CFISA CEO Michael Levin Guest Blog Article from F5 can be found here.
The sight of empty supermarket shelves during the COVID-19 pandemic brought home the fragility of our food supply chain. We can all see the importance of ensuring the security of the farming and agriculture industry. However, farming is becoming increasingly automated. This means new cybersecurity risks are emerging to stand alongside traditional risks like the weather and pests. Beyond our farmers, technologists and policymakers also need to recognize and address this risk.
Precision Agriculture and Smart Farming
Agriculture, like every other industry, is being digitally transformed. The rise of precision agriculture leverages technology to ensure that crops and soil receive precisely what they need for ideal health. Precision agriculture relies on mobile apps, smart sensors, drones, and cloud computing solutions. This change is happening across the entire farming industry, regardless of size.
Precision agriculture includes three common platform types—stationary, aerial, and ground-based mobile—which all rely on IoT tied to APIs. The sensor and robotic IoT devices constantly exchange data via APIs across the Internet, which provides greater freedom to communicate and manage complex agriculture systems. But it also expands the attack surface and exposes many cybersecurity entry points.
These precision agriculture devices and sensors are like other IoT devices, such as smartphones, fitness bands, vehicles, appliances, and even connected medical devices. We have already seen massive security failures in IoT devices in critical infrastructure, such as the cellular gateways emergency responders use. We also have seen IoT devices subverted into massive botnets used for DDoS attacks and credential stuffing. Unless steps are taken, we will see more of these security troubles, but with precision agriculture.
Precision Agriculture Risk
The risk to the farming industry when using precision agriculture solutions could include:
- Business and customer information data theft
- Stealing resources controlled by sensors and devices
- Destruction of equipment that devices manage
- Reputation loss if a data breach is made public
- Hijacking the system to use in an IoT botnet that carries out DDoS attacks and other assaults
To meet these risks, cybersecurity best practices must be in place to safely implement all technology solutions in farming.1 However, as our recent food-security wake-up call drove home, the greatest impact of a cybersecurity event in precision agriculture would be disruption to our society’s food supply, which would have repercussions far beyond any one business or demographic.
Attacks Against IoT Devices Continue to Rise
Cybersecurity experts have documented the rapid increase in cybercrime during the COVID-19 pandemic. All organizations are now operating in an environment of elevated risk and uncertainty. Despite numerous warnings from security experts (including F5 Labs’ work on IoT security), the proliferation of poorly secured IoT devices continues. Cybercriminals know this and are constantly sweeping the Internet for SSH and Telnet login pages that use default credentials. SSH and Telnet are common administrative interfaces for IoT devices, and quite often they have weak or no authentication configured. Without basic protections, attackers can harvest IoT devices at will with almost zero effort.
Protecting Farming and Agriculture IoT Infrastructure
For all the advantages that precision agriculture offers, the potential for mass disruption is also enormous. The likelihood of unsecured devices being located and compromised is certain. The impact is potentially catastrophic. Without proper cybersecurity on the IoT interfaces for the physical devices and sensors precision agriculture uses, data could be easily lost or stolen, the food supply could be disrupted, or human lives could be placed at risk.
When you enable a new sensor or device, take a few minutes to understand all the different ways these devices connect to your network and the Internet. Adhere to the following guidance to protect yourself and your systems:
- Avoid leaving connection points open when not in use.
- Choose IoT tools that can be hardened and updated easily.
- Always keep IoT systems up to date with current versions of the firmware.
- For non-IoT systems, ensure the operating system, firmware, security software, and web browsing tools are patched. Use currently supported systems capable of receiving updates.
- Familiarize yourself with the security features included in your devices and applications. You may need to configure things like data encryption, remote wipe, password customization, two-factor authentication, backups, VPN, and malware removal. Using two-factor authentication is now considered a best practice—be sure to turn it on if your devices support it.
- For mobile devices used in precision agriculture software and applications, take the time to understand your devices’ security settings. Wireless features such as Wi-Fi, cellular, Bluetooth, near-field communication, location tracking (GPS), and media sharing can all be potential breach points if left unsecured.
- For all mobile devices, realize that free Wi-Fi networks are unencrypted, leaving your device activity and data open to monitoring by attackers. Turn off any settings that automatically connect you to free Wi-Fi networks that you have not previously approved.
- Be aware of where your data is stored and transmitted. What data is stored on your physical device? Is it being shared via the cloud? If so, how often does it refresh, and who has access rights? Are any settings configured to share your data with applications you have not approved?
- Enable logging and monitoring of all precision agriculture software and applications so you can detect when systems are compromised.
Every industry that has embraced the growing capabilities of the Internet has eventually needed to reckon with the potential for anyone, anywhere to interfere and subvert their systems. Now it is time for agriculture to confront this reality as well. As farming is one of the most critical components of any society, we must make security part of our business acumen and consider it just as important as anything else we do to make our business successful.
If you do not have an employee who can successfully make cybersecurity part of the daily work duties, consider hiring a well-qualified vendor to serve in this role. Many farming executives wait until after a cybersecurity breach hits to resolve security vulnerabilities. Get proactive with security best practices so you can sleep at night.
1 In October 2018, the Department of Homeland Security (DHS) issued its report on Cybersecurity Threats to Precision Agriculture. This DHS report states, “As adoption of precision agriculture technology has increased, vulnerabilities and cyber threat issues have emerged. An attacker could exploit precision agriculture vulnerabilities to access sensitive data, steal resources, and destroy equipment.”