# Security for Agriculture and AgTech
Agriculture sits at the intersection of two trends that dramatically expand its cybersecurity risk profile: the digitization of farming operations through precision agriculture technology, and the growing recognition of food and agriculture as critical infrastructure requiring the same protection considerations as power grids and water systems.
Precision agriculture has transformed farming over the past two decades. GPS-guided tractors from John Deere and CNH Industrial now execute sub-inch field operations autonomously. IoT soil sensors relay moisture, temperature, and nutrient data to cloud platforms in real time. Drones survey crop health, identify disease vectors, and apply targeted pesticide treatments. Automated irrigation systems adjust water delivery based on sensor data and weather forecasts. Livestock monitoring sensors track animal health, feeding patterns, and movement through connected ear tags and collars.
Each of these technologies improves agricultural productivity, reduces input costs, and enables data-driven decision-making at a scale impossible with manual methods. Each also introduces network-connected endpoints into an operational environment historically managed by farmers and agronomists, not IT security professionals. The result is a rapidly expanding attack surface in environments with limited cybersecurity expertise, inconsistent connectivity, and no established security operations function.
At the enterprise level, large agribusinesses (commodity processors, food manufacturers, agricultural input companies) operate complex supply chains with ERP systems, food safety tracking platforms, and trade execution systems. The 2021 ransomware attack on JBS Foods demonstrated that a single breach of a large agribusiness can disrupt protein supply chains across multiple countries.
This article maps the specific threats facing agriculture and agribusiness, the regulatory environment, and how the Planetary Defense Model applies to agricultural security programs.
---
In June 2021, JBS Foods, the world's largest meat processing company, was struck by ransomware deployed by the REvil threat group. Operations across JBS facilities in the United States, Canada, and Australia were shut down for several days. The disruption idled approximately 22,000 workers, halted processing of roughly 20 percent of U.S. beef production capacity, and contributed to short-term price increases for beef and pork. JBS paid an $11 million ransom in Bitcoin to restore operations.
The JBS attack was followed two months later by a ransomware incident at NEW Cooperative, an Iowa-based grain cooperative, in which the BlackMatter group claimed to have encrypted systems and threatened to release stolen data. These events prompted CISA and the FBI to issue joint advisories specifically addressing ransomware threats to the food and agriculture sector.
The food and agriculture sector is attractive to ransomware operators for a straightforward reason: the operational consequences of extended downtime are severe and time-sensitive in ways that other industries are not. Meat processing facilities cannot hold livestock indefinitely. Seasonal planting and harvest windows cannot be missed. These constraints create pressure to pay ransoms quickly, making agricultural operations higher-probability payout targets.
The operational technology embedded in modern precision agriculture shares many characteristics with industrial control systems (ICS) in manufacturing or energy: it is often running older firmware, it was designed for function rather than security, and it is increasingly network-connected without the benefit of enterprise security controls.
John Deere's Operations Center platform, which aggregates data from connected equipment, manages field prescriptions, and integrates with precision agriculture applications, handles highly sensitive data: field maps, yield data, equipment telemetry, and application records. A compromise of this platform could expose competitive intelligence, enable tampering with field prescriptions (planting rates, fertilizer applications, pesticide applications), or provide leverage for extortion.
GPS spoofing is a precision agriculture threat vector that does not require a network intrusion: by transmitting false GPS signals, an attacker can cause GPS-guided equipment to deviate from its programmed path. In agricultural applications, this could result in crop damage, equipment collision, or misapplication of inputs at scale. Drone operations are similarly vulnerable to GPS spoofing and signal jamming, which can cause drones to land in wrong locations, drop payloads off-target, or fail to complete missions.
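A receiver-side plausibility check is one way to detect the deviation described above. The following is an added example, not code from any equipment vendor: it compares each GPS fix against what the machine could physically have done, using an independent wheel-speed reading. The `Fix` fields, the 15 m/s speed ceiling, the 2 m/s tolerance, and the sample track are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0

@dataclass
class Fix:
    t: float            # seconds since start of pass
    lat: float          # degrees, as reported by the GPS receiver
    lon: float
    wheel_speed: float  # m/s, from the machine's own ground-speed sensor

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dphi, dlmb = p2 - p1, math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))

def flag_implausible_fixes(fixes, max_speed=15.0, tolerance=2.0):
    """Return (index, reason) for fixes the vehicle could not physically have produced."""
    alerts = []
    for i in range(1, len(fixes)):
        prev, cur = fixes[i - 1], fixes[i]
        dt = cur.t - prev.t
        if dt <= 0:
            alerts.append((i, "non-monotonic timestamp"))
            continue
        gps_speed = haversine_m(prev, cur) / dt
        if gps_speed > max_speed:
            alerts.append((i, "position jump exceeds max vehicle speed"))
        elif abs(gps_speed - cur.wheel_speed) > tolerance:
            alerts.append((i, "GPS speed disagrees with wheel speed"))
    return alerts

def constructed_track():
    """Constructed sample: 1 Hz fixes heading north at ~3 m/s with two injected anomalies."""
    step, lat, track = 2.7e-5, 41.0, []   # 2.7e-5 degrees of latitude is about 3 m
    for i in range(10):
        if i == 5:
            lat += 0.001          # abrupt ~111 m jump
        elif i >= 8:
            lat += 3 * step       # gradual drag-off: GPS claims ~9 m/s, wheels say 3
        elif i > 0:
            lat += step
        track.append(Fix(float(i), lat, -93.0, 3.0))
    return track

if __name__ == "__main__":
    for idx, reason in flag_implausible_fixes(constructed_track()):
        print(idx, reason)
```

The abrupt jump is caught by the speed ceiling alone, while the gradual drift stays under that ceiling and is only caught by the cross-check against a sensor the GPS signal cannot influence.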
Automated irrigation systems, when connected to the internet for remote management, have been demonstrated to be vulnerable to unauthorized access. An attacker with access to an irrigation controller could cause over-watering (flooding) or under-watering (crop stress and loss) at the scale of entire fields.
Agricultural biotechnology represents decades of research and hundreds of millions of dollars in investment. Genetically modified seed varieties, pest-resistance traits, yield-enhancement technologies, and herbicide-tolerance traits are intellectual property of significant economic value to the companies that develop them and to the nations seeking agricultural self-sufficiency.
U.S. government agencies have publicly attributed the targeting of agricultural trade secret data and biotechnology research to APT41, the Chinese state-sponsored threat group. The specific targets have included agricultural input companies (seed companies, agrochemical manufacturers), university agricultural research programs, and agricultural trade organizations. The objective is the acquisition of research that would otherwise require decades and billions of dollars to independently develop.
Beyond biotechnology, agricultural trade intelligence has strategic value: knowing the planting intentions, yield forecasts, and inventory levels of competing agricultural producers enables advantaged position-taking in commodity markets. The theft of this information from agricultural companies and government agencies has been attributed to state-sponsored actors.
The FDA's Food Safety Modernization Act (FSMA) and its traceability requirements (Section 204, effective 2026 for covered produce items) require food supply chain participants to maintain and rapidly produce electronic records of the food traceability lot codes, quantity, and location of covered foods. This regulatory requirement is driving digitization of food traceability systems throughout the supply chain: from farms through processors, distributors, and retailers.
These traceability systems are, by nature, connected to multiple supply chain partners. A compromise of a traceability platform could enable data manipulation (falsifying food safety records), supply chain visibility for competitive intelligence, or disruption of recall capability during a food safety event. The interconnected nature of supply chain systems also creates pathways for lateral movement between organizations.
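One control against the record falsification described above is to make the traceability log tamper-evident. The following is an added example, not part of any traceability product or of the FSMA rule: each record is bound to its predecessor with an HMAC, so an edit or deletion by anyone without the key breaks verification from that point on. The record fields, lot codes, and key are constructed placeholders.

```python
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed starting value for the chain

# Constructed sample records using the fields the rule names: lot code, quantity, location.
RECORDS = [
    {"lot_code": "TLC-EXAMPLE-0001", "quantity": 480, "location": "Packhouse A"},
    {"lot_code": "TLC-EXAMPLE-0002", "quantity": 512, "location": "Packhouse A"},
    {"lot_code": "TLC-EXAMPLE-0003", "quantity": 300, "location": "Cold store 2"},
]
KEY = b"constructed-demo-key-not-for-production"

def _canonical(record):
    """Serialize deterministically so the same record always yields the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(records, key):
    """Return copies of the records, each carrying a MAC over itself and the previous MAC."""
    sealed, prev = [], GENESIS
    for rec in records:
        mac = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        sealed.append({**rec, "mac": mac.hex()})
        prev = mac
    return sealed

def first_tampered(sealed, key):
    """Return the index of the first entry that fails verification, or None if all pass."""
    prev = GENESIS
    for i, entry in enumerate(sealed):
        rec = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected.hex(), str(entry.get("mac", ""))):
            return i
        prev = expected
    return None

if __name__ == "__main__":
    log = seal(RECORDS, KEY)
    print("intact:", first_tampered(log, KEY))
    log[1]["quantity"] = 12
    print("after edit:", first_tampered(log, KEY))
```

The chain does not detect removal of the most recent records, so the latest MAC needs to be stored somewhere the record system cannot rewrite, such as with a supply chain partner.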
A significant portion of U.S. agricultural operations are in areas with limited or no broadband connectivity. This creates specific security challenges:
These challenges make cloud-delivered, low-bandwidth-tolerant security tools particularly relevant for agricultural operations, and make managed services from providers with agricultural sector expertise a practical necessity for most operations.
---
CISA Critical Infrastructure Designation: The Food and Agriculture sector is one of CISA's 16 designated critical infrastructure sectors, jointly coordinated by USDA and FDA as Sector Risk Management Agencies. Large agricultural operations, food processors, and input manufacturers are subject to the same general framework of critical infrastructure protection guidance as energy and water utilities, though mandatory cybersecurity regulations for this sector lag behind the energy sector.
FDA FSMA Section 204 Traceability Rule: Effective January 2026 for covered foods (leafy greens, tomatoes, certain fruits, cheeses, and others on the Food Traceability List), this rule requires electronic traceability records and 24-hour production of records during FDA investigations. Compliance requires investment in electronic record systems and supply chain data sharing infrastructure.
EPA and USDA Regulations: Agricultural operations involving automated chemical application systems may have regulatory touchpoints with EPA and USDA that create security-relevant compliance obligations around the integrity of application records.
Commodity Trading Regulations (CFTC): Agribusinesses participating in commodity futures markets are subject to CFTC oversight. Material cybersecurity incidents affecting market participants may trigger reporting obligations.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA): Once finalized, CIRCIA will require critical infrastructure entities (including food and agriculture sector entities above applicable thresholds) to report significant cyber incidents within 72 hours and ransom payments within 24 hours to CISA.
---
DPS: Data Protection and Sovereignty. Agricultural IP is the most sensitive asset category in this sector. Seed trait data, field-level yield maps, research data, and trade position information must be inventoried, classified, and protected with encryption at rest and in transit. The Sovereign Data Protocol (SDP) asks: does the agricultural operator know where its most sensitive IP lives, and has it made deliberate decisions about access and protection? For precision agriculture platforms that aggregate data to vendor clouds (John Deere Operations Center, Trimble Ag Software), understanding the data sharing terms and access controls on those platforms is a DPS obligation.
VSD: Vulnerability and Surface Defense. The precision agriculture attack surface includes IoT sensors, drones, GPS receivers, connected equipment, irrigation controllers, and the enterprise IT systems that integrate with them. Continuous Surface Reduction (CSR) in an agricultural context requires maintaining an inventory of all connected devices (OT and IT), establishing a patching cadence for firmware on connected equipment, and addressing the network exposure of internet-connected operational systems. Drone communication channels and GPS receivers may require specialized assessment.
SPH: Security Posture and Hygiene. Default credentials on IoT sensors and network equipment, unpatched firmware on agricultural hardware, and absence of network segmentation between operational and enterprise systems are the most common hygiene findings in agricultural assessments. Autonomous Posture Command (APC) principles applied here include automated configuration verification for network equipment, firmware version tracking for connected agricultural devices, and network segmentation between precision agriculture systems and enterprise networks.
IAT: Identity Access and Trust. Access controls on precision agriculture platforms (Operations Center accounts, drone management software, ERP systems managing commodity positions) must follow least-privilege and MFA principles. Supply chain partner access to traceability systems requires vendor access management controls. Zero Possession Architecture (ZPA) applied in agricultural settings means that access to sensitive field data and trade systems is explicitly authorized, logged, and revocable.
TID: Threat Intelligence and Defense. Nation-state actors targeting agricultural IP, ransomware groups targeting operational disruption, and commodity market intelligence actors represent the primary threat actor categories for this sector. Predictive Defense Intelligence (PDI) for agricultural organizations includes monitoring for sector-specific threat actor activity, participation in the Food and Agriculture ISAC (Food and Ag-ISAC), and active monitoring for indicators of compromise specific to agricultural management platforms.
RGA: Risk Governance and Assurance. FSMA traceability compliance, CIRCIA reporting obligations, and brand security requirements from food retail customers (many large grocery chains require cybersecurity assessments of their suppliers) constitute the governance framework for agricultural operators. Perpetual Compliance Assurance (PCA) means maintaining documentation of compliance posture continuously, not only at assessment time, and integrating cybersecurity into food safety management systems.
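The device inventory called for under VSD and the three hygiene findings listed under SPH (default credentials, firmware behind baseline, missing segmentation) can be checked mechanically once the inventory exists. The following is an added example, not code from CDA or any vendor: the device records, firmware baselines, and the OT address range are constructed assumptions.

```python
import ipaddress

# Constructed policy values, assumed for illustration.
OT_NETWORK = ipaddress.ip_network("10.20.0.0/16")   # segment reserved for field devices
MIN_FIRMWARE = {
    "soil-sensor": "2.4.0",
    "irrigation-controller": "5.1.2",
    "gps-receiver": "1.10.0",
}

# Constructed inventory covering OT device kinds named in the text.
INVENTORY = [
    {"id": "soil-017", "kind": "soil-sensor", "fw": "2.4.1", "ip": "10.20.3.17", "default_creds": False},
    {"id": "irr-002", "kind": "irrigation-controller", "fw": "5.0.9", "ip": "10.20.8.2", "default_creds": True},
    {"id": "gps-004", "kind": "gps-receiver", "fw": "1.9.3", "ip": "192.168.1.44", "default_creds": False},
    {"id": "drone-01", "kind": "drone-base", "fw": "3.0.0", "ip": "10.20.9.1", "default_creds": False},
]

def parse_version(text):
    """Compare versions numerically: as strings, "1.9.3" would sort above "1.10.0"."""
    return tuple(int(part) for part in text.split("."))

def audit(inventory, min_fw=MIN_FIRMWARE, ot_net=OT_NETWORK):
    """Return {device id: [findings]} for every device with at least one hygiene finding."""
    findings = {}
    for dev in inventory:
        issues = []
        baseline = min_fw.get(dev["kind"])
        if baseline is None:
            # A device kind with no baseline is itself a gap in firmware tracking.
            issues.append("no firmware baseline defined")
        elif parse_version(dev["fw"]) < parse_version(baseline):
            issues.append(f"firmware {dev['fw']} below baseline {baseline}")
        if dev["default_creds"]:
            issues.append("default credentials")
        if ipaddress.ip_address(dev["ip"]) not in ot_net:
            issues.append("outside OT segment")
        if issues:
            findings[dev["id"]] = issues
    return findings

if __name__ == "__main__":
    for dev_id, issues in audit(INVENTORY).items():
        print(dev_id, "->", "; ".join(issues))
```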
---
The agricultural vertical presents an FRM profile in which the TID and VSD domains often show the greatest gap between actual and required maturity. Nation-state threat actors targeting agricultural IP are sophisticated and persistent; most agricultural operators have minimal threat visibility. The OT attack surface in precision agriculture environments is broad, often undocumented, and rarely patched with the same rigor as enterprise IT systems.
CDA's FRM for agricultural operators adapts the standard six-domain assessment to account for the operational technology components (precision agriculture hardware, irrigation systems, processing equipment) that are not present in a standard enterprise engagement. The assessment team maps connected agricultural devices alongside enterprise IT assets and evaluates the segmentation, patching, and monitoring controls on both.
Recommended starting tier by organization type:
CDA's Planetary Crisis Protocol (PCP) is particularly relevant for large agribusiness operators: a ransomware incident that affects food processing operations is a multi-domain event simultaneously touching TID (detection), VSD (initial access), IAT (lateral movement), and RGA (regulatory reporting). The PCP provides a coordinated cross-domain response playbook for exactly this scenario.
---