Cyber threats facing agriculture: bad actors looking to dine out on farm data
Over the years, farmers have had to guard their fields against a variety of pests from six-legged insects to bipedal poachers. But, more recently, cyber criminals have joined this list of agricultural adversaries. And the threat is a serious one. So much so that the UK’s National Cyber Security Centre (NCSC) created a 14-page guide in 2020 (and reviewed last year) to help the farming community better protect itself from common cyber attacks – reaching out to sole-traders, small to medium sized operators, and large-scale commercial farms.
Other security agencies share concerns too that farming operations represent a developing target for future cyber attacks. In 2018, the US Department of Homeland Security released a 25-page report to raise awareness of ‘Threats to precision agriculture’ (PDF). And, more recently in 2022, the US Federal Bureau of Investigation (FBI) informed food and agriculture partners that ransomware attacks on agricultural cooperatives could be timed to critical seasons.
Facts and figures
Commercial infosec has picked up signals too. In a 2020 briefing, threat hunters from Crowdstrike, a US-based cybersecurity firm, described ‘suspicious discovery commands’ in telemetry gathered from the customer network of an unnamed large agriculture company. And, less than 12 months ago, Crystal Valley – a US farm supply and grain marketing cooperative – warned customers that the firm had been targeted in a ransomware attack. Elsewhere in the US, cyber criminals have gone after two grain cooperatives in Iowa, according to local media reports. The news is made more serious as Iowa is ranked number one in corn production in the US – providing a total harvest of 2552.2 M bu in 2021, compared with 2191.7 M bu for second-placed Illinois (figures courtesy of CropProphet). Machinery-makers have been targeted as well. AGCO – a worldwide manufacturer and distributor of agricultural equipment – informed customers in May 2022 that it had made progress in recovering its operations following a cyber attack earlier in the month.
Agricultural businesses have to contend with multiple attack surfaces that offer unauthorized users no shortage of potential avenues to explore. Returning to the NCSC advice from earlier in this article – the UK government agency warns that, “The increased use of email, online accounting tools, online payment systems as well as automated farming equipment means that it’s increasingly important for farmers and rural communities to look at their growing exposure to cyber risks.” There’s a plethora of new technology coming onto the market, including self-driving tractors, automated crop-picking robots, and precision weed-killing drones, to give just a few examples – all of which are designed to make agriculture a more efficient and profitable endeavor, but have the potential to cause harm if digital attackers can find a way in.
Security consultants NCC Group – which has offices in Europe and North America – teamed up with agricultural researchers and land management experts to compile a detailed report on the cyber security threat to farming and the wider food network (PDF). The study includes a deep look at the attack surface of both human-driven and autonomous farm vehicles, with analysts pointing out that Vehicle-to-Everything (V2X) communication systems represent the most noteworthy change in near-future designs. There’s no shortage of ingenuity in agri-tech and the computing kit that goes with it attracts creative minds. This month, a security researcher who goes by the handle ‘Sick Codes’ showed how the touchscreen from a John Deere tractor could be repurposed to run a crop-harvesting themed version of the computer game DOOM. And his 2021 DEF CON presentation (available to watch on YouTube) shines an educating light on the vulnerabilities that the agriculture sector has to contend with now and into the future.
“Potential risks must be addressed responsibly and new technologies properly tested in experimental settings to ensure they are safe, and secure against accidental failures, unintended consequences, and cyber-attacks,” write experts from the University of Cambridge, UK, who published a paper in February 2022 looking at the risks of using AI to grow food.
The difficulty for farmers is that are busy people – doing the vital job of providing food for the world – and asking them to be CISO’s and product security testers on top of their existing responsibilities isn’t a realistic option. Fortunately, some help is forthcoming. Last year, for example, the Canadian government rolled out a 48-month program to first assess the cyber security capacity of its agricultural sector and then work with farmers to develop useful resources.
Investment in cybersecurity operations has been flagged as an issue, particularly for smaller, family-run farms, which collectively remain a major source of food production in many EU countries. In a recent study, which focused on farms in Finland, researchers found that while the condition of networking cabling and other computing hardware elements was good, many of the microenterprises lacked the know-how to handle system backups and engage malware protection appropriately. It points to the need to automate software updates and other critical security processes (as much as it’s possible to do so) to avoid relying too heavily on users, who cannot all be expected to be IT experts.
Farmers may have no control over the actions of cyber adversaries, but they do have power over their own purchasing decisions. And shopping wisely – looking for digital products and services that have been designed with security first (not as an afterthought) and with aftersales support to take care of the unexpected – is important in building a stronger cyber defense from the ground up. Also, cyber-security-as-a-service providers able to meet the needs of the agricultural industry could represent a valuable and additional high wall for keeping threat actors away from our food.