If hackers wanted to debilitate American society, they would have trouble taking down the entire power grid or financial system, but they could do serious damage to the companies that make and deliver Americans’ food.
The US food and agriculture sector lacks the resources, expertise, and government support to protect itself and its products from a rapidly expanding range of cybersecurity threats, according to lawmakers, policy experts, and former government officials. These shortfalls leave gaps that foreign government operatives or cybercriminals could exploit to remotely disable farming equipment, contaminate fertilizer, cripple milk supplies, and kill chickens.
In the past few years, cyberattacks on the meat processing giant JBS Foods and the Iowa farm services firm NEW Cooperative have laid bare the industry’s widespread vulnerabilities. And new technologies, including advances in artificial intelligence, are creating previously unimaginable risks, overwhelming a workforce not accustomed to dealing with digital security. Making matters worse, food and agriculture is one of only a few critical infrastructure sectors that doesn’t have an information sharing and analysis center, or ISAC, helping companies fight back.
All of these shortcomings make food and agriculture companies a prime target for Russian operatives bent on vengeance for Western sanctions, Chinese spies seeking a competitive advantage for their domestic firms, and ransomware gangs looking for victims that can’t afford downtime.
The federal government has recently begun addressing these dangers. Lawmakers are introducing bills and spotlighting the issue at hearings, and a presidential directive has spawned a series of reports and reviews. To the people most informed and worried about the chaos that hackers could cause, these developments are long overdue.
“Agricultural and food security is the foundation of American security,” says US congressman August Pfluger, a Texas Republican who has sponsored a bill on the subject. “Without a stable food supply, society stops functioning.”
Security threats to the food and agriculture sector have multiplied as the industry has become increasingly automated and digitized.
Precision agriculture uses GPS sensors and satellite imagery to determine the right kind of fertilizer for every patch of soil and send instructions directly to tractors that automatically move around and spray the appropriate mixes. If hackers breached these systems, they could poison the crops of every farmer using them. The impact wouldn't be clear until months later, when the crops would begin to grow poorly or fail to grow at all.
Farmers are also vulnerable to more immediate sabotage. The same remote-access technology that enabled John Deere to remotely disable a batch of Ukrainian tractors stolen by Russian forces could let hackers turn off millions of tractors across the United States.
America’s meat supply faces huge risks too. Inside the massive industrial facilities where most chickens are raised and slaughtered, the temperature and humidity are precisely controlled by internet-connected computers. With control of this system, hackers could engineer a catastrophe.
“You could lose tens of thousands of birds literally within 10 to 15 minutes,” says Marcus Sachs, deputy director for research at Auburn University’s McCrary Institute for Cyber and Critical Infrastructure Security. “We've seen this happen before. It's almost like a wave goes through the chicken house, where they all just die.”
Just-in-time logistics mean that even short-term cyberattacks can have serious consequences. Hacks that disrupt fertilizer or pesticide production can force farmers to sit out planting seasons. Breaches at meat-packing plants can cause destabilizing supply shortages. Tampering at a food processing firm can lead to deadly contamination. Already, ransomware attacks that have forced companies to shut down operations for a week have left schools without milk, juice, and eggs, according to Sachs.
“A major disruption in this sector leads to immediate public health and safety issues,” says Mark Montgomery, who served as executive director of the Cyberspace Solarium Commission.
Despite being increasingly vulnerable, Sachs says, the food and agriculture sector still “doesn’t really understand the threat mindset” as well as higher-profile sectors, like financial services and energy, do.
Today, food and agriculture is one of four critical infrastructure sectors (out of 16) without an ISAC, along with dams, government facilities, and nuclear reactors and materials.
The food and agriculture sector was one of the first to launch such a center, in 2002, but it disbanded in 2008 because few companies were sharing information through it. Members were afraid that such openness jeopardized their competitive advantages and exposed them to regulatory action. Now, Sachs says, businesses worry that exchanging information with each other could prompt antitrust lawsuits, even though such collaboration is legal.
