A Review on Security of Smart Farming and Precision Agriculture: Security Aspects, Attacks, Threats and Countermeasures

: In recent years, Smart Farming (SF) and Precision Agriculture (PA) have attracted attention from both the agriculture industry as well as the research community. Altogether, SF and PA aim to help farmers use inputs (such as fertilizers and pesticides) more efﬁciently through using Internet of Things (IoT) devices, but in doing so, they create new security threats that can defeat this purpose in the absence of adequate awareness and proper countermeasures. A survey on different security-related challenges is required to raise awareness and pave they way for further research in this area. In this paper, we ﬁrst itemize the security aspects of SF and PA. Next, we review the types of cyber attacks that can violate each of these aspects. Accordingly, we present a taxonomy on cyber-threats to SF and PA on the basis of their relations to different stages of Cyber-Kill Chain (CKC). Among cyber-threats, we choose Advanced Persistent Threats (APTs) for further study. Finally, we studied related risk mitigation strategies and countermeasure, and developed a future road map for further study in this area. This paper’s main contribution is a categorization of security threats within the SF/PA areas and provide a taxonomy of security threats for SF environments so that we may detect the behavior of APT attacks and any other security threat in SF and PA environments.


Introduction
Population growth, climate change, and rising affluence leading to more resourceintensive diets all mean that today, global food security is seen as a major challenge. According to the United Nations' Food and Agriculture Organization (FAO), global food production needs to be increased by 70% in order to feeding 10 billion people by 2050 [1,2]. Keeping pace with this growing demand for food while also working towards sustainable development requires new approaches to agriculture [2,3]. To this end, different cutting edge technologies that use IoT are supporting food industries [4] and industrial agriculture [5]. However, the development in these industries and their applications brings about a broad range of security challenges [6][7][8].
Moreover, the increased population will cause constraints in terms of land and water that will encourage adoption of farming techniques designed to improve agriculture resource utilization and crop yield. Applying IoT technology is a viable solution towards increased efficiency to tackle the challenges facing modern agriculture. As a result, we are observing the emergence of Smart Farming (SF) and Precision Agriculture (PA). Recent literature comes with numerous research works focusing on SF [9][10][11] and PA [12,13].
In general, both PA and SF refer to the use of modern technologies such as Internet of Things (IoT), drones, robotics and Artificial Intelligence (AI) in the control and management of farms in order to improve productivity and yield, while reducing input, land, and labor requirements.
A typical multi-layer SF architecture is shown in Figure 1. This architecture has been used as the reference architecture in several research projects [14][15][16][17]. In the architecture of Figure 1, the "Cloud", "Network Communication", "Edge" and "Physical" layers connect various smart IoT devices such as sensors and actuators as well as heterogeneous Cyber-Physical System (CPSs) to each other and to the internet [18,19]. A SF platform with the architecture of Figure 1 collects data from IoT devices, and then forms, processes, and controls data to provide various applications as well as various access levels to the users [20,21]. PA is distinct from SF in that it specifically refers to IoT-based approaches aiming at improving the efficiency of input use through providing farmers with tools that increase the granularity of decision making. In other words, PA is so sensitive and accurate that the minimum adversaries' activities simply can change the control system, target and damage valuable resources. Indeed, the PA is highly related to data and information of the system that can lead to costly, disruptive decisions and actions from the farmers via invalid data during run time.
For instance, in terms of crops, PA allows farmers the ability to move from managing fields to tailoring management to square meters or even individual plants within fields. For livestock farmers, PA means using IoT to shift from flock/herd scale management to being able to manage the needs of individual animals. A wide range of enabling technologies such as fog computing [22], AI [23], Unmanned Aerial Vehicles (UAVs) [24,25] and sensor networks [26] have been used to support both PA and SF.
Especially, IoT can be considered as one of the most important technologies for SF [27][28][29] and PA [30] due to its capabilities of remote sensing and operation without human interference. However, these IoT-based technologies create new cyber-security vulnerabilities and cyber-threats [1,3], which can be exploited to gain control on on-field actuators, sensors, and autonomous vehicles such as tractors, drones, sprayers, and planters, Refs. [1,3,31] as well as related databases and applications. A cyber-attack could have severe consequences on a farm. For instance, unauthorized changes to data could deceive a farmer to make changes that negatively influence the health of a herd. Poultry production relies on sensors to control temperature and air quality within barns. In this case, a cyber-attack could cause the mortality of thousands of birds. Similar sensitivities are in greenhouse growing conditions where a breach in cyber-security could result in a devastating amount of profit for the farming operation. [2].
Security is a highly-challenging aspect of SF [2,32,33] and PA [34][35][36] due to different properties of IoT devices including heterogeneity, mobility, and resource limitations. This exposes SF and PA to a broad range of cyber-threats.
Although the literature comes with several research reports focusing on securityrelated issues in SF and PA, to the best of our knowledge, there is no systematic review on these issues. A survey in this area, along with a future road map, can improve public awareness and pave the way for further research.
In this paper, we first discuss security aspects of SF and PA. Next, we review stateof-the-art attacks on SF and PA, and study the security aspect(s) violated by each of them. In reviewing literature for examples of specific attacks on SF and PA, we identify the general security violations of each. In many cases, these attacks are on IoT technologies that support SF and PA functions thus countermeasures suggested here focus on these identified threats, rather than on novel SF/PA specific mitigation techniques. According to our studies on security aspects and attacks, we present a taxonomy on cyber-attacks to SF and PA. Our taxonomy is based on the relation between attacks and the stages of Cyber-Kill Chain, which is a methodology for analyzing the chronology of complex cyber-attacks.
As a chosen class of threats for further study, we discuss the anatomy as well as the behavioral characteristics of Advanced Persistent Threats (APTs). Furthermore, we review risk mitigation strategies and countermeasures against cyber-threats to SF and PA. On the basis of the above discussions, we suggest some topics for future research on security of SF and PA.
The main contributions of this paper can be explained as follows.
• We itemize the security aspects of SF and PA and establish a map between attacks and security aspects. • We use CKC [37] for the first time to present a systematic taxonomy on cyber-threats to SF and PA. • We study the anatomy as well as the behavioral characteristics of APT. • Finally, we develop a future road map to highlight some related emerging areas that still need to be studied in future research.
The rest of this paper is organized as follows: Section 2 presents a review on existing reviews to highlight our motivations for the work of this paper. We examine cyber-attacks on SF and PA in Section 3. CKC-Based taxonomy on security threats to SF and PA are presented in Section 4. Moreover, APTs are specifically studied in more detail in Section 5. We study threat mitigation strategies and countermeasures in Section 6. Section 7 presents the future road map and; Section 8 concludes the paper.

