The Necessity of Cybersecurity in the Food Industry
Currently, the food industry is increasingly adopting intelligent manufacturing in line with the trends of Industry 4.0. A growing number of ICT (Information and Communication Technology) solutions are being utilized to optimize production lines, enhance quality and efficiency, and meet the high standards that consumers have for food safety. However, within the deep digital transformation of the food industry, cybersecurity has become a pressing issue. Should the computer systems controlling valves, monitoring temperatures, or adjusting food additive mixtures be tampered with, the result would translate to severe food safety issues. Recent events have highlighted the vulnerability of this industry, demonstrating how cybercriminals are increasingly targeting the food supply chain. Below is a summary of some key incidents:
Table 1. 2020-2022 Cybersecurity Incidents in the Food Industry
Kroger Food Company’s subsidiary, Home Chef, faced a security breach, with its users' login details being sold on the dark web. This security incident did not pose a threat to the food supply, but it increased risks for consumers.
Hackers carried out an attack on the company using REvil ransomware, stealing a large volume of sensitive files and threatening to publicize them. This attack exposed several sets of data within the corporate sphere, including financial and personal details.
In a larger-scale event involving a Blackbaud attack, sensitive customer information of Loaves & Fishes was compromised. Although there is no evidence at the moment to suggest that this data has been sold online, the potential risk lingers.
A primary distributor of Asian foods suffered a ransomware attack, resulting in the shutdown of several IT systems. Although the company quickly resumed normal operations, the incident still affected JFC International’s European group.
One of the world’s largest meat processing groups faced a serious cyberattack, causing several factories in the United States, Canada, and Australia to halt production. This incident created significant bottlenecks in the global meat supply chain, affecting market prices and supply volumes.
Schreiber Foods, a company that mainly concentrates on yogurt, processed cheese, natural cheese, and cream cheese, experienced system paralysis in its factories and distribution centers due to a ransomware attack, meaning the systems necessary for their operations could not be used.
UK’s major leisure food manufacturer, KP Snacks, was attacked by Conti ransomware. This resulted in disruptions to their manufacturing and transportation processes that not only hindered the company’s product output, but also affected numerous large supermarkets that were distributing its products.
Frozen meals mixed manufacturer Apetito and its owner Wiltshire Farm Foods both suffered a Hive ransomware attack in June, rendering IT-supported systems inaccessible. This stymied the process of placing orders and interrupted distributions, affecting the ready-made meal supplies for many hospitals and nursing homes.
From the cases above, it is clear that many links in the food supply chain are interdependent. When a problem occurs in one link, it has the potential to affect the entire ecosystem. Therefore, maintaining cybersecurity is not just about protecting individual companies from attacks, but it is also a critical factor in ensuring the stability and sustainable development of the entire food industry. To this end, every company within the industry must strengthen its cybersecurity defenses and raise employee awareness about this vital issue.
Cybersecurity Challenges Facing the Food Supply Chain
Despite the national food supply chain being one of the 16 critical infrastructure sectors as designated by the US Department of Homeland Security and also a crucial entity under the EU’s NIS2 directive, cybersecurity in this sector often takes a back seat compared to other sectors such as aviation or power grids. One reason for this reduced focus on vulnerability and potential threats is the history of smooth operations in industrial automation, which has established a precedent.
Cybersecurity Modernization Lagging Behind Digitalization
The food and agriculture industry relies on high levels of automation to maintain low prices and steady distribution. However, the dependency on this technology has surpassed the pace of cybersecurity modernization. Criminal organizations have begun exploiting various avenues to attack and infiltrate the food supply chain, with a series of events from 2020 to 2022 illustrating the escalation of threats faced by the supply chain. Firstly, it must be acknowledged that IT and cybersecurity are distinct domains requiring different strategies and skills. Second, small and medium enterprises (SMEs) need to understand that they are prime targets for cyberattacks and should not rely solely on external IT service providers for cybersecurity. Additionally, the interconnectivity of modern and legacy systems often introduces security vulnerabilities, while cost-cutting measures can impede necessary system updates and upgrades.
