Hackers are coming for our Thanksgiving turkeys and John Deere tractors. It’s time to reevaluate America’s food security
The supply chain that produces our fresh-tasting Thanksgiving dinners is one of the most fragile and fragmented of any industry–and one of the hardest to secure.
Earlier this month, white-hat hacker Sam Curry disclosed on Twitter that he and a group of other white-hat hackers quietly spent 10 days in July discovering 100 unique vulnerabilities on farming machine giant John Deere’s corporate networks and websites, including exploits that would enable attackers to take over customer accounts or access employee credential information. The company had since patched everything, Curry added, but the exercise speaks to a much larger issue that’s picking up steam in the food and agriculture industry.
Within the last year, multiple food retailers and processing plants across the U.S. have been targeted by ransomware, prompting the FBI to alert the sector of the elevated risk and President Biden to recently sign an executive order protecting America’s food security. States, too, have taken action to protect their food and water from growing cyber threats, including recent action in California and Nebraska to develop response plans and educate farmers.
The system required to deliver a vegetable or a processed good from a farm on one end of the U.S. to a dinner table on the other end is an absolute spiderweb of logistics, involving numerous suppliers, transporters, and retailers with their own individual systems and tools to keep themselves safe.
The extra support from state and federal partners is critical to mitigating the risk that the supply chain carries, but it must be paired with more education from the cybersecurity industry on how farmers and retailers can protect themselves from threats.
White-hat hackers like Curry are already doing this–but it’s not just corporate networks that are potentially at risk. A hacker who goes by the moniker “Sick Codes” demonstrated an exploit at the DefCon security conference in August of this year that allows anybody with physical access to several models of John Deere and Co. tractors to jailbreak the machinery, overriding the digital locks that farmers put on their machines.
While the hacking display was partially done to support farmers’ rights to repair their own machinery, Sick Codes also shared a glimpse into a terrifying hypothetical with real-world consequences. In one presentation, Sick Codes showed how a single motivated attacker could take down common agricultural equipment–and threaten global food security with a few keyboard strokes.
The idea of targeting one business to cause chaos in many others is, of course, the nature of any supply chain attack (Remember SolarWinds?). The distributed nature of the food supply chain system–which also has to work internationally, convoluting the chain even further–is no different. Attackers only have to target one segment of the supply chain to throw the entire food production or delivery system off balance.
Few industries keep thinner profit margins than food and agriculture, and often doing their due diligence on whether a third-party partner has the proper security controls goes by the wayside in order to keep food moving. Unfortunately, when the food supply chain breaks in a specific region, the consequences are felt by virtually everyone through higher prices and scarcely stocked shelves, reminiscent of the early days of the COVID-19 pandemic.
Similarly, few industries have such a large gap in technological prowess as food and agriculture, where some farms might be entirely data-driven and others might be partially run on a Windows 98 desktop computer. This presents a unique problem for the equipment manufacturers that sell to farmers and the retailers that rely on them: How do you keep systems patched and up to date across the globe when there’s such a discrepancy in cyber literacy?
The short answer is to keep it simple. Farmers can build resiliency into their networks by using strong passwords, limiting the number of network connections they have, and even just sharing information on potential strange behavior with the authorities. The food and agriculture industry can also get a head start on defending themselves against attackers by paying attention to what’s happening in other, more lucrative industries like banking and technology. For agricultural manufacturers like John Deere and Caterpillar that fear their intellectual property could be stolen in a cyberattack, taking hints from how other international companies defend their IP can be beneficial, though John Deere’s current strategy of safeguarding its IP is controversial. Whenever possible, players in the supply chain should be stress-testing vendors to ensure that they have the basic cyber controls in place, so that those interconnected networks don’t get taken down.
The food and agriculture ISAC has also been around for more than 20 years to help businesses identify and mitigate threats in the industry while promoting proper cyber hygiene. If a food processing plant, a retailer, or a farm can afford it, they should allocate a proper budget to security or outsource 24/7 monitoring to ensure nobody’s infiltrating their environment. Implement a good vulnerability management program–even if that business-critical Windows 98 desktop can’t be patched, the machines connected to it should be. Staying on top of vulnerabilities across any and all machines that can be patched will go a long way toward staying safe.
With the global food crisis worsening every day, it’s critical that farmers and their partners in the farm-to-table supply chain take food security seriously. Cybersecurity is a critical ingredient to keeping food on families’ tables, and together, from the security sector to the agricultural industry, we must work to defend the food supply chain.
Mark Manglicmot is the SVP of Security Services at Arctic Wolf.
The opinions expressed in Fortune.com commentary pieces are solely the views of their authors and do not necessarily reflect the opinions and beliefs of Fortune.
More must-read commentary published by Fortune:
- Elon Musk knows what he’s doing. Here’s the real value he sees in Twitter
- California Gov. Newsom: ‘Ideological attacks on ESG investing defy the free market—and taxpayers are losing out. Here’s why we consistently beat Republican-led states in nearly every economic category’
- Pollsters got it wrong in 2018, 2020, and 2022. Here’s why political polling is no more than statistical sophistry
- The last American venture capitalist in Beijing: Here are the strategic miscalculations undermining America’s technology competition with China
Our new weekly Impact Report newsletter will examine how ESG news and trends are shaping the roles and responsibilities of today’s executives—and how they can best navigate those challenges. Subscribe here.