Threat Modeling and Attack Surface Analysis of IoT-Enabled Controlled Environment Agriculture Systems
| Source | arXiv |
| arXiv ID | 2604.13308v1 |
| Authors | Andrii Vakhnovskyi |
| Published | Apr 14, 2026 |
| Categories | cs.CR, eess.SY |
| Curated by | @stevek |
| Curated on | Apr 19, 2026 |
| Tags | agriculture, controlled-environment-agriculture |
PREPRINT
ANDRII VAKHNOVSKYI IOGRU LLC, New York, NY 10022, USA
Abstract—The United States designates Food and Agriculture as one of sixteen critical infrastructure sectors, yet no mandatory cybersecurity requirements exist for agricultural operations, and no formal threat model has been published for Controlled Environment Agriculture (CEA) systems — greenhouses, vertical farms, and indoor cultivation facilities that depend on tightly coupled IoT sensor networks, industrial control protocols, and cloud-based fleet management. This paper presents the first comprehensive threat model for IoT-enabled CEA, developed through systematic application of STRIDE threat analysis, MITRE ATT&CK for Industrial Control Systems mapping, and IEC 62443 zone-and-conduit decomposition to a production platform deployed across 30+ commercial facilities in 8 U.S. climate zones. We enumerate 123 unique threats across 25 dataflow-diagram elements spanning 15 communication protocols — 10 of which (Modbus RTU/TCP, BACnet/IP, 0–10 V, 4–20 mA, SDI-12, DALI, I2C, pulse, and dry contact) operate with zero authentication or encryption by design. Threats are scored using DREAD risk assessment and mapped to 19 MITRE ATT&CK for ICS techniques. We identify five novel attack classes unique to AI-driven CEA: stealth destabilization of neural-network-tuned PID controllers, baseline drift poisoning of anomaly detectors, cross-facility propagation via federated transfer learning, adversarial agronomic schedules that exploit crop biology rather than computational models, and reward poisoning of reinforcement-learning energy optimizers. Physical impact analysis quantifies crop loss timelines: aeroponic systems fail within minutes of irrigation disruption, humidity manipulation triggers pathogen outbreaks within 48–72 hours, and CO2 injection manipulation creates worker safety hazards at concentrations exceeding NIOSH’s Immediately Dangerous to Life or Health (IDLH) threshold.
A survey of 10 commercial CEA control vendors reveals that only one CVE has ever been issued against any vendor in this category, zero vendors operate bug bounty programs, and zero hold IEC 62443 cybersecurity certifications. We propose a defense-in-depth countermeasure framework mapped to IEC 62443 security levels and NIST Cybersecurity Framework functions, and recommend that CEA operators target Security Level 2 as a minimum baseline. The complete threat catalog, data flow diagrams, and risk assessment artifacts are published as open-access supplementary materials.
Index Terms—Controlled environment agriculture, cybersecurity, Internet of Things, threat modeling, STRIDE, MITRE ATT&CK, industrial control systems, BACnet, Modbus, MQTT, neural network PID, adversarial machine learning, critical infrastructure, food security.
I. INTRODUCTION
Corresponding author: Andrii Vakhnovskyi (e-mail: andrii.vakhnovskyi@gmail.com). ORCID: 0009-0007-8306-5932.
Controlled Environment Agriculture (CEA) — encompassing greenhouses, vertical farms, indoor cultivation facilities, and plant factories — represents a rapidly expanding segment of global food production, with the market projected to exceed $120 billion by 2030 [1]. CEA facilities depend on dense networks of IoT sensors and industrial actuators to maintain precise environmental conditions: air temperature, relative humidity, CO2 concentration, photosynthetically active radiation (PAR), substrate moisture, and nutrient solution chemistry must be regulated simultaneously and continuously. Energy expenditure for climate regulation accounts for 20–50% of CEA operating budgets [2].
Modern CEA platforms integrate three distinct technology tiers: (1) a field layer of industrial sensors and actuators communicating via legacy protocols including Modbus RTU, BACnet/IP, and analog 4–20 mA current loops; (2) an edge computing layer hosting real-time control logic, neural network-based PID auto-tuning, and anomaly detection; and (3) a cloud layer providing fleet management, cross-facility transfer learning, digital twin simulation, and regulatory compliance integration [2]. This three-tier architecture creates a complex attack surface that spans operational technology (OT), information technology (IT), and machine learning (ML) domains.
Despite the critical role of CEA in food security, the cybersecurity of these systems has received remarkably little academic attention. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) designates Food and Agriculture as one of sixteen critical infrastructure sectors [3], yet compliance with cybersecurity standards remains entirely voluntary. The FBI has issued multiple Private Industry Notifications warning that ransomware actors deliberately time attacks on agricultural cooperatives to coincide with critical planting and harvest seasons [4]. Ransomware attacks on the food and agriculture sector reached 265 incidents in 2025, more than doubling from 2023 [5]. High-profile incidents include the REvil attack on JBS S.A. that shut down 20% of U.S. beef processing capacity (ransom: $11 million) [6], the BlackMatter attack on NEW Cooperative that threatened 40% of U.S. grain production software [7], and the Everest ransomware breach of STIIIZY that exposed 420,000 cannabis customer records [8].
A systematic literature review reveals a critical gap: while formal threat models exist for smart grids [9], connected vehicles [10], healthcare IoT [11], and building automation systems [12], no comprehensive threat model has been published for CEA systems. The two closest works are Fereidooni et al. [13], who applied STRIDE to precision agriculture (field crops, not CEA) and identified 58 threats, and Tripathi et al. [14], who produced 126 threats for smart greenhouses but with limited depth (only four attack trees) and no coverage of the cloud, ML, or compliance integration layers.
Furthermore, CEA-specific control system vendors — Priva, Argus Controls, TrolMaster, Wadsworth, Hoogendoorn, Ridder, and Growlink — have received virtually no public security scrutiny. Our survey (Section VIII) finds that across all major CEA vendors, only one Common Vulnerability and Exposure (CVE) has ever been published, zero vendors operate bug bounty programs, and zero hold IEC 62443 cybersecurity certifications.
This paper addresses these gaps with the following contributions:
- We present the first comprehensive threat model for IoT-enabled CEA, applying STRIDE systematically to a three-tier reference architecture deployed across 30+ commercial facilities, enumerating 123 unique threats across 25 data-flow-diagram elements and 15 communication protocols.
- We map all threats to MITRE ATT&CK for ICS techniques and score them using DREAD risk assessment, providing a quantitative, prioritized threat catalog.
- We identify five novel attack classes unique to AI-driven CEA — including adversarial agronomic schedules, the first reported adversarial ML attack class targeting a biological organism rather than a computational model.
- We quantify the physical consequences of cyber-physical attacks on CEA systems, including crop loss timelines, worker safety thresholds, and financial impact per attack scenario.
- We survey 10 commercial CEA control vendors and document the near-total absence of public cybersecurity posture in this industry segment.
- We propose a defense-in-depth countermeasure framework mapped to IEC 62443-3-3 foundational requirements, NIST Cybersecurity Framework v2.0 functions, and OWASP IoT Top 10 [41] categories.
The remainder of this paper is organized as follows. Section II surveys related work. Section III describes the CEA reference architecture. Section IV presents the threat modeling methodology. Section V enumerates the threat catalog. Section VI quantifies physical impact. Section VII introduces AI/ML-specific threats. Section VIII surveys vendor security posture. Section IX proposes countermeasures. Section X discusses implications and limitations. Section XI concludes the paper.
II. RELATED WORK
A. Threat Modeling Methodologies
Threat modeling is a systematic approach to identifying, classifying, and prioritizing security threats against a system. The most widely adopted methodology is STRIDE, developed by Microsoft [15], which categorizes threats into six classes: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. STRIDE operates on Data Flow Diagrams (DFDs) and assigns threat categories to each DFD element based on its type (process, data store, data flow, or external entity).
Complementary frameworks include MITRE ATT&CK for ICS [16], which maps adversary tactics, techniques, and procedures (TTPs) observed in real-world industrial control system attacks to a structured matrix of 12 tactics and over 100 techniques; IEC 62443 [17], which defines a zones-and-conduits model for industrial network segmentation with four security levels (SL 1–4) based on attacker capability; and DREAD [18], which provides a semi-quantitative risk scoring model across five dimensions: Damage, Reproducibility, Exploitability, Affected users, and Discoverability.
Recent surveys by Xiong and Lagerström [19] and Shevchenko et al. [20] have cataloged over twelve distinct threat modeling methodologies including PASTA, LINDDUN, OCTAVE, and VAST, each with different strengths. We adopt STRIDE as our primary methodology because of its systematic per-element enumeration, augmented with ATT&CK for ICS mapping for operational relevance, IEC 62443 zones for countermeasure alignment, and DREAD for quantitative prioritization. This multi-framework approach addresses the common reviewer criticism of over-reliance on a single methodology [21].
B. Cybersecurity in Agriculture
The academic literature on agricultural cybersecurity has grown rapidly since 2020 but remains focused on precision agriculture (field-level systems: drones, GPS-guided tractors, weather stations) rather than CEA. Key surveys include:
Ferrag et al. [22] (2020) surveyed security threats in agricultural IoT, identifying attack vectors across sensor networks, communication channels, and cloud platforms. Gupta et al. [23] (2021) reviewed security of smart farming with a focus on precision agriculture. Two comprehensive 2024 systematic reviews — one in Computers and Electronics in Agriculture [24] analyzing 58 documents and another in Computers & Security [25] analyzing 37 articles — established the state of the art but noted the absence of formal threat models for specific CEA architectures. Kulkarni et al. [26] compiled the most comprehensive incident catalog, documenting 30 cybersecurity incidents in food and agriculture from 2011–2023.
The emerging discipline of cyber-biosecurity [27], [28] addresses the intersection of biological systems and digital control — a framing directly applicable to CEA. Duncan et al. [28] note that agriculture and food account for approximately 20% of U.S. GDP ($6.7 trillion) and 15% of employment (43.3 million jobs), yet cyber-biosecurity protections remain minimal. CEA is uniquely vulnerable because cyberattacks on environmental controls can trigger biological consequences — humidity manipulation induces pathogen outbreaks, nutrient tampering creates plant stress that opens disease windows, and HVAC compromise can push unfiltered air into recirculating hydroponics — creating cyber-to-biological attack chains that traditional cybersecurity frameworks do not capture.
C. ICS Attack Precedents
The feasibility of cyber-physical attacks on industrial control systems is well-established. Stuxnet (2010) [32] destroyed approximately 1,000 uranium enrichment centrifuges by manipulating variable frequency drive speeds via Siemens S7 PLCs. BlackEnergy (2015) [44] targeted the Ukrainian power grid, causing 230,000 people to lose power for six hours. Most relevant to CEA safety systems, TRITON/TRISIS (2017) [43] was the first malware designed to attack Safety Instrumented Systems (SIS) — specifically Schneider Electric Triconex controllers at a Saudi petrochemical plant — demonstrating that even safety-critical interlocks can be compromised when SIS networks are inadequately segmented. The protocols exploited in these attacks (Modbus, S7comm, OPC) are the same protocols used in CEA systems, making these precedents directly transferable.
The protocols used by CEA systems are also exposed on the public internet at scale. Shodan and Censys scans reveal over 18,700 BACnet devices exposed on UDP port 47808 (60% in the U.S.), 102,000+ MQTT brokers without authentication on port 1883, and 179 Modbus devices on port 502 across critical infrastructure sectors [40]. While these figures represent all sectors, CEA facilities connected via commercial ISPs with default router configurations are part of this exposed population.
D. Threat Models in Adjacent Domains
Formal threat models have been published for several domains adjacent to CEA. Jbair et al. [9] applied STRIDE to a smart grid microgrid, demonstrating the case-study validation approach. The building automation system (BAS) security analysis by Kaur et al. [12] is particularly relevant because BAS systems share BACnet and Modbus protocols with CEA — and BAS components have accumulated significant CVE history: the Honeywell/Tridium Niagara Framework alone received 13 critical CVEs in 2025 for root-level remote code execution affecting over 1 million installations globally [45]. The Contemporary Controls BASC-20T BACnet router (CVE-2025-13926) was found to have unauthenticated RCE with the product already obsolete and unpatchable [46]. These vulnerabilities in BAS middleware and protocol gateways are directly applicable to CEA installations that use the same components. The ICS threat modeling systematic literature review [29] (2024) catalogs methodologies applied to industrial control systems but finds no CEA-specific application. The “Publish Your Threat Models!” position paper by Kohnfelder and Shostack [21] argues that the security benefits of publishing threat models far outweigh the risks, a principle we follow by releasing our complete threat catalog as supplementary material.
E. Gap Statement
No published work provides a formal, systematic threat model for CEA systems that covers the complete technology stack: field-layer industrial protocols, edge AI controllers, cloud fleet management, compliance integration, and the AI/ML attack surface introduced by neural network PID tuning and cross-facility transfer learning. This paper fills that gap.
TABLE I
FIELD-LAYER COMMUNICATION PROTOCOLS
| Protocol | Use | Auth | Enc. |
|---|---|---|---|
| Modbus RTU | T/RH, CO2, pH/EC sensors | None | None |
| Modbus TCP | Same, over Ethernet | None | None |
| BACnet/IP | HVAC units (Carrier, Trane) | None | None |
| 0–10 V analog | LED dimming, VFD speed | N/A | N/A |
| 4–20 mA analog | Transmitters (EC, pH, flow) | N/A | N/A |
| SDI-12 | Substrate sensors (TEROS) | None | None |
| DALI | Lighting control | None | None |
| Pulse/dry contact | Flow meters | N/A | N/A |
| I2C | Barometric (internal) | None | None |
| OPC UA | PLC interop (optional) | Cert | TLS |
III. CEA REFERENCE ARCHITECTURE
The threat model is developed against a production CEA IoT platform (IOGRUCloud [2]) deployed across 30+ commercial facilities in 8 U.S. climate zones over 7+ years of continuous operation (2017–2024). The architecture comprises three tiers, illustrated in Fig. 1.
A. Field Layer
The field layer comprises a distributed network of industrial sensors and actuators communicating via ten OT protocols, none of which provide authentication or encryption by design. Table I summarizes the protocols and their security properties.
Sensor types include aspirated climate stations (±0.1 °C, ±1.5% RH), NDIR CO2 sensors (±50 ppm), quantum PAR sensors, capacitance substrate probes (VWC, EC, temperature), inline pH/EC transmitters, pulse flow meters, differential pressure transmitters, CT clamp power monitors, and IR leaf temperature sensors. Actuators include HVAC units from five major manufacturers (Carrier, Trane, Daikin, LG, Mitsubishi) controlled via BACnet/IP, dehumidifiers (Quest, Anden) via Modbus, LED lighting (Fluence, Gavita, Phantom) via 0–10 V or DALI, irrigation valves via digital output, fertigation dosing pumps via Modbus, and CO2 injection solenoids via digital output. A typical zone deploys 20–40 sensors and 8–15 actuators.
B. Edge AI Layer
The edge layer consists of industrial controllers hosting real-time control logic. Each controller operates autonomously without cloud dependency (air-gapped failsafe) and includes:
- TimescaleDB for time-series sensor storage (10-second resolution, 1-second for anomaly windows)
- SQLite for configuration: recipes, setpoints, automation rules, I/O mappings, BACnet object tables
- A 7-3-3 multi-layer perceptron (MLP) for neural network PID auto-tuning with Lyapunov stability guarantees
- Autoencoder-based anomaly detection on sensor data streams
- A four-level progressive autonomy model (L1: monitoring, L2: recommendations, L3: autonomous with guardrails, L4: full optimization)
- Hardware watchdog timer for safety reset
Fig. 1. Level 0 Data Flow Diagram of the CEA reference architecture showing three tiers (Field, Edge AI, Cloud), seven trust boundaries (TB1–TB7), and 15 communication protocols. Solid arrows indicate data/command flows; dashed boxes indicate trust boundaries.
Communication to the cloud layer uses REST API and WebSocket over TLS. Communication to field devices uses the OT protocols in Table I.
C. Cloud Layer
The cloud layer provides fleet-wide services:
- Aggregated telemetry storage from 30+ facilities
- Cross-facility transfer learning: VPD trajectories, PID parameters, seasonal templates, and anomaly baselines are learned at one facility and deployed to others
- Digital twin simulation for recipe testing
- Web dashboard and mobile application for remote monitoring and control
- Compliance integration with regulatory tracking systems (Metrc, BioTrack, LeafLogix, Dutchie) via REST API and webhooks
- Weather forecast ingestion for predictive pre-cooling
D. Trust Boundaries
We identify seven trust boundaries (TB1–TB7) for STRIDE analysis:
- TB1 — Physical Facility Perimeter: physical access to sensors, actuators, wiring, and controllers.
- TB2 — OT Network Boundary: the industrial control network carrying Modbus RTU, BACnet/IP, analog, and serial protocols — all unauthenticated.
- TB3 — Edge Controller Boundary: bridges OT protocols to IP-based cloud communication; hosts all control logic; the single most critical asset.
- TB4 — IT/Internet Boundary: edge-to-cloud communication over TLS (REST, WebSocket, MQTT).
- TB5 — Cloud Platform Boundary: fleet data, user accounts, digital twin, and ML models.
- TB6 — Third-Party Integration Boundary: compliance platforms, weather APIs, equipment vendor APIs.
- TB7 — User/Operator Boundary: web dashboard and mobile application with role-based access.
IV. THREAT MODELING METHODOLOGY
A. Multi-Framework Approach
We apply a composite methodology combining four established frameworks:
STRIDE [15] provides the primary threat enumeration engine. We decompose the architecture into 25 DFD elements (10 sensor types, 5 actuator types, 1 edge controller, 4 communication channels, 3 cloud components, and 2 external integrations) and apply the six STRIDE categories to each element systematically.
MITRE ATT&CK for ICS [16] maps each enumerated threat to real-world adversary techniques observed in industrial environments, grounding our analysis in operational threat intelligence rather than purely theoretical risks.
IEC 62443 [17] provides the zone-and-conduit decomposition for organizing countermeasures and defining target security levels. We map the seven trust boundaries to five IEC 62443 zones (Zone 0: field sensors/actuators at SL 1–2; Zone 1: edge controllers at SL 2–3; Zone 2: supervisory/HMI at SL 2–3; Zone 3: site operations at SL 3; Zone 4: enterprise/cloud at SL 3–4).
DREAD [18] provides semi-quantitative risk scoring. Each threat receives a score from 1–10 on five dimensions (Damage, Reproducibility, Exploitability, Affected users, Discoverability), yielding a composite score from 5–50.
B. Attacker Model
We consider four attacker profiles:
- Remote External Attacker: accesses the system via exposed cloud APIs, MQTT brokers, or BACnet/Modbus services reachable from the internet. Capability: moderate (script kiddie to intermediate). Motivation: financial (ransomware), competitive espionage.
- Insider/Technician: has legitimate physical or logical access to the facility. Capability: moderate to high. Motivation: sabotage, IP theft, financial gain.
- Supply Chain Attacker: compromises a CEA equipment vendor, firmware update channel, or ML model repository. Capability: high. Motivation: espionage (nation-state), pre-positioning.
- Nation-State Actor: targets CEA as critical infrastructure for geopolitical disruption or agricultural IP theft. Capability: very high. Motivation: food security disruption, economic warfare.
The Food and Ag-ISAC has identified 72 active threat actors targeting farm-to-table supply chains [30], and Hunt & Hackett documented 111 APT groups across agriculture, biotech, and industrial sectors [31]. Russia accounts for 59.3% of observed adversary activity against the agriculture sector, followed by China at 25.4%. Agricultural IP theft has been prosecuted at the federal level: in United States v. Mo Hailong (2016) [47], a Chinese national orchestrated a five-year conspiracy to steal proprietary inbred corn seed from DuPont Pioneer and Monsanto, resulting in $30M+ in losses and 5–8 years of R&D theft. In United States v. Haitao Xiang (2017) [48], a Monsanto researcher stole the “Nutrient Optimizer” predictive algorithm on a micro SD card and was intercepted at O’Hare Airport en route to China. These cases demonstrate that agricultural automation IP — including the control algorithms and crop recipes managed by CEA platforms — is an established target of state-sponsored economic espionage.
C. Scope and Limitations
The threat model covers the complete CEA IoT stack from field sensors through cloud services. It does not cover physical security of the building envelope (locks, fences), supply chain integrity of seed/genetic material, or business process threats (financial fraud, regulatory capture). The model is validated against a single vendor’s platform (IOGRUCloud); generalizability to other CEA architectures is discussed in Section X.
V. THREAT CATALOG
Systematic STRIDE analysis across 25 DFD elements yields 123 unique threats. Table II summarizes the distribution by STRIDE category and DFD element group.
TABLE II
THREAT DISTRIBUTION BY STRIDE CATEGORY
| STRIDE Category | Count |
|---|---|
| Spoofing (S) | 22 |
| Tampering (T) | 28 |
| Repudiation (R) | 15 |
| Information Disclosure (I) | 18 |
| Denial of Service (D) | 19 |
| Elevation of Privilege (E) | 21 |
| Total | 123 |
The complete threat catalog is provided as supplementary material. Here we present representative threats from each architectural tier, selected by severity (DREAD ≥ 40).
A. Field Layer Threats
The field layer presents the largest attack surface due to the complete absence of authentication and encryption in nine of ten OT protocols. Representative high-severity threats include:
T007 — CO2 Sensor Spoofing (S, DREAD: 44): A rogue 4–20 mA current source injected in parallel with a legitimate CO2 NDIR sensor reports falsely low CO2 concentrations. The edge controller responds by increasing CO2 injection, potentially raising levels above OSHA’s 5,000 ppm Permissible Exposure Limit or NIOSH’s 40,000 ppm Immediately Dangerous to Life or Health (IDLH) threshold. Attack hardware cost: approximately $30 for a precision current source. Mapped to MITRE ATT&CK T0848 (Rogue Master/Relay).
T030 — HVAC Setpoint Tampering (T, DREAD: 46): BACnet WriteProperty service is used to modify the Analog Value object representing the temperature setpoint on a chiller or rooftop unit. BACnet/IP provides no authentication for write operations; any device on the BACnet VLAN can issue a WriteProperty command. Setting the setpoint to 40 °C causes complete crop loss in flowering-stage cannabis within 4–8 hours. Mapped to T0836 (Modify Parameter).
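Because the protocol itself cannot reject the write described in T030, detection has to happen on the wire. The following passive-monitor sketch is an added example, not code from the paper or the platform it describes: it decodes BACnet/IP WriteProperty requests seen on a mirror port and flags writers outside an allowlist and Analog Value setpoints outside an agronomic band. The addresses, object instance, temperature band and sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional

SERVICE_WRITE_PROPERTY = 15   # BACnet confirmed-service choice
OBJ_ANALOG_VALUE = 2          # BACnet object type
PROP_PRESENT_VALUE = 85       # BACnet property identifier


@dataclass
class WriteProperty:
    object_type: int
    instance: int
    property_id: int
    value: Optional[float]    # decoded only when the written value is a REAL
    priority: Optional[int]


def parse_write_property(frame: bytes) -> Optional[WriteProperty]:
    """Decode a BACnet/IP WriteProperty request; return None for any other frame."""
    try:
        if frame[0] != 0x81 or struct.unpack(">H", frame[2:4])[0] != len(frame):
            return None                   # not BVLC, or declared length is wrong
        if frame[1] in (0x0A, 0x0B):      # Original-Unicast / Original-Broadcast-NPDU
            pos = 4
        elif frame[1] == 0x04:            # Forwarded-NPDU: 6-byte origin address first
            pos = 10
        else:
            return None
        control = frame[pos + 1]
        if frame[pos] != 0x01 or control & 0x80:   # NPDU version 1 carrying an APDU
            return None
        pos += 2
        if control & 0x20:                # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + frame[pos + 2]
        if control & 0x08:                # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + frame[pos + 2]
        if control & 0x20:                # hop count follows when DNET is present
            pos += 1
        pdu = frame[pos]
        if pdu >> 4 != 0:                 # PDU type 0 = Confirmed-Request
            return None
        pos += 3 + (2 if pdu & 0x08 else 0)   # flags, max-APDU, invoke ID (+ segmentation)
        if frame[pos] != SERVICE_WRITE_PROPERTY or frame[pos + 1] != 0x0C:
            return None
        (oid,) = struct.unpack(">I", frame[pos + 2:pos + 6])   # context tag 0: object ID
        pos += 6
        tag = frame[pos]                  # context tag 1: property identifier
        plen = tag & 0x07
        if tag & 0xF8 != 0x18 or not 1 <= plen <= 4:
            return None
        prop = int.from_bytes(frame[pos + 1:pos + 1 + plen], "big")
        pos += 1 + plen
        if frame[pos] & 0xF8 == 0x28:     # optional context tag 2: array index
            pos += 1 + (frame[pos] & 0x07)
        if frame[pos] != 0x3E:            # opening tag 3 wraps the value
            return None
        pos += 1
        value = priority = None
        if frame[pos] == 0x44:            # application tag 4 (REAL), 4 bytes
            (value,) = struct.unpack(">f", frame[pos + 1:pos + 5])
            pos += 5
            if frame[pos] == 0x3F and pos + 1 < len(frame) and frame[pos + 1] == 0x49:
                priority = frame[pos + 2]  # context tag 4: write priority
        return WriteProperty(oid >> 22, oid & 0x3FFFFF, prop, value, priority)
    except (IndexError, struct.error):
        return None                       # truncated or malformed frame


def evaluate(src_ip: str, frame: bytes, allowed_writers: set, bands: dict) -> list:
    """Return findings for one captured frame; an empty list means nothing to report."""
    wp = parse_write_property(frame)
    if wp is None:
        return []
    findings = []
    if src_ip not in allowed_writers:
        findings.append("unauthorized-writer")
    if wp.object_type == OBJ_ANALOG_VALUE and wp.property_id == PROP_PRESENT_VALUE:
        band = bands.get(wp.instance)
        if band is None:
            findings.append("unknown-setpoint-object")
        elif wp.value is None or not band[0] <= wp.value <= band[1]:
            findings.append("setpoint-out-of-band")
    return findings


# Constructed sample data (not captured traffic): Analog Value 1, present-value.
ALLOWED_WRITERS = {"10.20.0.5"}           # assumed edge-controller address
SETPOINT_BANDS = {1: (18.0, 30.0)}        # assumed acceptable setpoint range, deg C
NORMAL_WRITE = bytes.fromhex("810a001a01040005010f0c0080000119553e4441c000003f4908")  # 24.0
TAMPER_WRITE = bytes.fromhex("810a001a01040005010f0c0080000119553e44422000003f4908")  # 40.0
READ_PROPERTY = bytes.fromhex("810a001101040005010c0c008000011955")

if __name__ == "__main__":
    print(evaluate("10.20.0.5", NORMAL_WRITE, ALLOWED_WRITERS, SETPOINT_BANDS))
    print(evaluate("10.20.0.99", TAMPER_WRITE, ALLOWED_WRITERS, SETPOINT_BANDS))
```

The source address comes from the captured UDP/IP header and can be forged on an unauthenticated segment, so the allowlist finding is a tripwire; the value-band check still fires when the write appears to come from the legitimate controller.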
T041 — Lighting Dark-Period Violation (T, DREAD: 44): A DALI Direct Arc Power Control (DAPC) broadcast command forces all grow lights to maximum output during the required 12-hour dark period. For short-day plants such as cannabis, even brief light interruption during the dark period prevents flowering and can trigger hermaphroditism — pollen sac development that converts seedless flower valued at $1,500–3,000/lb to seeded product worth $100–200/lb, a 90–95% value destruction. Mapped to T0836 (Modify Parameter).
T055 — CO2 Injection Override (T, DREAD: 48): The digital output controlling the CO2 solenoid is latched in the energized state via GPIO manipulation, maintaining injection beyond the setpoint while simultaneously suppressing the CO2 high alarm. In a sealed 10,000 cu ft grow room with a 50 SCFH injection system, CO2 can reach IDLH concentrations within hours. CO2 is odorless; workers cannot detect rising levels without dedicated monitors. This is the highest-severity threat in the catalog: it combines cyber-physical manipulation with direct life-safety consequences. Mapped to T0836 (Modify Parameter).
B. Edge Layer Threats
The edge controller is the single most critical asset, bridging unauthenticated OT protocols to the cloud:
T064 — PID Loop Denial of Service (D, DREAD: 42): A fork bomb or out-of-memory condition on the edge controller halts the PID control loop cycle. Without active climate management, room conditions drift to ambient — potentially exceeding 35 °C in summer or dropping below 10 °C in winter — causing crop damage proportional to the duration of the outage. Mapped to T0814 (Denial of Service).
T066 — Autonomy Level Escalation (E, DREAD: 44): The progressive autonomy model (L1–L4) is a novel attack surface unique to AI-driven CEA. An unprotected local REST endpoint allows escalation from L1 (monitoring only) to L4 (full autonomous optimization), enabling the AI to make irreversible control decisions without operator approval. This threat has no analogue in traditional ICS threat models. Mapped to T0855 (Unauthorized Command Message).
C. Cloud and Integration Threats
T082 — Multi-Tenant Data Leak via IDOR (I, DREAD: 42): Insecure Direct Object Reference on the cloud dashboard allows enumeration of facility identifiers, exposing environmental telemetry, crop recipes, and yield data of competing tenants on the same platform. For cannabis operations, this data constitutes trade secrets worth $500K–$5M+. Mapped to T0811 (Data from Information Repositories).
T093 — Transfer Learning Model Injection (E, DREAD: 48): An unauthenticated PUT to the cloud model repository allows an attacker to push arbitrary neural network weights to the fleet. Models are deserialized via frameworks (ONNX, PyTorch) that may execute arbitrary code during loading. A malicious model distributed across all downstream facilities constitutes a supply-chain attack with fleet-wide impact. Mapped to T0889 (Modify Program).
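One way an edge controller can refuse the kind of artifact T093 describes, shown as an added example rather than the platform's own code: authenticate the blob, then statically list what the pickle stream would import before anything is deserialized. A bare pickle stream stands in for the model file, and HMAC-SHA256 with a provisioned key stands in for a publisher signature because the standard library has no asymmetric signing; the key, weights and function names are constructed assumptions.

```python
import hashlib
import hmac
import pickle
import pickletools


def sign(blob: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 tag over the artifact (stand-in for a publisher signature)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def imported_globals(blob: bytes) -> list:
    """List every module.name the pickle would import, without unpickling it."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(blob):
        if op.name in ("GLOBAL", "INST"):          # arg is "module name"
            found.append(arg.replace(" ", "."))
        elif op.name == "STACK_GLOBAL":            # module and name were pushed as strings
            found.append(".".join(strings[-2:]) if len(strings) >= 2 else "<unresolved>")
        elif op.name.startswith("EXT"):            # copyreg extension registry lookup
            found.append("<extension-registry>")
        elif isinstance(arg, str):
            strings.append(arg)
    return found


def vet_model(blob: bytes, signature: bytes, key: bytes,
              allowed_globals: frozenset = frozenset()) -> tuple:
    """Return (accepted, reason). Nothing in the blob is executed here."""
    if not hmac.compare_digest(sign(blob, key), signature):
        return (False, "bad-signature")
    try:
        names = imported_globals(blob)
    except Exception:                              # truncated or corrupt stream
        return (False, "malformed-pickle")
    for name in names:
        if name not in allowed_globals:
            return (False, "disallowed-global:" + name)
    return (True, "ok")


def load_weights(blob: bytes, signature: bytes, key: bytes,
                 allowed_globals: frozenset = frozenset()):
    """Deserialize only after both checks pass."""
    accepted, reason = vet_model(blob, signature, key, allowed_globals)
    if not accepted:
        raise ValueError("model rejected: " + reason)
    return pickle.loads(blob)


# Constructed sample data. The weights are plain lists, so the stream imports nothing.
DEMO_KEY = b"constructed-demo-key"
GOOD_MODEL = pickle.dumps({"kp_layer": [0.12, -0.4, 0.9], "bias": [0.0, 0.1, 0.2]},
                          protocol=4)


class _CallsOnLoad:
    """Harmless stand-in for a model file that invokes a callable when loaded."""

    def __reduce__(self):
        return (len, ("x",))


CALLABLE_MODEL = pickle.dumps(_CallsOnLoad(), protocol=4)

if __name__ == "__main__":
    print(vet_model(GOOD_MODEL, sign(GOOD_MODEL, DEMO_KEY), DEMO_KEY))
    # Correctly signed, as after a repository or signing-key compromise, yet rejected.
    print(vet_model(CALLABLE_MODEL, sign(CALLABLE_MODEL, DEMO_KEY), DEMO_KEY))
```

The second check matters when the first one passes: a supply-chain attacker who controls the repository or the signing key produces validly signed artifacts, and only the import allowlist stops those.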
T095 — Compliance API Key Theft (S, DREAD: 46): Stolen Metrc or BioTrack API credentials enable creation of fraudulent seed-to-sale tracking tags, triggering state-level regulatory investigations that can result in license suspension or revocation. Cannabis licenses represent $250K–$500K+ in direct cost and tens of millions in facility investment at risk. Mapped to T0859 (Valid Accounts).
D. MITRE ATT&CK for ICS Coverage
The 123 threats map to 19 distinct MITRE ATT&CK for ICS techniques across 10 of the 12 ICS tactics. The most frequently mapped techniques are T0814 (Denial of Service, 17 threats), T0872 (Indicator Removal on Host, 16 threats), T0848 (Rogue Master/Relay, 14 threats), and T0836 (Modify Parameter, 13 threats). The unmapped tactics are Collection and Command and Control, which are subsumed by the cloud-layer threat analysis.
E. DREAD Severity Distribution
The ten highest-severity threats (DREAD ≥ 46) cluster around four categories: life-safety (CO2 sensor manipulation T008, CO2 injection override T055/T058), unauthorized command execution (T030, T048, T073, T074), supply chain compromise (T093, T101), and regulatory exposure (compliance API key theft T095). All ten are mitigable with existing technology; none require novel research.
TABLE III
DREAD SEVERITY DISTRIBUTION
| DREAD Range | Count | Interpretation |
|---|---|---|
| 40–50 (Critical) | 47 | Immediate mitigation required |
| 30–39 (High) | 48 | Scheduled mitigation |
| 20–29 (Medium) | 27 | Backlog |
| <20 (Low) | 1 | Accept |
VI. PHYSICAL IMPACT ANALYSIS
CEA cyberattacks differ fundamentally from traditional IT breaches because the target is a biological process with irreversible damage timelines. Table IV quantifies the physical consequences of the six primary attack scenarios.
The cascading failure timeline under a full ransomware lockout is particularly severe: lights generate 30–50 BTU/sq ft/hr, driving temperature increases within 2 hours; aeroponic and NFT systems begin failing within 2–4 hours as pump circulation stops; condensation and humidity buildup create pathogen conditions within 24–48 hours; and total crop loss occurs within 72 hours to 7 days depending on substrate type and season.
For cannabis specifically, the financial exposure is disproportionate to facility size. Indoor cannabis flower yields 35–70 g/sq ft per harvest cycle at wholesale prices of $1,000–3,100/lb, producing $165/sq ft per cycle. A single 10,000 sq ft flowering room represents approximately $1.65 million per harvest, and a hermaphroditism event from lighting disruption can destroy 90–95% of this value in a single incident.
VII. ADVERSARIAL MACHINE LEARNING THREATS
Modern CEA platforms incorporate machine learning components that introduce a novel attack surface not covered by traditional ICS threat models. Our literature review confirms that no published work addresses adversarial ML attacks specifically against CEA control systems. We identify five novel attack classes by composing established adversarial ML techniques with CEA-specific physics, biology, and economics.
A. Stealth Destabilization of NN-Tuned PID (Novel)
The 7-3-3 MLP that auto-tunes PID gains ( Kp , Ki , Kd ) operates as an online learning system. An attacker with sensorchannel access injects slow, low-amplitude biased measurements over days or weeks. The MLP accumulates toward a local optimum that produces marginally stable gains. Control appears correct until a disturbance (door opening, lighting transition) triggers oscillation that overshoots setpoints enough to damage flowering-stage crops.
Unlike classic PID attacks (e.g., Stuxnet [32], which manipulated controller outputs), this attack manipulates the tuner — leaving a much smaller forensic footprint attributable to “model drift” rather than compromise. The attack is feasible because the Jagielski et al. [33] poisoning framework for regression models applies directly to the 7-3-3 MLP’s continuous Kp/Ki/Kd output space.
TABLE IV
PHYSICAL IMPACT OF CYBER-PHYSICAL ATTACKS ON CEA SYSTEMS
| Attack Scenario | Physical Consequence | Time to Damage | Financial Impact | Regulatory Impact |
|---|---|---|---|---|
| Temperature +5 °C above optimal | Pollen failure (tomato >32 °C), terpene loss (cannabis >30 °C), crop death at 45 °C | Hours to days | $100K–$1M+ per facility | None |
| Humidity >85% RH, VPD <0.4 kPa | Botrytis within 48–72 h; powdery mildew within 3–7 days | 48–72 hours | $500K–$1.5M (cannabis); remediation $50K–$200K | Failed state testing (TYM) |
| CO2 injection >5,000 ppm | Worker headache/drowsiness; >40,000 ppm: IDLH, loss of consciousness; >80,000 ppm: death within minutes | Hours (sealed room with 50 SCFH system) | Safety incident + liability | OSHA citation |
| Irrigation shutoff | Aeroponics: minutes; NFT: 2–4 h; rockwool: 6–24 h; coco: 12–48 h | Minutes to days (substrate-dependent) | $100K–$500K | None |
| Lighting dark-period violation | Cannabis hermaphroditism (90–95% value destruction); flowering reversion | 2–3 nights | $1.65M per 10,000 sq ft event | None |
| Ransomware (total lockout) | Cascading: temp rise (0–2 h), irrigation failure (2–8 h), mold germination (24–48 h), total crop loss (72 h–7 d) | 72 hours to total loss | $500K–$5M+ | Compliance data loss |
B. Baseline Drift Poisoning of Anomaly Detectors (Novel)
The autoencoder-based anomaly detector retrains on rolling windows to accommodate legitimate drift from plant growth stages and seasonal HVAC behavior. An attacker gradually expands the “normal” manifold by injecting small, slowly drifting anomalies during retraining windows. After N weeks, the detector accepts clearly abnormal conditions as normal, enabling a subsequent payload attack (e.g., humidity spike) to proceed undetected.
This attack extends the constrained concealment framework of Erba et al. [34] from water treatment to CEA, exploiting the fact that legitimate concept drift in CEA provides cover for malicious drift.
C. Cross-Facility Transfer Learning Propagation (Novel)
Cross-facility transfer learning is a core CEA value proposition: models learned at Facility A are deployed to Facility B without sharing proprietary data. A compromised facility (via employee, supply chain, or intrusion) pushes a backdoored weight delta into the global model via the federated update channel. The backdoor is triggered by a specific environmental pattern (e.g., CO2=842 ppm ∧ EC=2.31 mS/cm) unlikely to occur naturally but inducible by the attacker at the target facility later.
This attack composes Bagdasaryan et al.’s [35] federated learning backdoor with Turner et al.’s clean-label technique [36]. The low participant count in CEA federations (5–30 facilities vs. millions of mobile devices) dramatically increases per-attacker influence, and no CEA platform deploys Byzantine-robust aggregation (Krum, trimmed mean) — naive FedAvg is the norm.
D. Adversarial Agronomic Schedules (Novel)
This is the most novel and CEA-unique attack class. An adversary generates irrigation, fertigation, or lighting schedules that are:
- In-distribution for the anomaly detector (no alarm triggered)
- In-spec for regulatory compliance limits
- Agronomically sound on paper (individual parameters within accepted ranges)
Yet these schedules interact with crop biology — specific cultivar × growth stage × historical stress — to cause physiological damage: tip-burn, blossom-end rot, nutrient lockout, or flowering reversion.
This is the first reported adversarial ML attack class where the “classifier” being fooled is a living organism rather than a computational model. The perturbation budget is defined by agronomic norms rather than Lp balls, and the defender’s anomaly detector sees nothing wrong because nothing is wrong numerically — the crop nonetheless fails. This attack requires horticultural domain knowledge, but this knowledge is available in the public literature for every major CEA crop.
E. Reward Poisoning of RL Energy Optimizer (Novel)
The cascading VPD energy optimizer uses reinforcement learning with a multi-objective reward function combining energy cost minimization and environmental stability. Reward poisoning [37] biases the optimizer toward marginal setpoints that save energy measurably but degrade crop quality subtly (e.g., slightly lower night VPD that promotes pathogen growth while improving kWh/kg on the attacker’s chosen metric). The KPI looks better; the crop looks worse over months. Detection requires ground-truth crop quality audits — a feedback loop measured in biological time (weeks), not computational time (seconds).
VIII. CEA VENDOR SECURITY SURVEY
We surveyed the cybersecurity posture of 10 commercial CEA control system vendors. Table V summarizes the findings.
The single CVE (CVE-2022-3010) affects Priva’s TopControl Suite [42]: a weak password hash (CWE-916) with CVSS 7.5, disclosed by NorthWave via the Dutch Institute for Vulnerability Disclosure (DIVD). No other CEA vendor has received a CISA ICS-CERT advisory, conducted a public penetration test, or published a security architecture document.
This finding is striking when compared to adjacent sectors. Building automation vendors (Honeywell/Tridium, Johnson Controls, Schneider Electric) have accumulated hundreds of CVEs, operate coordinated disclosure programs, and increasingly pursue IEC 62443 certification. The CEA vendor category is a decade behind in cybersecurity maturity.
Supply chain jurisdiction is a concern: TrolMaster, the dominant vendor in U.S. cannabis cultivation, is designed and manufactured in China (Xiamen). Under the PRC National Intelligence Law (2017) and Data Security Law (2021), Chinese firms may be legally compelled to assist state intelligence operations. TrolMaster’s cloud tunnel is always-on by default, routing all facility telemetry through AWS endpoints configured by the vendor. The firmware is closed-source with no published security audit.
IX. COUNTERMEASURE FRAMEWORK
We propose a defense-in-depth framework organized by IEC 62443 security levels, with countermeasures mapped to IEC 62443-3-3 foundational requirements (FR), NIST CSF v2.0 functions, and OWASP IoT Top 10 [41] categories.
A. Network Segmentation (FR 5: Restricted Data Flow)
CEA facilities should implement the Purdue Enterprise Reference Architecture with at least four VLANs: OT-Control (PLCs, RTUs), OT-Sensors, IT-Corporate, and a DMZ between OT and IT networks. For SME farms with budgets under $10K, cost-effective implementation uses pfSense/OPNsense open-source firewalls ($300–500 hardware), managed switches with VLAN support (Cisco CBS250, Ubiquiti USW-Pro24, $200–600), and SecurityOnion for SIEM/IDS integration (free). Enterprise deployments should consider unidirectional gateways (data diodes) from Waterfall Security or Owl Cyber Defense for the OT-to-IT boundary.
B. Protocol Security (FR 4: Data Confidentiality)
BACnet Secure Connect (BACnet/SC, ASHRAE 135 Addendum bj) adds TLS 1.3 and X.509 certificate-based device authentication but has seen minimal adoption in CEA-specific controllers. The Modbus/TCP Security Specification (2018) defines TLS wrapping on port 802 but is effectively unadopted. For practical deployment, we recommend: (1) MQTT with TLS and client certificates as the primary IoT telemetry protocol; (2) WireGuard VPN tunnels for Modbus/TCP segments crossing untrusted networks; (3) migration from analog I/O (4–20 mA, 0–10 V) to IO-Link (IEC 61131-9) for new installations; and (4) physical protection (metallic conduit, tamper-evident enclosures) for legacy analog wiring.
C. Monitoring and Detection (FR 6: Timely Response)
We recommend a dual detection strategy combining network anomaly detection (Suricata 7.x with ICS rulesets on a passive SPAN tap) and process anomaly detection (statistical process control at minimum; autoencoder-based ML detection for high-value zones). Process anomaly detection is more valuable for CEA than network anomaly detection because attacks via compromised legitimate devices produce normal-looking network traffic while creating abnormal process behavior.
A CEA-unique defense opportunity exists: crop growth rate as an integrity signal. Computer vision monitoring of plant height, leaf area index, and canopy color provides an independent verification channel. If sensors report optimal conditions but visual crop health diverges from the growth model, the sensors may be compromised. This defense is unavailable in any other ICS domain.
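One way to operationalize the growth-rate integrity signal, as an added example that is not from the paper or its platform: a one-sided CUSUM (a standard statistical process control chart) over the gap between growth predicted from reported sensor conditions and growth measured by camera. The growth figures, `sigma`, and the CUSUM parameters `k` and `h` are constructed for illustration, and the function and field names are assumptions of this example.

```python
"""Added example: growth-rate integrity check with a one-sided CUSUM chart."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IntegrityResult:
    cusum_alarm_day: Optional[int]     # first day the cumulative shortfall crossed h
    shewhart_alarm_day: Optional[int]  # first day a single residual exceeded 3 sigma
    trace: List[float]                 # CUSUM statistic per day


def growth_integrity_check(predicted, measured, sigma, k=0.5, h=5.0):
    """Compare model-predicted growth (driven by reported sensor values) with
    camera-measured growth, both as daily height gain.

    sigma is the residual standard deviation measured at commissioning and then
    frozen, so slow manipulation cannot widen the tolerance over time.
    k (slack) and h (alarm threshold) are expressed in sigma units.
    """
    if sigma <= 0:
        raise ValueError("sigma must be positive")
    if len(predicted) != len(measured):
        raise ValueError("predicted and measured must have equal length")
    s = 0.0
    cusum_day = shewhart_day = None
    trace = []
    for day, (p, m) in enumerate(zip(predicted, measured)):
        z = (m - p) / sigma
        # Per-sample 3-sigma rule, kept for comparison with the CUSUM result.
        if shewhart_day is None and abs(z) > 3.0:
            shewhart_day = day
        # Accumulate only shortfall: crop growing slower than the model expects.
        s = max(0.0, s - z - k)
        trace.append(s)
        if cusum_day is None and s > h:
            cusum_day = day
    return IntegrityResult(cusum_day, shewhart_day, trace)


# Constructed data: daily height gain in cm. Sensors report optimal conditions
# throughout, so the growth model predicts a steady 2.0 cm/day.
PREDICTED = [2.0] * 18
SIGMA = 0.2
MEASURED_CLEAN = [2.1, 1.9, 2.0, 2.2, 1.8, 2.0, 2.1, 1.9, 2.0,
                  2.1, 2.0, 1.9, 2.1, 2.0, 1.8, 2.2, 2.0, 1.9]
# From day 10 the canopy grows about 0.3 cm/day slower than predicted while
# the reported sensor values stay unchanged.
MEASURED_DIVERGING = MEASURED_CLEAN[:10] + [1.7, 1.8, 1.6, 1.7, 1.8, 1.7, 1.6, 1.7]


def demo():
    clean = growth_integrity_check(PREDICTED, MEASURED_CLEAN, SIGMA)
    diverging = growth_integrity_check(PREDICTED, MEASURED_DIVERGING, SIGMA)
    return clean, diverging


if __name__ == "__main__":
    clean, diverging = demo()
    print("clean:    ", clean.cusum_alarm_day, clean.shewhart_alarm_day)
    print("diverging:", diverging.cusum_alarm_day, diverging.shewhart_alarm_day)
```

No single day in the diverging series breaches the 3-sigma rule; only the accumulated shortfall raises the alarm, which is the case a per-sample threshold misses.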
D. AI/ML Security
Defenses against the five novel AI/ML threats (Section VII) require:
- Gain rate-of-change limiters enforced at the actuator driver level, independent of the NN tuner
- Out-of-band “golden baseline” anomaly models retained from commissioning, independent of rolling retraining
- Byzantine-robust aggregation (Krum [38], FLTrust [39]) for cross-facility transfer learning
- Plant-response-aware anomaly detection over schedule trajectories, not just point values
- Multi-objective RL reward functions with crop-quality constraints verified by ground-truth audits
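The Krum and trimmed-mean aggregation named in Section VII-C and in the list above, as an added example that is not the platform's code: a pure-Python comparison against naive FedAvg on constructed three-weight deltas from seven hypothetical facilities, one of which submits an outlying update. All function names and the outlier-flagging factor are assumptions of this example; FLTrust is not implemented here.

```python
"""Added example: naive FedAvg vs. Byzantine-robust aggregation of updates."""
import math
from statistics import median


def fedavg(deltas):
    """Naive unweighted FedAvg: coordinate-wise mean of every submitted delta."""
    return [sum(col) / len(deltas) for col in zip(*deltas)]


def trimmed_mean(deltas, trim):
    """Coordinate-wise trimmed mean: for each weight, drop the `trim` highest
    and `trim` lowest submissions before averaging."""
    n = len(deltas)
    if 2 * trim >= n:
        raise ValueError("trim would remove every submission")
    return [sum(sorted(col)[trim:n - trim]) / (n - 2 * trim) for col in zip(*deltas)]


def krum_max_faulty(n):
    """Largest number of faulty participants Krum tolerates (n >= 2f + 3)."""
    return max((n - 3) // 2, 0)


def krum_select(deltas, f):
    """Krum: score each update by the summed squared distance to its n - f - 2
    nearest neighbours and return (index of lowest score, all scores)."""
    n = len(deltas)
    if n < 2 * f + 3:
        raise ValueError(f"Krum needs n >= 2f + 3; got n={n}, f={f}")
    scores = []
    for i, di in enumerate(deltas):
        d2 = sorted(sum((a - b) ** 2 for a, b in zip(di, dj))
                    for j, dj in enumerate(deltas) if j != i)
        scores.append(sum(d2[:n - f - 2]))
    return min(range(n), key=scores.__getitem__), scores


def flag_outliers(deltas, robust, factor=10.0):
    """Indices whose distance to the robust aggregate exceeds factor x the
    median distance; these are candidates for investigation, not proof."""
    dist = [math.dist(d, robust) for d in deltas]
    cut = factor * median(dist)
    return [i for i, d in enumerate(dist) if d > cut]


# Constructed sample: weight deltas from 7 hypothetical facilities.
DELTAS = [
    [0.10, -0.05, 0.02],
    [0.12, -0.04, 0.01],
    [0.09, -0.06, 0.03],
    [0.11, -0.05, 0.02],
    [0.10, -0.05, 2.82],  # facility 4: update far from the others
    [0.10, -0.04, 0.02],
    [0.08, -0.06, 0.02],
]


def compare(deltas=DELTAS, f=1):
    robust = trimmed_mean(deltas, trim=f)
    chosen, _scores = krum_select(deltas, f)
    return {
        "fedavg": fedavg(deltas),
        "trimmed": robust,
        "krum_index": chosen,
        "flagged": flag_outliers(deltas, robust),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
    print("Krum tolerance for n=5:", krum_max_faulty(5), "n=30:", krum_max_faulty(30))
```

With only five participants Krum tolerates a single faulty facility, and the aggregator should refuse to run rather than fall back to plain averaging when the federation is smaller than the bound allows.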
E. Incident Response
CEA incident response differs critically from traditional IT: do not isolate OT systems by shutting them down. A greenhouse without climate control in summer can reach lethal temperatures within one hour. Instead, sever external access at the DMZ firewall while maintaining internal control loops, switch affected systems to manual/local mode, and deploy personnel with handheld instruments (thermometer, hygrometer, pH pen, EC pen, CO2 monitor) for physical monitoring.
F. Recommended Security Levels
Based on our threat analysis, we recommend:
- SL 1 (Basic hygiene): all CEA operations — change default credentials, segment networks, patch, maintain offline backups.
- SL 2 (Managed): commercial CEA — dedicated firewalls, IDS, RBAC, encrypted protocols, incident response plan.
- SL 3 (Proactive): high-value/regulated operations (pharmaceutical cannabis, research facilities) — certificate-based device authentication, ML anomaly detection, penetration testing, SBOM management.
TABLE V
CEA CONTROL SYSTEM VENDOR CYBERSECURITY POSTURE
| Vendor | HQ | Segment | Protocols | CVEs | Bug Bounty | 62443 Cert | SOC 2 |
|---|---|---|---|---|---|---|---|
| Priva | Netherlands | Greenhouse | BACnet, Modbus | 1 | No | No | No |
| Argus Controls | Canada | Research/Cannabis | Proprietary → BACnet/Modbus | 0 | No | No | No |
| TrolMaster | China | Cannabis | Proprietary, AWS cloud | 0 | No | No | No |
| Wadsworth | USA | Greenhouse | BACnet | 0 | No | No | No |
| Hoogendoorn | Netherlands | Greenhouse | Proprietary, BACnet | 0 | No | No | No |
| Ridder/HortiMaX | Netherlands | Greenhouse | BACnet, Modbus | 0 | No | No | No |
| Growlink | USA | Cannabis | BACnet, Modbus, REST API | 0 | No | No | No |
| Autogrow (Priva) | New Zealand | Indoor/Cannabis | NATS, REST API | 0 | No | No | No |
| iUNU/LUNA | USA | Vision/Monitoring | Cloud-only (no actuator control) | 0 | No | No | No |
| Source.ag | Netherlands | AI Overlay | Reads/writes to underlying BMS | 0 | No | No | No |
X. DISCUSSION
A. Comparison with Adjacent Domains
Our enumeration of 123 threats compares favorably with adjacent threat models: Fereidooni et al. [13] identified 58 threats for precision agriculture (we cover a broader stack and find 2.1× more), and Tripathi et al. [14] identified 126 threats for smart greenhouses (comparable count but our threats include cloud, ML, and compliance layers they did not address). The building automation security analysis [12] identifies protocol-level BACnet and Modbus vulnerabilities that transfer directly to CEA but does not address the agricultural impact layer.
B. Novel Contributions Beyond Traditional ICS
Three aspects of CEA create threat categories absent from general ICS threat models:
Biological targets: CEA is the only ICS domain where the process output is a living organism with irreversible damage timelines measured in hours. This creates asymmetric risk — a 4-hour HVAC outage in a commercial building is an inconvenience; in a flowering cannabis facility, it is a $1.65M loss.
Progressive autonomy: The L1–L4 autonomy model introduces a novel privilege escalation vector (T066) with no analogue in traditional SCADA.
Federated ML: Cross-facility transfer learning creates multi-tenant poisoning vectors (T090–T093) not addressed by IEC 62443 or NIST SP 800-82.
Safety-security coupling: CEA facilities with CO2 enrichment systems operate safety-critical interlocks (high-CO2 alarms, emergency exhaust fans) that can be disabled through the same unauthenticated OT protocols used for normal control. The TRITON/TRISIS precedent [43] demonstrated that safety systems are not immune to targeted compromise when they share network infrastructure with control systems. ISA TR84.00.09 (Cybersecurity Related to the Safety Lifecycle) provides guidance for integrating cybersecurity into Safety Instrumented System design, but no CEA vendor or operator is known to have adopted it.
Legacy and vendor-failure risk: The CEA industry faces a growing population of stranded control systems from vendor failures. Between 2022 and 2023, five major indoor farming operators — InFarm, AeroFarms (Chapter 11), Fifth Season, Kalera, and AppHarvest — declared bankruptcy [49], each leaving behind custom control stacks with no ongoing security support. Hoogendoorn’s flagship iSii process computer reached end-of-sale on January 1, 2026, creating a population of Linux-based controllers that will operate for 15–20 years with declining patch cadence. These legacy systems represent an expanding attack surface with no responsible party for vulnerability management.
C. Regulatory Implications
The U.S. regulatory vacuum for CEA cybersecurity — voluntary CISA guidelines with no mandatory requirements, no FSMA cybersecurity component, no state-level cannabis cybersecurity mandates — stands in contrast to the EU NIS2 Directive, which explicitly includes food production as an “important entity” subject to mandatory risk management. We argue that CEA systems managing controlled substances (cannabis), food crops under FSMA jurisdiction, or facility environments with worker-safety-critical CO2 systems should be subject to mandatory cybersecurity baselines aligned with IEC 62443 SL 2.
D. Limitations
This threat model is developed against a single vendor’s architecture. While the three-tier pattern (field/edge/cloud) and the protocol portfolio (Modbus, BACnet, MQTT) are representative of the broader CEA industry, vendor-specific implementation details (e.g., TrolMaster’s proprietary bus protocol, Priva’s Windows-based supervisory layer) introduce threats not captured here. The DREAD scoring methodology, while practical, is subjective; future work should apply FAIR quantitative risk analysis with Monte Carlo simulation. The expert validation (Delphi) planned for this work was not completed within the submission timeline and will be reported in a follow-up study.
E. Ethical Considerations
This paper discloses no zero-day vulnerabilities. All threats are derived from publicly documented protocol weaknesses, published CVEs, and architectural analysis. The decision to publish aligns with the Kohnfelder and Shostack [21] position that published threat models improve collective defense. Specific facility locations, IP addresses, and customer identities are not disclosed.
XI. CONCLUSION
This paper presents the first comprehensive threat model for IoT-enabled Controlled Environment Agriculture systems. Systematic STRIDE analysis of a production platform deployed across 30+ facilities yields 123 unique threats across 25 DFD elements and 15 communication protocols, mapped to 19 MITRE ATT&CK for ICS techniques and scored using DREAD risk assessment. We identify five novel attack classes unique to AI-driven CEA, including adversarial agronomic schedules — the first adversarial ML attack targeting a biological organism rather than a computational model.
The near-total absence of public cybersecurity posture among CEA vendors (one CVE across ten vendors, zero bug bounties, zero IEC 62443 certifications) represents a systemic risk to a critical infrastructure sector. The U.S. regulatory vacuum — no mandatory cybersecurity requirements despite critical infrastructure designation — leaves CEA operators without compliance incentives or guidance.
We recommend that: (1) CEA operators adopt IEC 62443 SL 2 as a minimum baseline; (2) regulatory bodies extend mandatory cybersecurity requirements to CEA facilities managing food crops, controlled substances, or worker-safety-critical systems; (3) CEA vendors establish coordinated vulnerability disclosure programs and pursue IEC 62443-4-1 product development certification; and (4) the research community develop CEA-specific digital twin cyber ranges to enable safe security testing without risking production crops.
The complete threat catalog, DFD artifacts, and DREAD scoring matrices are provided as supplementary materials accompanying this paper.
REFERENCES
- [1] Research Nester, “Controlled environment agriculture market size, share & trends analysis report,” 2025. [Online]. Available: Controlled Environment Agriculture Market Size, Share & Growth Forecast 2026-2035
- [2] A. Vakhnovskyi, “IOGRUCloud: A scalable AI-driven IoT platform for climate control in controlled environment agriculture,” arXiv preprint arXiv:2604.07586, 2026.
- [3] Cybersecurity and Infrastructure Security Agency, “Food and agriculture sector,” 2024. [Online]. Available: https://www.cisa.gov/topics/criticalinfrastructure-security-and-resilience/critical-infrastructure-sectors/foodand-agriculture-sector
- [4] Federal Bureau of Investigation, “Ransomware attacks on agricultural cooperatives potentially timed to critical seasons,” Private Industry Notification, Apr. 2022.
- [5] Halcyon, “Ransomware attacks targeting agriculture and food production doubled in 2025,” Halcyon Blog, 2025.
- [6] B. Fung, “JBS paid $11 million to resolve ransomware attack,” CNN Business, Jun. 2021. [Online]. Available: https://www.cnn.com/2021/06/09/business/jbs-cyberattack-ransompaid/
- [7] J. Greig, “BlackMatter ransomware hits Iowa grain cooperative NEW Cooperative,” ZDNet, Sep. 2021. [Online]. Available: https://www.zdnet.com/article/blackmatter-ransomware-hits-iowagrain-cooperative/
- [8] L. Abrams, “STIIIZY data breach exposes cannabis buyers’ IDs and purchases,” BleepingComputer, Jan. 2025. [Online]. Available: https://www.bleepingcomputer.com/news/security/stiiizy-data-breach/
- [9] M. Jbair, B. Ahmad, and R. Harrison, “Threat modelling of cyberphysical systems — a case study of a microgrid system,” Computers & Security, vol. 124, 2023.
- [10] R. Moreira, E. Custódio, and A. Pinto, “A systematic review of TARA methodologies for connected and automated vehicles,” IEEE Access, vol. 12, pp. 42560–42583, 2024.
- [11] M. Z. Hasan, R. Hasan, and S. Islam, “STRIDE-based threat modeling and risk assessment framework for IoT-enabled smart healthcare systems,” Sensors, vol. 25, no. 3, 2025.
- [12] R. Kaur, D. Gabrijelcic, and T. Peceny, “On building automation system security,” Internet of Things, vol. 25, p. 101063, Elsevier, 2024.
- [13] H. Fereidooni, A. Taheri, and A.-R. Sadeghi, “STRIDE-based cyber security threat modeling for IoT-enabled precision agriculture systems,” in Proc. IEEE CCNC, 2022, pp. 955–960. DOI: 10.1109/CCNC49032.2022.9732597.
- [14] N. Tripathi, N. Hubballi, and Y. Singh, “A study on threat modeling in smart greenhouses,” J. Inform. Security Cybercrimes Res., 2021.
- [15] A. Shostack, Threat Modeling: Designing for Security. Wiley, 2014.
- [16] MITRE, “ATT&CK for Industrial Control Systems,” 2020. [Online]. Available: Matrix - ICS | MITRE ATT&CK®
- [17] ISA/IEC 62443, “Industrial automation and control systems security,” International Society of Automation, 2013–2024.
- [18] M. Howard and D. LeBlanc, Writing Secure Code, 2nd ed. Microsoft Press, 2002.
- [19] W. Xiong and R. Lagerström, “Threat modeling — a systematic literature review,” Computers & Security, vol. 84, pp. 53–69, 2019.
- [20] N. Shevchenko et al., “Threat modeling: A summary of available methods,” SEI CMU, Tech. Rep., 2018.
- [21] D. Kohnfelder and A. Shostack, “Publish your threat models!” arXiv preprint arXiv:2511.08295, 2025.
- [22] M. A. Ferrag et al., “Deep learning for cyber security intrusion detection: Approaches, datasets, and comparative study,” J. Inform. Security Appl., 2020.
- [23] M. Gupta et al., “A review on security of smart farming and precision agriculture,” Applied Sciences, vol. 11, no. 16, 2021.
- [24] A. Alahmadi, N. Alkhatib, and M. Alardhi, “Cyber security in smart agriculture: Threat types, current status, and future trends,” Computers and Electronics in Agriculture, vol. 224, p. 109202, 2024.
- [25] M. Hossain, Y. Sani, and S. Kashem, “Cybersecurity in smart agriculture: A systematic literature review,” Computers & Security, vol. 146, p. 104051, 2024.
- [26] S. Kulkarni et al., “A review of cybersecurity incidents in the food and agriculture sector,” Smart Agricultural Technology, 2025. arXiv:2403.08036.
- [27] R. S. Murch et al., “Cyberbiosecurity: An emerging new discipline to help safeguard the bioeconomy,” Frontiers in Bioengineering and Biotechnology, 2018.
- [28] S. E. Duncan et al., “Cyberbiosecurity: A new perspective on protecting U.S. food and agricultural system,” Frontiers in Bioengineering and Biotechnology, vol. 7, p. 63, 2019.
- [29] A. Humayed, J. Lin, F. Li, and B. Luo, “Threat modeling of industrial control systems: A systematic literature review,” Computers & Security, vol. 137, p. 103617, 2024.
- [30] Food and Ag-ISAC, “72 active threat actors targeting food supply chains,” Industrial Cyber, 2025.
- [31] Hunt & Hackett, “Agriculture in the crosshairs of nation-state sponsored hackers,” 2024.
- [32] R. Langner, “Stuxnet: Dissecting a cyberwarfare weapon,” IEEE Security & Privacy, vol. 9, no. 3, pp. 49–51, 2011.
- [33] M. Jagielski, A. Oprea, B. Biggio, C. Liu, C. Nita-Rotaru, and B. Li, “Manipulating machine learning: Poisoning attacks and countermeasures for regression learning,” in Proc. IEEE S&P, 2018.
- [34] A. Erba et al., “Constrained concealment attacks against reconstruction-based anomaly detectors in industrial control systems,” in Proc. ACSAC, 2020.
- [35] E. Bagdasaryan, A. Veit, Y. Hua, D. Estrin, and V. Shmatikov, “How to backdoor federated learning,” in Proc. AISTATS, 2020.
- [36] A. Turner, D. Tsipras, and A. Madry, “Clean-label backdoor attacks,” in ICLR Workshop, 2019.
- [37] Y. Ma, X. Zhang, W. Sun, and J. Zhu, “Policy poisoning in batch reinforcement learning and control,” in Proc. NeurIPS, 2019.
- [38] P. Blanchard, E. M. El Mhamdi, R. Guerraoui, and J. Stainer, “Machine learning with adversaries: Byzantine tolerant gradient descent,” in Proc. NeurIPS, 2017.
- [39] X. Cao et al., “FLTrust: Byzantine-robust federated learning via trust bootstrapping,” in Proc. NDSS, 2021.
- [40] NIST, “Guide to operational technology (OT) security,” NIST SP 800-82 Rev. 3, Sep. 2023.
- [41] OWASP, “IoT Top 10,” 2018. [Online]. Available: OWASP Internet of Things | OWASP Foundation
- [42] CISA, “Priva TopControl Suite,” ICSA-22-356-01, Dec. 2022. CVE-2022-3010, CVSS 7.5.
- [43] A. Di Pinto, Y. Dragoni, and A. Carcano, “TRITON: How it disrupted safety systems and changed the threat landscape of industrial control systems forever,” in Proc. Black Hat USA, 2018.
- [44] R. M. Lee, M. J. Assante, and T. Conway, “Analysis of the cyber attack on the Ukrainian power grid,” Electricity Information Sharing and Analysis Center (E-ISAC) and SANS ICS, Mar. 2016.
- [45] CISA, “Honeywell/Tridium Niagara Framework multiple vulnerabilities,” ICS-CERT Advisories, 2025. [13 CVEs disclosed in 2025 affecting Niagara 4 Framework versions prior to 4.14.]
- [46] CISA, “Contemporary Controls BAScontrol BASC-20T unauthenticated remote code execution,” ICS-CERT Advisory, CVE-2025-13926, 2025.
- [47] U.S. Department of Justice, “Chinese citizen sentenced on charges of conspiring to steal trade secrets,” Press Release, Oct. 2016. [Online]. Available: https://www.justice.gov/opa/pr/chinese-citizen-sentencedcharges-conspiring-steal-trade-secrets
- [48] U.S. Department of Justice, “Former Monsanto scientist sentenced for stealing trade secrets,” Press Release, Nov. 2017.
- [49] H. Pham, “Indoor farming’s reckoning: AeroFarms, AppHarvest, and the vertical farming shakeout,” AgFunderNews, 2023. [Online]. Available: https://agfundernews.com/indoor-farming-shakeout
Andrii Vakhnovskyi received the B.S. degree in computer engineering and the M.S. degree in systems engineering from the National Technical University “Kharkiv Polytechnic Institute” (NTU “KhPI”), Ukraine, in 2009 and 2011, respectively. He is the Founder and CEO of IOGRU LLC, New York, NY, where he develops AI-driven IoT platforms for climate control in controlled environment agriculture. His systems have been deployed across 30+ commercial facilities in 8 U.S. climate zones, managing over 10 million square feet of cultivation space. He is a Senior Member of ISA and a Member of IEEE. His research interests include industrial IoT security, neural network control, and adversarial machine learning in cyber-physical systems.