2025 Was the Year Food and Agriculture Cybersecurity Stopped Being Abstract

food and agriculture cybersecurity, food system security, agricultural cybersecurity, ransomware in food and agriculture, cyber physical risk, critical infrastructure cybersecurity, food supply chain risk, farm cybersecurity, ag cybersecurity policy, NIS2 directive, EU NIS2 food and agriculture, cybersecurity compliance burden, farmers and cybersecurity, cybersecurity for small farms, supply chain cybersecurity, food safety and cybersecurity, operational technology security, OT security in agriculture, cyber risk management, cybersecurity resilience, systems thinking cybersecurity, cyber risk in food systems, zoos and aquariums cybersecurity, cyber physical systems, industrial cybersecurity, cybersecurity and public safety, food infrastructure security, cyber resilience planning, ransomware impact on food industry, cybersecurity education, AI and cybersecurity risk, deepfakes and disinformation food systems, cybersecurity leadership, policy versus reality cybersecurity, human factors in cybersecurity
Written By Kristin King

Why nothing actually resets at midnight, especially in food and agriculture

Every New Year’s Eve, the world watches a clock. In Times Square, a ball drops. Confetti flies. We count down the final seconds together and convince ourselves that something clean and decisive has just happened; that we’ve crossed a line, closed a chapter, started fresh.

But most systems don’t change on the stroke of midnight.

Food systems don’t reset. Farms don’t pause. Animals still need to be fed. Processing plants still run. Refrigeration units still hum. Cyber risk doesn’t wait for a countdown. It accumulates quietly, one ignored assumption at a time.

That’s what 2025 made impossible for me to ignore.

This time last year, I was still standing in the same uncomfortable place I’ve occupied for most of my career: between worlds.

In food and agriculture rooms, I’m “the cybersecurity person.”
In cybersecurity rooms, I’m “the food security girl.”

Neither label fits. Both miss the point.

What changed in 2025 wasn’t visibility; it was friction. More people started asking better questions. Not enough, not everyone, but enough to feel the shift. The conversations stopped being theoretical and started brushing up against lived reality. And once that happens, you don’t get to go back.

If you’ve been reading along this year, you’ve seen me trace that friction through real events: cyber incidents at breweries and grocery distributors, policy frameworks that look sturdy on paper and collapse on contact with farms, and the ongoing insistence that the people in barns, processing plants, zoos, and aquariums are not edge cases.

They are the system.

Here’s the part I don’t usually say out loud: this work is lonely.

I’m often the only person in the room translating between industries that desperately need each other and don’t quite trust one another. Food and agriculture professionals don’t want abstract cyber frameworks that ignore operational reality. Cybersecurity professionals don’t want to slow down for context.

So, I stand in the middle, explaining, again, that these worlds are already entangled. The question isn’t if cyber risk belongs here. It’s how long we pretend it doesn’t.

Food and agriculture have always survived through community. Farmers share equipment. Neighbors show up when a barn burns down. Going it alone has never worked in this sector. So instead of waiting for permission, I spent 2025 building bridges, finding the other people who understand that cyber risk here is human, operational, and physical all at once.

This year, I found more of them than I expected.

Early morning on the farm - 1980s

At what felt like the 11th hour of 2025, I joined the Cybersecurity Association of the Food Industry as Vice President of Food & Agriculture Cybersecurity. The title matters less than the alignment. CSAFI understands that securing what feeds us is not a competitive sport. Risk doesn’t respect organizational boundaries. Neither can resilience.

At the same time, much of my year unfolded in zoos and aquariums, another place where cyber conversations tend to stall because people imagine keyboards instead of consequences. I began the year there. I ended the year there. And I’m grateful for the candor of zoo CEOs, presidents, and staff who didn’t dismiss cybersecurity as someone else’s problem.

Because when you look closely, the patterns are familiar.

The Dallas Zoo incident is often described as “not really a cyberattack.” No malware. No digital phishing. That framing misses the point. It was social engineering executed in physical space: intelligence gathering, trust exploitation, and human behavior intersecting with infrastructure.

Different venue. Same playbook.

At IAAPA Expo, I heard the same question repeatedly: Could that situation happen to us? The answer is yes. And now, at least, the industry knows it.

Food and agriculture saw the same pattern play out, just with higher stakes and fewer headlines.

In June, a former employee at a South Carolina chicken plant remotely accessed systems and attempted to raise dangerous chemical levels while disabling alarms. What stopped it wasn’t a tool or an alert. It was a human being on the floor who noticed something wasn’t right.

Technology didn’t save the day. People did.

When a cyberattack hit Asahi (Japan’s largest brewer), the fallout wasn’t confined to IT. Workers lost shifts. Distributors scrambled. Izakaya owners rationed their last kegs of Super Dry. Orders were written down and faxed to warehouses.

Faxed. In 2025.

This is what cyber-physical risk actually looks like when it hits food systems.

Policy, unfortunately, hasn’t caught up.

The USDA’s National Farm Security Action Plan reads like it was drafted by someone who’s never had dirt under their nails. The Cybersecurity in Agriculture Act means well, but it assumes resources and staffing that many farmers simply do not have.

Across the Atlantic, NIS2 is pushing cybersecurity obligations down food and agriculture supply chains. The problem? The people receiving those requirements often have no background in cybersecurity. Small UK farmers supplying EU processors are getting handed lengthy security questionnaires for the first time. Compliance pressure that nobody designed with their reality in mind.

The data tells the same story if you’re willing to look honestly. Academic literature documents a handful of incidents over a decade. Industry tracking shows hundreds in a single year. That gap isn’t disagreement, it’s invisibility. Small farms don’t issue press releases. Co-ops don’t make headlines. They pay quietly, work manually, or close.

