Like any new technology, digital agriculture technologies, or agtech, have both benefits and risks to understand and manage. As a farm operator, you know better than anyone that handling your business involves a lot of risk assessment and risk management. Cybersecurity training is yet another tool in your risk management toolbox to help ensure your business is secure.
Reflection: What Values Do You Bring to Your Farm Business?
Take a moment to think about a value, belief, talent, or skill that you have that helps you in your role as a farmer. Now, on a piece of paper, or in a separate window on your computer, take a minute to jot down a few lines about this positive part of yourself: What is it? And why is it important to you?
Cybersecurity practices build off of your existing knowledge and skills, including your robust risk management skill set as a farmer. Keep this in mind as you work through the rest of the module.
Cybersecurity has to do with how you manage your digital systems, networks and the data they hold and transmit. You might think that because you’re in a rural area or are not a large farm, you won’t be a target - and you wouldn’t be alone. Research at the University of Guelph (Russell 2022) showed that some farmers felt that their small farm size, rural location, or slow internet download speeds meant they would be unlikely targets. Cybersecurity doesn’t seem to be something that most farmers think about very often, or see as a priority for their farm businesses. But, even though most farms are located in rural areas, a farm business can be just as vulnerable to cybersecurity incidents as any other business.
Security by Obscurity?
In today’s connected world, “security through obscurity,” meaning “my operation is too small or too remote to be targeted”, is no longer enough to protect a farm business from criminals or others who may want to cause harm. A cyber criminal thousands of kilometers away can be just as ‘close’ as an equipment thief one block over.
Today, like any individual, or any business, farms equipped with digital systems use and produce all kinds of data. Next-generation farm equipment – along with agronomic and other data services – allows producers to manage their land and animals at an increasingly granular level in near real-time. These precision agriculture and smart farming technologies provide opportunities to boost productivity and profitability, and to enhance traceability.
The flowchart below is a sketch of the ‘farm-to-fork’ value chain. At each step along the value chain, physical devices connected to the internet, the internet-of-things (see 🌐 Data Infrastructure in Module 1), offer enhanced visibility and control of production, processing and distribution.
Adapted from CSKA
Any of these devices or systems could be attractive targets for ‘bad guys’.
That being said, an important difference between farm businesses and other small- and medium-sized businesses is that farms are part of a critical infrastructure - our agri-food system. In addition to their economic function, farms contribute directly to food security. If bad actors want to cause disruptions, critical infrastructures and supply chains are some of the first things they look to as potential targets. At the farm level, disruptions to critical conditions for livestock or preventing timely action related to growing and harvesting crops can create big pressures for producers and their families.
The figure below shows how a cyber “virus”, such as malicious code or malware, can affect a whole food system - from farms to processors, distributors, retailers, and consumers. The effect of a cyber incident at the farm level doesn’t just hurt the farmer, it hurts all of us.
Adapted from CSKA
As you can see in the figure, when a virus enters one farming operation, it can rapidly spread to other farms, and then impact the entire supply chain, leaving consumers frustrated.
A cyberattack like this occurs in three main phases:
Preparation Phase: A bad actor performs reconnaissance on a farm or farm network - planning and weaponizing the cyberattack before delivering it to a device or a network.
Compromise Phase: The attack exploits the vulnerabilities in the farm systems and is installed in the target device or software.
Breach Phase: The bad actor commands and controls the targeted part of the farm system, and completes its objective - which is most often profit, but can also be reputational loss, food system disruption, or a number of other motivations.
Adapted from CSKA
This can then impact an entire food supply chain, from the processors, to distributors, retailers, and finally, consumers. If fertilizer, pest control or irrigation systems are affected, an entire growing season could be at risk. If a disruption targets buyers, or processors, of farm products, both producers and the public can be hurt through price changes, interrupted food supplies and sometimes livestock losses and crop spoilage. In all cases, the human costs of dealing with a malicious cyber exploit or a system failure can be hard on a farm business and a farm family.
