Australia produces enough food to feed 70 million people. Not bad for a nation with a population just shy of 30 million. 

It is understandable, then, that food security (in terms of our national capacity to feed our citizens) hasn’t been an urgent priority until recently. 

However, the turmoil of the past few years has shown Australians just how vulnerable our food systems are. Supply shocks from COVID-19 and then the Ukraine war gave us a taste of how unprepared we were for disrupted supply lines. Thankfully, that was enough for the Federal Government to take our food security seriously.

In December 2025, the Department of Agriculture, Fisheries and Forestry released the initial part of Feeding Australia, our nation's first genuine attempt at a comprehensive food security strategy. Only a few months later, Australia’s food security made media headlines as conflict in the Middle East drove fuel and fertiliser prices to levels that genuinely hurt farmers.

The strategy is a work in process, prioritising supply chain resilience, productivity, affordability. Read through it carefully, though, and something is missing. Cyber security.

This is a glaring omission that could, in the worst instance, leave our food systems exposed to state-sponsored cyber warfare.

How does cyber risk connect to food security?

To understand the exposure, picture the value chain with the farm in the middle. On one side, you have the supply chain coming into the farm, with fuel, fertiliser, equipment, finance and labour. Produce flows out: through transport, processing, and retail grocery stores to eventually wind up on the table. A cyber-attack anywhere along that chain can stop the whole thing.

Supply chain disruption alone is already a significant risk; after the fuel and fertiliser supply shocks from the Strait of Hormuz blockage Australian winter crop production is projected to decline by 21% If diesel supply is disrupted, whether through conflict or a cyberattack on a refinery, the downstream impact on farming operations can be enormous.

Disrupt a fuel refinery and farms can't run machinery. Hit a freight provider and produce never reaches the shelves. LockImage removed.   up a processor's systems and livestock has nowhere to go. None of these scenarios require a direct attack on the farm itself, but the damage cascades.

What might a food security cyber incident look like?

You don’t have to rely on your imagination, because these attacks already occur. JBS is the world's largest meat processor and owns Primo Smallgoods here in Australia. Back in 2021, a ransomware attack targeted their OT systems and processing lines stopped across North America and Australia simultaneously.

That attack was attributed to a Russia-linked criminal group. The line between criminal ransomware groups and state-sponsored actors has become very difficult to draw, and in practice the operational impact is the same regardless of who directed the attack. The processing line stops either way.

In 2023, researchers identified 30 cyber incidents around the world that had disrupted different parts of the food supply system, which they linked to rapid adoption of digital technologies. Adoption has only increased since then.

Connected systems provide a broader attack surface

The more connected our farms become, the more ways in there are for attackers.

Australian agriculture has digitised fast. Connected devices using Internet-of-Things (IoT) technology is delivering quantifiable productivity gains to our farmers. These range from sensors that trigger automated irrigation and precision pesticide delivery, to crop and soil management, livestock monitoring and GPS-guided tractors.

The benefits are real and it is unsurprising that Feeding Australia promotes further digital adoption. The problem is that those connected systems can become entry points for an attacker.

Operational technology (OT), the systems that control major infrastructure, adds another layer of risk.

OT attacks don't just steal data or lock up computers. They stop physical processes from happening. In December 2025, the Australian Signals Directorate (ASD) published an alert warning of cyber threat actors targeting critical infrastructure, including operational technology within the food and agriculture sector. 

Every farm is also a business, and businesses get scammed

Every farm runs computers, applications and systems for accounting, ordering inventory and managing payments. That makes them targets for the same crimes hitting every other business.

Ransomware attacks lock up business systems and can freeze operations overnight. Business email compromise, where a scammer sends a fake invoice or new bank details, can drain hundreds of thousands of dollars in a single payment. A fertiliser order alone can run that high. With margins already thin, one fraudulent transaction can do lasting damage.

The ASD Annual Cyber Threat Report 2024-25 reported the average cost of a cybercrime incident for Australian businesses reached $80,850 per report. For large businesses, losses rose 219%.

39% of ransomware incidents were detected by the Australian Cyber Security Centre (ASCS), which then had to notify the affected organisations. They had no idea they'd been compromised until someone told them. Most farms would never receive that call, because they primarily sit below ACSC's visibility threshold.

State actors are watching this sector

The ASD Annual Cyber Threat Report 2024-25 describes state-sponsored actors as a persistent and growing threat targeting Australian critical infrastructure, including food and logistics. APT40, linked to China's Ministry of State Security, and APT28, linked to Russian military intelligence, have both been identified as threats to Australian critical infrastructure.