Existing Reviews
Many researchers have conducted reviews on different aspects of PA. Some of these surveys focus on the applications of AI-based techniques in PA [38][39][40], the design of sensors [41] and sensor networks [42][43][44][45][46] to support PA, the application of educational hardware such as Raspberry Pi [47] and technical aspects such as imaging techniques [48] and routing protocols [49,50]. More specifically, few researchers have reviewed the literature on threats to PA. For example, Boghossian et al. [51] have presented a review on vulnerabilities of PA as well as the related threats along with some limited threat mitigation strategies. Another review on cyber-security threats to PA has been reported by Window [34]. However, none of the aforementioned reviews on threats to SF come with a taxonomy or a future road map for further research in this area.
On the other hand, surveys on SF and related technologies have been of interest to several researchers in recent years [52,53]. Especially, the roles of IoT [54][55][56] and AI [57] in SF has received great attention. Moreover, security-related aspects of SF have appeared as part of the subject in some surveys. As an example, one may refer to the research reported by Gupta et al. [2], wherein some challenges related to the security and privacy of SF have been studied, without presenting a taxonomy of threats. As another example, a review published by Barreto et al. [58] takes an empirical approach towards the identification of cyber-security challenges of SF. However, the most relevant works to the scope of this paper are those focusing on threats to SF. Among these works, we can mention the one reported by Demestichas et al. [3], which fails to develop a taxonomy or a future roadmap. Table 1 presents the characteristics of the existing surveys in the scope of SF and PA. Review on IoT-based Multidisciplinary models for SF Considers Cyber-Physical systems role in PA Applies cloud computing technologies for better production of crops IoT, WSN, Cloud computing [57] Explores the advantages of using deep learning in SF Provides a bibliography containing 120 papers in SF and PA IoT, AI, ML [58] Studies cyber-security challenges in SF using an empirical methodology to highlight security threats in SF systems IoT, ICT

