Securing Farms from Cyber Threats: A John Deere CISO Q&A

Summary
– Agriculture faces significant cybersecurity challenges due to connected, software-driven systems and embedded hardware that are resource-constrained and have long lifecycles with infrequent patching.
– John Deere employs a security-by-design approach, incorporating secure firmware, rigorous testing, network segmentation, telemetry monitoring, and collaboration with ethical hackers to address vulnerabilities.
– Collaboration with partners, suppliers, and the cybersecurity community—including bug bounty programs and events like the CyberTractor Challenge—is essential for improving security across the agricultural supply chain.
– Advanced persistent threats and state-sponsored actors pose serious risks to agriculture, using tactics like social engineering and AI, requiring continuous monitoring, threat intelligence sharing, and collective defense efforts.
– Key priorities for the next 12-18 months include focusing on people (customers, talent development), platforms (secure-by-design, detection improvements), and partnerships to strengthen resilience and stay ahead of evolving threats.
Modern agriculture has become a deeply connected, software-driven industry where cybersecurity is now as fundamental as the tractors and harvesters that work the fields. Protecting the agricultural supply chain involves a multi-layered strategy, from securing embedded hardware in smart fleets to defending against sophisticated persistent threats.
Carl Kubalsky, Director and Deputy CISO at John Deere, recently shared insights into the most urgent security challenges facing agriculture today. He emphasized how his team collaborates with partners and ethical hackers to anticipate threats and outlined key priorities for the coming year and a half.
When asked about common security gaps in smart agriculture fleets, particularly in embedded hardware and firmware, Kubalsky pointed to connectivity and integration points as primary concerns. As systems grow more interconnected and software-reliant, they gain advanced capabilities like autonomy but also introduce vulnerabilities in embedded systems that are challenging to safeguard. These systems often operate with limited resources, complicating the deployment of protective measures. Compounding the issue, agricultural equipment frequently remains in service far beyond typical technology lifecycles, with infrequent or nonexistent patch updates. Harsh, remote operating environments add another layer of difficulty.
To address these challenges, John Deere adopts a security-by-design philosophy, building protections directly into products from the initial development phase. This is reinforced through defense-in-depth strategies, including secure firmware, thorough testing, network segmentation, real-time monitoring, and active engagement with ethical hackers to identify and resolve potential weaknesses. Kubalsky stressed that this is an industry-wide issue, and no single organization is exempt from these risks.
Collaboration with equipment manufacturers and third-party vendors is another critical component of Deere’s security framework. Kubalsky explained that security must extend throughout the entire supply chain, beginning with clear expectations for secure development and responsible data handling. Equally important is fostering a culture of transparency and shared accountability. The company works closely with partners, suppliers, and the wider cybersecurity community, including through bug bounty programs that encourage ethical hackers to uncover vulnerabilities. Initiatives like the CyberTractor Challenge bring external experts into controlled environments to test and improve the security of smart agricultural equipment.
Proactive vulnerability identification is another area where John Deere excels. By employing a secure-by-design approach, the team conducts threat modeling and virtual assessments during the design phase, long before hardware is manufactured. This early analysis helps pinpoint where additional protections are needed. Testing occurs across virtual simulations, bench-level component checks, and real-world conditions on working test farms. These methods, combined with bug bounty initiatives and internal red team exercises, have revealed vulnerabilities that directly influence product design and support protocols.
Regarding advanced persistent threats (APTs), Kubalsky acknowledged that state-sponsored actors and other highly skilled adversaries are now active within the agriculture sector. These groups employ deception, social engineering, and valid account exploitation, tactics increasingly supercharged by generative AI. Their ability to mimic normal behavior makes detection and response especially difficult.
In response, John Deere maintains a forward-looking security posture, continuously monitoring the threat landscape and scaling capabilities proactively. The company’s cybersecurity team has expanded to over 230 professionals worldwide, with an emphasis on continuous learning and innovation. This includes refining detection techniques and developing proprietary AI-driven defenses. Still, Kubalsky emphasized that security cannot be achieved in isolation. The broader agricultural industry must share threat intelligence, coordinate defensive measures, and collectively enhance capabilities to keep pace with these evolving threats.
Looking ahead, Kubalsky outlined three core priorities for the next 12 to 18 months: people, platforms, and partnerships.
People remain at the heart of Deere’s mission, protecting customers, employees, dealers, and all who rely on the company’s technology. Attracting, nurturing, and retaining top talent is essential in a rapidly changing threat environment. Initiatives like collaborations with Iowa State University, international recruitment efforts, and early-career programs such as the CyberTractor Challenge help cultivate expertise not only for Deere but for the entire industry.
Platforms involve advancing secure-by-design development, strengthening embedded firmware, enhancing telemetry for faster threat detection, and scaling incident response capabilities. Innovation and the ability to adapt quickly are vital for staying ahead of adversaries.
Partnerships with ethical hackers, industry peers, and the global security community are crucial for building resilience across agriculture. These collaborations reinforce Deere’s security posture while elevating standards throughout the sector.
As Kubalsky concluded, the task of securing agriculture is ongoing and relentless. Adversaries need to succeed only once; defenders must succeed every time.
(Source: Help Net Security)