Multiple points of contact can also mean multiple points of failure, particularly where there is less well-developed cybersecurity capacity. This can create a variety of targets for disruption within a farm, or within the value chain. Three examples are shown below - a virus targeting a farm network can also affect connected systems like biosecurity monitoring and industrial control systems used for barn heating and ventilation. At this point, the virus can also spread into the supply chain.
Adapted from CSKA
Can you think of other ways a cyberattack can propagate within a farm and the value chain?
Much of this may seem hypothetical or unlikely - but there have already been instances of cyberattacks in the agri-food sector. In Ontario, a hog farm was cyberattacked, with hackers claiming to have incriminating animal abuse evidence from a compromised farm surveillance system. The attacker’s requirement for releasing their control of the farm's network was a public statement from the business owners admitting to animal abuse. But in this case, the claim that they had incriminating footage was false - the barn cameras had never been hacked and there was no such footage. In another story, meat giant JBS paid $11M in ransom to resolve a cyberattack in the US in 2021 after their production line was temporarily stopped by a Russia-based hacking group.
What now?
Despite the capacity for harm, there’s good news. There are simple things that can be done to strengthen a farm business’s cyber risk management.
Cybersecurity is a new part of farm business risk management.
Farmers are managing risk all the time - you understand how fundamental it is to operating a profitable and sustainable farm operation. Producers know that good risk management equals good farm business management. Taking care of cybersecurity is another BMP - best management practice.
Over the last few years, researchers with the Community Safety Knowledge Alliance and the University of Guelph have worked closely with farmers to understand how farmers perceive cybersecurity (Source: Botschner et al. Cybersecurity in Digital Agriculture: Current State and Future Directions. Unpublished. 2022; see also: Cyber Security Capacity in Canadian Agriculture Research Summary). Hearing about cybersecurity brought up a range of feelings - from those of commitment and stewardship, to those of fear, confusion or apathy. Some felt it might not be something they think about at all, or they feel it’s purely an IT issue. Wherever you are in your cybersecurity journey, you’re not alone.
So what do you think when you hear ‘on-farm cybersecurity’?
You’re already familiar with the concept of security for you and your farm. As a steward of the land, you understand the importance of taking steps to leave your land in a better condition for the next generation. If you’re a rancher, you don’t want a breach in the fencing that would allow your animals to enter an adjacent road. If you have a farmgate store and/or hold customer financial data, you want to be a good steward of their privacy and information. Cybersecurity is much the same - you don’t want openings for bad actors to cause your business or your community harm.
How does paying attention to cybersecurity help you to be the kind of grower you want to be?
However you relate to the idea of cybersecurity right now, by the time you’ve completed this module, you’ll be equipped with new knowledge and a set of new tools you can use to help make your farm operations more secure. You will also have better insight into the digital side of your farm business.
Some things to keep in mind:
There are things you can do, as a producer, to make things more safe and secure on your farm, but you don’t have to ‘go it alone’. There are important roles for your IT provider, different kinds of farm service providers, equipment vendors, input suppliers, commodity associations, federations and various levels of government.
If everyone works together, Canada’s food system can be made safer and more resilient. So, this module is a starting point to help you think about the role that cybersecurity can play in your farm operations. It will give you some ideas of how you can start to make small improvements that could make a big difference.
This module can also be used as a resource for talking to the other stakeholders along the value chain as part of advocating for the support that will help farm businesses be more resilient and sustainable, so they can continue to feed Canada and the world.
Survey: Gauging your Current Knowledge and Practices
Before you continue, you’re invited to answer a few questions that will help you understand where your knowledge and day-to-day practices are in terms of on-farm cybersecurity. For now, there are no right answers – only your own honest answers.
If you choose to answer these questions, you will:
Give yourself the opportunity to ‘get a read’ on where you are before we really get started with the module.
Help us know where we might improve the module for other learners.