Ag Geek Speak

1. Talking Cybersecurity with Tech Support Farm's Chris Sherman

A Podcast for Precision Agriculture Geeks Season 3 Episode 1

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 22:52

We sit down with Chris Sherman of Tech Support Farm to explore how cybercrime targets modern agriculture and what practical steps protect farms and agribusinesses from losses. From avoiding spoofed invoices to equipment lockouts, we share simple defenses any grower, consultant, or retailer can start today.

In this epsiode, we discuss with Chris

• why agriculture is a prime target for cybercrime
• social engineering that targets busy planting and harvest seasons
• real cases of spoofed invoices and wire fraud
• risks in connected equipment and robotics
• password best practicesand password managers
• consumer email vs commercial domains and DMARC
• backups, rapid recovery, and remote support
• reducing tech fatigue with managed services
• how Fence Check evaluates your cyber posture
• Tech Support Farm's free webinar on passwords, phishing, and email security

You can find out more about Tech Support Farm at https://techsupport.farm/

Complete your free Tech Support Farm Fence Check at https://techsupport.farm/fencecheck/ to get a free, actionable report within 48 hours

Find our more about Tech Support Farm's winter webinars https://techsupport.farm/winter-webinars/

At GK Technology, we have a map and an app for that!


https://gktechinc.com/

Meet Tech Support Farm

Sarah

Welcome back to Ag Geek Speak. We are so excited to be talking about technology and agriculture. And today we're doing a little something different. We have a guest, Chris Sherman, with what's the name of your business again, Chris?

Chris Sherman

Tech Support Farm.

Sarah

Tech Support Farm, thank you. And we are going to be visiting with him about how he actually supports a lot of farmers. Tell us a little bit about yourself and your business.

Why Agriculture Is A Target

Chris Sherman

Okay. So Tech Support Farm is what is known as an MSP or an MSSP. We're a managed service provider. So we fix computers, we take care of networks. We basically take care of any of the infrastructure that your technology lives on. So we've taken care of Wi-Fi, uh, you know, your cellular data, connectivity issues, stuff like that. Anything that goes wrong with your computers, that's what we take care of. And then we're also a managed uh security service provider. So we provide all of the cybersecurity side. We take care of all of the software that needs to go into your devices to protect you from hackers. We uh handle all of um phishing attacks, email protection, stuff like that. We do all of the uh backup and disaster recovery for farms. And so, you know, a lot of the software and a lot of the stuff, the data that you're storing, we we back all of that up so that in the event that there is an issue, we can put you guys back online pretty much instantaneously. So we operate out of West Fargo, North Dakota, but we have clients pretty much across the contiguous US. So we're out on the West Coast, out on the East Coast, we're down in, you know, Georgia, North Carolina, South Carolina. We are kind of smattered all across the United States right now.

Sarah

So cybersecurity for agriculture, I mean, that's kind of an interesting thing to even think about. What and you said that the government has put out a statement about it. Can you help us kind of understand what are really the issues with cybersecurity when it comes to agriculture?

