Food supply chain cyber threats are down on the farm
The U.S. heartland is often dismissed as “flyover country.” But it is essential — perhaps more than those on the coasts might want to admit. Because it’s also “feed-the-world” country.
Without flyover country — as in farm country — none of us would be eating at upscale restaurants or shopping at upscale grocery chains. Without food, everything else fades to insignificance.
Which makes farms very much part of the nation’s critical infrastructure. It also could make them a tempting target for cyber attackers.
Because modern farms, for all the dirt in the fingernails of those who run them, operate in cyberspace. The mammoth machines — some retail for more than $1 million — that plow, plant, fertilize, and harvest hundreds to thousands of acres every year (a mid-size farm is more than 1,500 acres) are increasingly autonomous through connections like Wi-Fi, 5G cellular service, radio sensors, and GPS.
And if humans aren’t directly in control, it’s software that keeps mega-tractors, combines, and harvesters where they are supposed to be. It’s software that controls everything from whether to plant or chew up cornstalks, and the amount of fertilizer, herbicide, and insecticide those machines spread.
That means if malicious hackers could exploit software vulnerabilities to penetrate those systems and install a malicious firmware update, they could shut down a whole fleet of machines right at planting or harvest time. Or take control not only of where those machines go but how much fertilizer, herbicide, or insecticide they distribute on a given field.
The risk debate
How likely is any of that to happen? There is considerable debate about that.
According to an ethical hacker who goes by the name Sick Codes, the risk is high. He presented his findings (acknowledging the help of a number of fellow hackers) of multiple vulnerabilities in two of the largest agricultural equipment vendors in the U.S. — John Deere and Case IH — through video at the DEF CON conference earlier this month, calling it “a tractor-load of vulnerabilities in the global food supply chain.”
But according to James Paul, managing director at the Synopsys Software Integrity Group, while Sick Codes’ findings may be technically accurate, they overstate the risk.
“I think farming is likely one of the last places threat actors would hit,” he said. “Food supply would be more easily attacked in distribution.”
He added that while farming equipment may be moving toward autonomy and the mega-farms may be using it, that is not yet the norm. “The vast majority of farmers I know — and I know a lot of them — are relatively good-sized operations but smaller than the large conglomerates, and almost none of them have persistent connectivity in their equipment besides GPS,” he said. “Many farms are in areas that still struggle to get even consistent cellular signals, let alone broadband.”
Paul Roberts, editor-in-chief at The Security Ledger, who has done considerable reporting on the lack of security in agricultural machinery, agrees that some of the scenarios predicted by Sick Codes, such as overdosing fields with poisonous chemicals, may fall into the “next-generation-evil” category. “But that’s a thin thread to hang a ‘not-a-problem’ sign on,” he said.
The more immediate, and realistic, threat, he believes, is denial of service — the ability of a hacker to push out a malicious firmware update that would “brick” machines (render them useless) at a crucial time of the season.
“Through its precision agriculture platform JDLink Connect, John Deere has already created a single point of failure for hundreds of thousands of deployed planters, harvesters, tractors — mission-critical equipment,” Roberts said.
If a fleet of John Deere tractors or combines went down, farmers wouldn’t be able to fix them because the company doesn’t allow customers access to its software. And the company wouldn’t have the staff to deal with hundreds or thousands of broken machines, Roberts said, since a fix likely wouldn’t be as simple as pushing out an update over the internet. If it was a ransomware attack, it could take days or weeks for a company to get its systems functioning to the point where it could even create a patch.
“And with agriculture, unlike shipping, that’s the difference between a successful and a failed harvest versus just an unexpected delay in delivery,” he said.
However likely or imminent the risk, the point of Sick Codes’ presentation was that such attacks are possible, and it would make sense to take steps now to prevent them.
Part of his case was that, until earlier this year, there wasn’t any documentation of a single software vulnerability attributed to John Deere.
Roberts noted the same thing in Forbes this past April. John Deere “is as much a software maker and data broker as an agricultural equipment maker,” he wrote. “Millions of lines of software code run its GPS-directed and internet-connected precision farming machinery. Furthermore, its equipment relays terabytes of data via satellite and cellular connections from customer farms to Deere’s cloud servers.”
Yet when he searched the U.S. National Vulnerability Database and the CVE (Common Vulnerabilities and Exposures) list (maintained by Mitre Corp.) that assigns an ID number and severity level to known software vulnerabilities, he found none attributed to John Deere.
That might sound like good news but it’s not. It’s very bad news — unless you’re a hacker. Because there is no such thing as perfect software. It’s written by humans, which means there are defects in it. And one of the most important things an organization can do is find and fix those defects before criminal hackers do.
Sick Codes said he had found a number of defects in both the John Deere and Case IH software.
After showing a map of a portion of the heartland dotted with hundreds of farms, he said that if attackers could access the equipment used on any farm, they could “permanently deny service to that farm by simply overspraying in one season, literally loading up fertile ground with too many chemicals. And then for the next year, or even the next 50 years, it would be infertile or unsuitable ground. You could do that with a few lines of malicious code.”
Or a hacker could install “a firmware update that inserts an offset into the GPS locations used by the target. The target navigates itself onto a highway, into a river, through a fence, over a cliff, or whatever. The target is destroyed,” he said.
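The GPS-offset scenario above has a straightforward on-machine defence: treat every position fix as untrusted input and refuse to act on one that falls outside the field boundary or that implies a jump no tractor could make. The Python below is an added example, not John Deere or Case IH code; the field polygon, the 12 m/s speed ceiling, the sample tracks and the function names are all constructed for the illustration.

```python
"""Plausibility checks for GPS fixes fed to an autonomous farm machine.

Added example (not vendor code). A firmware update that adds an offset to
every GPS reading shows up in one of two ways: the fix leaves the field
boundary, or consecutive fixes imply a speed the machine cannot reach.
Both are checked here, and the first failing fix stops the track.
"""
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MAX_SPEED_MPS = 12.0  # assumed ceiling, well above typical field working speeds


@dataclass(frozen=True)
class Fix:
    t: float    # seconds since start of job
    lat: float  # degrees
    lon: float  # degrees


def point_in_polygon(lat: float, lon: float, polygon) -> bool:
    """Ray-casting test; polygon is a list of (lat, lon) vertices."""
    x, y = lon, lat
    inside = False
    j = len(polygon) - 1
    for i in range(len(polygon)):
        yi, xi = polygon[i]
        yj, xj = polygon[j]
        crosses = (yi > y) != (yj > y)
        if crosses and x < (xj - xi) * (y - yi) / (yj - yi) + xi:
            inside = not inside
        j = i
    return inside


def distance_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes (haversine formula)."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def check_fix(prev, fix: Fix, field):
    """Return (ok, reason) for one fix, given the previously accepted fix."""
    if not point_in_polygon(fix.lat, fix.lon, field):
        return False, "outside field boundary"
    if prev is not None:
        dt = fix.t - prev.t
        if dt <= 0:
            return False, "non-increasing timestamp"
        speed = distance_m(prev, fix) / dt
        if speed > MAX_SPEED_MPS:
            return False, f"implausible speed {speed:.1f} m/s"
    return True, "ok"


def first_rejection(track, field):
    """Walk a track in order and return (index, reason) of the first rejected
    fix, or None if every fix is plausible. A real controller would halt the
    machine at that point instead of continuing to navigate."""
    prev = None
    for i, fix in enumerate(track):
        ok, reason = check_fix(prev, fix, field)
        if not ok:
            return i, reason
        prev = fix
    return None


# --- constructed sample data (not real farm coordinates) ---
# Roughly 1 km x 1 km field; vertices as (lat, lon).
FIELD = [(41.000, -96.000), (41.000, -95.988), (41.009, -95.988), (41.009, -96.000)]

# Honest pass along one row at about 2.5 m/s, one fix every 10 s.
HONEST_TRACK = [Fix(10 * k, 41.0045, -95.9995 + 0.0003 * k) for k in range(5)]


def with_offset(track, dlat, dlon, start):
    """Model an injected offset applied to every fix from index `start` on."""
    return [Fix(f.t, f.lat + dlat, f.lon + dlon) if i >= start else f
            for i, f in enumerate(track)]


# Large offset: the machine appears about 2 km north, outside the field.
LARGE_OFFSET_TRACK = with_offset(HONEST_TRACK, 0.02, 0.0, start=3)
# Small offset (about 330 m): still inside the field, but an impossible jump.
SMALL_OFFSET_TRACK = with_offset(HONEST_TRACK, 0.003, 0.0, start=3)

if __name__ == "__main__":
    for name, track in [("honest", HONEST_TRACK),
                        ("large offset", LARGE_OFFSET_TRACK),
                        ("small offset", SMALL_OFFSET_TRACK)]:
        print(name, first_rejection(track, FIELD))
```

The two checks are complementary: the boundary test catches an offset large enough to leave the field regardless of when it was introduced, while the speed test catches a small offset that stays inside the field but appears as a sudden jump between consecutive fixes.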
Autonomous isn’t the norm, but …
Paul again says such scenarios are highly unlikely in the real world. “I’ve personally never seen an automated tractor in a field,” he said. “Perhaps they will get there but right now it doesn’t work that way.”
The application of chemicals isn’t autonomous either, Paul said, explaining that chemicals are driven to fields in large tanks that have “just about enough to cover that field at the appropriate application level.”
Still, Sick Codes said hacking into the John Deere operations center was alarmingly easy, although one good result from his and his collaborators’ efforts is that there are now some CVE identifiers attributed to John Deere. Among the vulnerabilities the group found were:
- A misconfiguration of John Deere’s Pega Chat Access Group Portal (CVE-2021-27653) that defaults to administrative credentials, giving access to anyone on the platform.
- A cross-site scripting vulnerability that enabled the hackers to get “John Deere employee access, which we probably shouldn’t have,” he said. That gave them access to “the equipment reservation page for machine demo units. We were able to book units, cancel appointments, reassign tractors to certain locations. We injected the database and pulled out every single row, and we could see every single demo unit that was ever provided with the email addresses used to book those units.”
Those and other vulnerabilities — a total of 11 — allowed Sick Codes “to upload files to any user, log in as end-user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log into any third-party accounts — we could literally do whatever the heck we wanted with anything we wanted on the John Deere operations center, period. And that’s when we pretty much stopped, because we pretty much had the whole organization.”
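The reservation-page findings above, a cross-site scripting bug and a database injection that pulled out every row, are the two classic web defects, and both come down to splicing untrusted text into code. The Python below is an added example, not John Deere's application: it builds a constructed in-memory SQLite table of demo units and shows a string-built query beside its parameterized replacement, and raw HTML output beside escaped output. The table, column, row values and function names are the example's own.

```python
"""Injection and XSS, vulnerable and fixed, on a toy demo-unit reservation table.

Added example (not vendor code). The schema and rows are constructed.
"""
import html
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: demo units booked at dealer locations."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE demo_units (unit_id TEXT, location TEXT, booked_by TEXT)"
    )
    conn.executemany(
        "INSERT INTO demo_units VALUES (?, ?, ?)",
        [
            ("DEMO-001", "Omaha", "alice@example.com"),
            ("DEMO-002", "Lincoln", "bob@example.com"),
            ("DEMO-003", "Kearney", "carol@example.com"),
        ],
    )
    return conn


def lookup_vulnerable(conn, location: str):
    """Builds the WHERE clause by string formatting: the caller's text becomes
    part of the SQL, so a crafted value rewrites the query."""
    sql = f"SELECT unit_id, location, booked_by FROM demo_units WHERE location = '{location}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, location: str):
    """Parameterized query: the driver binds the value, so it can only ever be
    compared against the column and is never parsed as SQL."""
    sql = "SELECT unit_id, location, booked_by FROM demo_units WHERE location = ?"
    return conn.execute(sql, (location,)).fetchall()


def render_vulnerable(rows) -> str:
    """Interpolates database values straight into HTML: stored XSS if a
    booking email or location contains markup."""
    return "".join(f"<li>{u} at {loc}, booked by {who}</li>" for u, loc, who in rows)


def render_safe(rows) -> str:
    """Escapes every value before it reaches the page."""
    return "".join(
        f"<li>{html.escape(u)} at {html.escape(loc)}, booked by {html.escape(who)}</li>"
        for u, loc, who in rows
    )


# Textbook tautology input; it only matters because lookup_vulnerable
# splices it into the query text, where it becomes part of the WHERE clause.
DUMP_ALL = "' OR '1'='1"
# Constructed booking value carrying markup, to show the rendering difference.
MARKUP_EMAIL = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_demo_db()
    print("vulnerable lookup:", len(lookup_vulnerable(db, DUMP_ALL)), "rows for the tautology")
    print("safe lookup:", len(lookup_safe(db, DUMP_ALL)), "rows for the same input")
    print(render_safe([("DEMO-004", "Grand Island", MARKUP_EMAIL)]))
```

The fix in both cases is the same principle: data is passed through a channel that cannot change the structure of the code it lands in, bound parameters for the query and entity escaping for the HTML. A reservation page built this way returns zero rows for the tautology and shows the markup as text rather than executing it.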
If there is good news here, it is that, although Sick Codes said he had to get help from the U.S. Cybersecurity and Infrastructure Security Agency to get John Deere to respond to his findings, the company has since taken some visible steps toward better security.
Among them, this month it joined a bug bounty program operated by HackerOne, which allows good-faith researchers to probe its systems and products for vulnerabilities.
Unlike many high-profile bug bounty programs, though, the company offers no rewards to those who find defects. “John Deere does not operate a bug bounty program and makes no offer of reward or compensation in exchange for submitting potential vulnerabilities,” it says on the HackerOne website.
The company also told Threatpost that “none of the vulnerabilities identified enabled access to customer accounts, agronomic data, dealer accounts or sensitive personal information — nor did they provide anyone the ability to remotely operate equipment.”
And it said it has increased its security budget by 750%.
But the number of security holes Sick Codes was able to find and exploit so rapidly suggests that a skilled, motivated team of hackers from a hostile nation state could damage at least a portion of the nation’s food supply.
While the ransomware attack earlier this year on JBS Foods, the world’s largest meat supplier, was an example of what attackers could do to distributors, the Sick Codes presentation illustrates the risk to producers. If that part of the supply chain gets shut down at a critical time, there won’t be much for distributors to distribute.
“I think it was just a matter of time until someone started picking on the food suppliers’ cyber posture — that and water seem to be pretty easy targets, and they’re both sectors that if successfully attacked, would have a significant psychological effect on the American people,” said Emile Monette, director of value chain security at Synopsys.
“Food supply chain actions by the government have focused on continuity of supply, not necessarily on the security of the food suppliers themselves,” he added.
Fertile attack surface
Travis Biehn, principal consultant with the Synopsys Software Integrity Group, agrees, noting that “as attackers get closer to commonplace direct kinetic/physical effects, the farming industry seems like fertile ground for growing their playbooks and skills.”
And given the cyber risks to the increasingly autonomous consumer vehicles from malicious over-the-air updates, “I don’t know why doing the same to farming equipment would be much more of a stretch,” Biehn said, adding that if John Deere or any organization is expanding its security budget, it could dramatically improve its software security by using resources that have been available for more than a decade.
They include the annual Synopsys Building Security in Maturity Model (BSIMM) report that this year documents the software security initiatives of 128 organizations in multiple verticals, and the Open Web Application Security Project (OWASP) Top 10, which tracks the most severe and exploitable vulnerabilities in software.
Those, Biehn said, “can manifest into newly minted security capability.”
Paul still believes the risks to farms, at least at the moment, are low. “Bad actors mostly tend to be criminals who hit financial targets for financial gain. Bad actors who hit critical infrastructure are going to be state-sponsored or highly organized terrorists,” he said. “They aren’t going to have the patience to go after such a decentralized and poorly connected component of critical infrastructure, especially when it’s pretty simple to shut down gas pipelines, electrical grids, stock exchanges, etc.”
Roberts is less optimistic. “If you think the attack surface is too large, consider that just 100 large farms produce 80% of Nebraska’s beans and corn,” he said.
“And, as Sick Codes illustrated, John Deere’s equipment would tell the attackers exactly what farm they were on, who the owner was, etc. An adversary could be very surgical in where they targeted that attack, if they so choose. Or not. Why not take out everyone’s equipment and make sure the attack is successful?”