Jan 9, 2025

Attack Season

How a cyber attack against Smart Agriculture could cause longer-term effects than attacks on urban systems

Nick Reese
January 9, 2025
Connectivity across our municipalities is growing. While the term “smart cities” evokes images of large urban areas like New York or Singapore, connectivity is spreading in our rural areas as well. Municipal connectivity can bring significant benefits to communities in the form of increased efficiency, access to services, and distribution of resources such as energy. But as has been well documented, communities seeking to implement these solutions must view them through a particularly critical cybersecurity lens. Placing internet connectivity at scale on infrastructure where there was previously no connectivity changes the risk assumptions, the resilience framework, and the response options in the event of a crisis.

These issues are well understood for cities where there are large concentrations of humans, critical infrastructure, and connected devices. Rural areas are also experiencing a rise in connectivity in the form of Smart Agriculture. While the cybersecurity issues with Smart Agriculture are well documented, some of the impacts may be less well understood. This post explores the ways in which a cyberattack against Smart Agriculture systems in strategic areas can cause significant economic, food security, and public trust issues if timed correctly. This outline provides specific guidance for cybersecurity officials in communities with Smart Agriculture to focus on not only their vulnerabilities but on the right time of year when a cyberattack would have maximum impact.

Bricking Tractors

In the early months of Russia’s invasion of Ukraine, Russian forces stole some very expensive farm equipment. They were John Deere tractors, and they were shipped to farms in Chechnya. This might seem petty, but large industrial scale farm tractors are not cheap, and they can create real value for farms as they scale up. A much needed dose of schadenfreude came early on as reports came out that the tractors were useless because they were remotely bricked.

The origins of this clever cyber event are in the right to repair movement. Many of the advanced farm equipment manufacturers created products that are so complex and involve so much software that to repair them, they must be taken to a licensed repair facility. This means that there is connected software inside the tractors that is doing diagnostics and running other advanced functions. It also means that repairing your tractor yourself is a thing of the past, causing a lot of issues with farmers around the world. Prior to the invasion, Ukrainian cyber actors were active in building software that could jailbreak a tractor so that it could be repaired without taking it to a repair facility and incurring the cost. While the issue of right to repair is outside the scope of this work, the relevant fact is that there were Ukrainian cyber actors with significant familiarity with the tractor software at the time of the invasion, and a few months later the stolen tractors were bricked.

In a moment of despair, the idea of tractors that wouldn’t start in Russian fields may have felt good, but it highlighted something bigger. The fact that large industrial scale farm equipment can be remotely bricked is not limited to this one conflict. It is a threat to Smart Agriculture everywhere and it should be a part of a larger risk framework regarding the use of connected devices in our agricultural systems.

Smart Agriculture also employs devices such as soil sensors, unmanned aerial vehicles (UAV), and other precision technology that allows us to be more efficient and precise with our watering and fertilizer, both of which are finite commodities. Together, those devices comprise a connected system of systems that, much like other connected municipal deployments, sits on top of critical infrastructure. A disruption of any critical infrastructure sector will cause an impact, but disruption in the food sector has a different disruption timeline.
This makes the cybersecurity of Smart Agriculture systems unique because of the seriousness of its impact, but also because this is an example of a “seasonal cyberattack” if executed for maximum impact.

Macroeconomic Farming

In the US, corn and soybean farming are big business. So much so that universities in large corn and soybean producing states such as Iowa and Illinois put significant research resources into optimizing planting times, harvest windows, fertilization, and watering to maximize the output per acre of farmland. This is not just an economic exercise but also a means by which farming can continue to produce enough food for a growing national and global population. The amount of arable land is not growing, so the output per acre of arable land must grow instead.

According to Iowa State University, the optimum planting window for corn presents an interesting trend. While the best planting times are April 11th – May 18th, the expected relative yield decreases at a rapid rate after May 18th, as shown in the graphic below.

Image credit: Iowa State University

The story is the same for soybeans. According to the same study, the optimum window for soybean planting is between April 11th and May 20th. The earlier planting can increase yields up to 3-4 bushels per acre, with a fall off throughout the planting season and a steep decline beyond May 20th.

Image credit: Iowa State University

The important factor to consider in both graphs is that there is a date after which the expected relative crop yield drops considerably, which impacts the market price of corn and soybeans and the availability of both commodities for foodstuffs. Specifically, between May 20th and June 4th, the drop off is significant, and that is only a 15-day window. In both cases, that is a potential 20% drop in relative yield. A 20% drop in relative yield done at scale becomes macroeconomically significant if spread across enough farms in the highest producing areas.
This presents a significant motive to target Smart Agriculture in specific macroeconomically significant growing areas during a specific window of time each year.

Corn Prices

As an example, the below graphic represents the price of corn commodities in the US market over a five-year period. The mountainous nature of the graphic showcases the potential for significant price swings that impact markets in a very real way. In 2022, the price of corn had such a spike up to $8, double where it stands today. Such a swing causes both economic disruption and real tensions on the ground when corn and corn products are much higher priced or not available at all.