Real-World Farm Cyber Attacks

Chris Sherman

Okay. Um, so again, you know, the federal government, things that catch the federal government's attention is is usually big dollar amounts, right? And so back in 2021, I think it was uh Mankato, Minnesota, there was the Crystal Valley Cooperative was was held for ransom. And what really caught the federal government's attention in that one wasn't so much the dollar amount, because I think it was, I think it was like 11 to 15 million that it ended up costing. It was the fact that the ransom took place the first week of harvest. And for a cooperative to be held hostage like that right in that first week, that was really a telltale sign that these threat actors abroad were studying U.S. agriculture patterns. They knew when to attack, when the optimal time was. Because had this happened in like, you know, maybe, you know, February or March, it would have just been a one-off. We would have been down for a couple, you know, days and got back online. And instead, they were able to force the hand to just out of necessity, right? And so the issue is that since then we've seen a lot of high profile attacks. We've seen JBS meats out of South Dakota. We saw Dole was uh attacked, and so was UNIF uh Unify Foods was uh attacked. Um Spudnik Potatoes, the company that owns uh they were held, uh they were they had a cyber attack and and you know, hundreds of millions of dollars that cost them. So all of these are federal government style attacks that get their attention. In 2022, FBI in conjunction with USDA came out in a private industry notification and they told everybody that agriculture is one of the top 10 industries being targeted by cybercrime. But the problem is that what we are just waking up to is the the vast uh untalked about issue on the producer level. Um in 2024, the USDA estimated their their sent their farm census was about 1.88 million farms in the United States. That's a tremendous amount of the pyramid in this industry. And the average farm has about a million dollars of equipment and infrastructure. And that's just the average, right? We have farms that have a lot more. But then at the same time, farming requires a lot more catch upfront, a lot more capital and liquidity. And the average farm has about half a million dollars on hand at any given time. And so it really lends itself to being low-hanging fruit because farmers are inherently trusting. We've got more and more, we have tons of guys running around without any passcodes on their phones, without any, you know, passwords on their computers, and everybody's trying to unlock things. And unfortunately, that keys in the visor trust mentality that we have in real life does not translate to our digital footprint, right? And and what ultimately ends up happening is we leave ourselves really vulnerable and we have a lot more cash running through our through our businesses than other small businesses. And so therefore, you know, when we have a cyber breach, it's not, you know, hundreds of dollars, you know, that they've taken. It is in the hundreds of thousands of dollars. The biggest one that we saw was like $300,000 uh that they got away with, and they had a $450,000 uh transaction pending. Those are the types of numbers that put people out of business.

Sarah

No kidding. And so, like you actually are aware of some instances where farms have actually been attacked.

Chris Sherman

Absolutely.

Sarah

Have lost money.

Chris Sherman

Yes.

Sarah

Without revealing locations or people. Can you kind of explain to us like a real life scenario that actually happened?

Chris Sherman

I I can give you a lot of them. Okay, so number one, busy time of the year, right? Planting, harvest, and uh threat actors will know that that's the time and they will spoof your local uh vendors and they will invoice you and tell you, you know, in order to, you know, maintain services, you need to hurry up and pay this bill. Here's the link to pay. And what do you guys do? They end up paying the bill because they want that bulk fuel. They want that, they want to make sure they've got fertilizer. They want to make sure that these services continue going. And so they pay it and they're like, we'll deal with the books later. And then by the time they find out that they were paying somebody else, it's too late. It's that it's social engineering. Most of cyber attacks in the United States for agriculture is definitely very carefully orchestrated social engineering. Another one is where they will spoof the vendor and they'll send out the invoices, and they will literally mirror the invoices that were already sent out and said, Hey, I don't think you paid this. And so we have companies that would readily tell you that, yeah, we we ended up paying $30,000 in invoices, and we found out that they were repeats, but they were repeats from uh from somebody spoofing them. The FBI and I can't remember what other federal agency did an experiment with a brand new combine um on, I think it was University of Kansas, if I'm not, if my memory serves me correctly, don't quote me on that one. But basically they sat out there with a laptop and they had uh a couple guys demonstrate how they could hack into the combine and take it over, and they could lock out the driver and they they had full control of the of the unit. And people ask you, you know, why? Why is ag even a target? And it's very simple. Number one, food is national security. We know that, right? I mean, going all the way back to biblical times, it was it was slash and burn. But now, you know, now we don't have to do that. We just sit behind a keyboard and and we mess with the digital side of it and it ruins it for us. We see over in areas around the world where they're hacking into planting equipment and they're during planting season and they're pushing seed down too deep. During the drying season for for next year's seed, they nuke it. Uh they they mess with the readout displays on on drying drying equipment, they're messing with milk pasteurization, all of these things. And so, you know, the reason why is obviously, you know, taking control of the food supply. But then at the same time, it's weakening public trust in in you know traditional institutions, things that we've assumed to be safe. It's as, you know, it's just generally assumed you can walk into a grocery store and the food that you're gonna eat is going to be safe. And again, you know, if they can weaken the the public's trust in the society's systems, that's a that's a great attack. But last but not least is money. Money is a huge factor. You know, ag is a $1.5 trillion industry in the United States. It is phenomenal.