The risk doesn’t disappear because we don’t count it.

I’ve spent a lot of time this year thinking about how we talk about risk.

I’m not interested in fear-based cybersecurity awareness. Fear burns hot and fades fast. But pretending this isn’t serious is worse. This isn’t alarmism. It’s arithmetic.

Food safety is cybersecurity. The cost of doing nothing is already higher than the cost of acting; we just haven’t forced ourselves to add it up yet.

Ransomware incidents in the food and agriculture sector more than doubled in 2025, with early-year attacks accelerating sharply. Ransom demands in the high millions are no longer unusual, and shutdowns stretching for weeks are becoming a normal part of the fallout.

That math will eventually meet leadership teams who’ve treated cyber risk as someone else’s responsibility.

On top of it all, yes, I’m writing a book. Securing What Feeds Us: Cybersecurity in Food and Agriculture will be published by Wiley in late 2026. They reached out in 2025 because they recognized something I’ve been saying for years: this is not niche work. It’s critical infrastructure. Everyone eats.

The writing process has been… memorable. There is a specific kind of existential terror that comes from opening the software holding your entire manuscript and being greeted with File not found. The book survived. I mostly did. We move on, and the work continues.

The Bites and Bytes Podcast followed me through this year, featuring 18 new episodes and conversations with farmers, ranchers, researchers, data scientists, startup founders, and mental health advocates. Fourteen thousand downloads. Forty-four episodes across two seasons. Every conversation reinforced the same truth: the people closest to these systems understand risk far better than most frameworks give them credit for.

What surprised me most in 2025, though, was the students.

Agriculture, animal science, and food safety students are connecting dots I didn’t hear five years ago. They see the gap. They’re not waiting for someone to hand them a roadmap. They understand that technology without context is just an expensive liability. The future of this field won’t come from government or Silicon Valley. It will come from people who know what failure costs because they’ve lived near it.

Looking ahead to 2026, education, not fear, is where momentum lives. Real integration. Food safety professionals who understand cyber risk beyond compliance. Cybersecurity teams who understand what a cold-chain failure means for public health. Vendors are learning the industries they claim to protect. Partnership instead of pitching.

And yes, I know exactly what most cybersecurity predictions for 2026 are going to focus on.

AI and Deepfakes.

They’re not wrong. Deepfakes and disinformation matter, especially in food and agriculture, where trust is fragile, and panic travels faster than facts. A convincing fake recall notice. A fabricated video of a contaminated product. An impersonation of a regulator, supplier, or inspector that looks just real enough to act on. These scenarios aren’t theoretical, and the sector isn’t prepared for how quickly they can spread.

But here’s where the industry keeps missing the point: focusing only on AI is a distraction.

Most of the damage we’re already dealing with isn’t coming from cutting-edge technology. It’s coming from very ordinary failures. Shared credentials. Unmonitored remote access. Flat networks. Systems no one wants to admit they don’t fully understand. People improvising because production can’t stop, and policy never matched reality.

AI doesn’t create those conditions. We do.

If an operation can’t handle a former employee logging in remotely, a trusted vendor being compromised, or a staff member being socially engineered without a single line of code, then AI isn’t the biggest risk. It’s just the most fashionable one right now.

This doesn’t stop at food and agriculture, either.

Zoos and aquariums are about to feel this in different but equally serious ways.

Deepfakes and synthetic media don’t just distort facts. They distort expectations. What animals are “supposed” to look like? How are they “supposed” to behave? What a wildlife experience is meant to be. When those expectations are shaped by fabricated videos, manipulated images, or emotionally charged misinformation, the consequences don’t stay online.

They show up at exhibits. In visitor behavior. In pressure on staff, animals, and educators.

When the public’s understanding of the natural world is built on content that looks real but isn’t, it becomes harder to teach what’s normal, ethical, and safe in managed care environments and in the wild. It also increases the risk of disappointment, confrontation, and mishandled interactions when reality doesn’t match what the algorithm served up.

That’s not a technology problem. That’s an education, trust, and safety problem.

And it’s coming faster than most institutions are ready for.

More on that in a later article.

Post New Year’s Eve celebration clean-up - 1980s

We are overdue for a significant attack on the food industry. That’s not pessimism. It’s pattern recognition. When it happens, the question won’t be whether it was preventable. It will be whether we built systems: human, operational, and technical, that can absorb the shock and recover. Resilience isn’t perfection. It’s recovery. It’s human.

Consumers have a role here, too, and I didn’t write enough about that this year. Empty shelves feel like an inconvenience, not a warning. Until the public understands how fragile modern food systems really are, pressure for change will come almost entirely from inside the industry. That isn’t enough. Maybe next year.

As the clock resets and the ball drops, nothing truly starts over. But we do get to choose what we pay attention to.

2025 brought a book deal, a near-heart attack over a missing file, conversations that made the isolation easier to carry, and a growing recognition that food, agriculture, zoos, and aquariums are not peripheral to cybersecurity. They are central to it.

To everyone who read, questioned, argued, and stayed curious, thank you. These systems are built on community. So is this work.

Nothing resets at midnight.

The food system keeps moving. Animals still eat. Refrigeration still hums. Control systems still run. People still show up and make judgment calls inside systems that don’t forgive assumptions.

2025 didn’t introduce new risks.
It made the old ones harder to ignore.

That clarity is the opportunity.

If 2026 is the year we stop waiting for clean slates and start strengthening the systems we already depend on, then this work, quiet, unglamorous, and deeply human, will finally be worth the attention it’s getting.

Happy New Year.

Stay safe, Stay curious,

Kristin King

Kristin King
Next

When a Zoo Gets Hacked