Some companies participate in a Food and Agriculture Special Interest Group (SIG) housed inside the IT-ISAC, which gives them access to data and analysis from some of the world’s biggest tech companies, as well as resources like playbooks for confronting specific hacker groups.
“Our work with the industry has really expanded over the last three years or so,” says IT-ISAC executive director Scott Algeier. In that same time period, the IT-ISAC has recorded 300 ransomware attacks on the food and agriculture sector.
But the SIG’s offerings are limited, Sachs argues. It doesn’t hold regular large-scale exercises simulating attacks on food and agriculture firms, doesn’t staff a 24/7 watch center that constantly monitors these firms’ infrastructure (along with related events like severe weather and supply chain disruptions), and can’t automatically generate insights and alerts by comparing classified government intelligence with data from sensors inside that infrastructure. “I appreciate everything Scott is doing over there,” Sachs says. “It's a very good thing. But [the SIG is] not an ISAC.”
Algeier says the IT-ISAC has hosted exercises focused on the food and agriculture sector and that “members can reach out to us 24/7 if needed.”
But the sector needs its own ISAC that can “analyze the threat and provide a true operational assessment,” says Brian Harrell, a former assistant director for infrastructure security at the US Cybersecurity and Infrastructure Security Agency (CISA).
Pfluger says, “Plenty of folks I’ve spoken with think there needs to be a dedicated ISAC.”
Companies also need more support from the federal government.
The US Department of Agriculture, the industry’s sector risk management agency, is “significantly less effective” than other SRMAs, Montgomery says. The USDA doesn’t even have dedicated funding for its security support, which includes biannual sector-wide meetings, weekly threat bulletins, and occasional town halls.
“As the cybersecurity threats and vulnerabilities continue to grow, USDA is unable to conduct these SRMA responsibilities, which could have a significant impact on the safety and security of US agriculture,” the department said in its fiscal year 2024 budget proposal, which for the first time requested $225,000 for this work.
By comparison, the Energy Department requested $245 million for its Office of Cybersecurity, Energy Security, and Emergency Response.
USDA has shown “very little interest” in cybersecurity, says Sachs, who has tried to prod officials into action.
Allan Rodriguez, a USDA spokesperson, says the agency and the FDA work closely with CISA, the FBI, and the private sector. Eric Goldstein, CISA’s executive assistant director for cybersecurity, says his agency is working with USDA and other partners “to improve cybersecurity across the sector and build resilience to cyber disruptions.”
Fortunately, there’s a growing sense of urgency inside the US government to protect the nation’s tractors, fertilizer, milk, and chickens from hackers.
Pfluger’s bill, the Food and Agriculture Industry Cybersecurity Support Act, would create new federal resources for companies, require improved coordination between government and industry, and launch a Government Accountability Office review of the sector’s situation, including whether an ISAC is necessary. Pfluger says he’s “very optimistic” about the prospect for his bill, which two Republicans and one Democrat have cosponsored.
The White House is also taking action. Last November, President Joe Biden signed a memorandum on “the security and resilience of United States food and agriculture” that ordered up a suite of threat reports, risk reviews, and vulnerability assessments addressing physical and cyber challenges. Agencies have completed an initial assessment that was due in January and are finalizing an interim review that was due in March, according to DHS spokesperson Ruth Clemens.
In the meantime, experts say the government could better use its existing programs to help.
The USDA’s Cooperative Extension Service partners with land-grant universities and community organizations to provide agricultural training and guidance to farmers across the US. Sachs encourages USDA to leverage the trusted relationships that farmers have with their local extension agents to promote best practices on cybersecurity.
Sachs and his colleagues are even considering helping a coalition of land-grant universities launch an ISAC that would both facilitate information sharing and prepare students to enter the food and agriculture workforce with key cyber skills.
Whether or not the sector forms an ISAC, there’s widespread agreement that more must be done to counter the growing array of threats endangering these companies and the hundreds of millions of people who rely on them for basic sustenance.
“One vulnerability and attack,” Pfluger says, “can lead to catastrophe for everyone downstream.”
