Attack season

Connectivity across our municipalities is growing. While the term “smart cities” evokes images of large urban areas like New York or Singapore, connectivity is also spreading in our rural areas. Municipal connectivity can bring significant benefits to communities through increased efficiency, access to services, and distribution of resources such as energy. However, as has been well documented, communities seeking to implement these solutions must view them through a particularly critical cybersecurity lens. Placing internet connectivity at scale on infrastructure where there was previously no connectivity changes the risk assumptions, the resilience framework, and the response options in the event of a crisis. These issues are well understood for cities with large concentrations of humans, critical infrastructure, and connected devices. Rural areas are also experiencing a rise in connectivity through Smart Agriculture. While the cybersecurity issues with Smart Agriculture are well documented, some of the impacts may be less well understood. This post explores how a cyberattack against Smart Agriculture systems in strategic areas can cause significant economic, food security, and public trust issues if timed correctly. This outline provides specific guidance for cybersecurity officials in communities with Smart Agriculture to focus on their vulnerabilities and the right time of year when a cyberattack would have maximum impact.

Bricking Tractors

In the early months of Russia’s invasion of Ukraine, Russian forces stole some very expensive farm equipment. They were John Deere tractors, and they were shipped to farms in Chechnya. This might seem petty, but large industrial-scale farm tractors are not cheap and can create real value for farms as they scale up. A much needed dose of schadenfreude came early on as reports came out that the tractors were useless because they were remotely bricked. 

The origins of this clever cyber event are in the right to repair movement. Many of the advanced farm equipment manufacturers created products that are so complex and involve so much software that to repair them, they must be taken to a licensed repair facility. This means there is connected software inside the tractors that diagnoses and runs other advanced functions. It also means that repairing your tractor yourself is a thing of the past, causing many issues with farmers worldwide. Prior to the invasion, Ukrainian cyber actors were active in building software that could jailbreak a tractor so that it could be repaired without taking it to a repair facility and incurring the cost. While the issue of the right to repair is outside the scope of this work, the relevant fact is that there were Ukrainian cyber actors with significant familiarity with the tractor software at the time of the invasion, and a few months later, the stolen tractors were bricked.

In a moment of despair, the idea of tractors that wouldn’t start in Russian fields may have felt good, but it highlighted something bigger. The fact that sizeable industrial-scale farm equipment can be remotely bricked is not limited to this conflict. It is a threat to smart agriculture everywhere, and it should be part of a more significant risk framework for using connected devices in our agricultural systems. Smart Agriculture also employs devices such as soil sensors, unmanned aerial vehicles (UAV), and other precision technology that allows us to be more efficient and precise with our watering and fertilizer, both of which are finite commodities. Together, those devices comprise a connected system of systems that, much like other connected municipal deployments, sits on top of critical infrastructure. A disruption of any critical infrastructure sector will cause an impact, but disruption in the food sector has a different disruption timeline. This makes the cybersecurity of Smart Agriculture systems unique because of the seriousness of its impact, but also because this is an example of a “seasonal cyberattack” if executed for maximum effect.

Macroeconomic Farming

In the US, corn and soybean farming are big business. This is so much so that universities in large corn and soybean-producing states such as Iowa and Illinois put significant research resources into optimizing planting times, harvest windows, fertilization, and watering to maximize the output per acre of farmland. This is not just an economic exercise but also a means by which farming can continue to produce enough food for a growing national and global population. The amount of arable land is not growing, so the output per acre of arable land must grow instead.

According to Iowa State University, the optimum planting window for corn presents an interesting trend. While the best planting times are April 11th  – May 18th, the expected relative yield decreases rapidly after May 18th, as shown in the graphic below.

The story is the same for soybeans. According to the same study, the optimum window for soybean planting is between April 11th and May 20th. The earlier planting can increase yields to 3-4 bushels per acre, with a fall-off throughout the planting season and a steep decline beyond May 20th.

The important factor to consider in both graphs is a date after which the expected relative crop yield drops considerably, which impacts the market price of corn and soybeans and the availability of both commodities for foodstuffs. Specifically, between May 20th and June 4th, the drop-off is significant, with only a 15-day window. That is a potential 20% drop in relative yield in both cases. A 20% drop in relative yield done at scale becomes macroeconomically significant if spread across enough farms in the highest-producing areas. This presents a significant motive to target Smart Agriculture in specific macroeconomically significant growing areas during a specific time window each year.

Corn Prices

As an example, the below graphic represents the price of corn commodities in the US market over a five-year period. The mountainous nature of the graphic showcases the potential for significant price swings that impact markets in a very real way. In 2022, the price of corn spiked to $8, double where it stands today. Such a swing causes economic disruption and real tensions on the ground when corn and corn products are much higher priced or unavailable. 

