Chapter 6: Security & Risks
Cybersecurity architecture, physical security, risk assessment, failure mode analysis, and mitigation strategies for smart agriculture monitoring systems.
6.1 Security Architecture Overview
Smart agriculture monitoring systems present a unique security challenge: they combine IT (information technology) and OT (operational technology) in an outdoor, physically accessible environment with limited on-site security personnel. A security breach can result in data loss, false alarms, unauthorized control of irrigation or climate systems, and ultimately crop damage or financial loss. The security architecture must address threats at three levels: physical security of field hardware, network security of communications, and application security of the cloud platform.
The defense-in-depth approach applies multiple independent security layers so that a breach of one layer does not immediately compromise the entire system. Each layer is designed to detect, delay, or prevent unauthorized access, and to provide audit trails for incident investigation.
6.1.1 Security Layer Architecture
| Security Layer | Threats Addressed | Key Controls | Standards Reference |
|---|---|---|---|
| Physical Security | Theft, vandalism, tampering, unauthorized access | Tamper-evident seals, lockable enclosures, anti-theft mounts, site access control | IEC 62443-2-1 |
| Network Security | Eavesdropping, man-in-the-middle, replay attacks | TLS 1.2/1.3 encryption, VPN tunnels, certificate-based authentication | NIST SP 800-82 |
| Device Security | Firmware tampering, unauthorized configuration | Signed firmware, secure boot, password-protected configuration | IEC 62443-4-2 |
| Application Security | Unauthorized access, data manipulation, privilege escalation | Role-based access control (RBAC), MFA, audit logging, input validation | OWASP IoT Top 10 |
| Data Security | Data loss, corruption, unauthorized disclosure | Encrypted storage, regular backups, data integrity checksums | ISO/IEC 27001 |
6.2 Risk Assessment Matrix
A systematic risk assessment identifies the most significant threats to system availability, data integrity, and crop safety. The risk matrix below evaluates each identified risk by likelihood and impact, and specifies the required mitigation measures. Risks rated "High" require immediate mitigation before system commissioning; "Medium" risks should be addressed within 30 days of deployment; "Low" risks are monitored and addressed in the next maintenance cycle.
| Risk Category | Risk Description | Likelihood | Impact | Risk Level | Mitigation Measure |
|---|---|---|---|---|---|
| Physical | Lightning strike on sensor mast | Medium | High | HIGH | Install IEC 62305 lightning protection, SPD on all lines |
| Physical | Sensor vandalism or theft | Medium | Medium | MEDIUM | Tamper-evident seals, remote tamper alarm, security camera |
| Environmental | Flooding of field equipment | Medium | High | HIGH | IP68 enclosures, elevated mounting, flood level alarm |
| Environmental | Extreme heat/cold sensor failure | Low | Medium | LOW | Select sensors with appropriate operating temperature range |
| Power | Grid power outage (greenhouse) | Medium | High | HIGH | UPS backup, minimum 4-hour runtime for critical systems |
| Power | Solar battery depletion (winter) | Medium | Medium | MEDIUM | Size battery for 5-day autonomy, low-battery alarm |
| Communications | 4G network outage | Low | High | MEDIUM | Dual-SIM or LoRa backup, local edge alarm capability |
| Communications | LoRa RF interference | Low | Medium | LOW | Frequency hopping, link quality monitoring, antenna optimization |
| Cyber | Unauthorized gateway access | Low | High | MEDIUM | Strong passwords, disable unused ports, VPN access only |
| Cyber | MQTT broker compromise | Low | High | MEDIUM | TLS encryption, client certificate authentication, ACL rules |
| Sensor | Sensor calibration drift | High | Medium | HIGH | Scheduled calibration, cross-sensor validation, drift alarm |
| Sensor | Biofouling on water quality sensors | High | High | HIGH | Weekly cleaning schedule, anti-fouling coatings, redundant sensors |
6.3 Failure Mode and Effects Analysis (FMEA)
FMEA systematically identifies potential failure modes of each system component, evaluates their effects on system operation, and prioritizes corrective actions. The Risk Priority Number (RPN) is calculated as Severity × Occurrence × Detectability (each scored 1–10). Components with RPN above 100 require immediate design mitigation.
| Component | Failure Mode | Effect | Severity (1-10) | Occurrence (1-10) | Detectability (1-10) | RPN | Action Required |
|---|---|---|---|---|---|---|---|
| DO Sensor (aquaculture) | Biofouling / membrane clog | False high DO reading, no aeration triggered, fish mortality | 10 | 8 | 3 | 240 | Weekly cleaning, redundant sensor, trend monitoring |
| Solar battery | Capacity degradation (winter) | Node offline, no data, no alarms | 8 | 6 | 4 | 192 | Annual battery replacement, low-voltage alarm at 20% |
| RS-485 cable | Moisture ingress at connector | Communication errors, sensor data loss | 7 | 7 | 5 | 245 | IP68 connectors, annual cable inspection, spare cable on site |
| 4G modem | SIM card failure / network loss | No cloud data upload, alarms not delivered | 8 | 4 | 6 | 192 | Dual-SIM, watchdog reset, local alarm backup |
| Temperature sensor | Radiation shield contamination | Elevated temperature reading, false ventilation activation | 6 | 5 | 6 | 180 | Quarterly shield cleaning, cross-validation with reference |
| Edge gateway | SD card failure (data logger) | Data loss during connectivity outage | 6 | 3 | 7 | 126 | Industrial-grade SD card, RAID-1 or cloud sync when available |
6.4 Cybersecurity Implementation Guidelines
Agricultural IoT systems are increasingly targeted by cyberattacks due to their critical role in food production and their historically weak security posture. The following guidelines must be implemented for all internet-connected monitoring systems.
Critical Security Requirement: Never deploy an agricultural monitoring system with default factory passwords. All devices must have unique, strong passwords set before field installation. Default credentials are publicly known and exploited within hours of deployment.
6.4.1 Network Security Checklist
- Enable TLS 1.2 or 1.3 for all MQTT and HTTP communications between gateway and cloud
- Use certificate-based authentication for MQTT broker connections (not username/password alone)
- Segment the monitoring network from the farm's general IT network using a VLAN or separate router
- Disable all unused network services on the gateway (SSH, Telnet, HTTP if not needed)
- Enable automatic firmware update notifications and apply security patches within 30 days of release
- Configure firewall rules to allow only outbound MQTT/HTTPS traffic from the gateway
- Use a VPN for any remote access to the gateway configuration interface
- Enable logging of all login attempts and configuration changes with timestamps
6.4.2 Physical Security Checklist
- Install tamper-evident seals on all enclosure screws and cable entry points
- Configure tamper detection input on the gateway to trigger an alarm when enclosure is opened
- Use stainless steel security screws (Torx or pentalobe) instead of standard Phillips head
- Mount sensor poles with anti-climb collars or concrete footings to prevent removal
- Label all equipment with asset tags and record serial numbers in the asset register
- Install motion-activated cameras at gateway enclosure locations in high-theft-risk areas