16.07.2024
Study
Technology makes the food industry more vulnerable to cybersecurity threats
The growing use of technology in food supply chains means that the sector is more at risk of cyber breaches.
Last month, fruit and vegetable giant Dole announced that it had been the victim of a ransomware attack. The company claimed that the impact on its operations was “limited,” but it was reported that the cybersecurity breach led to shortages of some products.
“This has been devastating for the fresh fruit and vegetable division and our Chilean business in particular,” CEO Rory Byrne told analysts and investors during the company’s 2022 financial results announcement last week. “On a positive note, we quickly contained the threat and engaged leading third-party cybersecurity experts, and we will work in partnership with their internal teams to remediate the issue and secure their systems.”
Unfortunately for the food industry, the attack was not an isolated incident. In 2022, the Canadian meat processing group Maple Leaf Foods suffered what the company called a “pervasive” breach.
Michael McCain, the group’s executive chairman and CEO, said last week that the incident was “insidious and impacted our business in a number of ways.”
He added: “In real time, we have had to move the business from a highly efficient network of operations, highly automated from orders to production planning, stock picking receipts and payments, to a business that had to be run entirely manually.”
The same year, across the Atlantic in Germany, Apetito, a German frozen food supplier, discovered a cyberattack on its operations, and the UK’s KP Snacks said it was also affected by ransomware.
In 2021, meat giant JBS fell victim to a ransomware attack that disrupted the company’s operations in North America and Australia. Later, it turned out that JBS paid the gang an $11 million ransom to release its files.
And these are just the attacks we know about. According to Malwarebytes, the number of cyberattacks on the food and agriculture sector increased by 607% in 2020. In 2021, the FBI published a private industry alert warning the food sector about the dangers of ransomware attacks, and in the last quarter of last year, the US cybersecurity company Dragos reported that the food and beverage sector was the victim of more attacks than any other sector.
The threat to food industry cybersecurity is growing
Assessing the level of threat to food companies from cybercriminals is not easy. Due to the sensitive nature of the topic and the potential damage (both financial and reputational) that cyberattacks can cause, executives are reluctant to discuss the topic.
As John Hoffman, a senior fellow at the Institute for Food Safety and Defense at the University of Minnesota, explains: “Not many of these attacks are publicized because of brand protection concerns. Attacks like the one against JBS are the exception. In this case, the outages were so significant that the event could not be denied.”
According to Sue Newton, head of UK food and drink at WTW Insurance, the threat of cyberattack to the food industry is not new, but it is growing, evolving and becoming more serious.
“We’ve seen significant losses to companies in the sector from ransomware attacks, including several global food manufacturers, resulting in one brand having to pay a multi-million dollar ransom to get back up and running,” says Newton.
The threat has been exacerbated by the pandemic, which has seen many companies instantly switch to remote and hybrid work without having time to put in place appropriate security protocols and systems.
Prior to Covid-19, the food industry was already moving towards greater use of automation, robotics, artificial intelligence, and the Internet of Things (IoT) in the form of sensors in factories. The pandemic has only accelerated this push and, in turn, increased the level of risk, as the introduction of these technologies has created many vulnerabilities that were not previously on the security radar of food companies.
“The challenge for the food and beverage industry is that they are seen as more vulnerable because the operational technology underpinning production has increased, but cybersecurity measures for businesses in this sector have not been properly considered, so many companies are now having to catch up,” explains Newton.
“While other sectors have stepped up their cybersecurity efforts over the past few years, largely due to regulation, food and beverage manufacturers have not been subject to the same requirements, which has led to relatively lower cybersecurity investments in some businesses, making them easy targets for cybercriminals.”
Part of the problem, Hoffman says, is that the government has not focused on reducing the cyber risks facing the food and agriculture sectors, compared to the attention paid to cybersecurity in the financial, chemical, energy and transportation sectors. Food companies are therefore considered softer targets, he adds.
“In addition, cybercriminals have realized that many small and medium-sized food and agriculture companies lack internal IT expertise, use older systems, and are connected via the Internet to larger, wealthier firms in the supply chain. So they provide a gateway to other firms’ systems.”
This is a view shared by Jason Vandenberg, head of cybersecurity sales at Rockwell Automation, a US-based automation services provider. Vandenberg says the cybersecurity threat has been on the radar at the board level of large food companies for some time, but smaller food groups and suppliers to large groups are struggling to come to terms with the problem.
“They realize that just because they are a small regional food and beverage company with four or five plants versus a large multinational conglomerate with 100 plants, they are no less of a target,” says Vandenberg. “In fact, we would argue that what we’ve seen is more [cyberattacks] targeting these small and medium-sized companies because they don’t have the same level of budgets as the big guys and their legacy systems are the same.
Digitalization creates vulnerability
And the increased use of automation in areas such as food processing and precision agriculture has only exacerbated the problem.