Sarah

So And so they will actually break in and they'll they'll glean like little amounts of money coming out of operations just like you just like you described.

unknown

Yeah.

Chris Sherman

But think about it this way if if they orchestrate the attack carefully, they can get little amounts from a large swath of the population. And so it becomes a very big payday. For very little effort. We've seen we've seen attacks where spyware was accidentally downloaded, and so they sat there and they watched the goings-on inside of a farm. They knew that dad and the boys were working on a land deal. They were talking to the bank, they had the insurance companies, and everybody everybody was all involved. And the threat actor realized it was about the the right time, and so they spoofed the bank and they sent him e-signed documents with wire information. And dad signed it, the boys signed it, and before they knew it, all their money was gone and they lost the land.

Sarah

My gosh.

Chris Sherman

Yes.

Sarah

And at land prices today, yeah.

From Food Security To Big Money

Chris Sherman

Now think about this. Okay, irrigation. Irrigation is fascinating because, and this goes for everything, right? This is irrigation, grain handling, dairy robotics, you know, uh ranch management, any of these platforms that we use. But a quarter section of potatoes is about upwards of a million dollars. Now, if you have hundreds of irrigators and they're all being run on the same platform, that becomes a choke point. Because now, if that ever gets hacked and they take over that, not only, you know, if you if you hold water off of potatoes for, you know, 24, 48 hours, uh, you're you're facing crop loss. Dairy farms is a great example. You know, my first job when I was like 12, 13 was on a dairy farm. And, you know, everybody ratio of human labor to the herd size was drastically different than what we have today because robotics has alleviated that. We don't have the three o'clock in the morning and three o'clock in the afternoon milking anymore because now it's a 24-hour operation. And most of it is, you know, is managed through robotics. But all of that data is stored in a central server. You take that over and you and you lock everybody out of that, and suddenly we don't physically have the human labor to offset that and to deal with that crisis.

Sarah

Cows don't get milked.

Chris Sherman

We're facing herd loss.

Sarah

That's bad.

Chris Sherman

Yeah. We are now seeing cattle rustling where it is it is no longer physically showing up and and stealing the cows. It is we're messing with the geofences and we're hurting them out and to waiting trucks. Yes.

Jodi

This isn't just the wild west anymore.

Chris Sherman

RFID uh swapping of tags. You know the old school where you peel the label off of the off of the cheaper item at the store and you stick it on the expensive one and hope that you can get through the, you know, kind of like back in the day. Now we're seeing that with RFID tags. They'll swap you know the RFID tag digitally with uh a cheaper animal and put it on a more expensive animal, and they end up, you know, that's it's happening in in real life at these auctions. And it's an issue that needs to be talked about. And what's interesting is that nobody is going to be at you know at Petroserve, you know, getting coffee and and fuel and and tell their neighbors that you wouldn't believe that we got hacked for $70,000 last night. That's not an that's not a morning topic. We just know that Brad is really was really cranky this morning and nobody knows why.

Sarah

And farmers are very private, yes, very trusting. Um, a lot of the clients that I work with on the mapping side of things, they are extremely good at you know fixing things with a 916 wrench and a hammer. Yes. But they're probably not so good at putting together agricultural data in a in a digital sense and making their maps.

Chris Sherman

That's the other problem is that we have such a proliferation of not only data, but solutions. And so you have to learn individual solutions, right? You have to learn each new piece of technology. And, you know, when it comes to equipment, we all understand electricity, we all understand the combustion engine, but technology, we design it so differently. And with you know, the introduction of artificial intelligence and the different creative directions that we can go with technology, it becomes very, very daunting. And we and you know, when we talk about data fatigue, especially in farms and ag, uh it's very real. I think there's a tech fatigue as well.

