Precision farming promises more output, cheaper input costs, and greater efficiency, but it has a fatal flaw: highly developed, networked computer systems.
Farmers are thought to be especially at risk because of how interdependent they are and how time-sensitive their activity is.
These systems can be operated remotely and were in fact created for remote control. In May 2022, John Deere powerfully illustrated this point by disabling tractors that Russian invaders had taken from Ukraine.
Imagine: It’s a gorgeous, sunny autumn day that would be ideal for harvest. However, the combination won’t run. Its panel merely states that payment must be made to an unidentified address in order to unlock the system. The weather won’t last, and time is running out. How will you proceed?
Could “threat actors” like fraudsters, irate employees, or even state-sponsored operators wanting to hurt a rival country use the same ag tech systems to their advantage?
Threat actors are already active against computer systems used in grain handling. After several such “ransomware” attacks in the United States last year timed to disrupt seeding and harvest, the FBI issued a notification in April to alert the ag industry, and particularly co-operatives, of the danger.
“Cyber actors may perceive co-operatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production,” the alert reads.
A ransomware attack on the Union des producteurs agricoles in Quebec on August 7 appears to support this in Canada, just in time for harvest. While it investigates and replies, the organisation, which speaks for over 42,000 farmers and forestry producers in the province, is remaining mum about the incident.
These attacks have primarily targeted stationary targets, but as information technology becomes more pervasive and sophisticated on modern farms, the possibility of going mobile is growing. Sensor-equipped, computer-driven tractors, combines, and sprayers are connected to desktop computers in the home. The internet is used to connect everything remotely. The danger is a part of a wider pattern of assaults on vital infrastructure.
800 commercial farmers in the United States (defined as those with 1,000 acres or more) were polled in 2019 by researchers at Purdue University’s Center for Commercial Agriculture. Up to 90% of farmers with operations of 2,000 acres or more employed images, soil sample, and yield monitoring to inform decisions on planting and fertiliser rates as well as drainage, according to a paper published in 2021. On farms larger than 5,000 acres, the percentage increased to over two-thirds, with nearly half of the farms in the survey using data software products and services. More than 70% of respondents disclosed at least one outside service provider with whom they shared their data.
According to studies included in the report, the adoption of precision agriculture is comparable to that of genetic modification technologies from a previous generation. Guidance systems, sprayer boom control, and section or row shutoffs for planters are all becoming commonplace. Even while variable rate technology is still being adopted more slowly, advances in robots and artificial intelligence are predicted to speed up this process. Already, while automated systems handle the majority of regular and repetitive tasks, a producer frequently has time to examine the markets and do planning tasks while sitting in the combine.
But according to an Australian researcher and ethical hacker who goes by the handle Sick.Codes online, these same systems are rife with holes that threat actors can exploit. Sick.Codes claimed in a presentation to the DefCon hacking conference in 2021 that he first chose ag tech as a field to investigate since “no one else was.”
It was alarming what he and his colleagues discovered. The large manufacturers they looked at lacked fundamental security features, such instructions for outside developers to follow so they don’t introduce vulnerabilities into their software. Sick. Codes said that obtaining a developer account or access to a master dealer administrator login to tinker with the systems was simple. Once inside, the cyber team quickly discovered usernames, passwords, as well as the genuine names and addresses of specific dealers and clients.