Cyber-Attacks on SF and PA
As suggested by recent research works, the main security aspects of SF and PA can be outlined as follows. • Privacy is required to keep a user from unauthorized access to to other users' information. Some attacks such as Physical Attack, Replay Attack, Masquerade Attack can lead to the violation of privacy. Several research works have focused on the privacy of SF and PA [59][60][61]. • Integrity: guarantees information not to be changed during storage or transmission. Integrity of PA and SF has been part of the topic in several research projects [62]. • Confidentiality of SF and PA, which protects data against unauthorised access has been of interest to a few researchers [61,63]. • Availability guarantees the continuity of the provided services. Some recent research works have focused on the availability of SF and PA [64]. • Non-Repudiation keeps users from repudiating what they have done in the system. The importance of non-repudiation in SF and PA has received attention form a few researchers [65]. • Trust: makes it impossible for a user to spoof another identity. The literature in this area comes with a few research projects focusing on authenticity of SF and PA [65].
In the absence of proper provisions for security aspects discussed above, SF and PA may be exposed to a variety of attacks that may exploit these environments and related smart information systems or cause harm, stealth, unauthorized change, or destruction on them.
In the following, attacks on SF and PA are classified on the basis of their target components.
• Attacks on Hardware: Unknown or unprotected vulnerabilities of IoT and cyberphysical devices (as well as other hardware components) may be exploited by professional attackers using specialised tools [66]. As good examples for this kind of attacks, we may refer to side channel and Radio frequency (RF) jamming attacks, which can violate privacy, confidentiality, or authenticity when they hit poorly-designed IoT and cyber-physical systems [2,[66][67][68].
-Side Channel Attack [2,69] aims at gathering unauthorized information regarding the implementation detail of a system via monitoring physical parameters such as electrical current or voltage. Attacks of this type violate the confidentiality of the system. -RF jamming [2,68] attacks are caused by the open nature of wireless channels and the progress in designing jamming-resistant wireless networking systems. Attacks of this type violate the availability of the systems in the SF and PA area like a greenhouse.
• Attacks on the Network and Related Equipment: target the network or the connected devices. This category of attacks can be further categorized as follows.
-Denial of Service (DoS) [70,71] prevents users or devices from their authorized access to a resource such as a node, a server, or a communication link/network. For example, Radio Frequency (RF) Jamming [2,72] overwhelms the RF spectrum used by a network aiming to deny communication services to the connected nodes. [2,67,72] transparently store and replay (or in some cases modify) data transmitted over a connection. These attacks may target the confidentiality or the integrity of the system. -Botnets [2,73,74] are groups of Internet-connected devices (remote sensors), each running one bot or more. Botnets can be used for many different purposes, including Distributed DoS (DDoS) attacks, information stealing, SPAM dissemination. They can be designed to violate availability, integrity, or trust.

-MITM (Man-In-The-Middle) Attacks
-Cloud Computing Attacks [2] misuse cloud features such as self-provisioning, on-demand services and auto-scaling to take advantage of cloud resources. For instance, an infected virtual machine can quickly spread the infecting malware to other virtual machines via the cloud. These attacks may target non-repudiation, trust, or integrity.
• Attacks on Data: hit the data while being stored, transmitted, or processed in the system. This category of attacks can be divided into the following subcategories [75].
-Data Leakage [2,76] refers to the illegal transmission of an organization's data by a source (a person or a device) within the organization to an unauthorized external destination. This kind of attack violates the confidentiality of the data. -Ransomware [37,72] encrypts files, partitions or entire storage devices, and keeps the key secret to make the owner [77] pay a ransom. These attacks violate the privacy, trust, and integrity. -Cloud Data Leakage [76,78] is the exposure of data related to the users of an organization or the provided services, which violates the privacy of users or parties. -False Data Injection [2,79] is a title for attacks that try to feed malicious information or control commands into the system. This kind of attack targets the integrity of the data. -Misconfiguration [2] is the action of configuring the SF or the PA reporting systems in a way that reflects invalid information regarding the managed farm, which can lead to costly, disruptive decisions and actions from the farmers. Misconfiguration attacks violate the integrity. •

