by Erwin Kristen, Reinhard Kloibhofer (AIT Austrian Institute of Technology, Vienna) and Vicente Hernández Díaz (Universidad Politécnica de Madrid)
The European agricultural sector is transforming from traditional, human labour-intensive work to data-oriented digital agriculture that has great potential for semi- or fully autonomous operation. This digital transformation offers many advantages, such as more precise fact-based decision making, optimised use of resources and big changes in organisation – but it also requires improved cyber-security and privacy data protection.
To feed the world’s growing population and compensate for the loss of arable soil, the agricultural sector needs to increase efficiency, productivity and food quality, while simultaneously reducing labour costs and environmental impacts. The current approaches aim to use more powerful machines in the field, make these machines semi- or fully autonomous, and to plan precise fertilisation, irrigation, pest control and harvesting regimes based on detailed environmental data. The race for solutions has started: fields, crops and livestock are supplied with numerous sensors that monitor the environment. Machines are equipped with intelligent algorithms to perform their daily work with high precision and provide extensive operation status information, enabling a 24/7 availability. The agricultural system infrastructure, composed of numerous networked digital devices, is called Agriculture Internet of Things (AIoT).
The resulting bulk data can guide precise decision making on the farm and inform product development by machinery manufacturers. However, the colossal data gathering activities are very attractive for cyber-attacks, including theft, manipulation and misuse of data.
In the “AFarCloud” project, a group of European partners are working to implement the AIoT concept. We are currently developing an abstraction layer for AIoT-based architectures. This is the middleware that defines the software components and procedures, acting as an interface between the field layer and the cloud-based data processing layer where the farm management services are located (Figure 1).
Figure 1: The system architecture with the middleware as the interface between the field level and the cloud-based farm management.
The field layer includes the sensors, actuators, outdoor devices, vehicles and livestock. One important part of the middleware is the cross-layer cyber-security management (CSM) service, which handles the security maintenance process, providing a security process definition for periodic security assessment and security improvement recommendations. It facilitates a trouble-free, secure operation.
Cyber-security measures protect the production plant against attacks. In the early days of automation, only the information technology (IT) sector (farm management and middleware) was affected by cyber-security threats. The operational technology (OT) domain (farm and field) was secure by virtue of isolation. Today, cyber-security measures are necessary for both domains.
Modern sensors are more than just data sources that send data to a data gateway: they are small, complex systems with a microcontroller, FLASH and RAM memory, that hold an operating system and data pre-processing firmware. They need the capacity to update their onboard firmware. Because of the increasing number of sensors in the field, this must be done using a wireless method, such as “over the air” (OTA). Unfortunately, this contributes considerably to security risks.
Cyber-security risks in general are not addressed by the European agricultural standards, which focus on food and nutrition security, prevention of harm to workers as a result of farm labour or exposure to pesticides, minimising the use of heavy machines and ensuring the humane treatment of livestock. In the United States, the Department of Homeland Security (DHS) recently conducted research to identify potential cyber-security vulnerabilities for agriculture. In Europe, however, agriculture was absent from a recent paper  that outlined the risks and the need for monitoring support to ensure cyber-security for a range of domains. Even the EU publication “Study on risk management in EU agriculture”  failed to include smart farming or cyber-security.
There is a clear need to define cyber-security guidelines for modern Agriculture 4.0 in the EU. While dedicated IT/OT security standards are lacking in the agricultural sector, industrial automation control systems (IACS) and the automotive domain are guided by cyber-security standards to ensure secure operation. These could be partially transferred to agricultural electronic systems by manufacturers. Similarly, in the communication sector there exist ETSI M2M (machine-to-machine) communication standards with extensions for agricultural machines [L2] and the ISO Bus.
The AFarCloud project has been running for two years. In the third and final year we will focus on a security evaluation demonstrator (SED)  that shows how installing a fast-responding sensor manipulation monitoring system can improve the security of hardware and software in a simple sensor node.
We also plan to begin developing an agriculture cyber-security standard and to publish our research results (cyber-security assessment and analysis methodologies, requirements, security recommendations) as a useful guide for cyber-security in agriculture.
This project has received funding from the ECSEL JU (Horizon 2020) under grant agreement No 783221 and from the partners’ national funding organisations.
[L2] ETSI TR 103 511, V1.1.1 (2018) - SmartM2M - SAREF extension investigation - Requirements for AgriFood domain
 I. Nai-Fovino et al.: “European Cybersecurity Centres of Expertise Map - Definitions and Taxonomy”, doi:10.2760/622400. https://kwz.me/h1R
 Directorate-General for Agriculture and Rural Development (EC, 2017), ECORYS, Wageningen Economic Research, Study on risk management in EU agriculture, doi:10.2762/08778. https://kwz.me/h1U
 R. Kloibhofer, E. Kristen, L. Davoli: “LoRaWAN with HSM as a Security Improvement for Agriculture Applications”, 2020. http://doi.org/10.5281/zenodo.3999637
Erwin Kristen, AIT Austrian Institute of Technology
Vicente Hernández Díaz, Universidad Politécnica de Madrid