ISO/WD 24882 prioritizes security of agricultural machinery & tractors
As critical infrastructure, the food and agriculture industry keeps bellies full and countries running. Despite being the engine driving food stability, much of the industry lacks the cybersecurity to match today’s technologically advanced farming practices.
Bringing in roughly $1.5 trillion, food and agriculture (and related industries) made up about 5.6% of US GDP in 2023 (USDA). The industry affects everyone, every day, whether through the cost of groceries, employment opportunities or physical health.
Technology trends in food & agriculture
New technology impacts the day-to-day responsibilities of farmers and suppliers, manifesting in a number of ways:
Precision agriculture: New and actionable insight into soil and weather conditions empower farmers like never before. Smart sensors, IoT, GPS and AI technology unlock this data, giving them an edge against the elements and the ability to remain proactive in highly unpredictable environments.
Advanced machinery: Drones and robots have multiplied a farm’s ability to monitor and tend to crops. Drones can pinpoint lost livestock, facilitate flood models and scout for pests.
Automation: Not only does smart equipment level up data analytics, it also paves the way for automation. Self-driving tractors and harvesters can plow, seed and harvest fields with minimal human intervention, reducing labor costs. Automated feeding and watering systems reduce farmers’ daily, menial workloads, while greenhouses benefit from automatic temperature control.
Wearable devices: Not just a health maintenance tactic for people, wearable devices track livestock health too, monitoring heartrate, temperature and illnesses.
The applications of technology in farming continue expanding, including in adjacent fields, like logistics management.
High-impact cyber threats disrupting critical infrastructure
Covid-19 showed the world what happens when one part of an interconnected supply chain is interrupted: the flow of foods and goods stops. While technology can certainly help alleviate these issues, it also introduces new risks.
A hacked agriculture system could lead to incorrect treatment protocols for crops and animals, compromised physical facilities and the inability of large food and ag players to produce.
Beyond protecting access to equipment and facilities, farmers also now have data to protect. With smart devices, farms gather more and more information that, when aggregated, provides real proprietary value.
Cybercriminals who are able to take over an agricultural company’s systems hold a significant amount of power over entire societies. The same holds true for bad actors sponsored by political enemies looking to destabilize nations by disrupting food production or poisoning food supply.
Agricultural cyberattacks are on the rise, for example, the recent hack of robotic milking systems at a dairy in Switzerland or an earlier ransomware attack on Schreiber Foods.
Because of the extensive supply chains involved with turning raw products into the food that ends up on our tables, disruptions quickly lead to waste and empty shelves.
In the case of Schreiber Foods, its facility could no longer accept and process milk scheduled for delivery. The milk, a perishable good, had to find somewhere else to go for immediate processing or risk getting dumped. Cows, after all, must continue being milked, milk must continue exiting the facility, and trucks must return promptly to be refilled. The cycle continues regardless of a bottleneck, but the entire system turns dysfunctional.
SO/WD 24882: Industry standards for agricultural OEMs
ISO/WD 24882, a developing international standard, focuses on establishing cybersecurity requirements for the agricultural sector. With the aforementioned integration of digital technologies into farming equipment, this standard addresses risks to agricultural machinery, such as tractors.
ISO/WD 24882 compels agricultural OEMs to implement secure design, development, production and maintenance of agricultural machinery throughout its lifecycle. Notably, they should be able to conduct risk assessments during the design and development phases, and integrate security features into software, hardware and communications components. Security requirements must continue being met after deliver via software updates and maintenance logs, followed by secure decommissioning.
While similar in some ways to other cybersecurity frameworks (e.g. ISO/SAE 21434, the EU’s Cyber Resilience Act and UNECE R155) it reflects the unique challenges of the agricultural sector, namely remote operations and limited connectivity.
Data encryption & key management in food & agriculture
The security of critical food and agriculture infrastructure involves multiple factors: secure OTA updates; the ability to verify & authenticate incoming data sources; the secure collection, storage and sharing of data via encryption & proper encryption key management
To make this happen, farmers, most of whom already have a strong handle on cutting edge robotics and automated machinery, must level up their cybersecurity.
Facing a handful of intersecting policies and standards, these organizations need to partner with experts who have a strong grasp of the regulatory, technological, risk and strategic elements that comprise effective data security.
Their solutions should at least address the following:
- A unified key management system
- Demonstratable footprint-wide security policies, e.g. for decommissioning
- Ongoing risk assessment
- Verifiable data sharing
- Cutting-edge PKI technology
- Compliance, audit & reporting
- Crypto-agility
- Future-proof strategy
This inexhaustive list shows, not only the big-picture and granular complexity involved, but also the opportunity to streamline, strengthen and future-proof the core business.
To complicate matters, critical infrastructure is ultimately all linked: Food and agriculture depend on functional water systems and transportation. Unable to irrigate crops, export products or receive supplies, the industry would crumble.
As seen through the blossoming of new cybersecurity standards and policies, protecting critical infrastructure has become a matter of national priority everywhere, and rightly so.