Imagine you are amid a nationwide food poisoning outbreak unfolding by the minute. You check and double-check the processing records; all batches of cooked chicken appear fine, so what is going wrong?
Unbeknown to you, a hacker, possibly a disgruntled ex-employee, has gained remote access through an insecure IoT device and altered critical operational processes, resulting in a batch of chicken being undercooked and dangerous. But you don’t know which batches are affected, so a nationwide recall is on the cards.
Your product advantage is neutralized because a competitor just launched a copycat product using stolen intellectual property obtained by hackers. A hacker has stolen sensitive commercial and supply chain information belonging to one of your major retail clients and is demanding a huge ransom. What do you do?
Far-fetched? Think again.
Historically, it has been the financial and retail sectors that have received the most attention from cyber criminals, usually involving data breaches. More recently, healthcare and government systems have been subject to cyber-attacks, and as these sectors improve their defences, cybercriminals move on to softer, easier targets; the food sector sticks out like a sore thumb.
Part of the problem is that the sector believes it’s immune. Why would anybody attack a food company? National and international crime organizations frequently target the food chain to commit large-scale adulteration, counterfeiting, fraud, theft and smuggling, even hacking into storage and distribution company systems to uplift counterfeit products and insert them into the legitimate supply chain. The danger is real, and food companies of all sizes must take steps to strengthen information resilience. Here’s why:
- IT and cybersecurity aren't the same thing. In most companies, IT is also responsible for cybersecurity. This is a fundamental mistake. The two disciplines are distinctly different and require different approaches, thinking and skillsets.
- "We’re an SME, why worry?" Reports demonstrate SMEs are attacked just as frequently as large companies, usually by email.
- "All of our IT and cybersecurity are outsourced, it's their problem." IT service providers offer rich pickings for hackers and consequently receive special attention. Their problem can quickly become yours.
- Cybercrime is becoming easier and more accessible. While cybercrime was once the exclusive domain of ‘masters of code’, it’s evolved to become a business in itself. Today malware authors find it’s more lucrative—and definitely safer—to offer their services and sell their products for others to launch attacks.
- Legacy systems. The food processing systems of today usually rely upon obsolete software platforms such as Linux or Windows 98, on systems installed over 20 years ago. Moreover, the ancient code can’t be updated or patched.
- Powerful connections. Linking internal production processes with external data systems and networks via the internet makes productivity gains and process efficiencies possible. The downside is that, to make modern systems work with the obsolescent, security is often sacrificed. This also means a security breach at one point can spread quickly.
- If it isn’t broken, don’t fix it. Management is understandably reluctant to invest in better, more secure systems when an old system works just fine, and believes the risk is imagined. This is a false economy.
- Lack of awareness. Operational staff are trained to keep existing systems running and are not ‘cyber-savvy’.
- The ‘smart’ stampede. So-called 'dumb devices' such as bait boxes are being replaced by IoT-enabled devices. These often contain ‘off-the-shelf’ sensors with built-in insecurities running on poorly designed and supported software. Questions about the security of these devices are often overlooked during the procurement process.
There are different types of cyber-attacks a food company can suffer. Maybe your product advantage is neutralized because a competitor just launched a copycat product using stolen intellectual property gained by hackers. Or maybe a hacker has stolen sensitive commercial and supply chain information belonging to one of your major retail clients and is demanding a huge ransom. In any case, being on top of risk management is essential.
What can be done?
- Enter CHACCP: Cyber Hazard Analysis Critical Control Point. Quality assurance and technical functions have been at home in the food sector with HACCP for 30 years. Think of CHACCP as extending the same risk-based approach to cyber vulnerabilities and their linkages in a production environment, applied as an extension of the embedded food safety management system.
- Implement cyber security standards. Most companies wouldn’t think of finding out how secure they are with a penetration test, nor of using BitSight to determine the cyber risk posed by their suppliers and building this into supplier selection, monitoring and evaluation. A sensible enhancement is to implement an ISO 27001 information security management system and mandate it for key suppliers, especially those whose IT platforms are integrated with your organization.
- Work on the culture. All staff should become ‘cyber-savvy’ through cyber awareness training as part of their induction process and be encouraged to flag anything out of the ordinary if they think it could be cyber-related before problems get out of hand.
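To make the CHACCP idea concrete, here is an added example (not code from the article or its author) that does two things: it walks the four-question Codex HACCP decision tree, applied here to cyber hazards rather than biological or chemical ones (that mapping is this example's assumption), to decide which process steps are cyber critical control points; and it then monitors the cook step against a critical limit and an approved-change list, so that the remotely lowered oven setpoint from the opening chicken scenario is caught and attributed to specific batches rather than to the whole production run. Every step, hazard, temperature limit, batch id and telemetry record is constructed sample data.

```python
"""CHACCP-style hazard analysis and CCP monitoring (added example, not the article's code).

Part 1 walks the four-question Codex HACCP decision tree, here applied to
cyber hazards (an assumption of this example), to decide which process steps
are cyber critical control points (CCPs).
Part 2 monitors the cook CCP against its critical limit and approved change
records, so a remotely altered setpoint is caught and tied to specific batches.
All steps, hazards, limits and telemetry records below are constructed data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class CyberHazard:
    description: str
    control_measure_exists: bool  # Q1: is a control measure in place at this step?
    step_controls_hazard: bool    # Q2: is this step designed to eliminate or reduce it?
    could_exceed_limit: bool      # Q3: could the hazard reach an unacceptable level?
    later_step_controls: bool     # Q4: will a subsequent step eliminate or reduce it?


@dataclass
class ProcessStep:
    name: str
    hazards: List[CyberHazard] = field(default_factory=list)


def classify_hazard(h: CyberHazard) -> Tuple[bool, str]:
    """Decision tree for one hazard; returns (is_ccp, reason)."""
    if not h.control_measure_exists:
        # Codex: with no control measure the step or process must be modified.
        return False, "no control measure: modify step or add one"
    if h.step_controls_hazard:
        return True, "step is designed to control the hazard"
    if not h.could_exceed_limit:
        return False, "hazard cannot reach an unacceptable level here"
    if h.later_step_controls:
        return False, "a subsequent step controls the hazard"
    return True, "no subsequent step controls the hazard"


def find_ccps(steps: List[ProcessStep]) -> Dict[str, List[str]]:
    """Map each CCP step name to the hazard descriptions that make it a CCP."""
    ccps: Dict[str, List[str]] = {}
    for step in steps:
        hits = [h.description for h in step.hazards if classify_hazard(h)[0]]
        if hits:
            ccps[step.name] = hits
    return ccps


# Constructed critical limit for the cook step (assumed, not a regulatory value).
MIN_CORE_TEMP_C = 75.0
MIN_HOLD_S = 30


def monitor_cook_ccp(records: List[dict], approved_changes: Set[str]) -> Dict[str, List[str]]:
    """Return {batch_id: [deviation, ...]} for batches that must be held.

    Check 1: the critical limit was met for the batch.
    Check 2: any setpoint change carries an approved change id, whatever its source.
    """
    held: Dict[str, List[str]] = {}
    previous_setpoint = None
    for r in records:
        problems = []
        if r["core_temp_c"] < MIN_CORE_TEMP_C or r["hold_s"] < MIN_HOLD_S:
            problems.append(f"critical limit not met: {r['core_temp_c']}C for {r['hold_s']}s")
        if previous_setpoint is not None and r["setpoint_c"] != previous_setpoint:
            if r.get("change_id") not in approved_changes:
                problems.append(f"unapproved setpoint change {previous_setpoint}->{r['setpoint_c']} via {r['source']}")
        previous_setpoint = r["setpoint_c"]
        if problems:
            held.setdefault(r["batch_id"], []).extend(problems)
    return held


# Constructed process steps and hazards (Q1..Q4 answers in order).
COOK_STEP = ProcessStep("Continuous oven cook", [CyberHazard(
    "Oven setpoint lowered through remote access to the controller", True, True, True, False)])
CHILL_STEP = ProcessStep("Blast chill", [CyberHazard(
    "Chiller telemetry spoofed so warm product passes", True, False, True, True)])
LABEL_STEP = ProcessStep("Labelling", [CyberHazard(
    "Label printer firmware altered to misprint use-by dates", False, False, True, False)])

# Constructed telemetry: one record per batch from the cook controller.
SAMPLE_RECORDS = [
    {"batch_id": "B-1041", "setpoint_c": 78.0, "core_temp_c": 78.2, "hold_s": 35, "source": "local_hmi"},
    {"batch_id": "B-1042", "setpoint_c": 78.0, "core_temp_c": 78.1, "hold_s": 34, "source": "local_hmi"},
    {"batch_id": "B-1043", "setpoint_c": 62.0, "core_temp_c": 62.4, "hold_s": 35, "source": "remote_vpn"},
    {"batch_id": "B-1044", "setpoint_c": 62.0, "core_temp_c": 62.0, "hold_s": 35, "source": "remote_vpn"},
    {"batch_id": "B-1045", "setpoint_c": 78.0, "core_temp_c": 78.3, "hold_s": 36, "source": "local_hmi",
     "change_id": "CHG-0007"},
]
APPROVED_CHANGES = {"CHG-0007"}

if __name__ == "__main__":
    for step, hazards in find_ccps([COOK_STEP, CHILL_STEP, LABEL_STEP]).items():
        print(f"CCP: {step} <- {hazards}")
    for batch, problems in monitor_cook_ccp(SAMPLE_RECORDS, APPROVED_CHANGES).items():
        print(f"HOLD {batch}: {problems}")
```

Two design points carry over from HACCP practice. First, the unapproved-change check deliberately ignores whether the change came from the local HMI or a remote session: the control is "every setpoint change must match an approved change record", which catches both a remote intruder and an untracked local edit. Second, deviations are keyed by batch id, which is what turns "we don't know which batches are affected" into a targeted hold of B-1043 and B-1044 rather than a nationwide recall.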
The good news is that companies implementing these common-sense steps not only de-risk their business, but in time they also realize it makes a substantial contribution to a strong, due diligence defence and may even deliver first mover and competitive advantage.
Author: Richard Werran
Director of Food - EMEA