Attacks on Code (applications):
-Software Update Attacks [2] violate the integrity and the availability of the system via disrupting the update process of the installed software. -Malware Injection [2,72,80] refers to attacks that infect nodes and devices by malicious codes. This kind of attack violates integrity. -Buffer overflow [72,80] is a software coding error or vulnerability that hackers can exploit to gain unauthorized access to corporate systems. This kind of attack violates availability. -Indirect Attacks (SQL Injection) [2,81] use code injection techniques in order to mislead the database server to run malicious SQL codes injected into entry fields of the database. Indirect attacks violate trust.
• Attacks on Support Chain: are designed to hit different components of the support chain.
-Third Party Attacks [2,80] occurs when an adversary infiltrates a system via an outside partner or provider who has access to the system and/or the data. Third party attacks can violate the confidentiality or the integrity of the system. -Data Fabrication [82] involves the creation of malicious data or processes misusing an access provided for another purpose. It can lead to the violation of the system's integrity.
• Misuse Attacks: include attacks that misuse SF and PA physical resources in order to conduct attacks on other entities such as people or institutes.
-Cyber-Terrorism [2] may use IoT systems and cyber-physical devices to attack people or premises from afar. This can lead to the violation of trust in SF and PA systems. -Invalidation and /compliance [2,83] refers to disruptions in the certification process created by fabricated false data. These attacks target the integrity of the system.

CKC-Based Taxonomy on Security Threats to SF and PA
In this section, we present a CKC-based taxonomy for cyber-threats to SF and PA. Developed by Lockheed Martin [84], CKC decomposes the process of conducting a complex attack into seven stages. This decomposition improves the analyst's insight into an attack, and facilitates the study of adversarial strategies, approaches, and methods. The CKC stages of an attack are chained in a way that the whole attack scenario will fail if each of the adversaries fail to accomplish any individual stage. Our taxonomy provides a stageby-stage operational understanding of every cyber-threat, which can be efficiently used to detect APT groups active in the area of SF and PA.
In the following, we first, introduce the CKC model in more detail, and then propose our CKC-based taxonomy.

CKC
As suggested by CKC model, a typical complex attack consists of the following stages.

1.
Reconnaissance, where the attacker starts to identify and profile the victim via gathering as much information as possible. Any relevant information, such as email addresses, can be of interest in the reconnaissance stage. The primary goal of this stage is to discover the vulnerabilities of the victim. If properly accomplished, this stage can facilitate and accelerate a cyber-attack and make it difficult to detect via identifying the weak and strong points of the victim system. Moreover, the reconnaissance itself should not be suspicious to security mechanisms in the victim's system.
We can consider a passive and active approach for Reconnaissance. In the context of a cyberattack, passive Reconnaissance is known as footprinting. Active Reconnaissance is commonly referred to as scanning. An easy scan would be to ping every IP address owned by the destination network to see which ones went to real hosts. More sophisticated exploitation methods connect to every port number of the IP address to determine what services run on that host and which ports are open. In contrast to footprinting, scanning provides more specific information but is more intrusive. Additionally, the target may be alerted to a potential attack since scanning can trigger more abnormal connections, which must be avoided when scanning.

2.
Weaponization, wherein the attacker designs and implements the remote access malware (the weapon) e.g., the backdoor, virus or worm tailored to the vulnerabilities of the victim (discovered in the reconnaissance phase).

3.
Delivery, in which the attacker launches the remote access malware onto the victim (e.g., via a USB device, an e-mail attachment or a website).

4.
Exploitation, which triggers the remote access malware. In this stage, the attacker utilizes the remote access malware to action on the victim and the related network in order to exploit vulnerability.

5.
Installation, where the attacker tries to get permanent access to the victim via installing proper Command and Control (C2) servers. 6.
C2, wherein the attacker communicates with the C2 server in order to control the victim.

7.
Action on Target, where the attacker completes the attack scenario and achieves the final goal by compromising the victim.
The aforementioned stages are demonstrated in Figure 3. A point to note here is that not every attack goes through all of the above stages strictly and clearly. Moreover, some stages may not be observed, tracked, or reported. For example, the Reconnaissance stage is usually a secret stage, although the vulnerabilities identified in this stage may be reported later.

The Taxonomy
The taxonomy presented in this subsection connects known SF and PA cyber-threats to CKC stages.

Threats Related to the Reconnaissance Stage
Our review demonstrates that many state-of-the-art cyber-attacks on SF focus on several layers of the multi-layered architecture to collect information in the reconnaissance stage [37]. Moreover, IoT hardware is of great interest in the reconnaissance stage for many attackers targeting SF [1,2] or PA [2,3] systems. Thus, most cyber-threats to SF and PA fall into one of the following two categories.

•
Threats to the IoT hardware: Although IoT devices are commonly protected by software applications, they may be vulnerable to some hardware attacks such as default password attacks [2,87]. • Threats to the multi-layer architecture: These threats target different layers of the multi-layered architecture of Figure 1 as explained below.
-Physical Layer [2,88,89]: where sensors and actuators spread over farms and greenhouses gather environmental data and transmit it through gateways or receive command and control messages via the gateways. This layer is threatened by a variety of attacks during the reconnaissance stage. -Edge Layer: SF and PA environments rely on the edge layer devices for their realtime or near real-time computations and services. In some scenarios, attackers may be able to shutdown the function of these devices, causing disruption, delay, customer dissatisfaction, and financial loss [2].

