Suddenly it does get very hot in the greenhouse. The grow pipe appears to be heating up at maximum and the windows are closed. The screen system does not seem to respond to the sun and the irrigation is set to zero. The climate computer no longer responds to adjustments, instead giving an unknown message. Hostage. Pay up, or you won't regain control of your greenhouse. This scenario may seem far-fetched, but at the same time it is not unimaginable. Horticulture is at the forefront of using modern technologies and that simultaneously makes the sector a target for hackers. The information and knowledge of suppliers, growers and breeders also attract the attention of malicious parties. Marco van Loosen and Patrick Dankers of Priva explain what is going on and how it is possible that the horticultural industry is simultaneously the most modern in the world, but also somewhat naive when it comes to cyber security.
Digital espionage from the East, a Dutch newspaper headlined last month. Ransomware attacks pose a risk to Dutch companies, according to various cybersecurity companies. Last week Dutch science organization NWO was in the news: it was extorted by hackers. Their network was taken hostage and because they did not pay a ransom, confidential information was revealed on the dark web. According to Marco van Loosen, these are threats that the horticultural sector must also be aware of. He started working as Information Security Lead at Priva last year. His colleague Patrick Dankers (Portfolio Manager Horticulture) explains that there are various ways in which hacking in horticulture can be a risk. Theft, for example, of technology.
"We expect the use of cloud solutions in horticulture to take off in the next five years. Then you can think of autonomous cultivation, harvesting robots, harvest predictions and the associated algorithms, but also the knowledge of, for example, the breeding companies. All technology that can be interesting for outsiders," says Patrick.
"On the other hand, you don't have much use for this data without knowing how it is used in practice," adds Marco. "That also makes the process data from the greenhouses themselves a target. The combination between technology and the process data gives the opportunity to be able to apply the knowledge elsewhere, or at least to be able to catch up technologically in horticulture."
A second threat that horticulture may face is cybercriminals penetrating the greenhouse. "By adjusting parameters or settings or taking over users' accounts, you can obviously cause a lot of damage. Then there may be hostage taking and asking for ransom, but sometimes they are also just out to do damage."
"Previous DDOS attacks on the government were also found to have been carried out by an adolescent," Patrick gives as an example. "But whoever is behind it, the fact remains that disruption of services is a risk that comes into play, both locally and in the cloud."
Secure and modern
The fact that Priva, of all companies, has come forward with this may seem surprising. The company offers various services that make it possible to control and optimize a crop via the cloud. Priva is happy to share information on how these solutions contribute to, for example, an autonomous greenhouse or scaling up in the sector. "It's a shaky balance: we don't want to paint doomsday scenarios or spread fear, yet this is a topic that concerns the entire sector. At the moment there is a lot of focus on the great opportunities and not on the risks. As Priva, we want to take the lead in making the sector aware of the opportunities that cloud technology offers, but only if you use that beautiful technology properly and safely. By being alert and aware, we at Priva and our users can contribute to this," says Patrick.
Within Priva itself, information security is a high priority. Last year, Marco was recruited, who is working non-stop with a special security team. When developing products and services, we work on the basis of known security principles, and security is also given sufficient attention in new releases. In addition, penetration tests are performed by ethical hackers. "We let them loose on our services and see where we can make improvements. First they are allowed to try and penetrate our systems from the outside, and at a later stage we give them access so that they can also identify any security weaknesses from the customer's point of view. Findings are assessed and resolved. This kind of double testing keeps us on our toes and allows us to continuously increase the security level of our systems. "
Password on a post-it
There is also work to be done at a much more basic level, at the companies themselves. "There is a large group of customers who are serious about cybersecurity, but we also recognize the sector as one in which security is handled somewhat naively. That really starts with the cliché cases: companies where the password is attached to a computer screen with a post-it, where the Wi-Fi network for guests has had the same password for years or is not separated from the other networks. It might end up with a grower who can control the greenhouse with his iPhone through Priva Operator, but doesn't think about how to handle the security of his phone."
"As Priva, we do everything we can with our cloud platform to protect that knowledge and process data: the data remains with the customer and it is only under Priva's control. To continue doing that safely, we are now turning on two-stage security by default for new users of our cloud services," Marco continued. "In doing so, we help companies make the right choices in this regard. We also ensure that existing company accounts can be used to access our platform so that rights can be easily assigned and removed, for example when employees leave the company. And we also ask companies to think about the security of their systems themselves. Is there someone responsible for IT? Is there someone who regularly checks and monitors everything?"
Learning money paid
"From a historical perspective, hacking is obviously not an important topic for this sector, because it is relatively new. We now see that big players are more engaged in it - perhaps also because learning money has already been paid," Patrick continues. Marco adds: "we are therefore working with the security teams of these big players to fine-tune the security requirements. But companies that do not employ specialists themselves can also choose to outsource part of their IT security."
For growers, it is usually really not necessary to set up a complete security team themselves as well. "But growers sometimes wonder what they have to hide, or what can go wrong. If someone unnoticed is in your system and has access to process data, for example. But also, growers have their own way of growing a tomato, cucumber or rose in the best possible way. Their own knowledge is all in the system and that has been developed and refined over the years. You don't want a hacker to get hold of this, but neither do you want your neighbor or competitor to have access to it. At the same time, of course, you want to take advantage of the new possibilities of this technology, which is certainly possible if we as a sector give security sufficient priority."