70. A tractorload of vulnerabilities

Cybersecurity in agriculture

Hi. If you are new here, I am Rhishi Pethe, and I am excited you’re in the “Software is Feeding the World'' community. Every Sunday, you will receive this free newsletter at the intersection of technology and agriculture systems. I am a product manager at Project Mineral (focused on sustainable agriculture) at X, the moonshot factory. The views expressed in this newsletter are my personal opinions.

Freedom to operate

Last week I wrote about unbundling of human beings (in agriculture). This unbundling is enabled by technology, software, data, and models.

Increasingly, the physical infrastructure of atoms is managed by the digital infrastructure of bits.

It makes agriculture and food systems vulnerable to online attacks and hackers.

A few months back, JBS, the largest meat processing company in the world was hacked and their operations in multiple countries were impacted. JBS had to pay $ 11 million ransom to the hackers to get the issue resolved.

These attacks threaten the “freedom to operate” (FTO) of agribusinesses.

Tractorload of Vulnerabilities

A group of hackers (security researchers ?!), recently published their findings after months of research, with a catchy headline,

Hacker Says He Found a ‘Tractorload of Vulnerabilities’ at John Deere

Security researchers found multiple vulnerabilities in the systems of John Deere and Case New Holland, two of the country's largest agriculture tech companies. In the wrong hands, they warn that these weaknesses could put consumers and the global food supply chain at risk. (highlights by me)

The hackers who go by the name “Sick Code,” (props for a great name!) published a YouTube video detailing their findings.

Some of the most pressing security problems in digital agriculture involve the physical infrastructure. They could take the form of plant factory control system intrusion, or unmanned aerial vehicle false position.

In Die Hard 2, Flight Windsor 114 crashed into the runway as terrorists messed with its positioning system, even though John McLane was on the runway with burning torches.

From Die Hard 2. Intentional corruption of altitude data.(Image Source: CBR.com)

From Die Hard 2. John McClane trying to warn the cockpit about the runway location.(Image Source: CBR.com)

The hackers lay out different scenarios a bad actor could execute on.

The sprayers are programmed by the hacker to unevenly spray the chemicals on the crops, applying ten times the chemical on certain parts of the field, and a tenth the dose on other parts.

This is a case of a variable rate prescription gone rogue!

The hackers said they could,

upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log in to any third party accounts. We could literally do whatever the heck we wanted with anything we wanted on the John Deere operation center. (highlights by me)

These challenges are not unique to equipment manufacturers. Hackers can disrupt trials run by input companies, hack into crop yield and marketing data to disrupt commodity markets, and many similar scenarios. Hackers can disrupt farming operations of individual farmers, just as a virus attack on your computer can cause financial and non-financial damage to common consumers.

Who are these hackers?

James Bond Villains

Renée DiResta is a technical research manager at Stanford Internet Observatory, and one of the foremost thinkers on information wars, fake news, and digital disruption. Her seminal 2018 article “The Digital Maginot Line should be required reading for everyone. She calls out the “Dramatis Personae” in the digital disruption phenomenon, 

The combatants are professional, state-employed cyberwarriors and seasoned amateur guerrillas pursuing very well-defined objectives with military precision and specialized tools.

If you think of James Bond villains from the 60s and 70s, they felt comical and unreal at times, but the stories were prescient. Dr. No, Goldfinger acted independently. The cyber villains are mostly independent bad actors. Though, these independent bad actors can, are and will be supported by certain governments, as weapons in cyber warfare.

Are these challenges specific to agriculture

Janette Barnard (Prime Future) made an important point in her writeup about the JBS incident.

“Cyber security risk is industry agnostic. Ag companies are not unique snowflakes, which means mitigation strategies put to work in other industries also work in ag.”

Agribusinesses need to stick to the basics of cyber and information security: confidentiality, integrity, and availability.

Fig. 1. The Confidentiality, Integrity, Availability (CIA) triad.

C: Confidentiality covers data privacy; only authorized users can access each system or view each piece of information.

I: Integrity covers the data stored in a system being valid and accurate; only authorized users can use a system and modify the data.

A: Availability covers the data or services being accessible; authorized users can use the system and access the data.

Agriculture’s traditional focus has been on performance, and safety, but not security.

Even though the cybersecurity threat is industry agnostic, some of the solutions might not be. Cybersecurity presents a significant research challenge for agriculture. The current datasets used in machine learning based approaches to detect network detection are not based on smart agriculture ecosystems and environments. So new datasets will be required to build models of intrusion and detection.

A recent cyber survey of agribusinesses, found 56% of respondents ranked cybersecurity as a top 5 risk management priority, but only 45% had a plan in place, and only 20% are confident their data is secure, with almost no one with a contingency plan to manage breaches.

Agribusinesses need to take cybersecurity seriously as it jeopardizes their freedom to operate as a business. John Deere responded to the “Sick Code” analysis and said to have increased their security spending by 750% in the last 7 years. There is no good way to calibrate this increase. Given the explosion in devices, and data collection in the last few years, anything less would have seemed inadequate. 

“Freedom to operate” is not only a security and operational issue, but also a reputation issue. Customers will not trust an agribusiness and will not do business with it, if it cannot keep the physical and digital infrastructure safe.

Do it now or do it later?

In my personal experience, resource and budget allocation for information security from cyber threats can be a challenge. These “Freedom to Operate (FTO)” budgets contend with budgets for new product development, and product improvements. Cybersecurity investments and improvements are largely invisible to customers. In case of competing priorities, it is easy to kick the cybersecurity can down the road. 

FTO budgets can be perceived as slowing down product roadmaps and can create friction. It is important to not accumulate technical debt on cybersecurity, but to keep plugging away at it. This approach reduces the probability of a large incident.

Management teams, right from the C-Suite should talk about the importance of cybersecurity. Management should calibrate and allocate resources to manage cybersecurity on an ongoing basis, with little room for negotiation on “must-do” activities. There will be temptations from product teams to label their roadmap items as necessary to cybersecurity and a “must-do.” (I have been guilty of doing it, and fortunately in hindsight with negligible success!)

As the digital infrastructure becomes global, and multi-layered, agribusinesses will have to adopt industry best practices like “Defense in Depth.”

Defense in Depth (DiD) is an approach to cybersecurity in which a series of defensive mechanisms are layered in order to protect valuable data and information. If one mechanism fails, another steps up immediately to thwart an attack.

Approaches like defense-in-depth, ensure cybersecurity is not an afterthought, but is baked into your product development and operational processes.

Agribusinesses should conduct internal and independent external audits to measure the progress on cybersecurity, and make changes based on the recommendations.

A secure infrastructure, if done well, can be a differentiator for the company.

A “tractorload of vulnerabilities” can jeopardize the freedom to operate as a business. Do not let it happen!

So, what do you think?

💗 If you like “Software is feeding the world”, please hit the “Like” button at the bottom or share with a friend.

🙏 If you don’t mind answering 3 questions anonymously (2 are optional), I would love to get your feedback.