Cybersecurity in Agriculture: How to Protect Your Operation on a Budget

This article was updated as of August 26, 2022.

Technological innovation has recently improved productivity, efficiency, and communications in all industries, and agriculture is no exception. Data collection, analysis, and storage allow ranchers and farmers to refine their processes, increase yields and comply with regulations as they evolve. Unfortunately, there is a downside. All these improvements create digital data, and protecting it is the function of cybersecurity. Given that the FBI has already identified agriculture as an industry with cyber risk, how are digital assets protected inexpensively?

It may seem obvious, but the first step in protecting data is knowing where it is. Data is created in many forms, from emails and documents to process logs and sensor information. As farmers and ranchers become more reliant on digitized data, they become more vulnerable to cyberattacks. The size of your operation is irrelevant, as hackers often infiltrate smaller operations to reach their larger objective. The Target hack is an example where hackers broke in via an HVAC client company, using a phishing email to install malware.

Therefore, it is essential to know where data resides. For many, hard drives on desktops are common. However, network storage, servers, portable devices (such as smartphones, laptops, and tablets), and IoT (Internet of Things) devices are all possible.

IoT devices and sensors are perhaps the most dangerous and need protection, as compromising one of these can allow access to the entire network and the data stored on it. In smart farming or precision agriculture, the rancher or farmer must understand the path data travels, whether it involves RFID tags, automated milking machines, soil sensors, GPS monitoring of crop growth using drones, or any other agricultural activity or process, including those in the entire supply chain.

Some data may reside in the cloud. If so, how does your cloud service provider manage your data? Perhaps other third parties have access to data for analysis and visualization?

Ignoring cybersecurity is not an option as the risks are many and varied. With each innovation or automated process comes additional cybersecurity risks. For example, data is valuable. Using Big Data at a farm or ranch level can allow hackers to analyze data to predict market availability and pricing—an advantage in the futures market. Hackers can also have disruptive motives, such as destroying data or holding it to ransom until financial compensation is received.

As there is no dedicated security standard for smart agriculture (although it is coming), agricultural operations can choose from several others. These include ISO 27001 and the NIST Cybersecurity Framework, neither of which are mandatory but offer guidelines for reducing cybersecurity risk. If the business accepts credit cards as part of operations, then the PCI-DSS standard is often mandatory and helps protect cardholder data and payment processing.

Therefore, protecting your operation on a budget will require, but is not limited to, the following steps:

1. Select and align with a cybersecurity and compliance standard. Even if the current budget only allows partial compliance, any pending tasks can be worked on as additional budgets become available.
2. Ensure that operations have a reliable backup and recovery strategy if data is lost or corrupted. It is imperative to test the process rather than have it fail when needed.
3. Security awareness is key for all employees, not just those in management or office positions. Ensure that everyone is aware of the common ways hackers try to acquire data.
4. Hire a cybersecurity professional familiar with your business. Such a person can determine areas of risk and protect against them. Many outsource these professionals rather than offering full-time employment.
5. Ensure you have a security software suite to block viruses, malware, and other threats.
6. Ensure that all software has the latest updates and security patches.
7. Network monitoring software can also block potential threats by IP address or only allow specific ones. Those accessing data remotely should only do so over VPN. This software will also monitor when approved users access information.
8. Change default password settings when implementing:
   1. Software applications
   2. Cloud services
   3. Networking devices
   4. End-user devices
9. Implement multifactor authentication (MFA) where available, and for those credentials which do not have that option, require strong passwords. Strive for a minimum of 14-15 characters and complexity requirements where available.
10. In terms of third parties, ensure all disclose their data protection methods, including backup and recovery processes and that they align with your expectations.

None of the above require significant capital investment, and several only require a small amount of time each month. Once achieved, the business can then look at the next step in cybersecurity, proactive threat monitoring, alerting, and even hunting.