an abstract paddle shape on a field of gradient gray

Image by Xiaowei Wang.

Attacking Agriculture

Rian Wanstreet

Agricultural production increasingly relies on sensors and internet-connected devices that are rife with security vulnerabilities.

On a rectangle of land the size of a baseball field three hours northwest of London, a project called Hands Free Hectare plants and harvests wheat with almost no human intervention. For the last three seasons, an autonomous tractor has worked its way up and down the plot, sowing the wheat and spraying it with liquid fertilizer, herbicides, and fungicides. A small robot collects soil samples and a drone takes thermal photos of the crop from above to monitor for inconsistencies. When researchers determine that the time is right, they send an unmanned combine harvester to mow the wheat and shoot it into the back of a grain tractor that drives itself alongside the combine.

Hands Free Hectare is just one of many examples of model farm projects that aim to demonstrate the promise of automated, autonomous agriculture on a large scale. In the US, the Microsoft-backed Grand Farm outside of Fargo, North Dakota is building a farm complex to experiment with robotic planting and irrigation; the University of California, Davis’ Smart Farm initiative is building “an Agricultural Innovation Hub to develop smart machines with industry collaborators.” Fully autonomous agricultural machinery is not yet commonly used, or even functional outside of very constrained environments. But the GPS-controlled machinery and drones that make that vision possible to imagine and fund today have already been widely adopted by agricultural operations all over the world. 

The adoption of technologies to automate and generate data about farming operations is known in the industry and in academia as “precision agriculture.” The cheerleaders of this approach frame it as the optimization we need—“each plant gets just the right amount of water and fertiliser for maximum yield,” as the Financial Times put it in 2017—to feed the world’s billions of mouths and conserve resources in the face of climate change. Precision agriculture is heralded by development agencies and funders as a solution to food insecurity. Under the banner of “feeding the world” the digitization and datafication of agriculture have gathered so much momentum that their continued development and adoption seems inevitable.

But the most promising takes on precision agriculture rarely mention the numerous threats that accompany it. All of that efficiency often requires not just sensors, but coordination among the sensors, routing of the data that those sensors collect back to a central data store, and ongoing monitoring to ensure that batteries haven’t died and connections haven’t dropped along the way. The proliferation in agriculture of systems that are supposed to run themselves has created a massive surface area of weak links, delicately strung together.

Threats to food supplies have always come in many shapes and forms: famine, war, and sabotage have wreaked havoc on societies throughout human history. Now, those of us whose access to food is mediated by digitized agricultural production systems face a double threat: the rapidly expanding mesh of insecure devices that control how our food is planted, watered, monitored, harvested, and transported; and, at the same time, the shifting balance of power away from farmers, towards the governments, corporations, and investors that wield massive amounts of capital.

Making Hay

In its purest form, the goal of precision agriculture is to guide or control every part of the food production system: what type of seed to use, how much fertilizer to apply, when to plant and harvest. The approach has its origins in the Geographic Information Systems (GIS) that was introduced on farms in the 1960s and 1970s to plot the locations of soil samples on a map, and in GPS receivers and mobile tools to monitor yields and soil composition, introduced in the 1990s. More recently, the rise of precision agriculture has been enabled by the explosion in internet connectivity that the world has experienced over the past ten years.

Farmers historically have been early adopters of sophisticated agricultural technologies, driven as much by incentive as by need. Governments often provide subsidies to digitize agricultural equipment and methods. Today, almost every piece of agricultural machinery sold by international corporations like Kinze, Deere, and Case IH has navigation systems and a variety of sensors pre-installed on it by the equipment manufacturers. Farmers can supplement these preinstalled systems with additional receivers on equipment like sprayers and combines, as well as ground sensors and drones that collect data points on moisture levels, mineral levels, and crop growth. Even smallholders—those farming on less than ten hectares, or a 1/25th of a square mile—are using these technologies in places like Nigeria, Colombia, and Indonesia.

McKinsey & Company considers agriculture to be a “massive opportunity” and an area “ripe for disruption.” Goldman Sachs expects the market to soon be worth $240 billion. Despite questionable returns, agriculture has become a darling of VC; according to the VC fund AgFunder, agricultural technology startups secured nearly $17 billion in funding in 2018, up 43 percent from 2017. 

Academic institutions, too, have turned their prowess towards fostering the development of new agricultural technology through startup accelerators and enhancing technologies of established corporations. Indeed, according to food systems expert Kevin Walker, academics in the US are becoming subcontractors of large multinational corporations, driven by the need to find funding for research that has “immediate and marketable benefits.”

The US government and military are also invested in the research and development of precision agriculture tools. The US Navy has invested in agricultural robotic swarm technology. Many of the startups developing drones for commercial agriculture are run by military veterans or former defense contractors. Even economic development sector initiatives rely upon defense contractors.

These types of funding streams yield specific results. The demand by VCs and universities for exponential returns in a short time frame means that security is, as with many non-agricultural venture-backed software startups, an afterthought. Hardware is adapted from other sectors and software outsourced, with no plan for service, repair, or maintenance, leaving pieces of equipment perpetually vulnerable to exploitation when it reaches end-of-life. And, even if they wanted to, private companies trying to translate government research and development into consumer agricultural products don’t have the billion-dollar budgets to prioritize security in the same way that DARPA might. 

