If hackers wanted to debilitate American society, they would have trouble taking down the entire power grid or financial system, but they could do serious damage to the companies that make and deliver Americans' food.
The US food and agriculture sector lacks the resources, expertise, and government support to protect itself and its products from a rapidly expanding range of cybersecurity threats, according to lawmakers, policy experts, and former government officials. These shortfalls leave gaps that foreign government operatives or cybercriminals could exploit to remotely disable farming equipment, contaminate fertilizer, cripple milk supplies, and kill chickens.
In the past few years, cyberattacks on the meat processing giant JBS Foods and the Iowa farm services firm NEW Cooperative have laid bare the industry's widespread vulnerabilities. And new technologies, including advances in artificial intelligence, are creating previously unimaginable risks, overwhelming a workforce not accustomed to dealing with digital security. Making matters worse, food and agriculture is one of only a few critical infrastructure sectors that doesn't have an information sharing and analysis center, or ISAC, helping companies fight back.
All of these shortcomings make food and agriculture companies a prime target for Russian operatives bent on vengeance for Western sanctions, Chinese spies seeking a competitive advantage for their domestic firms, and ransomware gangs looking for victims that can't afford downtime.
The federal government has recently begun addressing these dangers. Lawmakers are introducing bills and spotlighting the issue at hearings, and a presidential directive has spawned a series of reports and reviews. To the people most informed and worried about the chaos that hackers could cause, these developments are long overdue.
"Agricultural and food security is the foundation of American security," says US congressman August Pfluger, a Texas Republican who has sponsored a bill on the subject. "Without a stable food supply, society stops functioning."
Precision agriculture uses GPS sensors and satellite imagery to determine the right kind of fertilizer for every patch of soil and send instructions directly to tractors that automatically move around and spray the appropriate mixes. If hackers breached these systems, they could poison the crops of every farmer using them. The impact wouldn't be clear until months later, when the crops would begin to grow poorly or fail to grow at all.
Farmers are also vulnerable to more immediate sabotage. The same remote-access technology that enabled John Deere to remotely disable a batch of Ukrainian tractors stolen by Russian forces could let hackers turn off millions of tractors across the United States.
America's meat supply faces huge risks too. Inside the massive industrial facilities where most chickens are raised and slaughtered, the temperature and humidity are precisely controlled by internet-connected computers. With control of this system, hackers could engineer a catastrophe.
"You could lose tens of thousands of birds literally within 10 to 15 minutes," says Marcus Sachs, deputy director for research at Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. "We've seen this happen before. It's almost like a wave goes through the chicken house, where they all just die."
Just-in-time logistics mean that even short-term cyberattacks can have serious consequences. Hacks that disrupt fertilizer or pesticide production can force farmers to sit out planting seasons. Breaches at meat-packing plants can cause destabilizing supply shortages. Tampering at a food processing firm can lead to deadly contamination. Already, ransomware attacks that have forced companies to shut down operations for a week have left schools without milk, juice, and eggs, according to Sachs.
"A major disruption in this sector leads to immediate public health and safety issues," says Mark Montgomery, who served as executive director of the Cyberspace Solarium Commission.
Despite being increasingly vulnerable, Sachs says, the food and agriculture sector still "doesn't really understand the threat mindset" as well as higher-profile sectors, like financial services and energy, do.
[...] "One vulnerability and attack," Pfluger says, "can lead to catastrophe for everyone downstream."
(Score: 5, Insightful) by Runaway1956 on Friday April 07, @07:10PM (17 children)
Someone remind me why it's desirable to have anything connected to the web? The tractor, the milking machine, the refrigeration, the ventilation, everything connected.
Smart phones, dumb Americans.
Abortion is the number one killer of children in the United States.
(Score: 5, Insightful) by JoeMerchant on Friday April 07, @07:44PM (9 children)
There is good value to be had from integrating field imaging data with irrigation, fertilization and pest control. It can also help to plan planting and harvest operations.
The tractor combines can get a little value from GPS based autopilots, some route planning, and coordination with other harvest support equipment. It also doesn't hurt to inform the supply chain earlier about crop yields, quality, etc. And market feedback definitely informs planting decisions and timing.
What should happen is a thorough, honest review of when network connectivity provides more value than risk and who is benefitting from that value vs when the connectivity is basically putting important systems at risk of attack for little or no benefit.
Of course, any time connectivity is provided, it should be implemented securely, without all the obvious vulnerabilities, maybe even following best practices. If that's too hard, pull the plug and take it off the network.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 5, Touché) by HiThere on Friday April 07, @08:12PM (3 children)
GPS should not require a connection to the internet. In fact the ONLY IOT things that are appropriately connected to the internet are those that you intend to be monitored/controlled from distant locations, and where you don't care if they are hacked. An "IOT"ish system that operated off of a local server would be a lot more justifiable and securable.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 2) by JoeMerchant on Friday April 07, @09:45PM (2 children)
>IOT"ish system that operated off of a local server
98% of the value I get from IOT stuff would be improved by keeping it in my local network, ignoring the cloud services. Unfortunately, when you are buying $9 widgets off Amazon you don't get to specify the design / implementation, and nobody is marketing competitive IOTish products that operate on the local network.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 3, Interesting) by Runaway1956 on Friday April 07, @10:19PM (1 child)
Exactly. For instance, a Ring doorbell sounds kinda cool. I'd like to be able to see who is at the door, without picking my dead arse up off my chair. "Oh, hi Billy, come on in, it's unlocked!" Or, "Come around back, Marsha, we're in the garden!" But I most definitely WILL NOT give Amazon/Google/Apple/whoever access to the imagery or the audio from the doorbell. I've looked at security/surveillance cameras, and ditto. I WILL NOT hook my cameras up to the cloud. Yeah, I've shopped a little bit for such things. Haven't made a decision on anything, but I notice those devices that are not web connected seem to cost more.
Stupid.
Abortion is the number one killer of children in the United States.
(Score: 5, Interesting) by JoeMerchant on Friday April 07, @11:17PM
I have 3 PoE IP cameras that I view through the local network. One had UPnP that put my video on the internet automagically without my knowledge for about a year, nothing I cared about, just video of the yard, but still....
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 3, Interesting) by legont on Saturday April 08, @04:09AM (4 children)
If we have to military harden all the agriculture's machinery, what's gonna happen to food prices?
It's, of course, a rhetorical question. Besides, it's not possible in the foreseeable future.
Consider a GPS spoofer for $50 and all the fun sending an army of tractors to the nearest police station or highway. Much more fun than the recently popular transformer shootings.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 3, Insightful) by JoeMerchant on Saturday April 08, @09:22AM (2 children)
Two guys in a pickup truck with a bed full of hand grenades can do billions of dollars worth of damage in the Houston area per hour.
Hardening network security is relatively cheap to do, compared to the physical vulnerabilities we live with.
Your GPS spoofer is a physical on site transmitter which can be easily found and disabled. Just having a physical off switch on the tractors is sufficient IOT security to prevent the tractors from marching on the capitol.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 2) by legont on Monday April 10, @04:13AM (1 child)
The only feasible way for John Deere to harden their security would be to issue a recall and then brick all their tractors to force farmers to actually do it. Yes, I happened to work with their software back in the 90s. No farmer would volunteer to go back to Deere for many reasons; one of them is they "deleted" their tractors.
Having said that, I think hackers would not be able to brick too many tractors for the same reason - they've been deleted. Tractors, obviously, not hackers.
Back to the issue, yes, one could harden future machinery, but not the current one which is supposed to work for 20 years or more.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by JoeMerchant on Monday April 10, @11:44AM
The ECU is a tiny (actual) cost compared to the machinery, thus their targeting of it as a profit center.
I don't know Deere but I know Caterpillar in the early 2000s was using 8bit 6811s to control their big equipment.
In cars, you can rip out the factory ECU and drop in generic (and usually less secure) replacement ECUs for on the order of $1K. Deere equipment is a lot more diverse than cars, but the same thing could be done with secure control systems, especially if Deere cooperates.
Ukraine is still not part of Russia. Glory to Ukraine🌻 https://news.stanford.edu/2023/02/17/will-russia-ukraine-war-end
(Score: 0) by Anonymous Coward on Saturday April 08, @11:54PM
Yes, and that's exactly what they're hoping for. :)
(Score: 5, Interesting) by RS3 on Friday April 07, @08:04PM (6 children)
I don't have time to find the reference, but somewhere (here, SN?) someone posted results of a poll of (we) Americans and very few were in favor of Internet-connected things.
That said, having worked somewhat in factory / automation, it's very very helpful to network as much as you can, but do not connect it to the Internet. At least be very sure of firewall, and no user computers / workstations / WiFi on the production machine subnet.
(Score: 3, Insightful) by aafcac on Saturday April 08, @12:14PM (5 children)
Yes, and in many cases we don't even get a choice. It has the feature whether or not you want it and there is no local only option because the company doesn't want to give up the profit from the data that's being collected. So the choice winds up being the iot item or nothing at all.
(Score: 2) by RS3 on Sunday April 09, @12:04AM (4 children)
I just helped install a pair of very large Sony TVs. They tried and tried to get us to connect to the 'net, buy Netflix and a bunch of other things. You persist and persist and you eventually get a normal non-Internet-connected TV that works. It was slightly more annoying than installing Windows.
(Score: 2) by hendrikboom on Sunday April 09, @01:25PM (3 children)
The TV that you got that did not connect to the internet -- was it a model of television that had no mechanism to make a connection? Or was it a television that had to be configured to not connect?
If the latter, I'd always worry if it was configured right.
-- hendrik
(Score: 2) by RS3 on Monday April 10, @01:35AM (2 children)
They had a mechanism to connect to the 'net. We only ran power and HDMI. In the setup process they asked for WiFi password, but we just hit "skip". One or two menu steps asked if we wanted to enter our Amazon Prime or Netflix or ... but you could keep hitting "skip".
After all that, they performed flawlessly.
Of course it remains to be seen in the long run, but I'm pretty confident they'll be perfectly stable.
(Score: 2) by hendrikboom on Monday April 10, @08:27PM (1 child)
I wonder if they'd connect to wifi anyway if the wifi happened not to have a password.
(Score: 2) by RS3 on Tuesday April 11, @12:34AM
Fortunately most WiFi spots have passwords now. It would be pretty easy to test with Wireshark or a similar packet sniffer. The aforementioned TVs are not mine, but I just got a couple of other "smart" TVs for repair and I might try testing what you asked about. It will be several weeks before I'll be able to work on them though.
TBH I was skeptical that the new Sonys would let you run them without Internet access, but I'm very happy that they do work perfectly.
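The packet-sniffer test discussed in this thread, sketched as an added example that is not part of any post above: given rows exported from a capture, it reports which devices sent anything to an address outside the local network. The `source MAC,destination IP,destination port` row layout, the MAC addresses and all sample rows are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample rows: "source MAC,destination IP,destination port",
# as exported from a capture taken on the segment the devices sit on.
CAPTURE = """\
aa:bb:cc:00:00:01,192.168.1.1,53
aa:bb:cc:00:00:01,239.255.255.250,1900
aa:bb:cc:00:00:01,224.0.0.251,5353
aa:bb:cc:00:00:01,255.255.255.255,67
aa:bb:cc:00:00:02,192.168.1.20,554
aa:bb:cc:00:00:02,203.0.113.45,443
aa:bb:cc:00:00:02,2001:db8::10,443
aa:bb:cc:00:00:03,fe80::1,546
"""

# Destinations that never leave the LAN. Listed explicitly rather than using
# ipaddress.is_private, which also covers documentation and other reserved ranges.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
    "224.0.0.0/4", "255.255.255.255/32",               # multicast (SSDP, mDNS), broadcast
    "fc00::/7", "fe80::/10", "ff00::/8", "::1/128",    # IPv6 equivalents
)]

def is_local(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr.version == n.version and addr in n for n in LOCAL_NETS)

def off_lan_destinations(capture_text):
    """Map each source MAC to the sorted (ip, port) pairs it sent off-LAN."""
    hits = defaultdict(set)
    for line in capture_text.splitlines():
        if not line.strip():
            continue
        try:
            mac, dst, port = line.strip().split(",")
            if not is_local(dst):
                hits[mac.lower()].add((dst, int(port)))
        except ValueError:
            continue  # malformed row, or a frame with no IP destination
    return {mac: sorted(dests) for mac, dests in hits.items()}

if __name__ == "__main__":
    for mac, dests in off_lan_destinations(CAPTURE).items():
        print(mac, dests)
```

An empty result only covers the capture window, so the capture should span power-on, standby and at least a day of normal use before a device is treated as local-only.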