In 2019, 74% of enterprises faced cyber incidents that resulted in disruption to business continuity, financial loss, reputational damage, fines for GDPR violations, or various other complications.
While certain sectors including energy, finance, and healthcare responded to the rising threat by increasing investment in cyber-security, recent surveys and government data show that food and beverage producers have lagged. For example, in the UK the food industry (together with the hospitality sector) ranks at the bottom of the chart compared to other industries in terms of cyber-security investment.
As we enter the second half of 2020, many companies in the food industry are operating at full production to meet increased demand due to the pandemic. These same manufacturers remain under-prepared in their cyber resilience and readiness, leaving them at increased risk of becoming a target for cyber-attack. This is due to several factors, some of which are unique to the sector.
The food industry’s cyber risk factors
1. Insecure and outdated Industrial Control Systems (ICSs)
While the industry has seen major advances in digital technology that have revolutionized food processing, these advances were not accompanied by security improvements. In fact, many food manufacturers still use legacy ICSs that are not configured to handle modern cyber threats. Even new ICSs lack long-term cyber-security protections and are unprotected from external access through third-party channels. Moreover, while most ICSs are inherently insecure, in the food industry ICSs also have sector-specific weaknesses, such as rigid controls that rely heavily on physical security.
2. Industry 4.0 and IT/OT Convergence
Already insecure by design, ICSs become even more challenging to protect when aggressive digital transformation initiatives, which are increasingly common, are introduced. These efforts improve efficiency, but they also expand the attack surface by enabling greater connectivity to the manufacturing network, exposing it both to commodity malware arriving from the IT network (for example via insecure HMI interfaces) and to targeted attacks.
3. Cyber-Security Skill Gap
Those responsible for operating and maintaining ICSs in the food manufacturing industry, the operational technology (OT) personnel, are often experts trained in food safety and production, not in cyber-security. Even though ICS cyber-security standards are well documented, their complexity and volume overwhelm most food industry personnel. Research has also found that leaders in food processing and manufacturing are typically unaware of the extent of the cyber risk present in their industrial systems and OT/IT networks.
4. Lack of Security Maturity Compared to Other Sectors
As other sectors harden their security in the wake of widely publicized cyber-attacks against them, criminals and threat actors move on to still-vulnerable, lower-hanging targets, making cyber immaturity a risk in its own right.
5. Covid-19 and the Emerging Cyber Threat
The pandemic has forced businesses to operate remotely, expanding their attack surfaces and opening new doors for hackers to exploit vulnerabilities. On top of that, food producers have had to innovate to keep pace with increased demand, with some introducing technological shifts that further increase the attack surface.
Potential cyber-attack consequences
The consequences of a successful attack on a food manufacturer could dwarf those in other sectors since disruptions to this industry can not only interrupt business continuity and bankrupt the company but also create contaminated food products that directly harm consumers. Food producers who underestimate the level of risk and the damage that could be caused by a potential breach might face:
- Production line interruptions and shutdowns, which could cripple the business
- Degradation of food products, making them unsafe for sale and consumption
- Financial loss as a result of ransomware pay-outs and loss of productivity
- Intellectual property breaches exposing food recipes and production processes
- Physical harm to personnel and equipment
- GDPR violations resulting in fines
- Reputational damage
Steps for improving security
In a new era in which cyber-attacks are more frequent and complex than ever, food producers must make cyber-security a top priority. Leaving digital communication platforms and production environments exposed to potentially devastating cyber-attacks is no longer an option. In the interest of both companies and consumers, food companies must acknowledge the increased risk and take immediate steps, including:
- Conducting comprehensive, end-to-end cyber risk assessments that include continuously inventorying both ICS and IT systems, to keep up with a rapidly changing attack landscape
- Tailoring such security assessments to food producers’ unique cyber risk environment by focusing on business-critical assets (i.e., production systems and sensitive IT/OT interfaces)
- Prioritizing remediation efforts based on a clear remediation plan that takes into consideration the likelihood of exploitation of the vulnerabilities and security gaps found in the assessment
- Fostering best-practice communication routines between OT and IT security staff, integrating both processes and technology into internal communication protocols between teams
- Adopting and extending food safety and food defense culture and protocols to cyber-security, acknowledging the risk posed to food safety by cyber-attacks
- Increasing security vigilance and raising awareness of the cyber risk inherent in industrial sectors in general, and in food producers in particular, during the pandemic and beyond