The food supply chain has a cybersecurity problem – Help Net Security

Report on Cybersecurity Vulnerabilities in the Agri-Food Sector and Implications for Sustainable Development Goals

Introduction: A Threat to Global Food Security

The integrity of the global food supply chain is facing an emergent and significant threat from cyberattacks. The increasing digitalization of the agri-food sector, while a key driver for innovation and efficiency in line with SDG 9 (Industry, Innovation, and Infrastructure), has simultaneously exposed critical vulnerabilities. These security gaps pose a direct challenge to the achievement of fundamental Sustainable Development Goals, most notably SDG 2 (Zero Hunger), by jeopardizing the safety, availability, and stability of our food supply.

Analysis of Cyber Threats and Their Impact on Sustainable Development

Primary Threat Vectors

The agri-food sector is susceptible to a range of cyber threats that undermine its stability and contribution to sustainable development. The U.S. Federal Bureau of Investigation (FBI) has identified four principal threats:

1. Ransomware Attacks: These attacks disrupt operations, directly threatening food production and supply, which impacts SDG 2 (Zero Hunger) and causes economic instability contrary to SDG 8 (Decent Work and Economic Growth).
2. Foreign Malware: The introduction of malicious software can cripple critical systems, affecting the entire supply chain from farm to consumer.
3. Data and Intellectual Property Theft: The theft of sensitive agricultural research and business data undermines innovation and the competitive capacity of the sector, impacting progress toward SDG 9.
4. Bioterrorism: The malicious manipulation of digital systems could compromise food safety, posing a significant risk to SDG 3 (Good Health and Well-being).

Escalation of Ransomware and Geopolitical Risks

Ransomware incidents targeting the food and agriculture sector have shown a marked increase, with 84 reported cases in the first quarter of 2025, more than double the figure from the same period in 2024. These attacks disrupt essential processes like seed production, forcing costly and resource-intensive crop relocations that strain farm resources, directly impacting the economic viability central to SDG 8. The vulnerability is not limited to large corporations; a ransomware attack on a Swiss dairy farm’s milking robot resulted in financial loss and the death of livestock, illustrating the severe impact on small-scale producers.

In the current geopolitical climate, the agri-food sector represents an attractive target for nation-state actors aiming to cause widespread disruption. A successful attack that halts food production can trigger shortages and price inflation, undermining the stability and peace sought under SDG 16 (Peace, Justice, and Strong Institutions).

Systemic Impacts on Food Systems and Public Trust

Disruption to Supply Chains and Community Access

Cyberattacks extend beyond technical failures, causing direct financial losses and operational slowdowns that ripple through the supply chain. Recent cybersecurity breaches at major grocery chains like Stop & Shop and Whole Foods resulted in product shortages, demonstrating a direct impact on food availability for consumers, particularly in urban centers, which is a key concern of SDG 11 (Sustainable Cities and Communities).

Threats to Public Health and Responsible Production

The compromise of digital control systems poses a direct threat to public health. A failure in temperature or storage monitoring systems can lead to rapid food spoilage, creating waste that runs counter to SDG 12 (Responsible Consumption and Production) and introducing contaminated products into the market, thereby endangering SDG 3 (Good Health and Well-being).

Identified Sector-Specific Vulnerabilities

Several factors contribute to the sector’s vulnerability, hindering the development of resilient infrastructure as envisioned by SDG 9:

• Legacy Technology: Many systems in use were not designed with modern cybersecurity threats in mind, making them difficult to secure.
• Lack of Prioritization: Small- and medium-sized agribusinesses often lack the resources or awareness to implement robust cybersecurity measures.
• The Human Element: Insufficient employee training on phishing and social engineering tactics creates significant security gaps.
• Foreign Technology Risks: The use of drones and sensors with potential security flaws, particularly from adversarial nations, presents a risk of unauthorized access to sensitive systems.

Governmental Responses and a Path Forward

Mobilizing for a Secure and Sustainable Future

Recognizing the threat, governments are implementing measures to fortify the agri-food sector. In the European Union, food production and distribution entities are now classified as critical infrastructure under the NIS2 Directive, a move that strengthens institutional capacity in line with SDG 16. While the United States lacks a single mandatory framework, federal agencies like CISA and the USDA have intensified efforts, providing resources and action plans to protect this critical sector.

Addressing these challenges requires a multi-faceted approach. The following strategies are essential for building a cyber-resilient food system capable of supporting the Sustainable Development Goals:

• Implementation of robust security protocols, including multi-factor authentication (MFA).
• Consistent and timely software updates and patch management.
• Comprehensive cybersecurity training for all employees.
• Fostering public-private collaborations to share threat intelligence and best practices, directly aligning with the principles of SDG 17 (Partnerships for the Goals).

