The Threat Landscape No One Talks About
The food and agriculture sector is designated critical infrastructure under the US national framework, and the European Union’s NIS2 directive includes food production in its essential services scope. Neither designation has translated into security investment or awareness at the level the sector’s operational exposure warrants.
CISA’s Cyber Storm 2024 exercise specifically focused on food and agriculture sector response — a choice that reflected assessed risk rather than sector maturity. Food and Ag-ISAC’s 2026 threat intelligence analysis identified 72 distinct active threat actors targeting agricultural and food production supply chains, spanning nation-state espionage groups, financially motivated ransomware operators, and ideologically motivated hacktivists. Russia accounts for approximately 59% of observed adversary activity in the sector; China, 25%.
The sector’s operational technology environment is diverse and fragmentation creates security gaps at almost every layer.
What OT Looks Like in Food and Agriculture
Food and agriculture OT spans multiple distinct environments with different risk profiles:
Primary agriculture (farms, irrigation, precision agriculture): Modern farming operations use precision agriculture systems that integrate GPS-guided equipment, soil sensors, irrigation control systems, and drone-based crop monitoring. Many of these systems connect via cellular networks with minimal authentication. Irrigation control systems, often based on PLCs from Rockwell, Siemens, or smaller agricultural-specific vendors, control large volumes of water over wide geographic areas.
Processing and manufacturing: Slaughterhouses, food processing plants, and beverage manufacturing use SCADA systems and PLCs to control conveyors, temperature management, sterilisation processes, and quality control sensors. The IT/OT boundary in these environments is frequently permeable — production scheduling systems connect to both the plant floor and enterprise ERP systems.
Cold chain logistics: Temperature-controlled storage and transport uses monitoring and control systems to maintain product safety. Loss of temperature control doesn’t just represent financial damage — it creates food safety risks that trigger mandatory regulatory disclosure and product recalls.
Water use in agriculture: Irrigation infrastructure in large agricultural regions is interconnected at scale. Many irrigation district SCADA systems are internet-exposed with default or weak credentials — a pattern CISA has documented specifically in automatic tank gauges and other agricultural water management equipment.
The JBS Incident: Setting the Benchmark
The May 2021 ransomware attack on JBS USA remains the reference point for food sector OT impact. JBS, one of the world’s largest meat processors, shut down all US beef processing operations for several days after a REvil ransomware attack encrypted IT systems. Though the ransomware itself didn’t directly infect OT systems, the interdependence between IT and production scheduling forced a complete operational halt.
JBS paid $11 million in Bitcoin to the attackers. The total operational impact — lost production, supply chain disruption, temporary price increases for beef in affected markets — was substantially larger. The incident demonstrated that ransomware targeting IT systems in food processing can cause critical infrastructure-level disruption without ever touching a PLC.
In 2026, ransomware operators have significantly improved their understanding of OT environments. Groups including Clop, RansomHub, and ALPHV (before its law enforcement disruption) have documented the OT-IT boundary specifically to maximise operational impact without triggering immediate physical safety responses that would cut off ransom negotiation.
Nation-State Targeting: The Espionage Risk
The Russia and China attribution in Food and Ag-ISAC’s threat intelligence isn’t primarily about ransomware. Both countries conduct agricultural espionage targeting:
Seed and crop genetics intellectual property: Agricultural biotechnology companies holding proprietary seed genetics represent high-value IP targets. China-affiliated economic espionage cases documented by the FBI and Department of Justice have included attempts to acquire restricted crop strains physically, but network intrusion against the IT systems of seed companies is an established parallel vector.
Production capacity intelligence: Understanding a competitor nation’s crop yields, processing capacity, and supply chain constraints has strategic value in commodity markets and food security planning. Nation-state actors map agricultural production infrastructure for the same reasons they map energy infrastructure.
Pre-positioning: Consistent with the Volt Typhoon OT pre-positioning doctrine documented for US energy and water infrastructure, critical food production facilities are assessed as targets for capability pre-positioning. The operational objective is disruption capacity, not immediate exploitation.
Common Attack Vectors in Food Sector OT
Internet-exposed HMIs and SCADA interfaces: A significant number of food and agriculture OT systems are directly internet-accessible, either deliberately (remote monitoring) or inadvertently (misconfigured networking). Shodan searches reveal operational interfaces for irrigation systems, food processing conveyors, and cold storage management with no authentication or default credentials.
VPN and remote access exploitation: COVID-era expansion of remote access to OT systems created connectivity that was never appropriately secured. Credential stuffing against Fortinet and Cisco VPN appliances (the same vectors used in ransomware intrusions documented by CISA) provides initial access to networks that include food processing OT.
ERP and IT/OT integration points: Enterprise resource planning systems that interface with production scheduling and quality management systems in food manufacturing create bidirectional network paths. Compromising the ERP environment provides visibility into production data and potential access to engineering workstations on the OT network.
Supply chain and integrator access: Food processing equipment vendors and system integrators frequently retain remote access to equipment for maintenance. These credentials and connections are rarely audited or monitored with the same rigour as internal access — a pattern consistent across OT sectors but particularly acute in food manufacturing where specialised equipment vendors hold persistent access.
CISA Guidance and Sector Resources
CISA’s 2026 OT cybersecurity guidance, developed to address cost and complexity barriers, is relevant to food sector operators who face smaller IT/OT security teams than energy or water utilities. Key CISA recommendations applicable to food sector OT:
- Segment OT networks from corporate IT networks with defined data flows through industrial DMZs
- Implement unidirectional security gateways (data diodes) for connections from OT to IT where only monitoring data needs to flow outbound
- Require MFA for any remote access to OT environments
- Conduct annual ICS-specific risk assessments using the CISA CSET (Cyber Security Evaluation Tool)
- Develop and test OT-specific incident response plans that address operational continuity during a cyber incident
Food and Ag-ISAC provides sector-specific threat intelligence sharing for members. Membership is particularly valuable for smaller agricultural operations that don’t have internal threat intelligence capacity — the shared intelligence on active campaigns targeting the sector provides context that no individual organisation can develop independently.
Practical Priorities for Food Sector OT Security Teams
Inventory all internet-exposed OT: Run Shodan searches against your own IP ranges. If you find OT interfaces exposed without authentication, treat this as critical priority regardless of other work.
Enforce network segmentation between IT and OT: If the ransomware that hits your corporate network can reach production scheduling systems or PLCs, you have an IT incident that becomes an OT operational crisis. A properly segmented OT network limits the blast radius to IT systems and allows production to continue from manual procedures.
Review remote access for all vendors and integrators: Every VPN credential and remote access connection held by an external party should be documented, audited for necessity, and subject to the same authentication requirements as internal staff. Unused vendor access should be revoked.
Develop manual operational procedures: OT environments in food processing should have documented manual operating procedures for scenarios where control systems are unavailable. These procedures should be tested periodically. The JBS response was hampered by dependence on IT systems for production scheduling that had no manual fallback.
Engage with CISA’s food sector resources: CISA’s Food and Agriculture Cybersecurity Checklist is a practical starting point for smaller operators. CISA advisors provide free on-site assessments to critical infrastructure operators including food sector companies — a resource that is underutilised relative to the assessed risk.