Cyber threats to precision agriculture

When I was asked to contribute this article regarding cybersecurity and farming, my mind immediately went to my experiences on the small family farms of my youth, where I helped relatives with haying or cattle and the technology was as complex as an old tractor and square bales. While effective, those tools were nothing like the technologies in use today.

This article focuses on the use of advanced technologies and the cyber risks they present to modern farming operations. Precision agriculture and precision livestock farming are not all that different from most modern manufacturing; they use advanced technologies to improve input efficiency and collect output data to facilitate future production decisions.

Technological change is to be expected in any industry, but the use of advanced technologies in farming also creates new vulnerabilities and presents a risk to farming operations. The exponential growth in the use of technology, such as networks, GPS, Internet of Things (IoT) devices and automated systems contributes to a significantly increased attack surface. Of added concern is the large amount of digital data that must be collected, analyzed and stored using networks, wireless, satellite, on-board computers and the cloud.

The use of multiple networks and real-time data creates vulnerabilities that can ─ and likely will ─ be exploited by malicious cyber actors. The risks are significant in both financial and human terms.

Threats

Cybercrime pays, and agriculture is ripe for attack. The increasing application of smart technology and devices only elevates the risk of the agricultural industry being impacted by a cyber attack. Cyber criminals are looking for industries that are digitally exposed and might not have strong defences. In response to these threats, earlier this year HSBC UK issued a strong warning to UK farmers to “be vigilant against fraud attacks in the face of increasingly sophisticated levels of fraud and cybersecurity attacks against the agricultural industry.”¹

The Canadian government has identified the risk to agriculture, agri-food and the supply chain as being among the top 10 critical infrastructure challenges. As early as 2018, Agriculture Canada began to gather data from the industry regarding its cybersecurity protection measures in an effort to mitigate the risks and threats facing these vital systems.

There are literally hundreds of cyber attack scenarios that could seriously impact precision agriculture. Consider these examples of attacks that have been seen, or are anticipated as high probability, in the agriculture sector.

Data integrity attack – A cyber threat actor protesting the use of antibiotics in meat targets a large cattle operation and modifies the health-related data of the herd to make it look like the cattle have a disease. They release this false data on the Internet.

It could take weeks to confirm through lab testing that there was no outbreak, and even more time to convince people the results are to be trusted. By then, the damage is done: there would be a loss of product value, stock value, trade relationships and public trust.

Sensor hack - A cyber threat actor hacks an irrigation network and submits rogue data into a sensor network showing that watering is continuously required. Since the sensor is linked to an automated decision support system for irrigation, the fields flood, causing significant crop damage.

IoT attack - A cyber threat actor adjusts the operating conditions of an IoT sensor managing the environment of a large poultry barn, deliberately manipulating false readings to programmable logic controllers. The interference causes a disastrous change to temperature and feeding conditions, impacting animal health and production.

Ransomware – An employee opens an email attachment and ransomware spreads across the network, encrypting data and halting production. There is no known way to break ransomware encryption. Many smaller operations cannot afford to pay a ransom, but if you don’t pay, you don’t get your data back. In some recent attacks, data has been withheld even after ransoms were paid.

Basic protections

To protect systems and mitigate risk, consider these action areas.

1. Assess risks and implement security and performance controls. Implement recognized information security critical security controls to maintain and protect embedded and digital tools used in precision agriculture. A number of these controls are provided by equipment and software service providers.
    
2. Extend security practices to the local farm networks. An effective model is the Center for Internet Security’s (CIS) Basic Controls. Taken together with the protections applied to precision farming applications, they provide good defense-in-depth to protect against threats and to mitigate impacts when incidents inevitably occur. The CIS Basic Control areas include:

• inventory of hardware and software;
• continuous vulnerability management;
• controlled use of administrative privileges;
• secure configurations; and
• monitoring, analysis and maintenance of logs.

3. Build resiliency and redundancy of systems to compensate for system loss or network degradation by developing multiple communication and computer processing paths, such as 5G cellular, Wi-Fi, satellite, cloud services and edge computing. For example, alternative technologies, such as lidar or cameras mounted on equipment, can be used to create alternate modes for navigation and guidance.
    
4. Security awareness and staff training are critical. Many attacks begin with an opened attachment, a single mouse click or a website visited. Staff must be trained to understand the risks and act in a secure manner within systems.
    
5. Cyber risk insurance in the agriculture sector has generally lagged that of other industries, but it can be an effective means to help transfer some of the risk and to assist with the costs associated with a cyber-threat event. Many policies provide for immediate expert assistance to help identify and manage a cyber event and pay for recovery actions, and they often include provisions to compensate for loss of revenue.

I recognize that this brief article only scratches the surface of the cyber threat spectrum, but I hope it has provoked some thought on the potential risks and impacts to the agriculture sector and encouraged you to review your own level of protection with your IT staff or managed service provider.

For a more comprehensive evaluation of your security, and to develop a network security solution set tailored to your environment, talk to us at Baker Tilly, your partners in cyber risk management.