Deere Invests $1.5 Million in Cybersecurity for Enhanced Protection

James Johnson, the Chief Information Security Officer (CISO) at Deere & Co. since 2014, is acutely aware of the cybersecurity landscape’s evolving challenges. Central to his concerns is the threat of a “one-to-many” attack, wherein cybercriminals exploit vulnerabilities within Deere’s infrastructure to potentially take control of its expansive network of agricultural machinery. Given the critical role these machines play in global food production, such an event could severely undermine the trust that Deere has built over its 188-year history.

“Our customers trust us a lot,” says Johnson. “Our executives are laser focused on making sure we do the right things with data, as well as our equipment.”

Proactive Cybersecurity Measures

In response to the potential threats, Johnson implements a multifaceted cybersecurity strategy. One component is continuous attack surface management, a process that continuously probes for vulnerabilities across all digital assets. This proactive approach is paired with penetration testing (pen testing), a simulated cyberattack that assesses the resilience of Deere’s systems.

Bug Bounty Program: A Partnership with Ethical Hackers

However, Johnson is particularly enthusiastic about the Bug Bounty program he launched in 2022, in collaboration with HackerOne, a well-known cybersecurity platform. This initiative allows external researchers to identify vulnerabilities in Deere’s software and hardware systems before malicious actors can exploit them. In return, these ethical hackers are compensated based on a sliding scale determined by the severity of the issue discovered. Over the past three years, Deere has invested over $1.5 million in this program, evidencing its commitment to cybersecurity.

• Current Engagement: Approximately 85 ethical hackers are connected through the program, with plans to expand this number to 150 by the end of 2025.
• Collaboration Process: Once vulnerabilities are reported, Deere’s internal cybersecurity experts assess their impact, validate the findings, and implement necessary fixes, often in conjunction with the researchers.

Real-World Examples and Challenges

One pertinent case Johnson shared involved sensitive data—a directory containing names and phone numbers—that was inadvertently exposed. The ethical hackers quickly flagged the issue, allowing Deere to secure the information before it could be maliciously exploited.

Strengthening Cybersecurity Education

Johnson is also committed to enhancing cybersecurity education at the collegiate level, recognizing a talent shortage in this domain. In line with this, Deere hosts the annual “CyberTractor Challenge,” which has transitioned from a company initiative to a broader event aimed at educating students on cybersecurity in the agricultural sector. This program has attracted the interest of peers in the industry, including CNH Industrial and AGCO Corporation.

This challenge is hosted at Iowa State University and sees participants engage in hacking tractor systems, subsequently discussing their findings and mitigation strategies. Deere also employs students part-time, allowing them to gain hands-on experience in securing cloud environments.

Employee Awareness and Culture of Cybersecurity

With nearly 76,000 employees, cultivating a versatile cybersecurity culture is essential. Johnson implements various initiatives, such as:

• Phishing Tests: Regular assessments to gauge employee awareness of cybersecurity threats.
• Annual Training: Certification courses to reinforce cybersecurity principles.
• Monthly Newsletters: Company-wide updates on best practices and recent threats.

Additionally, Johnson hosted a guest lecture by cybersecurity expert Nicole Perlroth and established a CISO Awards program to recognize exemplary security initiatives within Deere’s ecosystem.

Leveraging AI and Future Strategy

Deere has recently begun utilizing artificial intelligence (AI) technology within its cybersecurity framework, which significantly enhances its response capabilities. AI solutions can now determine the malicious nature of reported phishing emails, effectively filtering and removing harmful communications from employee inboxes in under 20 minutes—an optimization from the previously targeted four-hour evaluation period.

Looking Forward

Johnson maintains a straightforward criterion for measuring his cybersecurity success: “We’ve not been on the front page of any newspapers,” he states, implying that proactive measures have effectively mitigated risks thus far.

As the cybersecurity landscape continues to evolve, with increasing pressures from AI and evolving threats, Deere remains committed to building a robust security culture that not only protects its digital assets but also fortifies the trust placed in it by its customers and stakeholders.

Conclusion

Investing in cybersecurity has become a necessary strategic pillar for companies like Deere, which operate within critical industries. By engaging with the ethical hacking community, continuously educating employees, and leveraging cutting-edge technologies like AI, Deere is positioning itself as a leader in cybersecurity resilience. These efforts will be vital in protecting against potential threats that could undermine not just the company’s operations but the broader agricultural infrastructure as well.