The war in Ukraine has exposed some of the vulnerabilities of global food supplies, but given the increasing reliance on technology more widely in the food sector, how exposed to malicious actions are some of these production lines? Martin Allen-Smith investigates

A perfect storm of global events has put that most basic of human needs – food – into an expensive and potentially scarce state not seen since World War II. Record food prices have triggered concerns over a global crisis that risks driving millions into extreme poverty.

The war in Ukraine, supply chain disruptions and the continued economic fallout of the Covid-19 pandemic are reversing years of development gains in some parts of the world, and pushing food prices to all-time highs.

The commodities to have been affected the most include wheat, maize, edible oils and fertilisers, with global commodity markets facing upside risks through a reduction in grain supplies, higher energy prices, higher fertiliser prices and trade disruption due to the shutting down of several major ports.

Sustainable development group, The World Bank, warns that over the coming months, access to fertilisers will become a major challenge, and one that risks affecting production across a number of crops in multiple regions. Russia and Belarus are major fertiliser exporters, accounting for 38 per cent of potassic fertilisers, 17 per cent of compound fertilisers and 15 per cent of nitrogenous fertilisers.

Against this backdrop, the potential impact of technology has been magnified, with every measure to maximise production, increase efficiency and reduce cost being exploited wherever possible. As a result, the food sector is becoming increasingly digitised. Agriculture is ever more reliant upon sensor-driven digital infrastructure to optimise its production processes. Agritech has shown great potential – not least in its ability to reduce the cost of production and make a sizeable difference in a sector with notoriously low profitability.

According to the Cabot Institute for the Environment at the University of Bristol, which has undertaken extensive research on the part that cyber threats play in food security, an automated poultry feeding system in recent case studies has shown feed cost reductions of two to five per cent, translating to a 40 to 100 per cent increase in profitability. To stay competitive, poultry farmers competing with those that have adopted these technologies can do little else but follow suit.

The Institute points out that such rapid adoption does not allow time for careful consideration of the risks and requirements of such technologies – cyber security being key. The UK Government rightly considers the food sector to be part of critical national infrastructure, which should ensure that cyber security is of fundamental importance; and yet, it has been excluded from past consultations on regulation – indicating that the UK’s food sector has to look after number one when it comes to cyber security.

Taking control

Last year, the National Cyber Security Centre partnered with the National Farmers’ Union to create a cyber security guide for farmers, with both organisations emphasising that it is not just larger firms that need to invest in cyber security, with farmers of all sizes and types potentially at risk.

Just as the food crisis is global, so, too, are concerns over the cyber threat. In the US, the FBI’s cyber division recently published an alert for the food and agriculture sector stating that “ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons” in Autumn and early Spring.

It is the latest in a series of similar warnings, citing several instances in which organisations in the agriculture sector across the country have been targeted by ransomware in both the planting and harvesting seasons. It warned: “Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time sensitive role they play in agricultural production. Although ransomware attacks against the entire farm-to-table sector occur on a regular basis, the number of cyber attacks against agricultural cooperatives during key seasons is notable.”

Given the rapid march of tech across the sector, there are a whole host of potential weak spots to consider. Processes such as tilling, planting, fertilising, monitoring and harvesting can be delegated to AI, alongside algorithms that control drip-irrigation systems, self-driving tractors and combine harvesters, all capable of responding to the weather and the exact needs of the crop.

Risk analysis by Cambridge University, published in the journal Nature Machine Intelligence, warns that the future use of artificial intelligence in agriculture comes with substantial potential risks for farms, farmers and food security that are poorly understood and under-appreciated.

The report’s co-author, Dr Asaf Tzachor, from the University’s Centre for the Study of Existential Risk, said: “The idea of intelligent machines running farms is not science fiction. Large companies are already pioneering the next generation of autonomous ag-bots and decision support systems that will replace humans in the field. But so far no-one seems to have asked the question ‘are there any risks associated with a rapid deployment of agricultural AI?’”

The study adds that despite the huge promise of AI for improving crop management and agricultural productivity, potential risks must be addressed responsibly and new technologies properly tested in experimental settings to ensure they are safe and secure against accidental failures, unintended consequences and cyber attacks.

In their research, the authors have come up with a catalogue of risks that must be considered in the responsible development of AI for agriculture and ways to address them. They raise the alarm about cyber attackers potentially causing disruption to commercial farms using AI, by poisoning datasets or by shutting down sprayers, autonomous drones and robotic harvesters.

In the wider view, the consequences of a cyber attack are potentially greater for the food sector than many others because the impact is not limited just to the organisation concerned through business interruption and cost; they also add the spectre of harm to consumers through contaminated products and the huge reputational damage that could entail.

Cyber security specialists at CYE identified a number of key cyber risk factors which are particularly pertinent to food industry operators. It says that insecure and outdated industrial control systems could represent a vulnerability, with many food manufacturers still using legacy ICSs that are not configured to handle modern cyber threats.

Even new ICSs are missing long-term cyber security protections and are unprotected from external access through third-party channels, it warns.

Being insecure by design, ICS is even more challenging to protect when introducing aggressive digital transformation initiatives, which are becoming increasingly common. These efforts improve efficiency, but also introduce an expanded attack surface, by enabling greater connectivity to the manufacturing network, which exposes it to both commodity malware from the IT network (insecure HMI interfaces) and targeted attacks.

CYE also warns of a cyber security skills gap. Operations technology personnel responsible for operating and maintaining ICSs in the food manufacturing industry, are often experts trained in food safety and production, not in cyber security.

Although ICS cyber security standards are well-documented, their complexity and volume could overwhelm many food industry personnel. Research has also found that leaders in food processing and manufacturing are typically unaware of the extent of the cyber risk present in their industrial systems and OT/IT networks.

Perhaps the biggest challenge remains in harnessing the considerable advantages that the use of AI could bring to food production while ensuring the industry is as safe as possible from cyber threats. It may be a world away from the traditional datacentre target for many hackers, but the increasingly high-tech systems being used in agriculture and elsewhere within the food supply chain potentially represent low-hanging fruit for those looking to exploit such gaps with ransomware or other malicious attacks.

Jake Moore, global cyber security adviser at cyber security software firm, ESET, said: “Tractors may not seem the most obvious target to hack, but cyber criminals are astute enough to understand the repercussions and will go after systems which will fund their business model.

“The problem with farming machinery is that it often relies on unpatched third-party devices or is connected to out-of-date hardware which, when forced to update, can affect the desired output. Therefore, these devices are left at risk and become highly targeted by attackers.

“Real-world impact from cyber crime is growing at a rate that is becoming a huge worry to society and far more needs to be put in place to protect the most vulnerable.”


This article was published in the Q3 2022 issue of CIR Magazine.

Download PDF

Contact the editor