Virtually everyone says "yes" when asked if digital security is important. When push comes to shove, though, labour or water gets more priority from the grower, and for suppliers, there's always a higher item on the to-do-list, too. Strange actually, because in all company processes digital security is key.
So there is work to do. After a breakfast session in the World Horti Center this summer, a digital security work group was founded. Hoogendoorn Growth Management, Beekenkamp Group, InnovationQuarter and Lentiz work together and plan to incorporate other horticultural parties. The first goal? Raising awareness.
The room and the speakers: Danny den Hollander (Beekenkamp Group), Colinda de Beer (InnovationQuarter), Kevin Kleijwegt (Hoogendoorn Growth Systems) and Roel van Heijningen (Lentiz). Remco Duijverman of Hoogendoorn is also a member of the work group, but he was not present.
Who started that conveyor belt? What's that robot doing there? Is that sensor data right? Who is the 'mechanic' in the server room? Is the work laptop travelling to China or the United States? Those are all questions or situations that are more or less familiar to those who work in horticulture, even though it is not a popular subject to be open and honest about. Because anyone who's been hacked, must be stupid, right?
Well, no. Hackers get smarter so it can happen to anyone, and the grower with a fully automated greenhouse is maybe the most vulnerable of all. The work group does notice, that that last group still sees it as an unlikely occurrence. The three most common reactions are 'my supplier probably takes care of digital security', 'I don't click on wrong links' or 'that's scary, I don't understand that'.
None of those three is 'the right answer'. Even more so, the whole horticultural chain is interlinked, and a chain is only as strong as its weakest link. Only together and by sharing knowledge, horticulture can take steps.
Colinda de Beer opened. Photo: WHC
IT versus OT
Who knows the difference? Probably not everyone, even though every grower and supplier comes across OT. OT stands for Operational Technology, which are all machines, from conveyor belt to robotic arm, in the greenhouse. The OT is vulnerable, because the software that controls that hardware is often hard to update, or it can't be updated at all.
Some simple, sometimes obvious tips, are necessary. It's wise to change the password every now and then, on the hardware too ('adminadmin' is easy to hack). Choose for multi factor authentication for everything that requires logging in, and for a password manager which is guarded with another password to make using good, strong passwords possible. But isn't a password manager another risk? Yes, acknowledged Colinda de Beer of InnovationQuarter, one of the speakers, but the risk is a lot lower than using the same password on everything.
‘Air conditioning mechanics’
Besides Colinda de Beer, Kevin Kleijwegt of Hoogendoorn and Danny den Hollander of Beekenkamp spoke, too. They too shared tips and experiences. Kevin advised growers not to open your e-mail on the climate computer and to use the 3-2-1 back up rule (original data, back up drive and in the cloud with a password).
After seeing a video of people holding a ladder, walking in everywhere they want, Danny told about the tests Beekenkamp executed in the company to see how well Beekenkamp as a company is secured. That sure became an eyeopener, because the 'air conditioning mechanics' got as far as the server room.
"Accordingly dressed and believing in the good in people made that possible", Danny said. "That's why there's really no harm in asking the mechanic in the greenhouse what he is doing there. And to, easy as it is to let the supplier log in from a distance, make a comfort-risk analysis for installations if it is really possible", Kevin added. "It can always be beneficial to let someone from your own company physically look over the shoulder of the person logging in from a distance."
And then there's data. The amount of data increases, but the question is how much you want to keep. Data that doesn't exist anymore, can not fall into the wrong hands either, Kevin said. For that reason it is inadvisable to take business computers and phones to 'risk countries' like China, Russia or the United States. A little 'check' at customs and before you know it there's spyware on it. Several people in the room had similar experiences, or at least a hunch that something like that had happened to them. And if there is no other option, think about encryption of data or bringing an empty laptop or PC for that one visit.
Hacking to learn from
After an hour or so it was up to Roel van Heijningen from Lentiz to close with the question 'What's next?' Options were including digital safety in the Lentiz curriculum, doing a baseline measurement in horticulture to find out the main points of attention and or risks, and organising courses for growers where they learn how to hack each other, so they can start to see the risks.
Technical or ethical hacking, in which hackers decide to hack a company and then tell them (for a nice financial reward of course), is something to think about as well. In horticulture it is not common (yet), but everyone understands that if one kilogram of tomato seeds is very expensive (which it is), the data on new varieties should not be out for everyone to see. It is important to be well boarded up digitally.
For more information, please send an e-mail to email@example.com