I did not focus much on tractors, though, but automatized irrigation systems that allow remote access and configuration. When choosing my own options, and since I never had the information I needed, I always chose the simplest solution, i.e., local manual configuration without remote access.
Around here the public water supply is remotely controlled, but like an Intranet, via optical fiber. I suspect this has to do not only with poor reception in remote locations but also with security. But water meters are accessed via SIM, I think.
Every time I mention any concerns with security, however, these are met with skepticism. The usual inability to foresee third-parties' motivations, in variations of
"Why would anyone want to interfere with my equipment?"
are very common. And I admittedly lack the skills to raise concerns for this issue past saying that ignorance of threats doesn't make them go away. My only hypothetical case is systematic crop failure due to poor irrigation associated with futures markets that depend on yields.
Oh yes, this sounds way too familiar. "Why would anyone want to hack my system?" - pretty much most people I talked to about IT security, between circa 2000 and 2010, give or take a few years.
> My only hypothetical case is systematic crop failure due to poor irrigation associated with futures markets that depend on yields.
Besides stock market manipulation, ransomware and warfare, any 12 year old who discovers shodan.io or mass-scan can potentially stumble over some Internet exposed, remote control interface. A random 12 year old will go ahead and destroy stuff simply because that's cool or whatever, without thinking twice about it. Source: Just ask anybody who has ever been talked into doing IT at a school.
As you also said, it's hard to guess what motivations someone might have. And when you connect some device to the Internet, you are actually connecting the Internet to the device. Seems to be an often overlooked issue with IoT or smart-somethings.
Because it's interesting and "because we can". It's a challenge without any other motivation besides curiosity.
But lets say some ransomware outfit discovers farmers as their niche, because the security barrier is relatively low and it's a time sensitive business. Your crops are ready to harvest, but your equipment is not starting until you pay the ransom? What can you do then? Waiting and letting the crops rot is not an option, renting hardware from others can be difficult/expensive/impossible, so the most would pay the ransom. I haven't heard of attacks targeting farmers/farm equipment in particular, but it could be a real problem in the future.
Or: very nasty farmer with the same crop hacks your equipment so you and most of his other competitors can't deliver, allowing to gauge prices due to near-monopoly.
I agree that automotive and farm equipment have generally mediocre security track records and that, with the addition of remote connectivity, these issues are concerning. But all hyperbole and breathless reporting like this gains us is an excuse for repair hostility under the guise of "security."
That's what every other company has been trying to do too, not just farm equipment manufacturers. If you look between the lines you'll find that the "security industry" is largely in favour of corporate-authoritarianism. Thankfully, not everyone is stupid, and I suspect farmers are actually more likely to spot the BS.
If you're looking for some unreasonably secure device, obviously you have to bake an apple pie from scratch in order to ensure no steps in your supply line are tampered with. Current system has plenty of problems with which that's being used as a defense though, and the fact that those systems are so closed is what allows zerodium to exist in the first place.
The researcher's write-up from April: https://sick.codes/leaky-john-deere-apis-serious-food-supply... (submitted thrice but not discussed.)
[1] https://sick.codes/leaky-john-deere-apis-serious-food-supply...
https://www.vice.com/en/article/xykkkd/why-american-farmers-...
