In an arena at Iowa State University, two dozen students leaned over laptops on tables between green and red tractors. They came from across the country for the fourth annual .
鈥淭oday is the first day that we've actually started hacking. We鈥檙e still trying to play around with the systems, with the networks, with communicating with the machinery,鈥 said Anish Nag, an undergraduate student majoring in cybersecurity engineering at ISU.
Nearby, the lights on a tractor blinked on and off.
Amelia Wietting, senior embedded security engineer at John Deere, led the effort to launch the first CyberTractor Challenge in 2022. Two years later, she helped turn the event into a nonprofit and invited other farm equipment manufacturers.
鈥淥ne of the big things that we try to solve here is that talent pipeline of building the future of cybersecurity peers that we鈥檙e going to work with tomorrow,鈥 Wietting said.
At the start of the weeklong event, experts from universities and companies teach students about the technical protocols that run agricultural equipment, along with general cybersecurity concepts, like ransomware.
Teams of students then connect to the electronic components in tractors during a two-day ethical hackathon. They test points of entry and potential security flaws.
These skills are vital to farm equipment manufacturers as they try to stay ahead of bad actors.
A growing need for cybersecurity
While cyberattacks began making national headlines in the , the agricultural sector is becoming 鈥渕ore interesting to adversaries,鈥 said Carl Kubalsky, director and deputy chief information security officer at John Deere.
A ransomware attack shut down of the beef-processing capacity in the U.S. in 2021. That same year, were attacked at the start of harvest. The disruption to Iowa鈥檚 NEW Cooperative impacted around of U.S. grain producers.
Farm equipment experts say the need for cybersecurity has grown alongside precision agriculture, which includes GPS-guided machinery, internet-connected sensors and other data-driven technologies, to farm more efficiently.
鈥淭he way we used to apply herbicide to a field several years back was to broadcast herbicide on every square inch of that field,鈥 Kubalsky said. 鈥淲e now have a product that鈥檚 capable of looking across the sprayer boom 鈥 greater than 100 feet long 鈥 that uses cameras to identify green weeds in a green row of crops and spray herbicide on just that weed.鈥
But each connection point to the internet, cloud storage, software or app, creates a potential 鈥渁ttack surface鈥 to extract data or cause harm. Additionally, farmers might use multiple pieces of machinery made by different manufacturers.
鈥淭echnology gets more and more complex, which leads to these problems where we have interconnected systems where we might not understand fully how they integrate together,鈥 Wietting said.
Santosh Pitla is a professor in biological systems engineering at the University of Nebraska-Lincoln. His research focuses on agricultural robotics and cybersecurity for autonomous machines, including self-driving tractors.
鈥淭here are always bad actors looking to hack into things or make the systems compromised,鈥 Pitla said. 鈥淚magine a 600 horsepower tractor, which is probably like 60-70,000 pounds, with no driver in it, and someone hacks it.鈥
Without layers of security built in, hackers could drive a fully autonomous tractor onto an interstate or shut it off, he said. In 2022, Ukrainians farm equipment stolen by Russian troops.
A large-scale attack during the narrow window for planting and harvesting could hurt on-farm incomes and state economies that rely heavily on agriculture, Pitla said.
It could also disrupt national and global food supplies, according to James Johnson, vice president and global chief information security officer at John Deere.
鈥淐yber is not regional. It鈥檚 not country by country. It鈥檚 a global threat,鈥 he added.
Johnson emphasized companies that build products with cybersecurity in mind are going to be better positioned to handle whatever comes next.
AI and Gen Z
Johnson said it鈥檚 difficult to predict what the next five years could look like in cybersecurity with the rapid rise of artificial intelligence.
AI could help cybersecurity experts become more sophisticated in preventing and responding to attacks, he said. But there will likely be new challenges. For example, AI could make it harder to detect phishing campaigns, which trick people into giving out their credentials or downloading malware.
Many Generation Z university students interested in cybersecurity bring unique skills to tackle these rapidly evolving challenges, he said.
鈥淚鈥檓 a network native,鈥 Johnson said. 鈥淭hese students have a different world. Networks aren鈥檛 as important to them. It鈥檚 applications; it鈥檚 the cloud; it鈥檚 the AI.鈥
Trent Walraven recently graduated with a master鈥檚 degree and joined John Deere鈥檚 IT development program. In high school, he played YouTube videos in the background and stumbled upon cybersecurity conference talks.
鈥淎t some point, I realized I was paying more attention to those background security talks than my homework,鈥 Walraven said.
As an intern with John Deere, Walraven volunteered at the first CyberTractor Challenge, which he described as a pivotal moment. Instead of simply reading numbers or text on a screen, Walraven said he could get his hands on the hardware and see the tractor respond.
鈥淭hat additional physical attribute to it just really draws me,鈥 Walraven said.
This field benefits from having people with diverse backgrounds, he added. Many of the students at the CyberTractor Challenge are pursuing degrees in cybersecurity, computer science, software engineering, math and general engineering.
鈥淏eing somewhat technical is the bare minimum,鈥 Walraven said.
Cybersecurity on the farm
Beyond cybersecurity from manufacturers, Pitla said farmers should take certain steps to protect their data and overall operations.
A proliferation of agricultural apps allow farmers to more easily calculate seed rates and yield losses, identify weeds and monitor field conditions.
鈥淎 lot of times you go from one app to another without thinking about security,鈥 Pitla said. 鈥淛ust because one of them has a really perfect security rating doesn't mean it's not compromised, because a third or fourth app might be not up to the security clearance that we need.鈥
Pitla and other cybersecurity experts recommend multi-factor authentication (MFA) to verify a user鈥檚 identity. Location-based MFA uses IP addresses and GPS to determine whether a user is logging in from a trusted location.
Creating complex and unique passwords, and keeping software up to date are also strongly recommended.
Last year, Iowa State University Extension and the Center for Cybersecurity Innovation and Outreach released a 鈥溾 webinar series to offer advice and resources.
. It鈥檚 being distributed in partnership with , a collaboration of public media newsrooms in the Midwest. It reports on food systems, agriculture and rural issues.