The U.S. watchdog agency responsible for the safety of food and agriculture is the Food and Drug Administration (FDA). However, the FDA's food security division is mainly involved in identifying for recall off-the-shelf products whose ingredients contain known pathogens or toxic chemicals. Ensuring the cybersecurity of the food pipeline from which tainted shelved products originated depends on the Department of Homeland Security for funding and the National Institute of Standards and Technology (NIST) for architectures.
"Many aspects of the food and agriculture sector are connected to the Internet, hence they are potentially vulnerable to a cyber-attack," according to FDA Health Specialist Lindsay Haake,. "We advise following the cybersecurity guidance published by the [DHS's] Cybersecurity and Infrastructure Security Agency (CISA), as well as the National Institute of Standards and Technology."
The first DHS-sponsored effort to explore the cybersecurity vulnerabilities and possible impact to U.S. society of our increasingly smart agriculture technologies and the food pipeline is being tackled by the Pacific Northwest National Laboratory (PNNL), according to Mary Lancaster, an epidemiologist and data scientist at PNNL.
"Technology is rapidly creating a fourth agricultural revolution," said Lancaster. "Our project called FARM, for 'Food and Agriculture Risk Modeling', will proactively identify the potential vulnerabilities within today's digital agricultural software and equipment; calculating the consequences of potentially successful cyberattacks, a huge problem space that no one else is addressing."
The first agricultural revolution occurred just after the last Ice Age (circa 10,000 BC) when humankind made the long, slow transformation from a lifestyle of "hunting and gathering" to one of "agriculture and settlement" which in turn made increasingly large population centers possible.
The second agricultural revolution (circa 1650 AD) was marked by a quintupling of output per agricultural worker, creating centralized population growth which spawned the Industrial Revolution (circa 1800 AD).
The third agricultural revolution (circa 1900 AD) increased crop yield with enhanced seed varieties and the widespread use of chemical fertilizers, pesticides, and controlled irrigation to produce even higher yields.
The fourth agricultural revolution (circa 1960) began an increasingly rapid switch to digital technologies with a focus on integrating all parts of the agricultural pipeline—from fields and livestock to the off-farm segments of processing and delivering food—thus requiring more data analytics to continuously monitor the growth/health/delivery of crops and livestock. This has resulted in today's increased reliance on Big Data for farmers, agricultural information service providers, and large pipeline participants (like major supermarket brands).
With the digitization of the 4th Agricultural Revolution came increasing cybersecurity vulnerabilities. Cyberattacks have already caused economic issues for businesses in the food sector, resulting in increasingly frequent food recalls, and even direct attacks on the IT facilities managing food processing. For instance, in May 2021, JBS (the world's largest meat processing company, named after its founder José Batista Sobrinho) experienced a ransomware attack that affected its global operations; the company paid $11 million in bitcoin as ransom to get professional criminal hackers to release its systems in June 2021. During the ransomware attack, the company was forced to temporarily shut down some of its businesses in Australia, Canada and the U.S., leading it to lay off 10,000 workers worldwide.
To head off future food-related IT attacks, food ingredient hacks, food-processing equipment malware, and other digital pipeline intrusions, PNNL created the Food and Agriculture Risk Modeling (FARM) program. The goal of FARM is to produce software that accurately models the entire digital sector of the 4th Agricultural Revolution, with particular emphasis on identifying its cybersecurity vulnerabilities and possible effects such as gaps in food supply, poisoning, spoofs of testing data that cause unnecessary recalls, criminal counterfeiting, ransomware, and more.
"FARM grew out of industrial cybersecurity research at PNNL focused on growing vulnerability identification in new directions," said Lancaster. "The software model we build will assess the risk of successful attacks, identifying the attack surface from automated agricultural growing practices, to digital food processing systems, to supply pipeline logistics—including data from industrial sources—to ultimately determine the impact of successful exploitation of food and agriculture cybersecurity vulnerabilities."
Farming automation might seem like a relatively small part of the gross national product, but the results of PNNL's preliminary analysis were surprising."The thing that captured our imagination is that we hadn't realized how ubiquitous the food industry is," said Lancaster. "According to government data, the food industry (including the growing of trees to be processed into paper for packaging) accounts for about 10% of U.S. employment."
According to Lancaster's survey of government statistics, about half the acreage used for growing food is using automated equipment, and 90% of food packaging is robotic, leaving it vulnerable to cybersecurity breeches. They also found digitization in the sector is increasing daily, as the automation is improving in efficiency, production capacity, and compliance with government regulations.
"Automation is going to keep spreading across all segments of agriculture, since it enables more informed decisions in an industry that operates on very slim profit margins," said Lancaster.
FARM, PNNL says, is the first U.S. effort to proactively identify potential vulnerabilities within digital agricultural and food-pipeline technologies, and to plot the possible adversarial consequences of exploiting those vulnerabilities—running the gamut from planting the seeds to placing finished products on shelves.
The most dangerous cybersecurity vulnerabilities include many of those already faced by the power-generation industry—namely outdated SCADA (supervisory control and data acquisition) operational technology (OT) from the 1950s. These vulnerabilities have been thoroughly studied by NIST, which has detailed instructions in place (NIST SP 800-82) to secure legacy food processing systems. Education and assistance in applying NIST guidelines by particular companies is available from the Food Protection and Defense Institute directed by the University of Minnesota's College of Veterinary Medicine, but much of the 4th Generation Agricultural Revolution's digital technologies originated in more modern times, and thus have the capability of including cybersecurity in the design phase of modern agricultural OTs.
To be sure, building cybersecurity into OTs seminal designs and initial architectures is a relatively new consideration, especially on small farms. Large farms, on the other hand, at least have the OT software in place to secure new equipment, such as drones for monitoring growth and crop health. Still, the complexity of possible compromises of modern agricultural equipment, food processing ingredient databases, and supply-pipeline issues have not been addressed as one extended attack surface, according to Lancaster, since many different systems, processing steps, trucking companies, and more, are today a patchwork of cybersecurity vulnerabilities.
Many of the vulnerabilities are shared by other industries, such as International Standardization Organization (ISO) electronic communication busses where hacks can disable whatever equipment is using them, software updates containing malware which affects all computer systems, and ransomware attacks that can be used against any industrial IT. But the agricultural and food industry also contains unique attack vectors, according to Lancaster.
"The issues are complex and multidimensional," said Lancaster. "Including interference in early disease detection in a herd, food ingredient hacks resulting in recalls, and the malevolent alteration of microbial testing data for either creating dangerous foods or even for causing the unnecessary destruction of products that are really OK."
Lancaster's PNNL team is aiming to have a prototype of its proof-of-concept software model ready within next few months, and then will test and validate its accuracy using historical data. Hopefully, the model will help to identify where the agricultural and food industry should be making cybersecurity investments.
"We suspect that the model will suggest that, at a minimum, cybersecurity needs to be an add-on to existing smart agricultural components," said Lancaster.
If the testing and validation deems that the FARM model is producing reasonable suggestions, then the PNNL team will begin looking for sponsors to hone its application to industry, including corporate farms, food processing plants, and food-pipeline delivery vendors.
R. Colin Johnson is a Kyoto Prize Fellow who has worked as a technology journalist for two decades.
No entries found