Farmers considered particularly at risk due to the time-sensitive nature of their work and how interconnected they are
Precision agriculture promises greater efficiency, lower inputs and greater productivity but it comes with an Achilles heel: its sophisticated interconnected computer systems.
These systems can be — in fact are designed to be — remotely operated. John Deere dramatically demonstrated this in May 2022 when the company disabled tractors looted from Ukraine by invading Russian forces.
Could these same ag tech systems be exploited by “threat actors” such as cybercriminals, disgruntled insiders or even state-sponsored operators looking to harm a rival nation?
Imagine: it’s a beautiful sunny autumn day, perfect for harvest. But the combine won’t start. Its screen simply displays a message saying that payment must be sent to an anonymous address to unlock the system. The clock is ticking and the weather won’t last. What will you do?
Read Also
Man charged after assault at grain elevator
RCMP have charged a 51-year-old Weyburn man after an altercation at the Pioneer elevator at Corinne, Sask. July 22.
Threat actors are already active against computer systems used in grain handling. After several such “ransomware” attacks in the United States last year timed to disrupt seeding and harvest, the FBI issued a notification in April to alert the ag industry, and particularly co-operatives, of the danger.
“Cyber actors may perceive co-operatives as lucrative targets with a willingness to pay due to the time-sensitive role they play in agricultural production,” the alert reads.
This seems to be borne out in Canada with an Aug. 7 ransomware attack on l’Union des producteurs agricoles in Quebec just in time for harvest. The group, which represents about 42,000 farmers and forestry producers in the province, is keeping tight-lipped about the incident while it investigates and responds.
While these attacks have focused on stationary targets, the potential to go mobile is growing as information technology becomes ever more pervasive and sophisticated on modern farms. Desktop computers in the house are linked to sensor-laden, computer-driven tractors, combines and sprayers. Everything is linked remotely to the internet.
The threat is part of a larger trend of attacks against critical infrastructure.
In 2019, researchers at Purdue University’s Center for Commercial Agriculture surveyed 800 commercial farmers (defined as 1,000 acres or larger) in the U.S. In a 2021 paper, they reported that up to 90 percent of producers with operations of 2,000 acres or more used imagery, soil sampling, and yield monitoring to guide decisions on seeding and fertilizer rates as well as drainage.
Almost half of farms in the survey used data software products and services, a number that went up to nearly two-thirds on farms above 5,000 acres. More than 70 percent shared their data with at least one outside service provider.
The paper cites research that shows precision agriculture is being adopted as quickly as genetic modification technology a generation ago. Guidance systems, sprayer boom control, planter row or section shutoffs are becoming standard. While adoption of variable rate technology is slower, it’s expected to get a boost from advancing robotics and artificial intelligence.
Already, it’s not unusual for a producer to have time to check the markets and do planning work right from the seat of the combine while the automated systems take care of most routine and repetitive operations.
But these same systems are ridden with flaws that can be exploited by threat actors, said an Australian researcher and ethical hacker that identifies himself publicly by the handle Sick.Codes.
In a presentation to the DefCon hacking conference in 2021, Sick.Codes said he first identified ag tech as an area to look into because, he said, “no one else was.”
What he and his colleagues found was troubling. The major manufacturers they examined lacked basic security features, such as guide documents to allow outside developers to avoid leaving exploitable holes in their software.
Sick.Codes said it was straightforward to get a developer account or gain access to a master dealer administrator portal to poke around in the systems. Once inside the hacker team easily found username and password information as well as real-world names and addresses for individual dealers and customers.
They also found they could access specific pieces of equipment. This would have allowed them, for example, to remotely access a tractor and upload malicious files.
“This can pretty much allow us to upload files to any user, log in as any user, destroy any farm, run any farm off the road, upload whatever we want, download whatever we want, destroy any data, log into any third-party accounts,” Sick.Codes said. “We could literally do whatever the heck we wanted with anything we wanted.”
He said the flaws were reported to the companies, but it was an onerous process to get through to them and have them fixed.
Over the last year, Sick.Codes has continued his deep dive into vulnerabilities in ag tech. At DefCon in Las Vegas in August 2022, he demonstrated the results of his latest project: “jailbreaking” a John Deere control system to allow him to do whatever he wanted. Perhaps fittingly in this case, it was to play an agriculture-themed version of the video game, Doom.
