John Deere tractor hack reveals food supply vulnerable to cyber attacks
Hacking a tractor to install a video game may seem like a funny prank, but it has confirmed security experts' fears about the vulnerability of our food supply to cyber attacks.
Australian security researcher Sick Codes hacked a John Deere 4240 display and installed the vintage 1990s video game DOOM, demonstrating his control of the system, to encourage agricultural technology developers to take security more seriously.
But the revelation that the display used code available openly on the internet and unsecured operating systems sent a shudder through security experts, who feared the boom in AgTech left agriculture wide open to attacks that could make food more expensive and harder to supply.
In a statement, John Deere said the hack, which involved physically accessing a unit that was not connected to the internet, did not put any customer or dealer's equipment, networks, or data at risk.
Palo Alto Networks is one of the largest cyber security companies in the world, specialising in preparedness, threat detection, and response.
Asia Pacific vice-president and regional chief security officer Sean Duca said developers sometimes overlooked security in the mistaken belief their devices were not a target.
"We've seen many sectors coming up with technology to transform their own sector … where technologies move forward and security has been an afterthought," he said.
"There's no sector that's going to be left unscathed because everything is up for grabs.
"These devices are internet enabled, which means that you'll be able to sit in your lounge room and effectively watch what's going on [on your farm].
"And if you can do it from your lounge room, other people will be able to see what's going on from their lounge rooms too."
The company's 2022 Ransomware Threat Report estimated data ransom demands and payments were rising.
In 2020, the average demand was just over $1.3 million. In 2021 it was more than $3.2 million — although payments were on average less than half of the amount demanded.
The tools used also evolved from encrypting files to publicly naming victims, leaking stolen data online, and providing ransomware-as-a-service (RaaS) — where high-tech gangs sell malicious software to low-tech criminals for a subscription or commission based on the ransom payouts.
And, like meat processor JBS in 2021, many businesses pay up to end the attacks.
"Once upon a time, there were only X amount of banks that you could rob in a year … now, you can go online and fleece people hundreds or thousands of dollars at any point in time," Mr Duca said.
He said hundreds of thousands of malicious attacks per day could cripple businesses and, by extension, the food supply chains they were in.
"The impact could be catastrophic … something could happen where it does actually impact our food supply," he said.
The Australian Cyber Security Centre estimates an Australian comes under cyber attack every 11 seconds.
Queensland University of Technology food and agricultural sociologist Carol Richards has studied the adoption of digital farm technology.
Dr Richards said the industry was dominated by a "techno-optimism" that needed to be balanced with caution.
"It's all about the promise of the future and how fantastic it's going to be, how it's going to increase productivity and yield and so on," she said.
"I think we also need to look beyond that … what are the hidden consequences of this?"
Dr Richards said farm data legally gathered by the devices also had the potential to cause harm if misused.
"Where does the data go and how is it used? How is it governed? Who has rights to this data?" she said.
"I think there are questions that we need to be discussing before we run headfirst into this."
While the majority of the threat is from criminals trying to make money, rogue operators often use the same tools for political gain with risks that go beyond data theft and ransom.
CQUniversity lecturer in agriculture, Saba Sinai, analysed the role of agriculture in national security in a report for the Australian Strategic Policy Institute.
Mr Sinai said the risk of sabotage, cyber attacks, and activism on public infrastructure was well understood, but private farm infrastructure such as dams, chemical storage, and airstrips could also be targeted.
"In an increasingly hostile world, but also an increasingly connected world, those vulnerabilities need to be realised … the past three years, in particular, have really taught us that the improbable is probable," he said.
"If a particular problem arises, are we prepared to face it? If there is a wide-scale cyber attack across, for example, multiple meat processors, what do we do?"
Mr Sinai said whether it was a cyber attack, sabotage, activism or biosecurity, disruption in food supply had a destabilising effect that could devastate farming communities, paralyse whole industries, and eventually reach consumers.
"If the processor is impacted by a disruption, all of the producers that depend on that processing and the retailers at the other end are impacted by that," he said.
"If it keeps happening and producers and industries have to invest in greater protection that's a cost that has to be absorbed and that can inevitably lead on to the consumer."
He called on governments to think of food production as part of Australia's overall strategic readiness, to invest in local manufacturing and value-adding infrastructure, and to engage with Indigenous communities in northern Australia to help defend against threats.
"These are communities with long and deep connections to country across Australia and the value of that knowledge can't be overstated," he said.
Whether it was physical attacks on farm or cyber attacks online, security expert Sean Duca urged producers, developers, and governments to take action.
"Really think about how you secure the whole process around design, build, deploy — before running it," he said.
"You're actually going to be in a better position than anyone else in the market because, in the end, we will all have to be able to do this."