Consider that China is our largest agricultural export market. An adversary with visibility into our harvest volumes, export pricing, and supply chain vulnerabilities holds a real advantage in commodity negotiations. That same access could later be used for disruption if the relationship deteriorates.

When food supply becomes a target for state-sponsored actors, cybersecurity stops being an IT problem and becomes a matter of national security.

The technique these actors increasingly favour makes detection particularly difficult. Living off the land means using legitimate tools and network processes rather than deploying obvious malware. Attackers blend into normal network activity and can sit undetected for extended periods before choosing to act. For organisations running limited security monitoring, this approach is very hard to catch.

Our supply chain is only as strong as its weakest participant

Agriculture is structurally different from banking or telecommunications when it comes to cyber risk. The sector runs through tens of thousands of small, often family-owned operations with no dedicated IT staff, limited budgets, and heavy reliance on consumer-grade technology and third-party platforms.Image removed.  

In a supply chain context, that creates a practical exposure where a sophisticated actor can target the weakest participant and still cause disruption at scale. A compromised small logistics provider is a door into the larger operators IT services. A compromised ag-tech platform used by hundreds of farms is a door into all of them at once. The attack surface across Australian food and agriculture is enormous, dispersed and largely unmonitored.

Australia needs a national strategy that sets clear expectations, shares threat intelligence, and supports smaller players to lift the whole chain. Leaving it to individual organisations guarantees the gaps remain. Australia's Security of Critical Infrastructure Act 2022 technically covers the food and grocery industry, but lacks sufficient integration with other ministries. 

The US has initiated a legislative farm and food cyber security framework. Australia has a gap.

The United States recognised this problem and moved on it. In 2025, lawmakers introduced the Farm and Food Cybersecurity Act with bipartisan support. It calls for regular risk assessments of the agriculture and food industry, annual crisis simulation exercises, and structured collaboration across the full supply chain from farmers through to retailers.
Australia has no equivalent, and the absence of a structured, coordinated approach to cyber risk management as part of our national food security planning is astonishing.

We must include cyber as a food security risk and build governance structures around it. That means moving past individual organisational assessments to stress-test the system itself. Walk through what happens when a key upstream supplier is knocked offline. Map how quickly processing bottlenecks cascade when one major facility stops. Work out where the manual fallbacks actually hold under pressure and where they fail. Australia’s financial sector has conducted similar exercises since 2022. Our food systems are every bit as critical as our financial systems and deserve the same rigour.

At present, DAFF runs food security policy and ACSC holds the cyber threat intelligence, and they operate under different ministers with different information-sharing arrangements. There is no formal mechanism for ACSC's intelligence about threats to food infrastructure to reach the policymakers and industry bodies responsible for food security planning. That is an operational gap, and it leaves us relying on individual organisations to manage a risk that is inherently shared across the whole system.

Our food security is worth getting right

Feeding Australia is an important and welcome step. But a food security strategy that overlooks the digital systems underpinning modern agriculture isn't yet complete.

Cybersecurity should be the strategy's fourth pillar, backed by mandatory risk assessments, clear governance, and a regular testing and simulation regime.

What can individual agribusinesses do now?

Basic cyber hygiene is achievable for operators who engage with this risk. When you buy IoT equipment, it almost always ships internet-connected by default. Change the default username and password immediately. Apply patches and updates when manufacturers release them. Enable multi-factor authentication wherever it's available so an attacker with stolen credentials can't simply dial in remotely. On the business side, verify any change to supplier bank details by calling the supplier directly before processing a payment. Train staff to treat unexpected requests with scepticism.

On the supply chain side, the discipline is around contingency planning. You can't control what happens to third parties, but you can think through what you rely on from them and identify alternatives before something goes wrong. If your primary freight provider is offline, who do you call? Is there another processing facility that could handle your livestock? How long could your operation continue if a key input supplier went down? Most businesses relied on manual processes not long ago. Those fallback options need to be mapped out and ready, because digital systems will fail, whether through cyber-attack or other causes.

If you're a producer, processor, or anyone in the agribusiness chain, now is the time to ask a hard question: if a cyber attack hit one of your suppliers tomorrow, would your business keep running? Securing the systems that grow our food is everyone's responsibility, and the time to act is now.

HAVE A QUESTION?

Get in touch