Cybersecurity in Agriculture Act of 2025: What It Means and What It Misses
US Congress is finally addressing food and agriculture cybersecurity, here’s what the bill gets right, what it misses, and how to make it work in the real world.
Earlier this year, Congress put forward S.754, the Farm and Food Cybersecurity Act of 2025. That one was about risk assessments and yearly crisis drills — basically asking, “How fragile is the food system if someone pulls the plug?” Enter the new Cybersecurity in Agriculture Act of 2025. Same arena, different play. Instead of measuring the cracks, this one says, “Let’s start building the scaffolding to hold the whole thing up.” It shifts from rehearsing disaster to trying to prevent it, which is a much better mindset.
Here’s the gist: five Regional Agriculture Cybersecurity Centers, likely planted at land-grant universities, tied together into a national network. Their to-do list is ambitious: create new tools, build testbeds, train the workforce, run attack-and-defense exercises, and improve situational awareness. USDA’s National Institute of Food and Agriculture (NIFA) would steer the tractor here, with DHS offering “consultation.” The budget: $25 million a year through 2030. On paper, it’s tidy. Duties lined up, funding carved out, governance boxes checked.
But agriculture is anything but tidy. It’s combines running through the night, co-ops running on paper-thin margins, and cold-chain warehouses that can’t afford to lose power for even a few hours. Systems thinking makes you pause and ask: Will this framework actually work in the messy, unpredictable world of agriculture, or does it just look shiny in a PDF? The structure is there, but the joints — the people, the processes, the gritty details of how this connects back to the farm gate — still need reinforcement.
What the Bill Gets Right
Let’s start with credit where it’s due. This bill finally recognizes agriculture for what it is: critical infrastructure, highly digitized and highly vulnerable. It doesn’t treat farming as a quaint backdrop to cybersecurity; it treats it as the frontline. The duties assigned to the centers: SOCs, testbeds, training, and tools are categories no one would argue against. Regional tailoring is smart, too. The threats in Iowa’s grain belt don’t look like Florida’s citrus groves, and a one-size-fits-all cyber playbook wouldn’t get far. A national coordinator over the five hubs is also wise: someone has to prevent duplication and make sure lessons learned in one region don’t sit siloed.
And the funding? While modest in scope, the fact that it’s annual through 2030 shows this isn’t meant as a one-off pilot. That’s important. Agriculture doesn’t need a cybersecurity fireworks display that fizzles out in a year; it needs durable protection that evolves with the threat climate. So yes, on intent and structure, the bill deserves applause. The problem is that the devil isn’t in the intent. It’s in the execution.
Situational Awareness Without Access Isn’t Awareness
One duty in the bill is to “develop cybersecurity situational awareness systems to monitor threats, intrusions, and anomalies.” Sounds great. Until you ask: monitor what, exactly, and with whose permission? Farmers own their data. Co-ops own their systems. OEMs guard their logs like proprietary crop genetics. There is no automatic pipeline of information to a university lab.
That means situational awareness can’t just be “collect all the data.” It has to be opt-in, privacy-respecting, and technically safe. Operational Technology (OT) monitoring differs from IT monitoring; you cannot simply install a sensor that risks tripping a grain dryer or halting a milking line. Any design has to be lightweight, store-and-forward, and built for spotty connectivity. If the centers assume they can “see everything” the way an enterprise SOC does, they’ll end up with empty dashboards. Worse, they might introduce risk where none existed.
SOC Reality Check for the Farm Sector
The bill also calls for each center to build a security operations center (SOC) for agriculture. Policymakers love SOCs; they sound concrete, serious, even cinematic. But agriculture is not a neat corporate campus where you can monitor endpoints and call it a day. It’s roaming equipment, patchy networks, and OT systems that were never designed with cybersecurity in mind.
And here’s the harder truth: even if you could design the perfect Ag-SOC, who exactly is going to staff it? Very few people today understand both cybersecurity and agriculture. Even fewer have expertise in OT/ICS/IoT. In my own experience inside a manufacturing company, almost no SOC analysts were trained for industrial environments. They knew Windows logs and email phishing campaigns inside out, but ask them to interpret telemetry from a PLC, or to decide whether an irrigation controller fault was cyber or just a mechanical hiccup, and you’d get a blank stare. Agriculture is predominantly OT/ICS/IoT, with very little enterprise IT, which exacerbates the gap even further.
So, where do you find these people? Are we going to train them on the job? If so, who’s teaching them when there’s already a national shortage of OT/ICS expertise, even more so in agriculture? It’s not as if there’s a shelf of “farm cyber analysts” waiting to be hired. Without a clear plan to build and train this workforce, I’m left with more questions than answers. A SOC is only as strong as the people inside it, and right now, the pipeline of talent for agriculture is closer to a trickle.
Tools and Testbeds: From Lab to Tractor
The bill shines when it talks about developing tools and testbeds. Intrusion detection systems tuned for tractors? Secure architectures for barns? Live cyber ranges where researchers can safely hack a milking system without ruining a farmer’s livelihood? All overdue, all exciting.
