The subject of how information security impacts different industry sectors is an intriguing one. For example, how does the finance industry fare in terms of information security compared to the health sector, or the entertainment business? Are there some sectors that face greater cyber-threats and risks than others? Do some do a better job of keeping data secure, and if so, how and why?
A new research report from the Food Protection and Defense Institute (FPDI) at the University of Minnesota has revealed the data security risks that threaten the food processing and manufacturing industry.
The FPDI’s report outlined why the food industry could become a target of cybercrime and warned that it is particularly at risk of attack due to a number of factors. These include its reliance on insecure or outdated industrial control systems (ICSs) at food processing factories and plants, and a lack of security maturity compared to other sectors.
“The food industry is already a frequent target of motivated criminals. For example, transnational criminal organizations (TCOs) are heavily involved in large-scale food-related crimes such as counterfeiting, economically motivated adulteration, theft and resale, and smuggling,” the report explained.
That criminal activity could quite easily take on a cyber-nature, the FPDI warned. Over the last few decades, computers and advances in technology have quickly revolutionized food processing and manufacturing, but security improvements have not kept pace, leaving the sector with significant cybersecurity vulnerabilities.
“Food industry ICSs not only have many of the same vulnerabilities as other sectors, but many unique ones as well. These include those stemming from the many companies still using ICSs that were developed before security was a concern and can’t be updated.”
What’s more, the report pointed out that as industries such as energy, finance and healthcare have developed a better focus on hardening security in the wake of widely publicized cyber-attacks against those sectors, it can be assumed that criminals and other threat actors will move on to lower-hanging fruit.
“This could well be the food industry, which continues to use vulnerable ICSs that are discoverable on the internet,” the FPDI stated.
There is also the fact that those responsible for operating and maintaining ICSs in the food manufacturing industry, operations technology (OT) personnel, are often experts trained in food safety and production – and not in cybersecurity.
“Thus, even though ICS cybersecurity standards and best practices are well-known and thoroughly documented, their complexity and volume overwhelm most food industry OT personnel.”
In terms of the potential consequences of cyber-attacks against the food processing and manufacturing industry, the FPDI’s research highlighted:
- Financial costs from ransomware payouts and lost productivity
- Equipment damage
- Food products becoming unsafe for sale and consumption
- Business and public health risks
Commenting on the research, Dave Weinstein, CSO at Claroty, said: “While it doesn’t receive many headlines, the cyber-risk to the food and beverage manufacturing process is a serious one. Not only are most of the industrial control systems behind the manufacturing process inherently insecure, but many companies in this industry are embracing aggressive digital transformation initiatives. These efforts are great for productivity and efficiency, but they also introduce more connectivity to the manufacturing network, thus subjecting it to both commodity malware from the IT network and targeted threats.”
To conclude its report, the FPDI identified several steps that food companies can take to protect themselves:
- Foster more communication between OT and IT staff
- Begin conducting risk assessments that include inventorying both ICSs and IT systems
- Involve staff with cybersecurity expertise in the procurement and deployment process for ICS devices
- Extend your food safety and food defense culture to cybersecurity