FBI warning of cyber risks for nation’s food supply misses the machinery
“Software is eating the world” has become a cliché since Mosaic creator and Netscape cofounder Marc Andreessen coined it in 2011. More recently it’s becoming clear that it needs an update: Software could determine whether the people in the world will eat — or not.
Indeed, there are benefits and risks from using software in anything. It can (and does) make farming vastly more efficient and productive. But it’s made by humans, which means it’s not perfect, and if malicious hackers are able to exploit those imperfections, they could damage or shut down agricultural operations at critical times of the year.
The FBI, in a recent flash alert, warned of exactly that — the threat of ransomware attacks is increasing in the agriculture industry, especially at times like spring planting and fall harvest.
“Although ransomware attacks against the entire farm-to-table spectrum of the FA [food and agriculture] sector occur on a regular basis, the number of cyberattacks against agricultural cooperatives during key seasons is notable,” the alert stated.
Among the ransomware attacks the agency listed from 2021 were those against six grain cooperatives last fall, between Sept. 15 and Oct. 6. “A variety of ransomware variants were used, including Conti, BlackMatter, SunCrypt, Sodinokibi, and BlackByte. Some targeted entities had to completely halt production while others lost administrative functions,” the FBI alert reported.
Cybersecurity experts within the FA sector welcomed the alert, which came with more than a dozen recommendations to “mitigate the threat and protect against ransomware attacks.” The recommendations include improving data protection, network segmentation, keeping systems patched and up-to-date, multifactor authentication, strong passwords, and using a virtual private network.
A gaping hole
But those experts note that the alert and the recommendations are focused on the office, administration, and distribution operations of those businesses, which they say leaves a gaping hole — vulnerable farm machinery that is increasingly run by software.
Connected farm machinery isn’t mainstream yet, but in the nation’s breadbasket larger farms do increasingly operate in cyberspace. The mammoth machines — some retail for more than $1 million — that plow, plant, fertilize, and harvest hundreds to thousands of acres every year (a midsize farm is more than 1,500 acres) are increasingly autonomous through internet connections.
An ethical hacker who goes by the name Sick Codes, in a presentation at DEF CON 29 in August 2021, said he and fellow hackers had found “a tractor-load of vulnerabilities in the global food supply chain,” specifically in farming machinery that he said could allow attackers to shut them down at crucial times like planting or harvesting.
Kevin Kenney, a Nebraska farmer and inventor who has worked with Sick Codes in researching vulnerabilities in connected farm equipment, said while he agrees with everything in the recent FBI alert, “I don’t think anyone at the FBI who authored this alert knows how and where these threats actually exist within the modern tractors farmers use daily.”
“It’s one thing to worry about large farm cooperatives. It’s exponentially worse when you see the immense threat with modular telematic gateway (MTG) hooking all types of agricultural equipment systems to the cloud without any consideration for cybersecurity constructs,” he said.
“In a nutshell, tractors are linked to the cloud and they’re vulnerable.”
Indeed, John Deere, the $120 billion giant in the heavy equipment industry, is touting those links to the cloud. It announced in February that its autonomous tractor is “production ready” and will be available to farmers before the end of the year.
That means farmers won’t even have to sit in the cab. According to the company, once they drive the tractor to the field, configure it, and swipe a screen to start, they can leave and monitor its progress on a mobile device.
Which is obviously convenient, and if it does become mainstream, will save tens of thousands of days of labor. But it’s also risky, according to researchers like Kenney and Sick Codes.
They note that tractors and other farm machinery from John Deere use Microsoft Windows Embedded Compact/CE, a 26-year-old operating system that has been out of mainstream support since 2018. Extended support, including critical security updates, will end next year.
One recent example of the implications of connectivity comes from the war in Ukraine. CNN reported this past weekend that Russian forces plundered about $5 million in farm machinery from a John Deere dealership in Ukraine, but when they transported it to Chechnya they couldn’t use it because it had been remotely locked.
While most of the world would applaud that, it shows that if malicious hackers got the same kind of control, they could disable farm machinery anywhere in the world, at least temporarily — possibly long enough to compromise planting or harvest.
