
A Cybersecurity Checklist for the Indoor Ag Community

 

In this guest post, Andrew Rose, Advisor with the BIO-ISAC and a speaker at the recent Indoor Ag-Con 2026, shares a practical checklist designed to help growers ask the right cybersecurity questions when evaluating technology vendors—and protect the systems their operations depend on.

Indoor agriculture runs on tech: environmental controls, nutrient dosing systems, sensors, robotics, crop analytics platforms, cloud dashboards, remote monitoring from your phone, and more. Each new device or platform increases productivity and visibility, but it also increases your digital attack surface.

Most growers evaluate vendors based on yield improvement, labor savings, integration, and cost. That makes sense. However, they rarely think about security and what will happen when their system gets hacked.

A ransomware-bricked network can halt climate systems. A compromised sensor network can corrupt data needed for FSMA validation. A breached cloud account can expose proprietary production information or customer contracts. In a financially intensive and time-sensitive environment like indoor agriculture, downtime after an attack can sink the entire operation.

Below is a straightforward checklist developed for growers in the Indoor Ag-Con community to use when evaluating technology vendors.

Basic Security and Password Protection

  • Does the equipment or software require a password or login?
  • Can I change the default password myself? How?
  • Do you enforce strong password requirements (length and complexity)?
  • Do you support multi-factor authentication (MFA)?
  • Are there any shared passwords between customers or support staff?
  • Default passwords are one of the most common attack vectors in agriculture and manufacturing environments.
  • Shared accounts eliminate
  • MFA dramatically reduces the risk of credential theft leading to system

Data Handling and Ownership

Indoor farms generate valuable operational data: yield rates, environmental parameters, input recipes, proprietary growing methods.

  • What data does this device or platform collect?
  • Where is my data stored (on the device, in the cloud, or both)?
  • Who owns the data: me, your company, or both?
  • Can you share or sell my farm data to third parties?
  • Can I request my data be deleted? How long does that take?

Your operational data is intellectual property. It reflects years of optimization and investment. You should know who controls it, who can access it, and how it is protected.

Network and Device Security

Many indoor farms operate on flat networks. Everything is connected to the same Wi-Fi. That creates risk.

  • Is the device encrypted (both data in transit and at rest)?
  • Does it require its own network, or will it run on my existing Wi-Fi?
  • Can the device operate if the internet goes down?
  • Does it connect to other machines or systems on my farm?
  • Can I limit what it connects to?
  • A compromised sensor should not become a gateway into your entire
  • Segmentation and encryption reduce the blast radius of an
  • Offline functionality protects crops during internet outages or cyber

Updates and Patch Management

Software vulnerabilities are discovered constantly. What matters is how quickly they are fixed.

  • How do you deliver security updates or patches?
  • Are updates automated or manual?
  • How long will you support this product with security updates?
  • What happens if a vulnerability is found? How fast do you respond?
  • Unpatched systems are prime ransomware
  • If a vendor stops issuing updates after two years, your equipment may become a liability long before it reaches end-of-life mechanically.

Incident Response and Liability

  • If your system is breached, how will you notify me and how quickly?
  • Do you have a documented incident response process?
  • Who is liable if your system causes downtime, crop loss, or equipment damage?
  • Do you carry cyber insurance?
  • Do you subcontract any part of your service (cloud hosting, customer support, sensor data processing)?
  • If yes: What security standards do they follow?
  • Many ag-tech companies rely on third-party cloud providers and Your risk extends beyond the logo on the invoice.

You are not just buying equipment—you are inheriting part of their supply chain risk.

Access Control and Vendor Permissions

Remote diagnostics and service are valuable. But they must be controlled.

  • Does your staff have remote access to my equipment?
  • Can I see when and why someone accesses my system?
  • Can I turn off remote access?
  • Are service technicians required to log in with individual accounts (not shared accounts)?
  • Remote access without logging and accountability is a major
  • You should always know who accessed your system, when, and for what

Interoperability and End-of-Life Planning

Technology companies fail. Products are discontinued. Startups pivot.

  • Is the system compatible with other equipment brands, or is it locked in?
  • What happens if the company stops supporting it?
  • If you go out of business, will the device still work?
  • Vendor lock-in combined with poor security support creates long-term operational
  • A device that stops functioning when a cloud subscription ends or when a company closes can disrupt production unexpectedly.

Certifications and Standards

These are basic questions in the cybersecurity sector; the answers will demonstrate how seriously the vendor takes security.

  • Do you follow any recognized cybersecurity standards? (Examples: ISO 27001, NIST Cybersecurity Framework, SOC 2)
  • Have you ever had a third-party cybersecurity audit?

The Short List: For Quick Vendor Conversations

If time is limited, start here:

  • Can I change the default password, and do you support MFA?
  • What data do you collect, and who owns it?
  • Where is the data stored?
  • Is the data encrypted?
  • How often do you update your software or firmware?
  • How quickly do you respond to discovered vulnerabilities?
  • Do you carry cyber insurance?
  • Who is liable if your system is hacked?
  • Can your staff remotely access my equipment or data?
  • If you go out of business, will my device still work?

Cybersecurity is Part of Risk Management

Indoor agriculture is infrastructure. Controlled environment farms support food security, pharmaceutical inputs, seed production, and high-value specialty crops. Our adversaries and ne’er-do-wells won’t need to destroy a facility physically to cause damage. Disrupting digital systems can be enough to cause a FSMA issue.

The goal is to normalize conversations and questions about the potential vulnerabilities in the equipment growers depend on. When operators ask these questions consistently, vendors respond by building more secure products. Over time, the entire ecosystem becomes more resilient.

The BIO-ISAC encourages the Indoor Ag-Con community to treat cybersecurity as part of due diligence, just like electrical load calculations, water quality analysis, and HVAC redundancy planning.

For more information about the BIO-ISAC, visit www.isac.bio