Threats Related to the Weaponization Stage
Attacks on SF and PA use a variety of techniques to evade detection in the weaponization stage. Most of these techniques try to prevent the attack to be revealed by security mechanisms operating in IoT device level or in network level. Thus, we classify cyberthreats related to the weaponization stage as follows. • IoT Device Level Evasion: It has been observed that defence in IoT device level mainly relies on anti-viruses and end-point security solutions embedded in or installed on devices, which detect well-known virus signatures or anomalies in behaviors. Welldesigned attacks on SF and PA try to hide themselves from these mechanisms. As an example, one may refer to hollowing technique or heap spraying, which may successfully embed a malicious code inside an application even in the case the antivirus includes the related signature [90][91][92][93]. • Network Level Evasion: Firewalls and Intrusion Detection/Prevention Systems (IDSs/IPSs) are the most common tools for in-network protection [94,95]. A key point to be reiterated here is that there is no completely secure solution, including firewalls and IDS/IPS. Although these tools can detect a malicious executable file, they may be unable to detect a malicious file attached to an email. Thus, they are not considered as completely-secure mechanisms in SF and PA. To evade these mechanisms, SF and PA attacks depend on a wide range of techniques, among which we can mention illegal use of well-known protocols (HTTPS, DNS, HTTP, etc.) [37] or ports (53, 80, 443, etc.) [37] as well as network spoofing [89].

Threats Related to the Delivery Stage
After the completion of the Weaponization stage, the adversary needs to find a way to penetrate directly or indirectly into the victim node(s) to deliver the malicious payload [96,97]. In direct penetration, the adversary personally delivers the exploit to the victim. Indirect penetration depends on a trusted third party to compromise the victim in a way that the adversary can deliver the exploit.
According the above discussions, we can divide threats related to the delivery stage into the following categories.
• Direct Penetration: Malicious payloads are commonly delivered through the body or the attachments of an email [98,99], such as a fake software update or a spear-phishing link [37,100]. • Indirect Penetration: In the indirection penetration scenario, a communication protocol, a gateway or a web application may play the role of the trusted third party. Trusted third parties can help attackers gather information via TCP/UDP port scan, spoofing and sniffing, or launch a pre-designed backdoor [1,3].

Threats Related to the Exploitation Stage
Some state-of-the-art attacks on SF and PA exploit a vulnerability in the software or in the underlying Operating System (OS) to get the victim run their malicious code in the exploitation stage [37,101]. Others use SQL injection techniques for this purpose [37,102]. Accordingly, the cyber-threats related to the exploitation stage can be classified as follows.
• Exploiting Software and OS Vulnerabilities: Zero-day exploits are good examples for this kind of threat [103]. They are not detectable by common software vulnerability protection mechanisms. They exploit unknown software vulnerabilities for which no patch or fix is available. Moreover, viruses, worms, Trojan horses, and backdoors are common threats related to OS vulnerabilities in smart devices and consequently in SF and PA [104,105]. • SQL injection: In recent years, SQL injection has frequently hit data-driven applications using code injection techniques [37]. It can potentially hit SF and PA databases as well.

Threats Related to the Installation Stage
In the installation stage, a downloader can be fooled, codes can be injected into the memory, or unofficial applications may be installed to download malware such as rootkits and backdoors [37,106]. To this end, some attacks may exploit vulnerabilities in Operating Systems (OSs) used in IoT such as Android [107], Raspberry Pi [108], Symbian [109], or Android with Linux kernel [110]. This kind of attacks may take one or a combiation of the following approaches to achieve the goal. Other attacks may exploit vulnerabilities in embedded software or firmware [114]. In this case, some of the following approaches may be taken by the attacker.  This stage is about how hackers control the victim system after completing the installation stage. This commonly happens via registering a C2 server [118]. Our studies highlight two C2 mechanisms in attacks on SF and PA, the first of which depends on network protocols [2,88] and the second uses removable media [37,101]. Thus, we categorise threats related to the C2 stage as explained below.
• C2s using Network Protocols: Many common attacks on SF and PA use HTTP/HTTPS, ICMP, DNS, FTP, SMTP and other standard network protocols for their communications in the C2 stage [119,120]. For example, in many scenarios, when direct connection to an external mail server or an agriculture database server is not possible, hackers rely on backdoors that use protocols such as FTP or SMTP to penetrate into the server via sending files or emails [37,101]. Moreover, to bypass common network security mechanisms, hackers may perturb DNS packets, which makes the attack more difficult to trace [121]. • C2s using Removable Media: Given the features of removable media (such as USB storage), they are commonly used to bypass networks for the exfiltration of data. For example, when a disk is formatted for decreasing the size of a partition, hundreds of megabytes of data (including malicious files) can be stored at the last addresses of the disk without being lost [37].