“A consequence [of the push for automation] is that many of the cyber-controlled/controlled components are actually legacy systems that still rely on an outdated OS, but still function quite reliably, even if they are vulnerable to exploitation and attack,” Hoffman says.
“Changing/modernizing all of them in the sector is going to be a major challenge. And that automation is really growing as labor costs are rising and there are a lot of staffing issues. More functions are also being automated as robotics improve and efforts to reduce waste, lower costs, and even address climate impacts such as reducing water use and emissions become more of a priority.”
Attackers targeting the food sector range from supply chain disruptions and ransomware deployments to IP theft.
“We know that there are cybercriminals in China who focus on IP to find out who is selling what to whom, for how much, and from where,” Hoffman says. “This gives them targets to exploit or even the most lucrative U.S. food and agricultural infrastructure to buy.”
According to Newton, most food companies are well aware of the dangers of cyberattacks, but don’t necessarily have access to the right resources or profits to prevent cybersecurity incidents.
“In the past, the production line would be largely independent of the IT environment, so if there was any malicious activity, production could continue. And because there was less regulatory oversight of cybersecurity in the industry, there was less of a need to improve security and mitigate risks.
“In addition, as technology becomes more integrated into the manufacturing environment, in some cases these new technologies and operating environments are implemented, operated and managed not necessarily by cybersecurity experts, but by production or IT professionals who do not have specific cybersecurity expertise within the business, meaning they do not take appropriate measures, making them more vulnerable to attack. It’s also a challenge to attract and retain cybersecurity professionals in today’s highly competitive market.”
It’s a challenge that many food companies are struggling to meet. A survey by the US trade organization Food Industry Association last year found that 85% of food companies have increased their cybersecurity budgets in response to the growing threat.
“However, there is room for improvement, and many companies may not be doing enough to protect themselves from cyber threats,” says Christine Demoranville, CEO and founder of AnzenSage, a recently launched cybersecurity consulting firm in the United States.
According to Demoranville, food producers should consider several factors when implementing a cyber risk mitigation strategy. “First and foremost, they should make sure they have traditional, robust cybersecurity controls, firewalls, antivirus software, and intrusion detection systems in place,” she says.
“They should also regularly update and patch their software to safely address known vulnerabilities in their production environments. In addition, food manufacturers should ensure that their employees are trained in cybersecurity best practices and are aware of the risks associated with phishing emails and other social engineering tactics. Finally, food producers need comprehensive incident response and business continuity plans in place to respond quickly and effectively to cyber attacks.”
Continuously monitoring the threat of cybersecurity attacks is also vital. According to Colin Tankard, managing director of UK-based Digital Pathways, a hack takes a few minutes to complete, but it can take months to detect.
“Where we’ve worked with retailers, we see some companies that don’t have some controls and checks in place to track unusual behavior,” says Tankard. “It’s almost like an afterthought. But organizations really need to keep an eye on what’s going on.
“It comes down to looking at your logs. It can be logs from servers, from your website, from your CRM system, from your firewalls, just to see if there’s anything unusual going on. And because there’s a lot of information coming into the business, you need to really put that information into some sort of SEIM [security enterprise information management] system that will put everything into the right categories so you can see a pattern.”
Do not capitulate
If a company does fall victim to an attack, cybersecurity experts say food companies should not capitulate to hackers’ demands and pay a ransom.
I have yet to see a company pay a ransom and successfully come out ahead,” says JasonVandenberg, head of cybersecurity sales at US automation services provider Rockwell Automation.
As Tankard says: “If they know you paid once, they know you’ll pay again, so they’ll just come back and knock on your door. Even if you pay, you’re never sure that all the bad stuff is gone.”
Rockwell’s Vandenberg agrees. “I’ve yet to see a company pay a ransom and successfully come out ahead. We see companies that are still claiming legal fees three to five years after the attack because they are now being sued by someone whose data may have been exposed.”
Rockwell has found a growing aversion among companies to paying ransoms to hackers, and some governments around the world are reportedly considering outright bans on ransomware payments, he said.
It’s a threat that’s not going away anytime soon, and as a result, those companies in the food industry that haven’t yet ramped up their cybersecurity protocols need to start taking the issue seriously, or they risk falling victim to an attack that could be devastating, warns Demoranville.
“The threat of cyberattacks to food producers is a pressing issue that needs to be taken seriously,” she says. “The food industry is facing critical situations due to the increasing digitalization of the sector, which has expanded the attack surface for cybercriminals and created more opportunities for them to exploit vulnerabilities. While many food producers are taking steps to protect themselves, there is room for improvement.”
For companies operating in North America, at least, a compelling line on costs emerged from Dole’s results announcement last week, with Byrne acknowledging that the company does not expect to recover lost sales, including through insurance. “I think the simple answer to that question is no,” he told the analyst. “Insurance is prohibitive – you can’t get insurance in North America for cybersecurity right now.”