The Growing Threat of Cybercrime in the Food Chain Demands a Security Rethink
Cyberattacks remain in the headlines, with many industries finding their systems breached, their data exposed and their money lost. The food industry has been hit particularly hard by the threats posed by ransomware.
But while food businesses are aware of these threats, many remain unprepared to counter the risk and have been slow to heed the warnings. Up until now, food suppliers and sellers have been more worried about food quality and safety and getting products on shelves on time than they’ve been about potential cyberattacks.
Cybersecurity experts are quick to warn that this is a case of “when,” not “if.” Some experts predict that organized cyber food crime could plague the industry in a few years’ time — from companies stealing one another’s secret formulas to hackers tampering with food. At the same time, the U.S. FDA’s 2011 Food Safety Modernization Act, considered one of “the most sweeping reforms of our food safety laws in more than 70 years,” is demanding that companies develop a food defense plan. Legally, however, they do not have to address cybersecurity breaches.
“Ransomware continues to be the most impactful cybercrime in the U.S. and the world, and the numbers are staggering,” says NSF IT Security Senior Director Joseph Pelukas. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses, according to the U.S. Federal Bureau of Investigation.
“It is critical that senior leadership within food manufacturing businesses is engaged in supporting and building a culture of information security,” says Rhia Dancel, NSF’s Information Security Lead. “If management makes information security a priority, that mentality trickles down to the entire organization.”
Working closely with worldwide leaders on the front lines of cybersecurity in the food industry, our NSF experts are eager to help. Here they discuss the biggest risks currently facing the food sector, including cyberattacks, and offer these tips for increased cybersecurity and privacy standards to protect the food supply chain:
- Learn the consequences. The dire results of cyberattacks can include system outages, ransomware and more. The interconnectedness of supply chains gives attackers the advantage of a single entry point to infiltrate the entire system, according to Pelukas. One of the most serious threats is food tampering, with malware turning food itself into a weapon of terror. Cybercriminals can hack into food processing, transportation and storage systems to spoil foods and cause food poisoning and food shortages.
- Know your weak spots. Nowadays, every step of the food supply chain involves a smart device or sensor that connects to centralized control systems.
  - We know that industrial control-system machines on a manufacturing plant’s floor are particularly vulnerable. All it takes is social media combined with that vulnerability to carry out an attack.
  - In a worst-case scenario, hackers could infect food supply chains with a random phishing attack, using the threat of lost profits — by switching off machinery, rerouting deliveries or delaying shipments — to demand a ransom.
  - Stealing trade secrets is another realistic security threat. An insider’s view of plant processes and intellectual property is an asset that should not be stored in an electronic system. Information theft is one of the most common types of loss for U.S. companies affected by cybercrime.
- Adapt. Facing an increased occurrence of cyberattacks and their dire consequences (the cost of system outages and ransomware), as well as new threats originating from cloud migration, industry leaders have been forced to adapt, says Pelukas.
- Start with the basics. The focus should always be on the basics: consistent security awareness training, phishing simulations, keeping passwords secure and maintaining updated systems by deploying patches on a timely basis.
- Add more protection. NSF-ISR’s basic security assessment and ISO 27001 certification provide a security framework to help businesses better manage their data and information. NSF-ISR works with organizations like the National Institute of Standards and Technology (NIST) to offer such security frameworks.
- Be aware. Be keenly aware of what is going on with the cybersecurity status of competitors and within your own company by implementing an open-source intelligence program for “red-teaming” assumptions and uncovering primary threats.
- Build monitoring and intelligence into your systems. Increase situational awareness with dynamic threat intelligence built on machine learning frameworks. With more comprehensive data access, the industry can leverage opportunities to customize these frameworks within specific business processes and decision points on a global scale.
- Look to regulators. Finally, at a regulation and governance level, food manufacturers must rely on the latest guidelines released by the Department of Homeland Security, the NIST, the Federal Trade Commission and industry interest groups to address low-hanging fruit in terms of security and to minimize these threats.