Digital Agriculture—A Gap in Critical Infrastructure Protection

When the term cyberattack is mentioned, cheese is certainly one of the last things that comes to mind. Yet, surprisingly, cheese production has been disrupted by cyberattacks not once but twice. In April 2021, Dutch supermarkets suffered a shortage of cheeses due to a ransomware attack against a major logistics company, Bakker Logistiek, responsible for its warehousing. Only a few months later, in October 2021, a cyberattack hit the production plants and distribution centers of one of the largest U.S. cheese manufacturers. As a result, the company, Schreiber Foods, was unable to operate for several days, creating a shortage of cream cheese in the U.S. market right before the holidays.

These attacks demonstrate that the food production sector is far from secure. Cyber threats to this industry carry tangible consequences. The examples above were on a logistics company and distribution centers, but future attacks could go straight to the source, agricultural production, especially as extensive digitization of the sector has added new cyber vulnerabilities. Nevertheless, the digital agriculture sector is regularly omitted in most conversations about protecting critical infrastructure against cyberattacks. In order to protect our food sources, government officials quickly need to issue proper guidance on securing technology in the agriculture sector and offer tools to farmers to help identify and mitigate vulnerabilities.

The method of digital agriculture

Digital agriculture incorporates tools such as artificial intelligence (AI), the internet of things, robotics, and unmanned aerial vehicles into agricultural production. The driver behind the digitization of agriculture is the application of data and AI to decision-making for farmers. Examples may include access to weather data combined with management advice for the farm or the precise application of fertilisers by robots. Sensors can also provide detailed diagnostics about soil condition or constituent parts of an automated irrigation system. In addition, digital agriculture can contribute to more efficient monitoring of livestock and improved traceability of farm products along a supply chain, making it easier to comply with food-safety regulations.

A sector under attack

One of the reasons why digital agriculture must be at the forefront of discussions about protecting critical infrastructure is because cyberattacks against it are on the rise. One attack with dire consequences hit the sector only last year. The world’s largest meat processing company, JBS Foods, was affected by a ransomware attack in June 2021. This attack forced the company to halt cattle slaughtering at all of its US plants for a day threatening food supplies and leading to higher food prices for consumers. The company ended up paying eleven million dollars in ransom to resolve the attack.

While the attack on JBS is the most prominent example, the U.S. agriculture sector has been hit by many other major cyberattacks in the past two years. For example, a cyberattack on a Minnesota agricultural cooperative disrupted the livestock feed order and an Iowa farming co-op was hit by ransomware which disrupted the networks responsible for the feeding schedules of chickens, hogs, and cattle. Given that the digital agriculture market is growing quickly  (with the smart agriculture market expected to more than triple in the next decade, from $10 billion in 2020 to over $30 billion by 2028), the consequences of an attack are only increasing.  

A gap in critical infrastructure protection?

The absence of digital agriculture from discussions about critical infrastructure protection is a major oversight. Even though the definition of what constitutes critical infrastructure differs from country to country, a common element in both the United States and Europe is the fact that a critical infrastructure sector’s incapacitation or disruption would have a debilitating impact on society.

Most countries have included the agricultural sector in their designated critical infrastructure sectors, however digital agriculture is either only recently included, indirectly mentioned, or completely omitted. The United Kingdom published guidance tips for farmers’ cybersecurity only in late 2020. Despite this positive step, the sector was not included in the critical infrastructure list and the guide mainly contained general advice to farmers, not protective measures the government would introduce or vulnerabilities the farmers could mitigate in their devices.

In the United States, digital agriculture was mentioned by the Federal Bureau of Investigation (FBI) in a bulletin in April 2022. In the four page document, the FBI mentions a series of cyberattacks against farms, but only provides short, broad recommendations to farmers. Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA), the agency responsible for securing critical infrastructure, has not updated its food and agriculture sector specific plan since 2015, and there is no mention of digital agriculture technologies in its new 2023-2025 strategic plan.

Digital agriculture technologies are also notably absent from European Union statements and regulations. The protection of critical infrastructure in the EU is regulated by the Network and Information Systems Directive (NIS) which will soon be superseded by a new directive, NIS 2.0. Neither version refers to digital agriculture explicitly. NIS 2.0 briefly recognizes the growing threat of cyberattacks in agriculture (in Recital 37b), however, after acknowledging the threat, the document says nothing further on the issue.

An urgent need to regulate

Digital technology has become an increasingly large part of farming, and, as this trend has accelerated, agriculture has become much more vulnerable to cyberattacks. What differentiates the agricultural sector though, is the fact that food supplies are intrinsically linked to our survival. The threats are real, and the regulatory gap is growing. Addressing this gap is not complicated, given that critical infrastructure protection legislation exists. Government officials need to integrate digital agriculture into critical infrastructure protection and issue useful guidance and tools to help farmers secure their growing stocks of digital equipment, such as a program introduced in 2021 in Canada designed to assess the cybersecurity practices of the digital agriculture sector. Expanding protections system to digital agriculture could save us from catastrophic disruptions to our food supply.

Triantafyllos Kouloufakos is a legal researcher at the Centre for Information Technology and Intellectual Property Law at the Katholieke Universiteit Leuven, attorney at law licensed to practice with the Athens Bar, and a Cybersecurity Fellow at the European Cyber Conflict Research Initiative.