South Dakota wants to be hub of activity that protects nation’s food supply from cyberattacks; new law funds university-led partnership

May 18, 2022

Signed into law in March, South Dakota’s HB 1092 is a straightforward bill of fewer than 150 words. Its goal, though, is to address a complex, and growing, threat — cyberattacks that target farm production and the nation’s food supply.

“The agriculture industry as a whole has not prepared for attacks like the banking and utility sectors [have],” says Aaron Warner, CEO of ProCircular, a cybersecurity firm. He adds that several factors make the sector particularly vulnerable: on the one hand, agricultural production is widely dispersed and essential to national security; on the other, it is increasingly reliant on smart technologies and interdependent systems.

HB 1092 reflects what South Dakota Rep. Larry Tidemann sees as both a need and an opportunity. The need: get more people and research focused on ways to protect the nation’s food supply. The opportunity: make his home state a national leader in this area. His legislation allocates $1.25 million for two of the state’s public universities — South Dakota State (SDSU) and Dakota State (DSU) — to launch a CyberAg Partnership Initiative.

“SDSU is a leader in precision agriculture, and DSU is a center of excellence in cybersecurity, so this legislation asks them to work together and build on each university’s strengths,” Tidemann says.

The two schools will develop new undergraduate and graduate curricula, establish joint research projects, and raise public awareness about threats to agricultural security.

Dakota State University’s “Center of Academic Excellence” designation comes from the National Security Agency and U.S. Department of Homeland Security, and this year, the school also got a separate $30 million appropriation from the Legislature (SB 54) to make it an academic and economic hub for cybersecurity research.

South Dakota State University, meanwhile, is home to a first-in-the-nation bachelor’s degree in precision agriculture, thanks to a legislative appropriation four years ago (HB 1264) that funded the construction of a new classroom and laboratory.

‘Expanded number of vulnerabilities’

Technology has become a part of the inner workings of every facet of the food system, from how valves and temperatures are controlled in food plants, to the use of self-driving tractors, to how spray systems are used on farm fields.

“The rapid adoption and deployment of new technologies to operate machinery, to gather and analyze the data that drives precision agriculture, and the increasing reliance on communication technologies to link them have really expanded the number of vulnerabilities in the food and agriculture industries,” José-Marie Griffiths, the president of Dakota State University, said in legislative testimony earlier this year on HB 1092.

Of the cyberattacks experienced by the U.S. agriculture and food system, more than 70 percent involve ransomware, and 40 percent include some form of hacking. (Some attacks involve both ransomware and hacking.)

In April, the FBI issued a warning to the nation’s agricultural cooperatives to be on high alert for ransomware attacks during planting and harvesting seasons. Last fall, such attacks hit six grain cooperatives; two other incidents occurred in early 2022.

“Cyber actors may perceive cooperatives as lucrative targets with a willingness to pay due to the time-sensitive role they play,” according to the FBI notice.

Last summer, too, one of the world’s biggest meat processors was forced to shut down several plants due to a ransomware attack.

Protecting one industry, building another

According to Tidemann, an upcoming symposium of farmers, manufacturers and university researchers will help determine initial priorities. He expects part of the two universities’ work to focus on how to retrofit existing equipment and add security features to new designs.

Tidemann says another benefit of the initiative will be building a workforce pipeline for the cybersecurity industry, a sector that South Dakota has targeted for new investments and economic growth.

This year’s passage of HB 1092 marks the second straight year that the South Dakota Legislature has provided funding for new partnerships among its universities. In 2021, lawmakers appropriated $20 million for the construction of a bio-products research facility, a joint venture between South Dakota State University and the South Dakota School of Mines and Technology.

“That collaborative brought the technology of the School of Mines to the raw materials of SDSU’s agriculture and natural-resources work,” Tidemann says. “[It] focuses on creating new bio-products from the state’s raw materials, including corn and timber.”

HB 1092 aims to build on an emerging economic sector, cybersecurity, while protecting one of South Dakota’s most important industries — agriculture.


Agriculture sector required to report cybersecurity incidents under new federal law

The agriculture and food sector is among 16 critical infrastructure sectors identified by the U.S. government. Under a new federal law, signed by President Joe Biden in March, owners and operators in these sectors must now do the following:

1) Within 72 hours of any substantial cyberattack against them, report the incident to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

2) Within 24 hours, report any ransomware payments that they have made.

Also under the law, which received bipartisan support in the U.S. Congress, the CISA has the authority to subpoena entities that fail to meet these two provisions. Organizations that fail to comply with the subpoena can be referred to the U.S. Department of Justice.

To prevent cyberattacks on the nation’s critical infrastructure, the CISA will launch a program that warns organizations of their vulnerabilities while also establishing a task force (with involvement by the 16 industries) to coordinate federal efforts.