Long read

Building a proper food cybersecurity defence plan

16-Aug-2023 - Last updated on 18-Aug-2023 at 14:43 GMT

How much have you thought about your cybersecurity plan? Credit: Getty/Andrew Brookes

As food and drink processers embrace digital and connected systems, they must ensure their defence plans against cyberattacks are robust and well considered.

Whilst technology is undoubtedly transforming the food and beverage industry for the better, our increasing reliance on connected, intelligent systems also brings new risks. Namely, cyberattacks.

The Cyber Security Breaches Survey estimated that, across all UK businesses, there were approximately 2.39m instances of cybercrime and approximately 49,000 cases of fraud as a result of cybercrime in the last 12 months.

What is a cyberattack?

A cyberattack is an unauthorised and malicious attempt to breach a network or system, usually to alter, steal, destroy or expose information. These attacks come in a range of forms, including ‘phishing’ – sending fraudulent communications that appear to come from a trustworthy source – and ‘malware’ – a software that is capable of obtaining information and disrupting systems, for example – among perhaps lessen known methods like code injection – wherein malicious code is ‘injected’ into a computer or network which can be used to extract data, for example.

Why cybersecurity must be taken seriously

The banking and finance industry was understandably among the first sectors to be affected by cybercrime because of the money associated and its natural dependency on IT. However, as other industries have become more resilient against such attacks, strengthening defences and securing entry points, attention has moved to sectors which are less tech mature. The food and drink sector is one such example, as it starts to employ more and more digital and connected technologies to enable greener, safer and more efficient operations.

In a study from the University of Bristol (Cybersecurity for Food Security – Cyfood), a distinct lack of understanding of data security practices and confusion around why someone would bother to attack was identified throughout the agricultural industry. For example, members of the sector were asked what consequences a computer being stolen/data hacked, could have for the farm? In answer to this, the report gives the following example: “An attacker could manipulate the feeding plans of a large dairy, with major productivity consequences for the farm.” More details of the project can be found in the below video.

Another quote included in report flagged the limited knowledge of how things work, such as agritech devices: “I mean to be honest I don’t really understand [laugh] exactly what we’re doing. All is I know it works and it means [our staff] and I just log on but yes, it raises a question of how secure is that for somebody else.”

Commenting on the importance of cybersecurity, Venky Sundar, founder and president of Indusface, which offers security solutions, described it as “vital to integrity” regardless of whether you’re an SME or larger corporation.

He added: “With technology and the internet being an integral, useful part of how many businesses operate, it is important that every company understands the risks of it being inadequately protected. If cyberattacks occur, a business can suffer from lost business data, a degraded reputation, and potentially a large financial cost.

“While we found that email hacking is the most prevalent [form of attack], the way it is carried out is very versatile. Phishing is a much talked about threat, however, bot attacks such as account-takeover and credential stuffing could also be used to hack emails and get access to email accounts. The other method is when hackers exploit an SQL injection vulnerability […] and extract all credentials through the vulnerability.”

Stealing computer data — Hackers can do a lot of damage if they gain access to a computer. Credit: Getty/Andrew Brookes

From 2018 to May 2023, research from Comparitech found that ransomware attacks (a type of malware that is designed to block access until a sum is paid) hit at least 157 food, beverage and agriculture organisations across the globe. It estimates this cost these companies around $1.36bn in downtime.

“They [F&B sector] do not have the kind of preventative measures, the best practices that these other industries have been adopting for some time. There’s also a lack of awareness around the severity of what can happen to the safety of consumers through a successful cyberattack,” explained Neil Coole, director of food, retail and FMCG supply chain at British Standards Institute (BSI).

“If we can’t keep people fed, if we can’t keep food on shelves, society will collapse quite quickly. There’s so much reliance on connectivity and autonomy and equipment throughout the manufacturing and distribution supply chain; an attack can disrupt it all if it’s coordinated effectively.”

“Industrial companies have been tackling IT security for several decades. However, securing operational technology (OT) – the control systems that manage, monitor automate and control industrial operations – is a more recent and increasingly urgent challenge,” added Shaun Reardon, head of section, industrial systems cyber security at DNV.

“Industrial sectors like food manufacturing are becoming a growing target partly because the maturity of OT security lags IT security by approximately 15 years. And it’s not just the lower maturity of the security for OT that presents a greater risk. The consequences of a cyberattack on OT can be more severe, ranging from product manipulation to the shutdown of safety systems, and the cost of an OT attack is likely to be much higher than an attack on just IT systems.

“Food and beverage manufacturers rely heavily on automated machinery and utilise Industrial Control Systems (ICS) to automate operations. This requires essential cyber security practices to be put in place.”

Protecting your business against cyberattacks

There are a number of standards available for food manufacturers to help equip them against cyberattacks, including ISO 270001 and IEC 62443 Industrial Automation and Control Systems (IACS).

Accessing such standards is a good starting point, but food manufacturers should go further, complementing them with work to identify and manage new risks and weaknesses, such as penetration testing and intrusion detection.

Speaking with Coole, one of the best ways of improving cyber resilience is to look at your food defence team.

“Nearly every time we speak with a company, their defence team is made up of food safety and quality professionals,” he said, noting that they do not always see the threats because it is not their “wheelhouse”.

Business meeting — Food defence teams should include a diverse set of roles. Credit: Getty/jacoblund

He elaborated: “The IT infrastructure team probably won’t know how food is made – they’re not someone you’d typically call up and ask about allergen control, but they do understand protecting physical and operational technology.

“Very rarely will a food company have representatives from site security, IT, procurement, etc., in their food defence team.”

Coole explained that often attacks are a result of human error, for example accidentally clicking a malicious link. “Perhaps they didn’t know that was a risk or something they shouldn’t have done,” he suggested. “It’s communication.”

An organisation would be well placed to assess third parties it’s working with too, to identify supply chain blind spots.

“One issues can escalate or ‘domino’ into many others, meaning the supply chain is a very attractive target,” Reardon explained. “Manufacturers should ascertain the security practices of relevant third parties, conduct regular audits of their main suppliers and carry out due diligence prior to contracting new suppliers, and include cybersecurity requirements in contracts.”

On operational technology and working with others to connect and equip factories, Reardon said: “Traditionally, OT has been ‘air gapped’ – operating in siloed environments that are disconnected from other networks. The air gap is now closing fast. OT is becoming more networked and connected to IT environments, driven by companies’ increasing need for access to data and analytics. The rapidly closing air gap provides cyber criminals with new opportunities to access and control critical systems. Manufacturers need to urgently address the security of their operational technology.

Moreover, food manufacturers should rigorously question and assess their suppliers, not just about the technology being installed, but also about the people, processes and other aspects that are key to ensuring cyber resilience.

He concluded that it would be prudent for cybersecurity to be treated in the same way as food safety, stating: “Manufacturers have long asserted that work is never so important that it cannot be carried out safely. For decades, employees have been encouraged to stop work and blow the whistle if they believe safety protocols are being neglected.”

You may also enjoy this exclusive article on how far can artificial intelligence go?