Breach Party

Many of the same security vulnerabilities that plague battery-powered, cloud-connected devices in general affect farmers adopting precision agriculture. In an interview with precision agriculture expert Marc Window, a professor associated with Hands Free Hectare said of the project’s approach to security, “As with most of our ag robot developments we use technology that has been developed outside the ag area and migrate it over as and when needed. Security has not been a hot topic at all recently as we are still getting the fundamental systems working. Mostly we just use Wi-Fi.” This approach to (not) securing connected agricultural machinery is the norm, and it means that, in the same way that corporations can remotely brick a piece of machinery, malicious actors could hypothetically do the same, bringing a fleet of tractors down at once. One can imagine a scenario in which a piece of code is deployed to disrupt the harvest of entire nations. Or a scenario in which chicken farmers who use web-based software to remotely control the temperature of their hatcheries find their cooling systems manipulated, killing their animals. 

These are not purely hypothetical. China’s environmental efforts are being thwarted by companies doctoring surveillance camera footage and remotely altering or deleting undesirable information in automatic monitoring systems in order to appear more environmentally friendly than they are. A smart irrigation system in Israel has reportedly been hacked by the Syrian Electronic Army, a hacker group. Smart irrigation systems in general can be manipulated to empty entire water reservoirs or apply the wrong amounts of fertilizer and chemicals. 

Drones are being heralded as revolutionary in agriculture, but they have many known vulnerabilities since their security is essentially unregulated. They can be hijacked, remotely tampered with to return false data, or piloted to infiltrate remote Wi-Fi networks. The US Department of the Interior also sees espionage risks in the fact that its own drone fleets are manufactured by a Chinese company.

The tools of precision agriculture generate valuable datasets, and the value of those datasets corresponds to their size. To give a sense: the largest dairy farm in the world occupies more than 22 million acres and the largest field operation sits on more than 500,000 acres. Data from these operations can move markets. The US Department of Homeland Security has reported that at least one company has been approached by commodity brokers with an offer to buy the company’s data. But insider trading threats aside, the integrity of large operations’ data can be undermined by weaknesses in any number of factors that make precision agriculture work—IoT devices, software, or physical hardware. Although such market sabotage doesn’t appear to have happened yet, agricultural data breaches have: the security industry’s annual data breach compilation identified eleven data breaches among agricultural companies in 2019.

Even as US government agencies propel the adoption of precision agriculture, they recognize the new security threats that it poses. In 2016, the FBI released a joint memo with the USDA warning farmers that they were increasingly at risk of having their data held for ransom or of bulk data theft. In 2017, the US Navy conducted war games designed to train servicemen to protect key sectors, including food and agriculture, against malicious state and extremist actors. Soldiers were trained to mitigate attacks like remote tampering of temperature readings at a vegetable canning facility and ransomware targeting an agricultural company’s financial data. 

Roll Your Own Milk Sensor Backup

But war games won’t help farmers whom precision agriculture has made increasingly dependent on complex systems beyond their control: on the software that runs farming equipment, which can require paid subscriptions and constant updates; on the creditors who own the equipment, often worth hundreds of thousands of dollars, and to whom farmers must make regular payments; on manufacturers who have access to the data the equipment generates; and on the guarded knowledge of licensed repair technicians who are the only ones able to diagnose problems with proprietary systems

Take the relationship between farmers and John Deere, the largest manufacturer of agricultural machinery in the world. For years, John Deere has put proprietary software and hardware in its tractors, but now those tractors are increasingly connected to John Deere’s servers as well. According to an executive with the company’s innovation arm, “Our large equipment now has 4G LTE modems, with Wi-Fi and Bluetooth, and that does two-way communication so it collects data off your farm and sends it to the cloud.” As a result, the company can see all the data collected by the machinery they manufactured and can also remotely lock down, or “brick,” equipment if they suspect that farmers are trying to repair the equipment in unsanctioned ways. Farmers have responded with the Right to Repair movement on the basis that they shouldn’t have to fear having their own tractors remotely bricked for any reason, much less for making repairs.

Or consider Emiel Stam, a Dutch dairy farmer who used AgroVision robotics to milk his cows. He claimed in Dutch court that one of the robot’s sensors malfunctioned, infecting his cows and forcing him to cull his cattle. To make his case, Stam needed a historical record of the offending sensor’s readings—in this case, the milk flow sensor.

Stam had backups of those sensor readings through the machinery’s software interface, but they had been remotely wiped by the robotics company, which had access to the readings through a maintenance contract. Luckily, and very unusually, Stam had additional independent backups. He used his own data to correlate the milk sensor readings with the onset of his cows’ illness, prove the robotics company’s liability, and win damages for his losses. But he is the exception that proves the rule.

Beyond 2FA

Now that food systems globally are increasingly vulnerable to digital manipulation, farmers need to protect themselves. The FBI’s 2016 joint memo with the USDA encourages both small and large-scale agriculture operations to implement standard digital security measures: using secure passwords, setting up two-factor authentication, accessing networks via VPNs, and having company-specific email accounts for employees. 

But perhaps adding more technology to the technology problem is not the solution. One issue that extends well beyond agriculture is that there is no clear line of liability for the security of equipment and devices. To help demarcate where the responsibility lies, venture funds, development agencies, and government procurers could implement something like the US Department of Justice’s new policy on drone use. It requires partners and grantees to conduct a mandatory cybersecurity risk assessment and honor a data retention policy. Imposing such requirements on small organizations would be a financial burden, but perhaps such a cost is worth paying to protect farmers and food supplies. 

While these steps are necessary, they are not sufficient. We have a globally connected food system, and ameliorating harm requires systems thinking. Hacks are inevitable when we use connected technologies; the more we become reliant upon them to bring in our harvests, the more we can be assured that these systems will be exploited.

Rian Wanstreet is a PhD candidate at the University of Washington and an Open Science Fellow with Mozilla, researching the ramifications of new technologies in the agricultural sector.

This piece appears in Logic's issue 10, "Security". To order the issue, head on over to our store. To receive future issues, subscribe.