Tech Fatigue And Data Overload

Jodi

Yep. So, so on that, I mean, that's a huge challenge for precision ag adoption, is just getting into that sort of like new tech mindset and then learning everything that comes with it. But it's but speaking of that, I mean, we work with not only growers and farmers, but we also work with independent crop consultants that own their own businesses, retailers, et cetera. You know, what are some things that we should be thinking about in terms of upping our own data security? And then also how can we work with you to help in your company to make us better in terms of being more data secure, cybersecure?

Practical Password Strategies

Chris Sherman

So the the two things that I I talk about is number one is passwords. Passwords are our keys. And for some reason, we have this mindset that we we need to make our our passwords as easy to remember as possible. So, you know, and I I always pick on on Johnson Farms, but Johnson Farms Wi-Fi is probably Johnson Farms. And you know, believe it or not, their password is Johnson Farms with an exclamation point. And and they might add another one to it, but but the security is so incredibly lax, right? And so we need to understand that our passwords, if if you have a 12-character password and it is all lowercase level or lowercase letters, do you realize that brute force attacks can have that cracked within a matter of two seconds? Literally. I had no idea. Yes. If you add an uppercase letter to it, you automatically triple the amount of time that it takes to breach it. If you add numbers to it and then special characters and you don't repeat them, you can inevitably, you can actually get to a point where it's, you know, I think the number was like 34,000 years that it takes to break into that. But obviously you should be changing your passwords more frequently. The thing is, make sure that your passwords are a minimum of 12 characters long. Use upper and lower case letters, use numbers and special characters. And and make sure you're changing them at least, you know, a year. That's that's the best, you know, practice right there. Um and again, don't reuse passwords, right? Think about cybersecurity and your security posture like home security. You don't go to the locksmith with an old key and be like, I'd really would like you to design a lock for this key, right? No. I mean, would why would we reuse our passwords? It just doesn't make sense, right? Throw it away. Start over. We have password managers that you can download, and it can go on your phone, on your desktop computer, you lock it up, and you've got biometric, you know, scanning on there or whatever the security features are. You don't have to remember your passwords, right? Make them complicated. There's another uh there's another one, then this might be a little bit more difficult to do on a podcast, but it's called munching. And you replace letters with characters or numbers, right? So the uh wheat field is two words. You would have capital letters in there in lowercase, but change the the A in wheat to an at sign, right? Change the I in field to an exclamation point. You know, now you've just exponentially made it more complicated or complex, but it's pretty easy for you to remember, but uh harder for a hacker to figure out. So uh passwords is number one thing that I think is is most important. Um, the second thing right now is g uh is emails. Everybody has to understand that there is a difference between consumer grade emails and commercial grade emails, and nobody seems to get this. And farmers are notorious for running multi-million dollar operations on residential grade hardware and infrastructure. Gmail, Yahoo, AOL, Hotmail, Netscape, all of those antiquated emails that we all hang on to, even if it's out of nostalgia, all of those emails are essentially mailboxes on the side of the road. Anyone can come up to them. They are not encrypted. Yes, you have a password, but they are not encrypted. Anybody can uh can grab them in transit, read the email, read the contents, and it continues on to the original destination with nobody knowing. So anything that you send your bank, all of the statements that you're sending, all the PLs and balance sheets at the end of the year, your tax information, your insurance stuff, your stuff that you send for employees, all of that is not being encrypted in those email platforms. We have to get past that. And we have to have our own company domains and have commercial emails, whether it's through Google Workspace or Outlook, whatever the case may be, that is step number one. Inside of a commercial email, now you can put on inbound email filtration to weed out those phishing scams and those attacks and those attempts. And then on the outbound, we can put in DMARC compliance to protect you from getting spoofed. So if you have, let's say you're a seed dealer or you're you know selling insurance, or maybe you're a you know custom applicator or harvesting or whatever, that nobody can spoof you as a company and send invoices out on your behalf and collect the money. Because ultimately, if that does happen, that company is liable for it.

Jodi

It's interesting. Having talked to you, Chris, the last two days at the NDSU Extension Roundup in Devil's Lake, I've had so many conversations in the last 48 hours of folks that have run across these, you know, phishing attempts, these fake invoices.