Kenney also said farmers can’t even follow many of the recommendations in the FBI alert. For example, one of them says to “regularly back up data, air gap, and password-protect backup copies offline. Ensure copies of critical data are not accessible for modification or deletion from the system where the data resides.”
“That’s a great idea,” he said. “But agricultural technology and equipment manufacturers, known as ATEMs, like John Deere, Case, Kabota, etc., don’t provide the tools — software, hardware, and information — to back up and restore software.”
He added that “John Deere has no fast way to restore software from cyberattacked tractors. It’s been reported that it would take days for a tractor to be restored after a lightning strike,” which could be similar or worse in the event of a successful cyberattack.
He also said most farmers don’t even know about, or understand, how MTG works.
“I sat through a job interview in June 2021 with the vice president of agronomy for the CVA [Central Valley Ag] Cooperative in York, Nebraska — one of the largest farm cooperatives in the Midwest,” he said.
“It surprised and disturbed me when I showed him a picture of the MTG and asked him if he knew what it was. He said he had no idea. Even more amazing, 95% of farmers don’t either.”
What that means, he said, is that “the CVA Coop, like hundreds of other unsuspecting farm cooperatives, has vulnerabilities within all of their mobile custom livestock, seed, fertilizer, and logistics services because of their unprotected cellular MTG modem linked to the cloud.”
Does that mean a hostile nation state could put the nation at risk of a catastrophic spike in food prices or at the risk of a significant lack of food?
Technically yes — a single ransomware attack on meat supplier JBS in May 2021 led to a major price spike. And that was just on the distribution system, not the raising and feeding of cattle.
But while cybersecurity experts worldwide are constant advocates for better software security, not all of them see the FA sector at an extreme level of risk.
James Paul, managing director with the Synopsys Software Integrity Group, said last year that the findings of researchers like Sick Codes may be technically accurate, but overstate the risk.
While farm machinery may be moving toward autonomous and the mega-farms may be using it, he said it’s not close to mainstream. “The vast majority of farmers I know — and I know a lot of them — are relatively good-sized operations but smaller than the large conglomerates, and almost none of them have persistent connectivity in their equipment besides GPS,” he said. “Many farms are in areas that still struggle to get even consistent cellular signals, let alone broadband.”
But Paul Roberts, editor-in-chief at The Security Ledger, who has reported extensively on the lack of security in agricultural machinery, said it wouldn’t take attacks on thousands of farms to cause major damage. “Consider that just 100 large farms produce 80% of Nebraska’s beans and corn,” he said.
“Looking at platforms like the John Deere operations center, it’s a central point collecting data from deployed equipment and pushing out software updates, etc. A successful compromise of that platform could conceivably be used to brick [disable] equipment deployed in the field.”
“And, from what I understand, unbricking such sophisticated equipment isn’t just a matter of holding down the start button, so to speak,” Roberts said. “It can take days to flash and restore a downed tractor, sprayer, harvester, etc. A widespread attack on the agriculture equipment supply chain might require thousands of service technicians to visit individual, far-flung farms to perform the restoration work — something it’s doubtful vendors like Deere could support.”
And, as the FBI alert noted, disabling farming operations at critical times, like planting and harvest, could cause major havoc. It’s not like an unexpected delay in the delivery of a product, which often is merely an annoyance, Roberts said. “It’s chaos, and fallow fields.”
Roberts said if there is any progress on the problem at the government level, it is increased awareness. “DHS [Department of Homeland Security] and CISA [Cybersecurity and Infrastructure Security Agency] are aware of the risk,” he said, because researchers like Sick Codes and I have spoken with them.”
Better awareness, but …
But he and Kenney say it’s difficult for researchers to test the cybersecurity of farm machinery because each machine costs so much and the vendors don’t make them available. “That keeps the hardware out of the hands of security researchers who might otherwise find and disclose serious, remotely exploitable vulnerabilities,” Roberts said.
Kenney said until the risks are addressed, farm machinery should be disconnected from the internet. “MTGs are a luxury for a few farmers and a hazard for all farmers who own these tractors built in the last 10 years,” he said.