Protecting Agriculture Critical Infrastructure

Vulnerabilities are only weak spots when they are abused. According to multiple government reports, professional criminals and state actors have become a serious risk for business and governments22. Criminals become more professional and have more equipment and tooling to execute cyber hacks. Data, money and other valuable assets such as intellectual property, confidential business data, personal information and the continuity and integrity of digital processes can be abused by malicious actors.

A secure chain is only as strong as the weakest link

Challenges are not only visible on an organizational level, but are strongly chain focused. The agrifood sector is operating in chains or networks and is dependable on other chain organizations or third parties. Some risks are obscured and/or displaced outside an organization's span of control. A secure organization, chain and network are therefore a shared responsibility. When managing the risks of the whole chain,

it is important to identify not only the physical chain, but also the "digital chain". This chain effect has been proven in other sectors by, for example, the disruptions that occurred some time ago by DDoS attacks on Dutch banks, government departments such as DigiD23 and - when it comes to system failures - the power failures in Noord- Holland24. The impact of a non-functioning chain is exceptionally high and costly25.

A secure chain is only as strong as the weakest link.

A successful cybersecurity attack can have major impact, not only on the IT side but especially on the business. Some consequences are loss of reputation or loss of business due to system downtime (for example costs of not-harvesting). For an organization to take control, it has to ask itself: Are our digital "crown jewels" and reputation adequately protected and under control? And if my system fails, is my business resilient enough to recover?

Total security is an illusion and in most cases impossible to achieve, due to the substantial impact security measures can have on society and individuals. To find the balance in security, freedom, social and economic growth has become a challenge nowadays. We can combine digital innovation and transformation within acceptable risks. To cope with these vulnerabilities and threats, multiple technical solutions or standards can help to mitigate threats and risks. But improving cooperation - both internal and external at various levels - by sharing knowledge, expertise and expe- riences is one of the basics in developing cybersecurity resilience in the organization and the agrifood chain.

Agrifood processes not considered "vital" by government

In 2010 the Dutch government labeled several sectors as being "vital". In 2015

this process was repeated but now from the perspective of vital processes instead of vital sectors. This time agrifood processes were not labeled as vital. They were assessed as being too fragmented and therefore incapable of disrupting society or the economy. But how much impact does it have when processes for assuring food quality and food production seem vulnerable to cyber threats? Is this assessment changing with the fast digitalization of the food chain? When a shortage in crops

or unreliable quality manifests, societal unrest arises. But when vulnerabilities and outages of continuity become reality, the food production processes and geographic distribution of the products will show to have a great level of resilience due to the vast networks of the food supply chain. No branch of the food chain will be threatened

as a result of outages in the major food production locations. Moreover, when food supply is thin, products can be replaced by similar or alternative products to balance the shortage. This is why food production and distribution processes are not catego- rized as "vital infrastructure" by the Dutch government (2015).

But the vulnerabilities of the (digital) food supply chain is more and more dependable on other products and services that are labeled as "vital", of which the most important ones are drinking water, energy en transport. Besides continuity and security of food supply, food safety and quality control are vital pillars of the food business. But what happens when fraud is committed? Our attention has been drawn to the fact that there is no information on how little attention there is for cybersecurity as a consolidating factor in data on quality of produced food in an ever digitalizing chain26.

Agrifood businesses struggle with cyber security measures Agrifoodcompaniess support27 the view that digital data exchange is increasing in the agrifood sector. They mention not only technology as a main driver, but also the growing need for traceability, increasing need of customers and consumers for information on sustainability and further globalization of our food supply chains.

Indeed, data is considered as a valuable asset for companies in the agrifood sector. Farm data is seen as farmers' new product alongside its crops and animals, and needs appropriate security.

According to the companies interviewed, sensitive data in the agrifood sector particularly concerns business data, being valuable information for the market and its competitors. For instance food product prescriptions but also plans for take-over are considered as market-sensitive data. And for each food supply chain (dairy, meat, vegetables etc.) in the agrifood sector the risks and vulnerabilities will be different. Cyber attacks by hacktivists in order to damage the reputation of companies are seen as an increased threat. Also the increase of extortion was named in which firm data is taking hostage.

Some businesses wonder whether the agrifood sector has sufficient awareness of cybersecurity compared to other sectors. It seems that awareness in the IT and software companies as service provider of the agrifood sector, is high enough. And large food enterprises (especially multinationals) also seem to be reasonably aware of cybersecurity. Also due to their accountancy firms that carry out risk assessments and impose arrangements to meet cybercrime attacks. And also because of the new stricter privacy and data protection regulation with the obligation for data controllers to notify data breaches and higher fines.

So how should the agrifood sector deal with cybersecurity taking into account that a lot of agrifood chains operate in an international environment, crossing borders, and dealing with different legislation? Also the different cultural biases and legal systems between US, Europe and Asia on cybercrime should be taken into account. Opinions vary on how a joint approach should look like. Who should take responsibility, who will organize it and who should be involved? The large and more powerful companies in the agrifood sector such as multinationals or European purchasing alliances of the supermarket groups? And how will the costs and benefits be divided among the involved parties along the food supply chain?