From left, Colin Hamill (Sentinel Forge Technologies), Andrew Rose (BIO-ISAC), Alex Nunez (BGE) and Troy Lemaile-Stovall (TEDCO) addressed cyber resiliency in the agriculture and energy sectors at MTC’s Technology Transformation Conference. (TBM/George Berkheimer)

It’s easy to overlook agriculture in discussions of industries that need cybersecurity protection. As a critical sector that supports the nation’s most basic need, the way it is being transformed by technology has a lot of cybersecurity specialists worried.

That’s part of the reason why agriculture was paired with the energy sector for a discussion on infrastructure resiliency at the Maryland Tech Council’s fifth annual Technology Transformation Conference, held at the Live! Casino Hotel in Hanover in February.

A lot of things can go wrong, particularly when the first line of agriculture’s cybersecurity defense is arbitrarily left to small family farmers who have more pressing obligations and expenses to worry about.

Colin Hamill, founder of Towson-based Sentinel Forge Technologies, which focuses on cybersecurity for individuals, business and farmers, estimates there are more than 1,100 family-owned farms of 500 acres or less in Maryland alone. 

Although farmers aren’t likely to fall victim to ransomware attacks because hackers know they can’t pay, another angle makes them just as vulnerable, he observed: it’s through unprotected third-party vendors like them that hackers try to worm their way into the systems of the larger corporate entities they support.

“Most small farms spend zero dollars on cybersecurity,” Hamill said, in part because few options exist for small networks consisting of little more than a home computer, a smartphone and a handful of devices.

“A quarter of our farmers don’t even have Internet outside of cellular, and they don’t have the cloud,” he said. “There’s no money for the industry in selling to farmers, but farmers feed us. Cybersecurity professionals need to remember they’re essential.”

Threat convergence

Hamill and Andrew Rose, a cybersecurity adviser for the Bioeconomy Information Sharing and Analysis Center, speculated on what might happen if someone hacked a 15-ton autonomous combine harvester, or took the entire fleet offline days before the harvest, or took control of agricultural drones that spray chemicals. “No one’s really thought about that sort of thing,” Hamill said.

Threats to the agriculture supply chain aren’t limited to cyberattacks from foreign nation states, Rose said, but include the convergence of animal and environmental activists who oppose animal protein as a food source and are willing to perpetrate crimes to sabotage the industry.

“Our adversaries love to use groups like this as a cat’s paw,” he said. “They’ll infiltrate them and encourage them to do different things, we’re seeing that happen in Canada right now.”

Although regulation creates an impetus for cybersecurity investment, Rose is among those who think it should apply more to technology producers, not farmers.

“Technology should be secure by design,” he said. “The onus should be on the seller, not an 80-year-old farmer trying to figure out how to change a password on a drone.”

USDA data indicates the average age of a farmer in Maryland is 57, Hamill said, adding that it’s the younger farmers who are more likely to recognize the need for security.

“Producers don’t talk about cybersecurity or resiliency or redundancy when they sell a farmer technology,” said Alex Nunez, senior vice president of Government Affairs for BGE. “At most, a technician plugs it into their home router and walks away and no one thinks beyond that point.”

The energy angle

Like industry and society, agriculture depends on electricity, and climate change is becoming an increasingly bigger threat to the system.

“When a big [outage] affects critical customers, we think about hospitals and police and fire stations,” said Nunez. “But with agriculture, dairy products will spoil, cows won’t get milked. Nothing happens without energy.”

Resiliency itself, ironically, has led to a new set of resiliency problems. As more customers decide to install private solar panels and sell their excess electricity to utility companies, the one-direction grid has become decentralized, with a multidirectional flow of electrons that is fluid and fast acting.

“That opens up a lot of vulnerabilities that we’re going to have to ensure aren’t single points of failure,” Nunez said. 

Trust factor

Sharing information on all sides of the issue could help, but cultural and political difficulties make even that difficult, Rose said and are reluctant to report things to law enforcement.

What helps, he said, is celebrating wins against cyber terrorists to let farmers know the FBI is fighting back — and on the same team. ““To me, resiliency means getting ahead of the next attack and bringing together all of the parties … to do field or tabletop exercises together and ensure we have the ability to continue feeding our civilization and animals after an agricultural cyberattack,” Rose said. “If we’re not learning from what Russia is doing to Ukraine — taking out the electricity in winter and food in the summer to kill people — that’s a failure on our part to understand what’s coming next for us.”

Leave a comment

Leave a Reply