Chris Sherman

Yes.

Email: Consumer vs Commercial

Jodi

They're way more common than we think.

Chris Sherman

It's crazy. So ultimately, what we do as a company is we're we're here to educate and we're here to help people, you know, raise awareness in this industry because there's nobody else doing this, right? But at the same time, we provide IT and cybersecurity services. And so we have guys that call us and are like, hey, I can't get on my Zoom meeting. Can you help me out? We can help you out. And we can do it remotely, right? But at the same time, we do cybersecurity in the background. Uh, we we make sure that all your devices are secured, we make sure your network is secured, we will set up your emails for you, right? If you have an email that you've been using for 20, 30 years and and you're not sure, and it seems like a daunting task to you know transfer it over, and how are you going to tell everybody? We've got the solutions for that. We can set up your email, we can set up the transition for you, we can make it very seamless. We take care of all of the backup and disaster recovery stuff.

Sarah

Well, that's a big deal.

Chris Sherman

And and you know, at the same time, you know, everybody knows that you know you you have a piece of equipment breakdown in the field, and we call, you know, the service uh mobile service truck or whatever, and they're like, Yeah, we'll be there by six o'clock, and six o'clock comes and goes, and we're it'll be tomorrow morning and that sort of thing. For us, our service is 90, you know, 90 to 95% remote. I can be anywhere in the United States and somebody can call and we can jump on remotely and take care of their stuff for them. So we try to provide that service that that ag needs for the the right help, not you know, two days from now kind of service.

Jodi

That's beautiful. And so if somebody, if if a grower, a consultant wanted to start working with you, what's the best way that they can start to interact with you and build that relationship with your consultant?

Services, Remote Support, Backups

Chris Sherman

You can go to techsupport.farm and you can fill out what we call fence check. Fence check is really Really a cool tool because what it does is it kind of starts that initial interview process and we find out more about your farm. We get to know, you know, what kind of operation you're in, uh, what kind of side businesses you might have, what kind of technology you're using, how big your farm is, how many employees you have, what kind of devices you're using, that sort of thing. And then within 48 hours, you'll get a report on exactly what you can do, the actionable steps you can take to improve your cybersecurity. We do not use it as a sales tool. We'll not contact you. We were not gonna, we'll never be that pesky company that keeps calling. And then if you do choose to go, you know, and and to have an interview with us, we sit down, we'll cover the report with you, and then we can tell you what we can do from there.

Sarah

Sounds like a pretty easy, you know, way to start getting things more lined up.

Chris Sherman

Absolutely.

Sarah

Being more secure. And something quite frankly, that most farmers I know do not enjoy doing at all. So to find that person to help out with that, that's a pretty big deal.

Chris Sherman

The other thing I would throw out there is that we are doing a winter webinar and it's gonna be a security webinar. It's totally free. Guys can sign up for it, bring your hired people, your moms, your dads, your aunts, your uncles, anybody that you like. Um, and it's a it's a one-hour interview or a one-hour webinar. We go through cybersecurity and the basics. We talk about passwords, we talk about emails, we talk about phishing attacks. We will dissect emails and show you how to look for telltale signs on on how to you know pick out phishing attacks and tell what is real and what is not. So it's it's very in-depth, but it doesn't cost anybody anything. And uh, and I think it's a great opportunity.

Jodi

What are the state of that? And then also what is the name of your website that people should go to to do this this fence check?

Chris Sherman

Tech su uh techsupport.farm, and it's the first thing on the website.

Fence Check And Free Webinar

Sarah

Well, I feel like we have just totally scratched the surface here. I feel like there's a lot of things that we could talk about more in depth. So we might have to see if we can have another conversation. This is just something I think for technology and agriculture that totally gets overlooked. Um, but this has been a great conversation. Really appreciate your time. Um, thank you so much, Chris, for joining us.

Chris Sherman

Absolutely. Thank you guys for having me.

Sarah

Thank you, Chris. With that, at GK Technology, we have a map and an app for the map.