Nebraska’s STAVE project already shows what this can look like, a testbed that shrinks agricultural systems into a safe lab environment. Agricultural cyber-game competitions, such as the 1890s AI & Ag Cyber Games event that just happened a few weeks ago, have proven that hands-on challenges train students far better than another slide deck. These are green shoots worth watering.
But here’s the rub: findings mean nothing if they never leave the lab. A vulnerability report that sits in an academic journal won’t help a farmer in spring. Every testbed output should be required to translate into something real: a firmware patch, a retrofit kit, or, at the very least, a plain-language checklist. Otherwise, we’re cultivating research papers, not resilience.
And here’s the bigger systems question: why are we always securing after the fact? Ag-tech needs to be built with security by design, not bolted on later when it’s already in the field. Research should be funded not just to uncover flaws but to prove to manufacturers that building secure systems up front has long-term cost benefits, fewer recalls, less downtime, and stronger trust with farmers. If we can show the business case, maybe we can finally get tractors, grain systems, and dairy automation designed with cybersecurity baked in instead of slapped on with duct tape later. That shift alone would be transformative.
Training That Speaks OT, Not Just IT
The bill also gestures at training. That’s good, but generic cyber hygiene won’t cut it. Agriculture is overwhelmingly an OT environment. Defenders need to know SCADA, GPS spoofing, and how to harden an irrigation controller without wrecking a crop. That’s a very different skill set from locking down a corporate email server.
We need scholarships, apprenticeships, and dual-degree programs that produce professionals with one boot in the barn and one in the SOC. Ag majors should be incentivized to pick up cyber or IT minors, and cyber students should learn enough about livestock sensors and cold-chain logistics to be useful. OEM partnerships are essential, too; you can’t defend what you’ve never touched.
And extension services should be part of this from the start. They’re trusted, they’re local, and they can carry cyber literacy into rural communities in ways Washington never could. If training doesn’t reach that level, it’ll stay trapped in lecture halls.
Funding and Eligibility: Good Seeds, Thin Soil
The bill limits eligibility to land-grant universities with ag and cyber programs. Logical, but narrow. Some non-land-grant institutions have deep ICS expertise and could be valuable partners. A consortium model would be smarter.
As for funding: $25 million a year sounds like a lot until you divide it across five centers, a national coordinator, SOCs, testbeds, training programs, and rural outreach. Suddenly, it looks thin. The JBS ransomware attack alone cost $11 million just in ransom. The real economic hit was far higher. Trying to cover an entire trillion-dollar sector on that budget is like trying to irrigate the Midwest with a garden hose.
The Silent Gaps
Then there are the things the bill doesn’t mention.
Data privacy and ownership. Farmers deserve clarity on who owns yield data, drone imagery, or livestock sensor feeds. This data affects markets and livelihoods. Right now, too often, vendors hold the cards. The bill should at least direct the USDA to issue model contracts or best-practice guidance.
A food-and-ag cybersecurity framework. Just about every other critical sector has one. Agriculture doesn’t. We need plain-language controls tailored to farms and processors, rooted in NIST 800-82 at a minimum, but written in terms that are easily understood by farmers. Without a common framework, everyone is guessing at what “secure enough” means.
Scope. The bill doesn’t say whether it’s for the largest, most tech-heavy operations or for the whole sector. Attackers know the vulnerable often isn’t the multinational processor but the small co-op or mid-sized farm that ties hundreds of acres together. A resilient program names its target population and makes sure small and mid-sized producers aren’t left outside the fence. Not to mention, it lets hackers know we mean business.
Threat lens. Foreign adversaries are real, but so are ransomware gangs timing attacks to harvest, domestic extremists who see farms as political targets, and insiders with access. Farmers know this reality. If the centers design only for nation-states, they’ll miss the domestic threats already knocking on the barn door.
A Systems View
Here’s how I see it: technology is the seed. People and process are the soil. Governance, privacy, and vendor cooperation are the irrigation. Without tending all three, this bill risks becoming a beautiful trellis with nothing climbing it. With the right attention, it could grow into the durable, OT-fluent defense posture agriculture needs, one that spans from the biggest processor to the last pivot on the last field.
The Cybersecurity in Agriculture Act of 2025 is not a bad bill. In fact, it’s one of the better starts agriculture has seen in Washington in terms of cybersecurity in this sector. But it needs sharper edges if it’s going to survive contact with reality. Clarify access and consent for monitoring. Translate testbed results into farm-ready fixes. Bake OT into training. Incentivize OEM cooperation. Guarantee outreach to small and mid-sized producers. Develop a framework. Address data ownership. None of this undercuts the bill’s intent. It strengthens it.
Your Turn
I’ve laid out what I see. Now I’d love to hear from you. If you’re in agriculture, policy, or security, what did Congress get right here? What’s missing from your vantage point, on the farm, in the co-op, in the lab, or in the office? What would make you say, “Yes, this will help me next season,” versus “That sounds nice on paper”?
A bill can plant the seed, but resilience gets built in the dirt — in tractors, pivots, barns, co-ops, and cold-chains. That’s where security has to live, sturdy enough to stand up to drought, flood, and ransomware alike.
Stay Safe, Stay Curious,
Kristin King