Threats Related to the Action Stage
In the last stage, the adversary tries to finalize the attack and achieve the ultimate goal, which can be the exfiltration of data or damaging valuable resources, etc. In this stage, most attacks on SF and PA try to infect as many IoT devices as possible, and get access to the network and the infrastructure in order to compromise valuable targets such as edge devices, servers, etc. [2,37,122]. Moreover, attackers may try to get command line terminals such as WinExe or credentials management tools such as Mimikatz to access one computer through another using methods such as Pass the Hash (PtH) [123].

Threats Related to More than One Stage
Include attacks that create threats related to more than one CKC stage. In this category, we can refer to ransomware and similar attacks. Specifically, APTs cover almost all CKC stages. These attacks are individually studied in more detail in Section 5. Figure 4 demonstrates our CKC-based taxonomy on cyber-threats to SF and PA according to the above discussions.

Case Study
In this section, we study the anatomy of the DoS attack against SF infrastructures reported by Sontowski et al. [124], and connect it to the stages of CKC.

The Target Environment
The target is an SF system based upon Microsoft FarmBeats 11 [125] connected to Microsoft Azure cloud. The SF system uses a Raspberry Pi, to which different kinds of sensors including ambient temperature, light, humidity, and soil moisture sensors are connected. In this system, IEEE 802.11 connects the Raspberry Pi to a Wi-Fi access point that provides cloud connection.

Anatomy of the Attack
On the basis of the details reported in [124], we can use the CKC methodology to study the attack as explained below.

Reconnaissance:
In this stage, the attackers have studied the architecture and components of the victim's system and gathered the information mentioned in Section 4.3.1. Then they have used sniffing tools such as WireShark in order to identify the address of the Raspberry Pi via tracking the sensor update packets it sends every few seconds/minutes. Moreover, they have identified the vulnerabilities in authentication and deauthentication mechanisms of IEEE 802.11, reported by Wright [126].

Weaponization:
In the Weaponization stage, the attackers have designed and implemented a Wi-Fi deauthentication tool capable of exploiting the vulnerabilities reported in [126] in order to disconnect the Raspberry Pi from the access point and consequently from the network and the cloud.

Delivery:
In this stage, the Wi-Fi deauther is installed on a MakerFocus ESP8266 Development Board, and imitates the Raspberry Pi via spoofing sensor update packets (using the address of the Raspberry Pi). Thereby, the deauthentication tool fools the access point because the access point perceives it as the Raspberry Pi.

Exploitation:
In this stage, the deauther fabricates and sends deauthentication notification packets to the access point (Spoofed as the Raspberry Pi). According to the IEEE 802.11 protocol, the access point is obliged to deauthenticate and disconnect the sender of these packets without the need for a new authentication. (In fact, this is the exploited vulnerability). This way, the Raspberry Pi is disconnected from the access point along with the sensors connected to it.

Installation:
The attack bypasses this phase, as it does not need any further installation after the deauther is delivered.

C2:
The attackers have designed a control panel software tool to control the deauther. This tool is installed on the MakerFocus ESP8266 Development Board along with the Raspberry Pi and plays the role of the C2 server.

Action on Target:
Since this attack is a DoS attack, the final goal is to disconnect the Raspberry Pi from the access point. Therefore, no further action is taken in this stage.

APTs in SF and PA
APT attacks create one of the most severe threats to SF and PA as they cover almost all CKC stages [37,101]. This severity motivates the discussions in this section, which are specifically focused on APTs as a chosen case for further study. In the rest of this section, we first introduce general APT attacks, and then go deeper into APT attacks on SF and PA. In addition to the anatomy of these attacks, we study some of their behavioral characteristics.

