00:58,000 –> 00:00:59,000
Jonathan Braley [00:17:12]:
Yeah. So we saw when Israel, Palestine kind of kicked off, there was some Iranian hacktivists that actually found a vulnerability in a programmable logic controller in industrial control systems. And they mainly went after the water sector. But a lot of food companies, beverage companies had the same sort of PLC in their own environments and they were actually impacted as well. So it has happened here, and then we’ve seen overseas Israel had their smart irrigation systems impacted one time. So a lot of what we talk about was theoretical. We were kind of looking at a worst case scenario.

60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:17:46]:
Water in the Middle east is a big deal.

61
00:01:00,000 –> 00:01:01,000
Jonathan Braley [00:17:48]:
Or if you turn on all the irrigation systems in the middle of the night and flooded a field, that’s concerning. And while it was theoretical, we’re starting to now see that these are happening. We have some examples of it actually being the case.

62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:18:00]:
And how about UAS? Because I mean when you think of drones and the role that they’re playing in terms of crops, that, that, that’s also become mainstay. Right? It’s not, it’s not one or two. This is pretty, I’ve been to small farms at universities recently and they’re co-locating some of their research with, with UAS and the like.

63
00:01:02,000 –> 00:01:03,000
Jonathan Braley [00:18:21]:
So same thing with the GPS, drones rely on that. But also, yeah, you know, drones are used for dropping fertilizers and pesticides now. And there’s a lot of data on these drones you can think of just looking at an adversary.

64
00:01:03,000 –> 00:01:04,000
Frank Cilluffo [00:18:33]:
Don’t use a DJI drone, just in the, for what it’s worth.

65
00:01:04,000 –> 00:01:05,000
Jonathan Braley [00:18:36]:
I won’t. But the, you know, the drones flying over the field, you might have experimental fields and things. So there’s a lot of data on the drones, not just, you know, shutting them down. There’s also valuable data if somebody wanted to map out, you know, the certain pesticides you’re using. They could use flight data and the weight of the drone and things like that or see where certain fields might have different activity. So we’re in competition with other countries as well. So some of the competitive data where we have farms, things like that is also something that we’re concerned about. It’s not always this disruption type event for food and ag. There’s also a lot of valuable intellectual property.

66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:19:11]:
I’m really glad you brought that up. Let’s unpack that a little more. Sort of you got the data side and intellectual property theft and lots of R and D investment in agriculture, and then you’ve got the more disruptive, destructive OT side. But what sort of IP theft are we concerned about here?

67
00:01:06,000 –> 00:01:07,000
Jonathan Braley [00:19:30]:
So I’ll just pick on China. So they’re interested in…

68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:19:33]:
They’re easy to pick on in the cyber world.

69
00:01:08,000 –> 00:01:09,000
Jonathan Braley [00:19:35]:
They’re interested in being more self sufficient with food. They import a ton of food, not just from us, from a whole bunch of different countries. So we have a lot of intellectual property where some of the genetic work, you know, it can take 10 years for a discovery in a lab to become a product on a shelf. So for them, anywhere they can jump in our timeline and start stealing some of that data that we’ve used. One, they’re not going to have to buy it from us, but two, you know, they’ve shortcutted their own resources. And to your point, you think about the technical staff you need, the laboratories, all that stuff is just incredibly expensive. So that’s very valuable.

70
00:01:09,000 –> 00:01:10,000
Jonathan Braley [00:20:09]:
Competing products, so for some foreign nations, they’re selling the same crops that we are, right? So if they could get a heads up into a company’s data and see like, hey, they’re dealing with a drought, they’re going to have down numbers this year, they could go after their, you know, undercut them on the market with who they typically sell to, things like that. So a lot of intellectual property, precision agriculture, there’s AI technologies now in food.

71
00:01:10,000 –> 00:01:11,000
Frank Cilluffo [00:20:30]:
Glad you brought that up too. I’m not going to let you escape. You can’t escape with a little discussion around AI. What does AI look like in the, in the agriculture sector?