Like many different stocks or commodities, outside forces can impact the price. In the case of agricultural commodities, that outside force could be a well-timed and specifically targeted cyberattack against a Smart Agriculture system.

Attack Season

While issues such as turning off electricity, causing massive gridlock, or large-scale municipal data breaches grab significant attention in the cybersecurity community, the potential for long-lasting impacts in Smart Agriculture may be more significant than in urban environments. Cyberattacks against urban structures will cause significant issues and may have emergent behaviors we have yet to fully understand, as outlined here. However, attacks against potentially less prepared and less well-resourced rural communities with Smart Agriculture deployments could cause impacts that reverberate through months or years, depending on scale. The attack vectors are there. The attackers simply must time their outage correctly.

Imagine industrial-scale farming in Iowa and Illinois, where macroeconomically significant corn and soybean crops are grown. Farmers and farming communities must use the most advanced farming equipment, likely connected to the Ukrainian John Deeres, to optimize planting and harvest. One can also easily imagine a larger system with UAVs, space assets, and other components to maximize output per acre. As planting season approaches, all equipment is tested, soil nutrient levels are collected, and weather pattern data is considered. Farmers purchase the stock they need to plant their fields and hire additional people to help with planting. The assumption is that they will plant at the optimum time according to significant research on the topic by leading scientists. The data collected, and the research will combine for what each farmer hopes is that 3-4 additional bushels per acre yield. 

If a malicious actor wanted to disrupt this flow, it would start before planting season with the soil nutrient levels. Spoofing that data to provide inaccurate readings would create the potential for dangerously high levels of macronutrients in the soil, resulting in the deaths of many of the plants in the field. It would also cause an economic investment by individual farmers that would cause problems for their already thin margins. When planting season arrives, this is the moment to brick the tractors. This move depends heavily on when planting would begin in a given region, so it would be unlikely to unfold as a monolithic attack. Instead, it would need to happen on the day of planned planting for maximum impact. The planting would only be delayed by days before a patch would be pushed, but that may be enough to cause even a 5-10% reduction in crop yield instead of the 3-4 extra bushels per acre that was the goal. Further, such an attack could be combined with attacks on the UAVs or Earth sensing data from space assets to create a combination of inoperable equipment and inaccurate readings.

Doing such an attack at scale would require multiple attacks. Simply bricking every tractor would not be enough. Causing inaccurate soil nutrient readings that result in overnutrition plus bricking plus issues with guidance data from UAVs or space assets could cause a massive disruption over a 2–3-week window, which might be enough. 

Long Term Effects

If a cyberattack could cripple macroeconomically significant agriculture yields, the effects would be felt throughout the year and perhaps into the next. The market prices of the specific commodity targeted would reverberate through the markets, causing significant price jumps worldwide. Locally, some farmers may not recover, forcing their farms into foreclosure and potentially taking that arable land offline for 1-2 years. If the soil is overnourished, it may need to fallow for a growing season. Foodstuff prices will also rise and likely stay high as the raw materials will not be available, or at least not as readily available, across the given year. With higher market and grocery store prices, some farmers are out of business or struggling, and planting season is only once per year, so the potential for long-term effects is significant. 

Thousands of years of human agricultural history have left us with an intuitive, if not biological, understanding of planting season and harvest season. But as we further connect our agriculture to the internet in pursuit of greater yields and efficiencies, we must start thinking about attack season. Smart Agriculture is most vulnerable in the US's April 11th – May 20th window for crops like corn and soybeans. Including preparation time, that window is probably larger until at least the first of April, if not into mid-March. Rural communities must consider this attack window when implementing Smart Agriculture at scale. Planting seasons vary with agricultural zones, so that the dates will vary depending on the local community. The risk calculations for implementing such connectivity should include the planting season window, as it would be the optimum time to create the longest-term impact on communities and markets. 

Further, when food supplies are disrupted, a significant trust factor must be considered. News of a cyberattack that disrupts agricultural food supplies will cause significant problems within local communities, as well as nationally and internationally, as news spreads. This kind of panic can worsen market prices and cause real pain in grocery bills. That is the kind of direct-to-consumer impact that malicious cyber actors live for, and it is also the kind of effect that may allow one to extract concessions from the target. 

Smart Agriculture can transform efficiencies and yields for important crops. Given the growing global population and the scarcity of arable land, we may have already crossed the line where these technologies are necessary. Increasing yield per acre translates into more people fed and lower foodstuff prices. It is also an attractive target for a cyber actor looking to make a big splash. Cybersecurity of Smart Agriculture should consider these impacts and the windows in which cyber attackers can operate for optimized effect. Unfortunately, the windows for optimized crop yields and optimized cyber disruption overlap on the calendar.