Agriculture is a connected, software-driven industry where cybersecurity is just as essential as tractors and harvesters. From embedded hardware in smart fleets to defending against advanced persistent threats, protecting the agricultural supply chain requires a layered, collaborative approach.
In this Help Net Security interview, Carl Kubalsky, Director and Deputy CISO at John Deere discusses the most pressing security challenges in agriculture, how his team is working with partners and ethical hackers to stay ahead of adversaries, and what priorities will define the next 12-18 months.
What are the most common security gaps you see in smart agriculture fleets, especially in embedded hardware and firmware?
The biggest gaps often appear at points of connectivity and integration. As systems become more connected and software-defined, they gain powerful capabilities, like autonomous operations, but also expose embedded systems that are harder to protect.
These systems can be resource-constrained, making some protections difficult to deploy, and many run far longer than typical technology lifecycles with infrequent or no patch cycles. In agriculture, the challenge is compounded by remote, rugged operating environments.
We counter this with a security-by-design approach, embedding protections from the outset and reinforcing them through defense in depth – secure firmware, rigorous testing, network segmentation, telemetry monitoring, and collaboration with ethical hackers to help find and fix issues we may miss. But this is an industry-wide challenge, and no company is immune.
How do you collaborate with equipment manufacturers and third-party vendors to ensure secure integration across the supply chain?
Security must extend beyond the factory floor. It must be integrated throughout the supply chain. At Deere, that begins with expectations for secure development and data handling. But equally important is building a culture of transparency and shared accountability.
We collaborate not just with partners and suppliers, but with the broader cybersecurity community. Our bug bounty programs invite ethical hackers to identify vulnerabilities across our ecosystem. These partnerships do not just help us. They help everyone in the agriculture industry improve.
We also bring external experts into events like the CyberTractor Challenge, which puts smart agriculture equipment into a controlled but realistic environment where security flaws can be identified and addressed.
Can you walk us through your approach to proactively identifying vulnerabilities on working test farms? Have you seen any success in using digital twins or simulated environments to uncover vulnerabilities before deploying tech in the field?
We take a secure-by-design approach starting with assessments in the design phase to virtually model connected components and evaluate potential threats before hardware is built. These early insights help guide where to focus on additional hardening and testing.
Our testing spans both virtual and physical environments. High-fidelity simulations allow us to model software updates, communications protocols, and hardware behaviors under varied conditions to uncover edge cases or unexpected interactions. Bench-level testing validates individual components in isolation, while in-field testing on working test farms mirrors conditions our customers face daily.
Paired with bug bounty programs and internal red teaming, this mix of lab, virtual, and real-world testing has uncovered vulnerabilities that directly shape how we design, build, and support our products.
How is the agriculture sector positioned to respond to APTs, and what are the key gaps in detection or response?
State-sponsored actors and other advanced persistent threats are now part of the agriculture threat landscape, and we have seen globally how these adversaries can disrupt critical infrastructure. Agriculture is no exception.
These groups evolve quickly, increasingly using deception, social engineering, and the exploitation of valid accounts. These tactics are now accelerated by generative AI. Once inside, they blend into normal activity, making detection harder and response slower.
At Deere, the approach is forward-looking, continuously monitoring the threat environment and scaling capabilities before gaps appear. The cybersecurity function has grown to more than 230 professionals worldwide, with a focus on continuous learning to innovate ahead of adversaries, from refining detection methods to developing our own agentic AI defenses.
While security is built into technology, processes, and culture through close collaboration across the business, the challenge cannot be solved in isolation. The broader agriculture sector must share threat intelligence, coordinate defenses, and raise capabilities collectively to match the speed and sophistication of these adversaries.
What are your top cybersecurity priorities over the next 12–18 months when it comes to protecting the agricultural supply chain?
People, platforms, and partnerships.
People: our customers, and others who count on Deere to be secure, including employees and dealers. Defending them is at the center of our mission and guides everything we do.
Incredibly talented people, who bring this mission to life every day, are also a critical part of this priority. Attracting, developing, and retaining the talent needed to address an evolving threat landscape is essential. This includes university collaborations with Iowa State University, international talent pipelines, and early-career initiatives like the CyberTractor Challenge. We are committed to developing talent not just for Deere, but for the industry at large.
Platforms: Advancing secure-by-design development, hardening embedded firmware, improving telemetry for rapid detection, and scaling incident response capabilities. Innovation and the ability to scale at the speed of emerging threats are essential to staying ahead of adversaries.
Partnerships: Collaborating with ethical hackers, industry peers, and the broader security community to strengthen resilience across agriculture. These partnerships help reinforce our security posture and improve the broader landscape.
Our job is never done. Adversaries need to succeed only once. We must get it right every time.
Source link
