Tractors vs. threat actors: How to hack a farm

While I was in the UK police force and part of the National Cyber Crime Unit in 2018, I was asked to give a talk on cybersecurity at a National Farmers’ Union (NFU) meeting in southern England. Right after I started my talk, one farmer immediately raised his hand and told me that his cows had recently “been hacked”. Baffled and amused, I was instantly hooked and wanted to know more about his story.

He went on to tell me that his farm was relatively high tech and that his cows were hooked up to an online milking machine. Once, when he had clicked on a malicious email attachment, his computer network went down and he realized that without the network he had no way of knowing which cow had been milked or which cow needed milking next, causing major panic and stress – and quite possibly not just for him.

Making things worse, it wasn’t just his cows that had been attacked, according to the farmer. All the farm’s online accounts had also been compromised and, therefore, his tractors had been taken offline, leaving him with no information on which of his fields had been cropped or still needed cropping, as the tractor usually plans out the routes via his online accounts.

Tractor being used in a Dorset field

Caught in the crosshairs

Indeed, farming is nowhere near like it used to be. The increased use of email, online monitoring tools, remote controls, and payment systems – as well as automated smart farming equipment such as internet-connected tractors – means that the digital threat level is rapidly increasing for farmers and rural communities.

Few of us give this much thought, but some farms are very high tech and I personally am immensely impressed by the technology used in agriculture. However, this equally attracts threats far worse than slugs and crows. Put simply, farmers all over world are now experiencing the same cyberthreat level as other industries.

A University of Cambridge report recently said that smart farming technology such as automatic crop sprayers and robotic harvesters could be hacked and the probability with which this could happen is increasing. The UK’s National Cyber Security Centre (NCSC) works with the NFU to support the agriculture and farming sector, but there is still so much more for farmers to take on and learn.

Speaking with local farmers in my home rural county of Dorset, UK, I have realized they really are in need of more awareness of how best to protect themselves and their businesses. I recently met with one farmer, let’s call him Tom, in the middle of the Dorset countryside at the end of a busy harvest season. He showed me the tools and equipment used, which were all data-hungry, heavily tech-focused, and all internet-connected.

Tom’s tractors can be mapped, monitored, and controlled – as well as switched off – remotely. They all have 4G connectivity and they will not work without the latest updates being applied (excellent move by John Deere). It immediately struck me that if his systems were hit with ransomware or a DDoS attack, the effects would be financially crippling, especially if it were to happen at harvesting time.

Map showing where the tractors are located

Cash cows for cybercriminals?

I looked around Tom’s office network and found a few critical flaws that didn’t take long to fix – think no local security software, every online account using the same passwords, no local backups, etc. But it soon became apparent that there is clearly very little cybersecurity training offered when you set up online farming accounts or smart farming equipment, nor is such training on the radar of these farmers. Their job it is to supply the world with produce, rather than prioritize keeping cyberattacks at bay.

Tom’s collection is made up of three tractors covering his 8,000 acres of land, each of which has an online account attached that he enters and controls via a username and password. This access grants him the ability to see where the tractors are located, check updates, and perform other admin abilities.

He is using Windows 10 for the two local machines and a VPN to work remotely via another office a few miles away, but the majority of the data gathered from his various devices is stored in online accounts. Farming is now more digital than ever and probably produces more megabytes than kilograms. Tom noted that there is every detail imaginable that can be analyzed, from which fields have been fertilized to which fields have the most weeds per 50 cm² area in order to know how much pesticide and where to spray it, to reduce consumption compared to a blanket spray.

This map shows where the most fuel is used in the field

Tom is constantly checking his email and it became obvious to him that the threat was quite visible and that cybercriminals attack using email as their first port of call in most circumstances. With no security software in place, this became an instant worry.

He also told me that some local dairy farmers connect their cows to their network, meaning they can monitor the flow of milk produced per cow … but this also comes with the risk of being held to ransom should these networks become compromised. I had never thought that a cow could be ‘held to ransom’, but this is the Wild West of the internet where anything unseemly goes.

Example of yield data that is invaluable to a farm

Digital security for farmers

The farming industry is vital to the world’s food industry and therefore requires the utmost protection from cyberattacks. It is seemingly potentially very easy to hack a farm, and consequently more awareness is vital in the industry. From basics such as implementing password managers and using multi-factor authentication, to using cutting-edge security technology to withstand an attack on big farming service companies such as John Deere, it is clear that more needs to be done to support farms around the world.

There is a distinct possibility of being able to compromise these online accounts and it comes with the risk of being able to remotely access large machines, control them, hold them to ransom, and hold the usual (high quantity of) farm data to ransom too. Each year more smart and machine learning technology is developed, offering more protection to those who need a balance of convenience and security, but it is taking time to funnel down to all industries and those who need it. In the meantime, awareness and education on the quick wins is key to warding off the inevitable attacks.