72
00:01:11,000 –> 00:01:12,000
Jonathan Braley [00:20:39]:
Lots of different ways it’s used. One would, you know, just for precision agriculture, if you’re able to use AI to make the best use of your land, to monitor soil conditions, things like that, there’s a lot of different software out there now where you can rely on this very smart technology to just improve what we’re currently doing.

73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:20:55]:
And are these custom softwares or are they widely available? Would we have a SolarWinds sort of concern potentially?

74
00:01:13,000 –> 00:01:14,000
Jonathan Braley [00:21:04]:
It’s a good question. I think some of it’s proprietary. In some cases, they are developing AI technology to sell and that gets sold to other countries as well. It’s not just US countries. But yeah, it’s kind of across the board and I think even universities have done a lot of work in that space to see how they can improve.

75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:21:20]:
And how about automation? That, that I would imagine in terms of advanced manufacturing, you normally think, you don’t think of agriculture, but they do come into play here, right? A lot of this is automated already.

76
00:01:15,000 –> 00:01:16,000
Jonathan Braley [00:21:33]:
I mean the tractor drives itself and using GPS and other technologies, I mean they can pinpoint the seed to the exact spot, right? And you can run all day long. You don’t have to just have the workers normal eight hour shifts or however many shifts they work. You can just keep the tractors going. Same with harvesting, there’s a whole bunch of different equipment that doesn’t have a physical person driving it. You can just run on the field by itself.

77
00:01:16,000 –> 00:01:17,000
Frank Cilluffo [00:21:54]:
So you sort of teed up earlier that jamming GPS or spoofing GPS is sort of a prelude to potentially greater conflict. We have no shortage of geopolitical hotspots right now. If one were to pop or escalate, how do you see cyber coming in and what does it mean to the agriculture sector? So let’s not jump to Taiwan right away. We’ve had that discussion in many different ways. But there will be a bullseye potentially on all of our critical infrastructure. And ag, ag is one of those. Right?

78
00:01:17,000 –> 00:01:18,000
Frank Cilluffo [00:22:31]:
So what do you think we could see there?

79
00:01:18,000 –> 00:01:19,000
Jonathan Braley [00:22:33]:
Well, I think if we look at China, I know we didn’t want to do China, Taiwan, but they, we look at the, the Volt typhoon, Salt Typhoon, we’ve seen them get into the water sector, energy sector. We see them putting this just in case malware in our critical sectors and they haven’t used it. But we know that the, the goal was if we ever had a conflict, they’d be able to kind of turn that on and take advantage and you know, no stretch of imagination that we wouldn’t see that in food too. To me it seems like that would be an easy, I won’t say an easy target, but that’s an impactful target for an adversary if they could try to do that. And then, you know, we’ve got Israel, Palestine, we’ve got Russia, Ukraine, India, Pakistan even now, right? As we kind of pseudo get involved in these different conflicts, we see some of these hacktivist groups turning attention to U.S. critical infrastructure. And there’s kind of a blurry line between nation state and hacktivist now.

80
00:01:19,000 –> 00:01:20,000
Frank Cilluffo [00:23:28]:
Who’s the puppet, who’s the master?

81
00:01:20,000 –> 00:01:21,000
Jonathan Braley [00:23:30]:
Right, right. And the targeting, sometimes it’s like, are they following directions of the nation state or is there actually some involvement?

82
00:01:21,000 –> 00:01:22,000
Frank Cilluffo [00:23:37]:
Yeah, that’s, that, the whole issue around proxies is something we’ve, we’ve covered here in previous episodes, but it is getting difficult to discern. And the cohabitation and sometimes, sometimes you can peel that off too. I’m not sure where we’re smart enough to delineate that just yet. But, Jon, if there were one, and this is an unfair question, but if there were one thing, whether from government, from any industry, from the general public, if there were one thing we can do to make the greatest difference in terms of elevating our posture in the ag sector, what would that be?