An Introduction to APT Attacks
APT generally refers to a threat where an adversary (or maybe a group of adversaries) are persistently connected to a network to identify and steal strategic data without being detected [127]. APTs usually target highly-strategic corporations, industries, or financial agencies as well as government institutes or national security and defence agencies, where top secret information is stored, transmitted, and processed. Information regarding military and political plans, nuclear and aerospace technology, Intellectual Property (IP), etc. is of interest to APT groups [37,127,128]. Thus, it is pertinent to expect them to be interested in information regarding the agricultural sector as well.
APT attacks are different from other cyber-attacks in that they use personalized tools instead of more commonly used tools. Moreover, they take place over a longer period of time, which makes them more difficult to trace compared to other attacks. They utilise TTPs in a way that allows them to proceed covertly even in the presence of common IDSs or IPSs [37].
Systematic APT attack detection and prevention methods typically depend on multifaceted interaction between providers of security service providers and end users. Traffic monitoring, access control, and Whitelisting (monitoring and imitating access to the network from authorized domains) can be mentioned as commonly-used mechanisms used for this purpose [11,29].

APT Attacks on SF and PA
Most APT attacks on SF and PA try to gain hidden, persistent access to information regarding food chain and production network [4,129]. APT groups attempt to hit valuable targets such as greenhouses, livestock, and smart farms. To achieve their goals, APT groups depend on advanced techniques such as zero-day exploits, phishing attacks, and social engineering.
Among the consequences of ATP attacks in SF and PA, one may refer to the following.
• Theft of IP (patents, etc.) • Stealth of critical data related to food chain, control, genetics, etc. • Damage to important agricultural infrastructure (change to database entries or control parameters)

The Anatomy of an APT attack on SF or PA
A successful ATP attack on SF or PA is classically decomposed into the following three steps [130]. We map these steps to CKC stages.

Penetration (Infiltration):
This step can be mapped to the first three stages in CKC. Social engineering can be mentioned as a common reconnaissance technique used in this step [129]. This phase may involve vulnerability exploiting and malicious code uploading (SQL Injection). Penetration may lead to the installation of backdoors, which can provide the attacker with further access to the network. This step is composed of the following phases.
• Testing the target for detection • Deployment • White noise attack • Initial infiltration • Outbound connection initiation 2.

Further Access (Expansion):
This step may be mapped stages 4 through 6 in CKC. In this step, the attacker tries to gain longer access to the network or access to more strategic resources. The goal is getting control of critical functions and manipulating them to pave the way for the final step. This step is composed of the following phases. The following two functions can be run in this step.
• Expanding access and stealing credentials using phishing and similar techniques • Broadening the presence 3.

Information Stealth and Sabotage (Exploitation):
We can compare the final step to the last stage in CKC. In this step, APT groups may steal valuable information, shut down a strategic function, or cause damage to the system. Critical business information regarding the production value or cultivation process of livestock or crops may be of interest to APT groups in this step. These kinds of information can be sold to a rival or used to undermine the production process.
The stolen data may be stored somewhere inside the victim network for covert transportation in the future. APT attacks commonly use white noise techniques (maybe in the form of a DDoS attack) to evade detection systems [131]. This step is typically composed of the following phases.
• White noise attack • Extra data collection • Covering tracks Figure 5 demonstrates the anatomy of an APT attack.

Some Behavioral Characteristics of APT Attacks on SF or PA
In this subsection, we study some behavioral characteristics of APT attacks on SF and PA. In the following, we mention some symptoms that may be considered as warnings for an active APT attack.

•
Unusual and suspicious activities in security and control systems (especially the high-level access systems) • Widespread use of backdoor tools (Most of them can be detected by common IDSs. • Suspicious and unusual activities occurring in the databases • Evidences for data and information stealth

Risk Mitigation Strategies and Countermeasure
Our discussions on attacks and threats related to SF and PA highlight the need for a study on related risk mitigation strategies and countermeasures for different IoT attacks and security threats in SF and PA, which can be considered as the important side of research in this area. Tables 2 and 3 summarize our studies in this regard.
While it is not necessarily feasible for every farmer to be an expert at technology and cyber-security threats in agriculture, there are some cyber-safe behaviours farmers can perform to reduce the security risk. These include dynamic and secure passwords, frequently password changeover, data encryption, 2-factor user authentication, and updating software when prompted [132,133]. Avoidance of suspicious emails, links, and not saving personal or financial data on browsers and auto-fill features are recommended too [132,133]. Likewise, farmers should only make data-driven decisions when systems are demonstrably secure. Not only should farmers be wary of cyber-security threats, but it is imperative that the various stakeholders involved along the food production chain be cognizant of the risks. Farmers often are sharing data with trusted advisors, researchers, suppliers, and buyers -therefore, cyber-safe behaviours need to be encouraged throughout the data ecosystem.
Physical access controls and other physical behaviours can also reduce security risk. For instance, it is prudent to inspect and maintain devices regularly to prevent environmental and personal complications that could obscure security measures [133]. Creating back-ups of data helps reduce impact severity when data is stolen, and farmer access is denied. Protecting sensitive information, documents, and devices by placing them in secure spaces liked locked cabinets, rooms, and off-site caches can also reduce security risk [133].
Blockchain technology has been applied to some architectures to ensure data privacy and security as well as addressing fault tolerance, access control, and third-party removal to tackle these challenges [3,134,135]. We summarize existing research on intensifying security issues and privacy in IoT and ICT usage in the agricultural sector. Table 3 outlines a list of countermeasures that can be taken versus security features threats and threats layer in a smart farming environment. In fact, understanding and considering them is a viable way to obtain security threat mitigation in SF and PA environments.

