In today's industrialized society, a large percentage of trade is knowledge-based. The vast majority of us no longer live off the land, nor, for that matter, do many of us even have the ability to grow a substantial amount of our own food, unless you count the copious amounts of zucchini that appear in neighborhood gardens each summer. Zucchini lovers notwithstanding, last year’s pandemic-related shortages quickly demonstrated how wholly dependent we as a society are on the supply chains that provide us with life’s necessities. And it’s because of that vital role that food and beverage manufacturers are prime targets for ideologically influenced ne’er do wells, intent on wreaking havoc, whether their purpose is something as basic as financial gain or something more nefarious such as a nation-state attack.
The very nature of the food and beverage supply chain makes it an ideal target. Not only does it serve as a societal lynchpin, and fractures the foundation of our Maslow’s-like sense of security, but what’s worse, is the perishable nature of the products being delivered makes the industry particularly vulnerable to prolonged operational supply-chain disruptions.
Unlike durable goods such as tires or furniture, food and beverages come with expiration dates and, as such, are tied to public health. If a chair manufacturer is hacked, there will obviously be delays getting that chair into the showroom, but the materials themselves won’t spoil, nor is there the worry that the integrity of the product itself may have been compromised to the point of being harmful to someone’s health.
Cyberattacks come in all shapes and sizes, and while data theft tends to be what we hear about most often, when food and beverages are involved there’s also the possibility that automated systems such as those that pasteurize milk might be tampered with. Nor is it out of the realm of possibility that the systems that test for the presence of harmful bacteria or other trace elements could be hacked and the results tampered with. It’s a perfect storm from every angle.
You are the weakest link. Goodbye!
As with any supply chain, you’re only as strong as your weakest link. Unfortunately, this holds true regardless of the industry. We live in what is known as the fourth industrial revolution (IR4.0): automated plant processing systems streamline productivity, but this advantage comes with the risk that these industrial IoT (IIoT) systems are open to attacks — because they’re all connected to the internet (as well as being interconnected), they are at a high risk of exposure and exploitation from hackers.
What makes this even more worrisome is that when you drill down deep enough into the supply chain, it’s unlikely that the owner of, for example, a small dairy farm has a side hustle as a savvy cybersecurity expert. Nevertheless, that farmer’s milking systems are connected digitally to a dairy co-op that feeds into an even larger supplier network and so on up the chain until you reach the supermarket shelf. Risk exists at every link in the chain, and as you move up that risk grows exponentially.
Additional risk comes through acquisition and growth. Take this example: Big company A buys small company B. From a security standpoint, it’s tempting to think all will be well. Afterall, big companies have big problems and small companies have small problems, right? Wrong. Big companies are big companies with big problems, and small companies are small companies with big problems. Now, Bigger Company AB has even bigger problems. A large meat packer that acquires a smaller meat packer, for instance, is now taking on that smaller company’s cyber risk, exposing the entire system to a weak security posture. And the public (even promoted) nature of mergers and acquisitions send up a flare that’s hard to miss for hungry cybercriminals hunting for lucrative targets.
Why NOT you?
As the joke goes, if you want to outrun a bear, you just need to be faster than the other guy. The same theory applies when it comes to escaping (or more realistically, mitigating) cyberattacks. You can never be 100-percent protected, but it behooves you to be better protected than the other guys. If the Danny Ocean of cybercriminals wanted to hack your system, he’s probably getting in. Luckily, most cyberattacks aren’t tied to suave criminal masterminds but more closely resemble a digital version of the smash-and-grab thief who’s just looking to make a few (million) bucks. They might leverage (lease or revenue share) the sophisticated malware, but their operations aren’t as sophisticated.
So how do you make yourself an unattractive target? There are some basic steps you need to be taking today to protect your data, your business, and your brand.
Phish tales. Like seafood, if it smells too “fishy” it’s likely going off. The same goes for suspicious emails. Be on the lookout for phishing emails, especially those that are specific to your industry. They may appear to come from familiar suppliers or buyers you have worked with in the past. Hackers like to island-hop, meaning they will come in through the front office and before you know it — if your operations aren’t segmented — they have the keys to the kingdom and are moving from the finance department to your operational technology (OT) automation systems. It’s critical that your staff receives security awareness training tailored to your industry. By now most people are savvy enough not to buy the “There’s a problem with your Amazon account” scam, but are they prepared for “Overdue invoice payment. Please pay immediately” or a notice of litigation sent from your best supplier or their law firm?
Keep it clean. Hygiene is important and not just the soap-and-water kind. Cyber hygiene is vital to keeping your enterprise systems secure. At the very least:
Keep your systems updated and patched.
Make sure everything is password-protected, preferably using multi-factor authentication, which offers an added layer of security. Definitely don’t reuse passwords across multiple accounts or devices. For more advanced security, Software Defined Perimeter (SDP) solutions that rely on the principle of Zero Trust are even better, albeit more complex and costly as you will need someone with the proper expertise to properly manage them.
Limit the administrative privileges granted to employees. Need to know only. Criminals often use compromised accounts to create new shadow employee accounts and promote their privileges to allow them access to security devices and critical servers. What’s worse, full privileges are too often granted to senior employees as if rank brings IT privilege and access. Yet these senior executives, who rarely (if ever) use their administrative rights, are the preferred prey of criminals looking for a sitting target with keys to your kingdom.
Invest in virtual private networks (VPNs), which provide a secure (and encrypted) connection between systems (email servers, file shares, etc.) and ensure that cybercriminals can’t eavesdrop on confidential traffic.
Don’t leave your OT servers (those that deal with machines and the systems that run them) internet-facing and unprotected.
Ask the pros. When it comes to protecting automation technology, it’s a good idea to get advice and help from professionals. Protecting an industrial control system (ICS) controller is more advanced than securing your laptop, and ultimately, the onus for protection lies with whoever anchors the supply chain. Don’t assume that everyone further down the chain is protecting themselves adequately … or even at all. Make sure you have a plan in place for when (not if) an attack happens and talk to your insurance provider about a separate policy to cover you against cybercrime.
The food and beverage industry plays a pivotal role in our everyday lives and health. Companies need to understand that regardless of size, they could be a target for cybercrime. There are financial gains to be made for hackers and the industry is a prime target for ideologically driven attacks. As attacks on healthcare services and providers over the course of the pandemic have shown, there’s no moral code among thieves any more. The oven mitts are off. Make sure you don’t get burned.
Mark Sangster is vice president and industry security strategist at eSentire. He is the author of No Safe Harbor: The Inside Truth About Cybercrime and How to Protect Your Business, and an award-winning speaker at international conferences and prestigious stages including the Harvard Law School and RSAConference. Mark has appeared on CNN News Hour to provide expert opinion on international cybercrime issues, and is a go-to subject matter expert for leading media outlets including the Wall Street Journal and Forbes when covering major data breach events. His 20-year sales and marketing career was established with industry giants like Intel Corporation, BlackBerry and Cisco Systems.