Image credit: Business Insider

Like many different stocks or commodities, outside forces can impact the price. In the case of agricultural commodities, that outside force could be a well-timed and specifically targeted cyberattack against a Smart Agriculture system.

Attack Season

While issues such as turning off electricity, causing massive gridlock, or large-scale municipal data breaches grab significant attention in the cybersecurity community, the potential for long-lasting impacts in Smart Agriculture may be more significant than in urban environments. Cyberattacks against urban structures will cause significant issues and may have emergent behaviors that we have yet to fully understand. However, attacks against potentially less prepared and less well-resourced rural communities with Smart Agriculture deployments could cause impacts that reverberate through months or years depending on scale. The attack vectors are there. The attackers simply must time their outage correctly.

Imagine industrial scale farming in Iowa and Illinois where macroeconomically significant corn and soybean crops are grown. Farmers and farming communities must use the most advanced farming equipment, meaning it is likely connected in the way the Ukrainian John Deeres were, to optimize planting and harvest.
One can also easily imagine a larger system with UAVs, space assets, and other components to optimize output per acre. As planting season approaches, all of the equipment is tested, soil nutrient levels are collected, and weather pattern data is considered. Farmers purchase the stock they need to plant their fields and perhaps hire additional people to help with the planting. The assumption is that they will plant at the optimum time according to the significant research on the topic from leading scientists. The data collected and the research will combine for what each farmer hopes is that 3-4 additional bushels per acre yield.

If a malicious actor wanted to disrupt this flow, it would start before planting season with the soil nutrient levels. Spoofing that data to provide inaccurate readings would create the potential for dangerously high levels of macronutrients in the soil, which would result in the deaths of many of the plants in the field. It would also cause an economic investment by individual farmers that would cause problems for their already thin margins.

When planting season arrives, this is the moment to brick the tractors. This move depends heavily on when planting would begin in a given region, so it would be unlikely to unfold as a monolithic attack. Instead, it would need to happen on the day of planned planting for maximum impact. The planting would only be delayed by days before a patch would be pushed, but that may be enough to cause even a 5-10% reduction in crop yield instead of the 3-4 extra bushels per acre that was the goal. Further, such an attack could be combined with attacks on the UAVs or Earth sensing data from space assets to create a combination of inoperable equipment and inaccurate readings.

Doing such an attack at scale would require multiple attacks. Simply bricking every tractor would not be enough.
Causing inaccurate soil nutrient readings that result in overnutrition plus bricking plus issues with guidance data from UAVs or space assets could cause a massive disruption over a 2–3-week window and that might be enough.

Long Term Effects

If a cyberattack could cripple macroeconomically significant agriculture yields, the effects would be felt throughout the year and perhaps into the next. The market prices of the specific commodity targeted would reverberate through the markets, causing significant price jumps in markets worldwide. Locally, some farmers may not recover, forcing their farms into foreclosure and potentially taking that arable land offline for 1-2 years. If the soil is overnourished, it may need to fallow for a growing season. Prices on foodstuffs will also rise and likely stay high as the raw materials will not be available, or at least not as readily available, across the given year. With market and grocery store prices higher, some farmers out of business or struggling, and planting season coming only once per year, the potential for long term effects is significant.

Thousands of years of human agricultural history have left us all with an intuitive, if not biological, understanding of planting season and harvest season. But as we move to further connect our agriculture to the internet in pursuit of greater yields and efficiencies, we need to start thinking about attack season.

Smart Agriculture is most vulnerable in the April 11th – May 20th window for crops like corn and soybeans in the US. Including preparation time, that window is probably larger, starting at least the first of April if not mid-March. Rural communities must consider this attack window when considering how to implement Smart Agriculture at scale. Planting seasons vary with agricultural zones, so the dates will vary depending on the local community.
The risk calculations for implementing such connectivity should include the planting season window as it would be the optimum time to create the longest-term impact on communities and markets.

Further, when food supplies are disrupted, there is a significant trust factor that must be considered. News of a cyberattack that will disrupt agricultural food supplies will cause significant problems within local communities, but also nationally and internationally as news spreads. This kind of panic can worsen market prices and cause real pain on grocery bills. That is the kind of direct-to-consumer impact that malicious cyber actors live for, and it is also the kind of effect that may allow one to extract concessions from the target.

Smart Agriculture can transform efficiencies and yields for important crops. We may have already crossed the line where these technologies are necessary given the growing global population and the scarcity of arable land. Increasing yield per acre translates into more people fed and lower prices for foodstuffs. It is also an attractive target for a cyber actor looking to make a big splash. Cybersecurity of Smart Agriculture should consider these impacts and consider the windows in which cyber attackers can conduct an operation for optimized effect. Unfortunately, the windows for optimized crop yields and optimized cyber disruption overlap on the calendar.

This article was originally published on GoTech Insights.

Nick Reese is the cofounder and COO of Frontier Foundry and an adjunct professor of emerging technology at NYU. He is a veteran and a former US government policymaker on cyber and technology issues.

This post was edited by Thomas Morin, Marketing Analyst at Frontier Foundry.