Cybercriminals are increasingly targeting the food production and agriculture sectors.
A recent study from global cybersecurity firm Check Point found that agriculture saw the largest year-over-year increase in cyberattacks – 101% – of any industry in the world. In the U.S, the increase was 38%, according to Check Point researcher Omer Dembinsky.
“Not double, like the overall number worldwide, but still very significant,” he said of the U.S. increase.
The agri-food sector still isn’t one of the top targets for cybercriminals – education, telecommunications and government continue to make up the most targeted industries. But as farms and production facilities become more reliant on technology, Dembinsky said, they also become more vulnerable.
“There is more and more modernization going on and continuing to grow – the computers in the field, and in manufacturing and transport,” Dembinsky said. “And it’s not something that has a lot of security and safety guards like bank institutions or the government.”
The industry has seen multiple recent high-profile attacks on large companies in the U.S. Last year, a cyberattack on Ahold Delhaize USA – the parent company of Stop & Shop – led to limited inventory at some stores. United Natural Foods, a grocery wholesaler which supplies Whole Foods and a number of smaller grocers, had to completely shut down its online ordering platform after a cyberattack in June.
But Doug Jacobson, who runs the Center for Cybersecurity Innovation and Outreach at Iowa State University, said that cyberattacks on small and mid-size farmers are also occurring, even if the attacks don’t attract widespread attention.
“An adversary steals $5,000 from a farmer, [it] doesn’t make the news,” Jacobson said. “An adversary steals $5 million from a meat processing factory. That makes the news. So our farm sector is already under attack.”
As agriculture technology like drones and computerized irrigation become more advanced, that creates an opportunity for bad actors to gain access to controls and shut down production. But many of the threats to smaller producers take the same shape as the phishing or extortion scams that impact many industries and individuals, Jacobson said.
“A lot of it right now deals with convincing the producer to transfer money to the wrong place,” he said. “Convincing them that, ‘hey, I’m the co-op, and we have changed banks, so now you need to route the money to this bank.’”
Lawmakers and researchers take notice
Federal lawmakers have introduced at least four bills this year to address the growing cybersecurity risks in agriculture. The proposals range from requiring the U.S. Department of Agriculture to conduct annual crisis simulations to prepare for cyberattack scenarios, to establishing research programs at universities across the country.
U.S. Rep. Don Bacon, a Republican from Nebraska, first introduced the American Agricultural Security Act last year as part of the farm bill, which was never passed. His proposal would direct the Secretary of Agriculture to establish at least one biosecurity and cybersecurity research center at a U.S. university. That center would work with the Agricultural Research Service and other federal agencies to research cybersecurity issues in agriculture and provide training and workforce development.
“If you’re the Department of Agriculture, you can go to – hopefully, something like UNL (the University of Nebraska - Lincoln) – and partner with some very smart people who are studying this, and you get a better product,” Bacon said.
His proposal would also establish a competitive grant program through the U.S. Department of Agriculture with the goal of researching how to protect the agricultural system from chemical, biological, cyber or bioterrorist attacks.
Cybersecurity and attack prevention is a traditionally bipartisan issue, Bacon said, and most of the agriculture-specific cybersecurity bills introduced this session have been co-sponsored by a member of the opposite party.
One of those bills is the Cybersecurity in Agriculture Act, which U.S. Reps. Zach Nunn of Iowa, a Republican, and Don Davis of North Carolina, a Democrat, introduced in June. The legislation would establish five Regional Agricultural Cybersecurity Centers at universities – and provide $25 million in annual funding to run the programs. A companion bill was introduced in the Senate last month.
Jacobson said bills like those have two distinct benefits for universities: It provides the much-needed funding to expand research across the many disciplines within agriculture, and it serves as an acknowledgment from the government that cybersecurity in agriculture is an important topic.
“Ag is such a diverse area,” he said. “You have everything from seeds to production to precision ag, so it’s an extremely complex problem. Especially if you start looking at land-grant types of universities that have a strong ag and engineering types of programs, this type of funding brings those groups together.”
Other universities in the Midwest and across the country are also prioritizing research on the topic. In 2023, the University of Nebraska’s National Strategic Research Institute, which is sponsored by the U.S. Strategic Command, announced a partnership with the university’s Institute of Agriculture and Natural Resources to partner on food, agriculture and environment security. Virginia Tech University is home to a similar research program.
Though Jacobson said it’s unlikely that many universities will establish specific degree programs in agricultural cybersecurity, he sees it being integrated into curriculums in agriculture-related programs from agronomy to biology.
“You can’t convert everybody into a cyber person, but you sure can help them understand some of the easy things, and what are the potential risks?” Jacobson said. “A lot of the time, there’s just a few easy things you can do to make yourself much less of a target.”
One tip Jacobson offered to producers is to always be skeptical of any request with a sense of urgency. If a co-op or distributor sends an email saying their payment method changed, he suggests calling to confirm before sending money.
“An email is not a way to do anything urgent,” he said. “Weird payment formats – question that. Nobody does business in Target gift cards.”
This story was produced in partnership with Harvest Public Media, a collaboration of public media newsrooms in the Midwest and Great Plains. It reports on food systems, agriculture and rural issues.
