I'm an accredited journalist working at the intersections of science, food and public health. I am also a certified nutritionist.
The threat of electronic warfare against our food systems is growing. Getting the industry to adopt IoT security and privacy standards to improve its cybersecurity status is paramount. It all starts with the food industry learning from others’ past mistakes.
Cyber Threats in the Food Industry
The nature of warfare is changing over time, and it is going to involve more and more cyberattacks. We are at the beginning of a technological war in which the weapons are provided by companies that produce our algorithms and tools for social media.
A number of industries have gradually begun investing in computer security in the last five years to fight these attacks. But one sector has been slow to adjust: food. Now some experts are warning that organized cyber food crime could plague the industry in a few years’ time—from companies stealing one another’s secret formulas to hackers tampering with food.
Food manufacturing is a commodity market with low profit margins. Up until now, companies have been more worried about food quality and safety, and getting products out on time, than about cybersecurity. After all, it’s not a legal requirement.
Under the U.S. FDA’s 2011 Food Safety Modernization Act, considered one of “the most sweeping reforms of our food safety laws in more than 70 years,” companies must develop a food defense plan, but legally they do not have to address cybersecurity breaches.
However, facing an increased occurrence of cyber-attacks and their dire consequences (cost of system outages and ransomware), as well as new threats originating from cloud migration, industry leaders have been forced to adapt, according to NSF IT Security Senior Director Joseph Pelukas.
“The evolution of technology has led to the introduction of security standards from the Cloud Security Alliance that companies can follow to secure their cloud infrastructure and processes. Privacy regulations for personal data are also harmonizing across states, following California’s lead,” Pelukas told me.
“Emerging threats were also addressed in the 2005 release of ISO 27001,” Rhia Dancel, the Information Security Technical Lead at NSF, told me. “ISO 27001 provides a security framework to help organizations better manage their data and information. Another comparably efficient cybersecurity framework is that of the National Institute of Standards and Technology (NIST),” Dancel said.
On a national scale, the Department of Homeland Security created even more uniformity this year. “CISA issued an executive order last May requiring federal agencies and contractors to implement multifactor authentication and adopt a zero-trust (ZT) architecture—focusing on users rather than networks—within specified time frames,” Pelukas said.
But “while the introduction of standards has kept pace, adoption and enforcement of the new requirements happen relatively slowly and need more stringent implementation,” Pelukas explained.
The Scalable Paradigm Shift in Modern Crime
The big paradigm shift in crime has been a result of algorithmic programming, and one of the greatest threats is having our algorithms hacked for market manipulation.
Our systems of order and public safety are deeply linear, and yet the threat is entirely exponential. The potential roots of cyber threat in many sectors, including FMCG, are artificial intelligence and AI-generating algorithms, as we are all collectively turning over more and more of our companies’ information to algorithms.
Many food manufacturers, particularly small and medium-size companies, are unfamiliar with these cybersecurity threats to food supply chains and are just now getting their ducks in a row. The clock is ticking, and the industry must consider all related risks in order to be better informed on how to protect itself.
Examples of Cyber Security Attacks on Food Systems
With the interconnectedness of supply chains, attackers can take advantage of a single-entry point to infiltrate the entire system, though continuous traceability processes, like blockchain, put a damper on unauthorized record changes.
“The data is protected through the distribution of encrypted assets with blockchain so there is no single central entry point of failure, and the distribution of assets in its integrity is tightly controlled,” Pelukas told me.
But one caveat is the impact on operational costs. “It’s a good but not necessarily feasible option for small to mid-size businesses,” Dancel said. For these companies, “the focus should always be on the basics: consistent security awareness training, phishing simulations, keeping passwords secure, and maintaining updated systems by deploying patches on a timely basis,” she added.
The scenario that poses the most concern would be food tampering, with malware turning food itself into a weapon of terror. Cybercriminals could hack into food processing, transportation, and storage systems in order to spoil foods, causing cases of food poisoning or even food shortages.
