Introduction

Food and agriculture is one of the 16 critical infrastructure sectors designated by the US Department of Homeland Security, but it receives considerably less security attention than energy, water, or transportation. The sector’s operational technology runs grain storage and handling facilities, refrigerated distribution infrastructure, food processing and packaging lines, and irrigation control systems — all with SCADA and PLC components that are increasingly connected to enterprise networks and, through compliance requirements, to internet-accessible supply chain platforms.

The sector’s experience with ransomware between 2021 and 2023 demonstrated what happens when this OT infrastructure is disrupted: JBS, the world’s largest meat processor, paid $11 million to REvil after a ransomware attack disrupted beef production across North America and Australia for five days. NEW Cooperative, an Iowa grain handling organisation, was struck by BlackMatter ransomware in September 2021, with attackers threatening to publish 1,000GB of data including soil maps and research data. Crystal Valley Cooperative, another Minnesota grain and farm supply company, was hit by ransomware the same month. Dole Food Company’s 2023 ransomware incident temporarily halted salad production lines and required North American operations shutdown.

These were not isolated incidents or novel attack techniques. They were the result of enterprise-standard cybercriminal tooling applied to organisations that had not adequately separated OT from IT networks.

The OT Architecture in Food and Agriculture

Grain Handling and Storage

Grain elevator facilities use SCADA systems to manage grain receiving, drying, storage aeration, and loadout operations. PLC-controlled conveyors, bucket elevators, and pneumatic systems move grain between receiving pits and storage bins. Temperature and moisture sensors monitor stored grain quality, feeding into monitoring systems that trigger automated responses.

Historically these systems were isolated on local networks or used proprietary serial communications. The operational efficiency pressure to integrate grain inventory with ERP systems and commodity trading platforms has added IP connectivity — often via off-the-shelf industrial routers with default credentials and no patch management.

The RealFlex and TeleCom platforms used widely in grain elevator SCADA have known vulnerabilities that remain unpatched in operational deployments because downtime for patching is commercially expensive during harvest season.

Cold Chain and Refrigeration

Food cold-chain OT includes refrigeration control systems (typically using BACnet or Modbus over IP), temperature monitoring infrastructure, and automated warehouse management systems. Cold storage facilities operate at tight temperature tolerances for food safety: a control system compromise that disrupts refrigeration can destroy millions of dollars of inventory in hours.

Building automation systems managing refrigeration are frequently installed and maintained by HVAC contractors using standard IT networking equipment — flat networks, default credentials on BACnet/IP controllers, and remote access via consumer-grade VPN products.

Food Processing and Packaging Lines

Automated food processing relies on PLC-controlled machinery for mixing, cooking, packaging, and quality inspection. Siemens S7, Allen-Bradley ControlLogix, and Omron systems control production lines. Integration with MES (Manufacturing Execution Systems) for production scheduling and OEE (Overall Equipment Effectiveness) tracking creates connectivity between the OT layer and enterprise networks.

The JBS attack disrupted processing lines because the ransomware spread from IT networks to systems that managed scheduling and operational data for processing — not necessarily the PLCs themselves, but the systems that coordinated what the PLCs were instructed to do.

Irrigation and Precision Agriculture

Large-scale crop farming increasingly uses automated irrigation controlled by SCADA systems, connected soil moisture sensors, and GPS-guided machinery. While these systems have lower immediate safety consequences than industrial processing, they represent a growing connected surface. Disruption of irrigation scheduling during critical growth periods has meaningful economic impact, and remote access credentials for agricultural management platforms are targets for credential theft.

Regulatory Developments: FDA FSMA Rule 204

The FDA’s Food Safety Modernization Act Rule 204 — the “Traceability Rule” — requires food manufacturers, distributors, and certain retailers to maintain detailed traceability records for foods on the Food Traceability List (FTL), including leafy greens, soft cheeses, nut butters, shell eggs, and finfish. The rule requires digital records of Critical Tracking Events (CTEs) — growing, receiving, transforming, creating, and shipping — with interoperable data exchange with FDA systems.

The initial compliance deadline was January 2026, though enforcement has been phased. The security implication is direct: FSMA 204 compliance requires systems that were previously paper-based or isolated to connect to networked platforms that can exchange records with FDA and trading partners. Every new connectivity requirement is a potential attack surface.

Operators implementing FSMA 204 digital traceability should ensure that the connected compliance systems are network-isolated from OT systems for production operations. A traceability platform compromise should not provide a pivot to production PLCs.

Threat Actor Landscape

Ransomware affiliates represent the most active and impactful threat. The JBS, NEW Cooperative, and Crystal Valley incidents were all financially motivated ransomware operations without specific sector targeting — food and agriculture organisations were attractive targets because they had the revenue to pay significant ransoms and the operational urgency to pay quickly.

Nation-state pre-positioning is an emerging concern. CISA’s 2024 advisory on Volt Typhoon’s OT pre-positioning activities identified food and agriculture as a sector of interest alongside energy and water. While no confirmed Volt Typhoon activity in food and agriculture OT has been publicly attributed, the sector’s critical infrastructure designation and the disruption potential of production halts make it a plausible target for Chinese pre-positioning operations designed to provide leverage in geopolitical conflict scenarios.

Hacktivists have targeted food companies in campaigns related to animal rights and environmental causes. While typically focused on IT systems and data exposure rather than OT disruption, hacktivist groups have demonstrated interest in agricultural sector organisations.

Defensive Priorities for Food and Agriculture OT

Network segmentation between IT and OT remains the foundational control. The IT-to-OT lateral movement observed in JBS and similar incidents requires a flat or insufficiently segmented network. Implementing a Purdue Model-aligned segmentation — with DMZ layer separation between corporate IT, business-critical OT systems (MES, historian), and process control networks — constrains ransomware spread even when an IT environment is fully compromised.

Remote access hardening for operational systems. Grain elevator and cold-chain OT systems frequently have remote access enabled for vendor maintenance, often via RDP or VNC with weak credentials over consumer-grade VPN products. Replace with industrial-grade remote access solutions with MFA, session recording, and time-limited access grants. Audit all active remote access connections.

Patch cycles for widely deployed agricultural SCADA. RealFlex, TeleCom, and similar grain management platforms release patches that are rarely applied in operational environments. Establish a patch review and deployment schedule that accommodates operational windows — harvest, processing shutdowns — while ensuring critical vulnerabilities don’t remain unpatched for multiple seasons.

FSMA 204 implementation security review. Organisations implementing FSMA 204 compliance platforms should explicitly review network placement, access controls, and data flows before go-live. The compliance requirement creates new connectivity; the security review ensures that connectivity is appropriately controlled.

Incident response planning specific to food safety implications. A ransomware event that disrupts refrigeration or processing controls has food safety consequences beyond IT recovery timelines. Incident response plans should include food safety team involvement, FDA notification assessment, and product hold procedures — not just IT recovery steps.

The food and agriculture sector’s OT security posture has improved since 2021 but remains materially weaker than the energy and water sectors, which have benefited from years of mandatory regulatory standards (NERC CIP, America’s Water Infrastructure Act) that do not have equivalents in food and agriculture. The sector faces an environment where ransomware operators are actively interested, nation-state pre-positioning activities are plausible, and new regulatory requirements are driving connectivity that expands the attack surface. The priority should be the basics: segmentation, credential management, and remote access hygiene.

Tags
food-agriculturecritical-infrastructureransomwareSCADAgrain-elevatorJBSFSMAFDAcold-chainOT-securitysector-briefing