83
00:01:22,000 –> 00:01:23,000
Jonathan Braley [00:24:17]:
Yeah, we really subscribe to risk informed defense. So kind of our mindset is the better that we can share, so the private sector sharing, the government sharing, us sharing with ourselves, that’s how you really understand the risk, right? It’s not good to look at one incident, try to figure out what happens. We want to see what is happening right now so we’re not just guessing at what’s the next threat is. The more we can share with each other, I think we have a better chance of protecting ourselves.

84
00:01:23,000 –> 00:01:24,000
Jonathan Braley [00:24:44]:
And then, you know, things like CISA 2015, I don’t know if you follow that at all, but that had a lot of protections for sharing. So that’s something that we’ve been paying close attention to, and we hope that that, you know, continues, right, so that we can have the, you know, antitrust protections and the information sharing so that when you do have an incident, one of the biggest challenges we have is members want to share it, but general counsel is saying we don’t want…

85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:25:07]:
Exactly.

86
00:01:25,000 –> 00:01:26,000
Jonathan Braley [00:25:08]:
…yeah, we don’t want it to come back.

87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:25:09]:
And, and we see that in every sector. There’s the CISOs and the CIO, CISO, CSOs. By and large, they want to lean forward, but often council says think twice about this.

88
00:01:27,000 –> 00:01:28,000
Jonathan Braley [00:25:22]:
Yeah, we, we’ve been able to kind of work around that just by anonymizing it so they can share with us, hey, here’s some indicators. Let everybody else know. We don’t really say who shared them. It’s still beneficial.

89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:25:33]:
Hey, John, what questions didn’t I ask that I should have? You covered a lot of ground here.

90
00:01:29,000 –> 00:01:30,000
Jonathan Braley [00:25:39]:
I guess I’ll just mention that, to me, ransomware is probably my most concerning threat to the sector right now.

91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:25:46]:
Thank you for bringing that up. Yeah, we jumped beyond the ransomware discussion.

92
00:01:31,000 –> 00:01:32,000
Jonathan Braley [00:25:49]:
No worries, but it’s, it’s, so we looked at, we did an exercise last year, we looked at all the different adversaries that had historically targeted the food and ag, and about 50% of them were ransomware groups. So not specific attacks, but the actual actors were majority ransomware. And I think it’s the opportunistic nature. To your point, we don’t see a lot of reporting on food and ag threats, but I also think we’ve been a little lucky where adversaries aren’t always focused on food and ag. But I think the opportunistic nature is a concern for me because it’s just going to happen to get food and agriculture companies, and it’s gonna be hard.

93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:26:19]:
So critical not only to our economy but to our public safety too. Right?

94
00:01:33,000 –> 00:01:34,000
Jonathan Braley [00:26:23]:
But the seizing of production is huge, right? I mean the incentive for a food company to pay that ransom is going to be higher than other sectors even. And at some point they’re going to realize that and they’re going to heavily target food. We see health care get hit quite a bit just because they know that the hospital is going to pay to…

95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:26:40]:
And recent trends unfortunately show it’s not a one time deal, right? You get hit once you pay, you’re often getting hit again.

96
00:01:35,000 –> 00:01:36,000
Jonathan Braley [00:26:49]:
Yep. Yeah. If you don’t figure out the hole where they came in, they sometimes come back in.

97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:26:53]:
Come back right in.

98
00:01:37,000 –> 00:01:38,000
Jonathan Braley [00:26:54]:
Different name or same name, we’ve seen all sorts of things.

99
00:01:38,000 –> 00:01:39,000
Frank Cilluffo [00:26:56]:
And not always get either your information back or even if it’s an OT set of issues, your system’s back up and running. Hey John, you gave us so much to think about. Thank you for your hard work on an under appreciated sector in this space. I’m glad that you’re out there fighting the good fight, and thanks for joining us today and keep fighting that good fight.

100
00:01:39,000 –> 00:01:40,000
Jonathan Braley [00:27:22]:
Awesome.

101
00:01:40,000 –> 00:01:41,000
Frank Cilluffo [00:27:23]:
Thank you.

102
00:01:41,000 –> 00:01:42,000
Jonathan Braley [00:27:23]:
Appreciate it. Thanks, Frank.

103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo [00:27:24]:
Appreciate it. Thank you. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.

Related Content