Nowadays, every step of the food supply chain involves a smart device or sensor that connects to centralized control systems. We know that industrial control-system machines on a manufacturing plant’s floor are particularly vulnerable. All it takes is social media combined with that vulnerability to carry out an attack.
The very same RFID tags that contain the encoded supply chain data and help regulative organizations spot problems could be another route used to infiltrate networks. This means that our meat, yogurt and other foodstuffs are prone to hacking.
Infiltration models using an organization’s software supplied with this type of data are banking on the fact that these smart devices often have poorly written code and/or are unlikely to be reinforced with the self-repairing technology designed to update and fix bugs.
In a worst-case scenario, hackers could infect food supply chains with a random phishing attack, using the threat of lost profits—by switching off machinery, rerouting deliveries, or delaying shipments—to demand ransom. Ransomware attacks have already proven possible in other types of industrial plants.
Stealing trade secrets is another realistic security threat. An insider’s view of plant processes and intellectual property is a valuable asset that should not be stored in an electronic system. Information theft is one of the most common types of loss in U.S. companies affected by cybercrime.
“Ransomware continues to be the most impactful cybercrime in the U.S. and the world, and the numbers are staggering,” Pelukas said. According to law enforcement agencies’ estimates, “victims paid $350 million in ransom in 2020; that’s a 311% increase over 2019,” he told me.
No industry is spared, as “ransomware attacks targeted insurance company CNA Financial, fuel distributor Colonial Pipeline and meat supplier JBS this year alone,” Pelukas said. The average ransom payment rose by 171% from 2019 and is estimated to range between a few hundred thousand to $40 million.
“The average total cost of a data breach in 2021 was around $4.24 million, with a cumulated annual cost of $6 trillion globally. By 2025, we could see these numbers escalate to $10.5 trillion according to projections. And supply chain attacks are also on an upward trend,” Dancel told me.
Steps to Decrease the Odds of Successful Attacks
“The best protection is a combination of proactive steps,” Pelukas said.
The first step is to be keenly aware of what is going on with the cyber-security status of competitors and within one’s own company by implementing an open-source intelligence program for “red-teaming” assumptions and uncovering primary threats.
“This can take the form of a secondary ‘disaster recovery’ test site where critical systems and processes can be executed. It is important to perform this type of incident response testing across the whole organization and at all levels to prepare to respond to an attack,” Pelukas said.
The next step is to increase situational awareness with dynamic threat intelligence built on machine learning frameworks. With more comprehensive data access, the industry can leverage opportunities to customize these frameworks within specific business processes and decision points on a global scale.
“For every decision point, there should be a minimum necessary access authorized commensurate with a user’s job responsibilities, and this access should be revoked when no longer required or applicable,” Pelukas told me.
“If third parties are involved in the processing, storing or transmitting of a company’s data, they too should have implemented and tested their security controls to the same standards,” he said.
“This includes at least two distinct levels of evaluation. One is ensuring that all systems and digital infrastructures are running up-to-date and secure versions with regular vulnerability scanning and patching. The other is to do regular backups that are appropriately stored and recovery verification tests,” Pelukas went on.
Finally, at a regulation and governance level, food manufacturers must rely upon the latest guidelines released by the Department of Homeland Security, the NIST, the Federal Trade Commission, and industry interest groups to address low-hanging fruit in terms of security and to minimize these threats.
Above all, “it is critical that senior leadership within food manufacturing businesses is engaged in supporting and building a culture of information security,” Dancel said. “If management makes information security a priority, that mentality trickles down to the entire organization,” she told me.
Those sweeping ambitions, including stronger education programs for organizations, are necessary now to deal with the challenges that only the best security solutions can address.
This content is accurate and true to the best of the author’s knowledge and is not meant to substitute for formal and individualized advice from a qualified professional.
© 2022 Camille Bienvenu