SDGs Addressed in the Article

• SDG 2: Zero Hunger
• SDG 3: Good Health and Well-being
• SDG 8: Decent Work and Economic Growth
• SDG 9: Industry, Innovation, and Infrastructure
• SDG 11: Sustainable Cities and Communities
• SDG 16: Peace, Justice, and Strong Institutions
• SDG 17: Partnerships for the Goals

Specific SDG Targets Identified

• SDG 2: Zero Hunger

  • Target 2.1: By 2030, end hunger and ensure access by all people to safe, nutritious and sufficient food all year round.
    
    Explanation: The article directly connects cyberattacks to threats against food security. It states that successful attacks can “halt food production,” leading to “shortages and drive up food prices.” The examples of Stop & Shop and Whole Foods show how such attacks “can directly impact food availability for everyday consumers.” It also highlights risks to food safety, which is a key component of this target.
  • Target 2.4: By 2030, ensure sustainable food production systems and implement resilient agricultural practices.
    
    Explanation: The article discusses the vulnerability of the agri-food sector’s production systems to cyberattacks, which act as a modern shock. It highlights the need for resilience by pointing out that “a lot of the technology farms and food companies use was built long before cyberattacks became such a serious issue,” making them difficult to secure.

• SDG 3: Good Health and Well-being

  • Target 3.9: By 2030, substantially reduce the number of deaths and illnesses from hazardous chemicals and air, water and soil pollution and contamination.
    
    Explanation: The article raises “public health concerns” by explaining that if cyberattacks cause “temperature or storage systems [to] go down even for a little while, food can spoil quickly,” which can “pose a danger to people.” This directly relates to preventing illness from contaminated food.

• SDG 8: Decent Work and Economic Growth

  • Target 8.2: Achieve higher levels of economic productivity through diversification, technological upgrading and innovation.
    
    Explanation: The article points out that cyberattacks cause “direct financial losses like ransom payments, fraud, or theft” and that “Operations may slow down, delaying production and delivery.” It also notes that many agribusinesses operate with “outdated software,” implying that technological upgrading is necessary to protect economic productivity.

• SDG 9: Industry, Innovation, and Infrastructure

  • Target 9.1: Develop quality, reliable, sustainable and resilient infrastructure.
    
    Explanation: The article explicitly states that “agriculture is officially recognized as critical infrastructure.” It details how this infrastructure is vulnerable to cyberattacks due to digitalization (“Farms, processing plants, and distribution systems are going digital”) and the use of outdated technology, thus emphasizing the need for resilient infrastructure.

• SDG 11: Sustainable Cities and Communities

  • Target 11.b: Substantially increase the number of cities and human settlements adopting and implementing integrated policies and plans towards… disaster risk reduction.
    
    Explanation: Cyberattacks on the food supply chain are presented as a modern disaster risk that affects communities. The article mentions government responses like the EU’s “NIS2 Directive” and CISA’s “cybersecurity factsheet” which are forms of integrated plans for disaster risk reduction.

• SDG 16: Peace, Justice, and Strong Institutions

  • Target 16.a: Strengthen relevant national institutions… to prevent violence and combat terrorism and crime.
    
    Explanation: The article describes how national institutions are mobilizing to combat the crime of cyberattacks. It mentions the FBI identifying threats, CISA providing resources, and the USDA launching the “National Farm Security Action Plan” to protect the sector. This demonstrates the strengthening of institutions to address these specific threats.

• SDG 17: Partnerships for the Goals

  • Target 17.17: Encourage and promote effective public, public-private and civil society partnerships.
    
    Explanation: The article concludes that addressing the cybersecurity challenges in the agri-food sector requires a “comprehensive approach, including… public-private collaborations.” This is a direct call for the type of partnership this target aims to promote.

Indicators for Measuring Progress

• Number of reported cyberattacks on the agri-food sector.
  
  Explanation: The article explicitly provides this data, stating that “In the first three months [of 2025], there were 84 reported cases [of ransomware attacks], which is more than twice the number from the same period in 2024.” This can be used as a direct indicator to measure the vulnerability of the sector (related to SDG 9).
• Prevalence of food shortages and price volatility.
  
  Explanation: The article implies this indicator by noting that attacks can “lead to shortages and drive up food prices.” The example of a “cybersecurity breach at Stop & Shop” which “led to widespread product shortages” serves as a qualitative measure of this impact (related to SDG 2).
• Number of government policies, frameworks, and initiatives implemented.
  
  Explanation: The article mentions several specific government actions that can be tracked as indicators of progress. These include the EU’s “NIS2 Directive,” the US “National Farm Security Action Plan,” and the reintroduction of “two bills aimed at modernizing and securing America’s agricultural sector” (related to SDG 16).
• Adoption rate of cybersecurity best practices by agribusinesses.
  
  Explanation: The article implies this indicator by listing necessary protective measures, such as the “implementation of MFA, regular software updates, [and] employee cybersecurity training.” Measuring the adoption of these practices would indicate progress in securing the sector (related to SDG 9).

Summary of SDGs, Targets, and Indicators

Source: helpnetsecurity.com