Modern agriculture depends on internet-connected machinery that is centrally controlled and collects and analyzes massive amounts of data, making it an inviting target for threat actors.

Against the backdrop of horrific reports from Russia’s Ukraine invasion, an encouraging story emerged earlier this month when unidentified Ukrainians remotely disabled tractors worth $5 million that Russian soldiers in the occupied city of Melitopol stole from Agrotek-Invest, an authorized John Deere dealer. The soldiers stole 27 pieces of farm machinery and shipped them primarily to Chechnya, 700 miles away, only to discover they had been rendered inoperable due to a “kill switch.”

The dealership tracked the machinery using the tractors’ embedded GPS technology. Although the equipment was reportedly languishing at a farm near Grozny on May 1, one source said the Russians had found consultants who would try to bypass the digital protection that bricked the machines.

Some observers fear that malicious actors could exploit the same technology Deere and other manufacturers use to update and monitor farm equipment. If successfully accomplished on a large-enough scale, a cyberattack could disrupt significant portions of what has become critical agricultural infrastructure.

Modern tractors are intelligent machines

Farm equipment, including machines made by industry titan John Deere, evolved starting in the 1980s from old-fashioned analog tractors, combines, and so forth into digitally connected intelligent devices that produce treasure troves of agricultural data.
For example, modern tractors became equipped with “torque sensors on the wheels that measured soil density, humidity sensors on the undercarriages that measured soil moisture, and location sensors on the roof that plotted density and moisture on a centimeter-accurate grid.”

What enabled the kill switching by the Ukrainian dealership is something that initially began in the auto industry called vehicle identification number locking, or VIN-locking. VIN-locking enables only authorized technicians to enter special codes to work on a machine’s internal network. Deere’s use of VIN-locking became infamous when the tractor maker decided to deny farmers access to the computer software running their machines so they could make repairs. The company argued that farmers had no right to access their proprietary code.

Tractors fueled the right to repair movement

This refusal gave the “right to repair” movement in the U.S. steam to demand changes to the Digital Millennium Copyright Act (DMCA). The idea is to require John Deere and other equipment makers to provide access to “the same agricultural equipment’s diagnostic and repair information made available to the manufacturer’s dealers.” Deere has vigorously opposed this notion.

Due to this stalemate, American farmers began purchasing cracked Ukrainian John Deere software, including diagnostic programs, payload files, and electronic data link drivers. (As it turns out, Ukraine has a historical affinity for tractors dating to around 1930. Back then, the machines became “game-changers” that elevated peasant farming to “a steel bastion of the collectivization of agriculture” during Stalin’s forced collectivization of agriculture.)

In 2015, the U.S.
Copyright Office approved an exemption to the DMCA that allows modification to “computer programs that are contained in and control the functioning of a motorized land vehicle such as a personal automobile, commercial motor vehicle, or mechanized agricultural vehicle … when circumvention is a necessary step undertaken by the authorized owner of the vehicle to allow the diagnosis, repair, or lawful modification of a vehicle function.” However, farming right-to-repair advocates consider this exemption to be too narrow.

Hackable tractors are vulnerable to sabotage

At least one right-to-repair advocate, Kevin Kenney, argues that equipment makers’ remote control over vehicle software makes farmers and the food supply vulnerable to sabotage. In 2016, the FBI and the U.S. Department of Agriculture issued a bulletin warning that “the Food and Agriculture (FA) Sector is increasingly vulnerable to cyberattacks as farmers become more reliant on digitized data.”

That warning, however, focused chiefly on ransomware and the prospect of threat actors stealing farm-level data in bulk “to exploit US agriculture resources and market trends.” But the warning is consistent with one security researcher’s test earlier this year when he could remotely access the data of 25 Teslas simultaneously by exploiting a bug in an open-source logging tool.

At least one tractor maker, AGCO, was forced to shut down production earlier this month when a ransomware attack hit it. But stealing data from tractors or even shutting down a tractor manufacturer’s plant is a far cry from reaching out to tractors across the nation and shutting them down en masse.

Could a malicious actor hack and disable tractors?

With the remote bricking of the Ukrainian tractors, the question now arises: Could malicious actors disrupt a nation’s farming and the food supply by hacking into many tractors simultaneously and disabling them? Writer and activist Cory Doctorow thinks so, at least to some degree.
Given what he contends is Deere’s “dismal” infosec, “the tool that Deere used to brick all those stolen tractors in Chechnya is potentially available to even moderately skilled hackers who exploit Deere’s reckless decision to build kill-switches into its equipment and its negligent security,” he wrote.

Farming expert John Fulton, Professor of Food, Agricultural and Biological Engineering at Ohio State University, thinks the only way hackers could cause damage to farming in any significant way is to hack the big equipment manufacturers. Even then, the threat actors would have to attack farm-by-farm, a relatively inefficient way of bringing a nation’s agriculture down, he tells CSO.

“If they’re going to attack the farm, they’re going to be attacking one of those large companies to get to the farm,” he says. On the whole, Fulton thinks the ability to track down and disable stolen farm equipment is a good thing. “If someone stole your vehicle, you would want to have the opportunity and hope to get it back. So, if the GPS and the connectivity allow that to happen because someone was doing evil, then I think that’s a positive benefit of the technology,” he says.

Fulton visited Ukraine 30 years ago to rebuild and expand the country’s infrastructure for agricultural production following the collapse of the Soviet Union. At that point, the farmers were using “dilapidated and old equipment,” he says. It doesn’t surprise him that the dealership took the effort to disable the stolen tractors or that Ukrainian farmers value their machines so highly. “They recognize what the value of that is to their operation today versus what they had back in the eighties.”