In an arena at Iowa State University, two dozen students leaned over laptops on tables between green and red tractors. They came from across the country for the fourth annual CyberTractor Challenge.
“Today is the first day that we've actually started hacking. We’re still trying to play around with the systems, with the networks, with communicating with the machinery,” said Anish Nag, an undergraduate student majoring in cybersecurity engineering at ISU.
Nearby, the lights on a tractor blinked on and off.
Amelia Wietting, senior embedded security engineer at John Deere, led the effort to launch the first CyberTractor Challenge in 2022. Two years later, she helped turn the event into a nonprofit and invited other farm equipment manufacturers.
“One of the big things that we try to solve here is that talent pipeline of building the future of cybersecurity peers that we’re going to work with tomorrow,” Wietting said.
At the start of the weeklong event, experts from universities and companies teach students about the technical protocols that run agricultural equipment, along with general cybersecurity concepts, like ransomware.
Teams of students then connect to the electronic components in tractors during a two-day ethical hackathon. They test points of entry and potential security flaws.
These skills are vital to farm equipment manufacturers as they try to stay ahead of bad actors.
A growing need for cybersecurity
While cyberattacks began making national headlines in the early 2000s, the agricultural sector is becoming “more interesting to adversaries,” said Carl Kubalsky, director and deputy chief information security officer at John Deere.
A ransomware attack shut down nearly a fifth of the beef-processing capacity in the U.S. in 2021. That same year, six grain cooperatives were attacked at the start of harvest. The disruption to Iowa’s NEW Cooperative impacted around 40% of U.S. grain producers.
Farm equipment experts say the need for cybersecurity has grown alongside precision agriculture, which includes GPS-guided machinery, internet-connected sensors and other data-driven technologies, to farm more efficiently.
“The way we used to apply herbicide to a field several years back was to broadcast herbicide on every square inch of that field,” Kubalsky said. “We now have a product that’s capable of looking across the sprayer boom — greater than 100 feet long — that uses cameras to identify green weeds in a green row of crops and spray herbicide on just that weed.”
But each connection point to the internet, cloud storage, software or app, creates a potential “attack surface” to extract data or cause harm. Additionally, farmers might use multiple pieces of machinery made by different manufacturers.
“Technology gets more and more complex, which leads to these problems where we have interconnected systems where we might not understand fully how they integrate together,” Wietting said.
Santosh Pitla is a professor in biological systems engineering at the University of Nebraska-Lincoln. His research focuses on agricultural robotics and cybersecurity for autonomous machines, including self-driving tractors.
“There are always bad actors looking to hack into things or make the systems compromised,” Pitla said. “Imagine a 600 horsepower tractor, which is probably like 60-70,000 pounds, with no driver in it, and someone hacks it.”
Without layers of security built in, hackers could drive a fully autonomous tractor onto an interstate or shut it off, he said. In 2022, Ukrainians remotely disabled farm equipment stolen by Russian troops.
A large-scale attack during the narrow window for planting and harvesting could hurt on-farm incomes and state economies that rely heavily on agriculture, Pitla said.
It could also disrupt national and global food supplies, according to James Johnson, vice president and global chief information security officer at John Deere.
“Cyber is not regional. It’s not country by country. It’s a global threat,” he added.
Johnson emphasized companies that build products with cybersecurity in mind are going to be better positioned to handle whatever comes next.
AI and Gen Z
Johnson said it’s difficult to predict what the next five years could look like in cybersecurity with the rapid rise of artificial intelligence.
AI could help cybersecurity experts become more sophisticated in preventing and responding to attacks, he said. But there will likely be new challenges. For example, AI could make it harder to detect phishing campaigns, which trick people into giving out their credentials or downloading malware.
Many Generation Z university students interested in cybersecurity bring unique skills to tackle these rapidly evolving challenges, he said.
“I’m a network native,” Johnson said. “These students have a different world. Networks aren’t as important to them. It’s applications; it’s the cloud; it’s the AI.”
Trent Walraven recently graduated with a master’s degree and joined John Deere’s IT development program. In high school, he played YouTube videos in the background and stumbled upon cybersecurity conference talks.
“At some point, I realized I was paying more attention to those background security talks than my homework,” Walraven said.
As an intern with John Deere, Walraven volunteered at the first CyberTractor Challenge, which he described as a pivotal moment. Instead of simply reading numbers or text on a screen, Walraven said he could get his hands on the hardware and see the tractor respond.
“That additional physical attribute to it just really draws me,” Walraven said.
This field benefits from having people with diverse backgrounds, he added. Many of the students at the CyberTractor Challenge are pursuing degrees in cybersecurity, computer science, software engineering, math and general engineering.
“Being somewhat technical is the bare minimum,” Walraven said.
Cybersecurity on the farm
Beyond cybersecurity from manufacturers, Pitla said farmers should take certain steps to protect their data and overall operations.
A proliferation of agricultural apps allow farmers to more easily calculate seed rates and yield losses, identify weeds and monitor field conditions.
“A lot of times you go from one app to another without thinking about security,” Pitla said. “Just because one of them has a really perfect security rating doesn't mean it's not compromised, because a third or fourth app might be not up to the security clearance that we need.”
Pitla and other cybersecurity experts recommend multi-factor authentication (MFA) to verify a user’s identity. Location-based MFA uses IP addresses and GPS to determine whether a user is logging in from a trusted location.
Creating complex and unique passwords, and keeping software up to date are also strongly recommended.
Last year, Iowa State University Extension and the Center for Cybersecurity Innovation and Outreach released a “Cybersecurity on the Farm” webinar series to offer advice and resources.