Future Roadmap
In this section, we discuss some open research challenges related to the security of SF and PA. While in this paper, we begin the first steps in creating novel SF/PA mitigation strategies by reviewing the literature, developing a taxonomy, and conducting a case study on APTs. Future research can build upon this through interdisciplinary research that draws on knowledge from farmers, SF tool developers, and computer scientists to test the mitigation techniques mentioned here and to develop more specific strategies to the SF and PA context. Listed below, these challenges can highlight a future road map for further research in this area. •

Access Control from a Security Perspective:
Dealing with hired labor and livestock, the owners of farms, greenhouses, etc. are traditionally concerned about access control. However, they need to adopt a security perspective for their property. Authentication, authorization, and accounting should be incorporated to prevent unauthorized access, which is the stepping stone in many severe attacks on SF and PA. Although the literature in this area comes with some relevant research reports [1][2][3]41,50], there is still opportunities for systematic research. • Data Protection: Given, the abilities of smart devices and IoT, enormous data acquisition, communication and processing is a well-known characteristic of SF and PA [1,2]. This raises the need for efficient data protection mechanisms, which has been of interest to a few researchers [1,2]. However, data protection can still be considered as an open research challenge in this area. • Network Infrastructure and Physical Layer Protection: The physical layer and the network infrastructure play critical roles in SF and PA. They are targeted by several attacks [3]. Although a few research projects have focused on this topic [4,9,81,135,136], research in this area still needs to be developed. • Education as Risk Reduction: The social elements of reducing cyber-risks, such as education, has received relatively little attention by scholars [146]. Not only are farmers are interested in education regarding security threats to their operations, but education is regarded as a vital tool for reducing security risk [132,147,148] [3,121,149], there is still room for research on secure protocols specifically designed and standardized for SF and PA.
• Secure Smart Devices: Given the threats to smart devices used in SF and PA (studied in previous sections), security needs to be taken into consideration in design and implementation phases of these devices. • Secure AI Adoption: In recent years, some researchers have been concerned about the application of AI in SF and PA [2,3]. Thus, the security threats to AI such as adversarial attacks [1,2] can motivate future research on secure AI in SF and PA. Informed by this taxonomy of cyber-threats, strengthening policy regarding cyber-security in PA is an important consideration for future research. Legal frameworks designed to protect private data and ensure privacy are key to addressing the challenge of cyber-security arising from new farming technologies [150]. Reviews on the social science of PA have highlighted that future research needs to address how policy-makers should respond to cyber-attacks on agri-food systems [151].

Conclusions
SF and PA have the potential to enhance global food security and reduce agriculture's impact on the environment, however to be able to realize this potential these technologies need to be protected from cyber-attacks. It's clear right now that there are plenty of cyberattacks and security threats in this area. These attacks can impose serious disruptions to global markets and especially to the economies of developing nations that are heavily dependent on the agriculture industry. In this paper, we considered the security of SF and PA, which is a critical need in the field of smart farming. We highlighted important security aspects needed to be considered in SF and PA. We presented a survey on attacks that violate each of these security aspects. Accordingly, we introduced cyber-threats to SF and PA. It is a viable source to tackle existing security issues here. Our studies on SF and PA cyber-threats led to a systematic CKC-based taxonomy on these threats. Among the mentioned threats, we chose APTs for further studies. We studied the anatomy as well as behavioral characteristics of APTs. Moreover, we presented a survey on risk mitigation strategies and countermeasures against attacks on SF and PA. Lastly, we developed a future road map to pave the way for future research in this area.