The Myth of Air-Gapped ICS/OT Networks
It is generally believed that food production systems are isolated from the internet, and thus safe from the threat of cyberattacks. However, this has proven to be a false sense of security, as attackers might exploit certain temporary channels (such as remote maintenance), misconfigurations, deceive employees or contractors into installing bogus software updates and patches, or introduce malicious software into the industrial network through USB drives. In fact, as demonstrated by the REvil ransomware attack, attackers do not necessarily need direct access to these production systems to halt production. They can first gain access to corporate networks or exploit vendor systems, and then pivot to OT/ICS networks to achieve this goal.
Vulnerabilities of Legacy Systems
Food processing systems often rely on legacy software platforms, with some having a history of over 20 years, featuring ancient codes that cannot be updated or patched. This situation heightens the vulnerability of the food industry as it offers attackers more opportunities to exploit these weaknesses. It is crucial for stakeholders in the food supply chain to acknowledge and address these challenges, fostering a more secure environment for the food industry’s infrastructure, and subsequently ensuring the safety and stability of the food supply to the populace.
EU NIS2 Directive Mandates Cybersecurity Implementation in the Food Supply Chain
Previously, the requirements of the NIS directive were confined to seven sectors: energy, transport, banking, financial market infrastructures, health, drinking water supply, and digital infrastructure. This implied that member states were not obliged to enforce cybersecurity prerequisites in the food supply chain. Fortunately, in light of changing threat scenarios, the EU NIS2 has broadened its predecessor’s scope to recognize (i) food production, (ii) food processing, and (iii) food distribution related services as important entities, thereby formally including the food industry as a regulated sector. Consequently, all medium and large entities in the food supply chain may potentially face risk management and reporting obligations across the EU in the future. However, small enterprises remain exempt from the NIS2 requirements unless they are deemed pivotal to public security, public safety, or public health by member states.
Strengthening Responsibility and Obligations in the Food Supply Chain
Under the NIS2 requirements, food companies and other regulated service providers will assume the following responsibilities:
Entities in the food sector must notify and register with national regulatory bodies within a stipulated time period after meeting designated standards, ensuring a compiled list of all entities within the scope. Generally, EU member states permit self-registration mechanisms, where entities are required to furnish details such as name, sector and sub-sector, address, and up-to-date contact information (including email, IP range, phone number, etc.).
2. Cybersecurity Risk Management Measures
Article 21 of the NIS2 requires food companies to manage cybersecurity risks concerning networks and information systems used for service provision or maintaining operations through appropriate and proportionate technical, operational, and organizational measures. Organizations also have to consider implementation costs, and relevant European and international cybersecurity standards, ideally adhering to the principle of proportionality to avoid undue economic burdens on essential entities. This involves at least the adoption of the following security measures:
a) Risk analysis and information system security policies
b) Incident handling
c) Business continuity
d) Supply chain security
e) Safety in acquisition, development, and maintenance
f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures
g) Fundamental computer hygiene and training
h) Adequate strategies for password usage and encryption
i) Human resource security
j) Utilization of multi-factor authentication, secure voice/video/SMS communication, and secure emergency communication where applicable
3. Incident Notification for Food Companies
The EU had already established incident notification obligations in Article 23 of NIS1 and asserted in Article 24(1) that Operators of Essential Services (OES) should notify, without undue delay, all significant incidents affecting the availability, confidentiality, integrity, or authenticity of the network and information systems upon which their essential services rely. Thus, incorporating the stipulations from NIS1, food companies newly categorized as essential entities are now mandated to promptly report any incidents significantly impacting their provided services.
Table 2. Incident Notifications Guide for Food Companies’ Compliance
Within 24 Hours after becoming aware
Within 72 Hours after becoming aware
Upon government request
One month after submission of initial notification
Source: European Commission
Implementing Supervision and Enforcement in Food Industries
Enforcement measures encompass inspections by national cybersecurity management agencies and auditors, followed by any subsequent corrective actions, which include: (1) issuing warnings for non-compliance; (2) releasing binding directives; (3) ordering the cessation of non-compliant behaviors, or other incident response actions. Besides the reactive approaches to supervision and enforcement, administrative fines can also be levied according to the stipulations in Article 31. These fines represent a sanction mechanism deployed if there are violations pertaining to legal obligations. Important entities could face fines up to 1.4% of their previous year’s global revenue or at least 7 million euros, whichever is higher. In certain circumstances, to reinforce improvements amongst regulated service providers under the obligation system, additional administrative penalties might be imposed, such as the suspension of certifications or a halt in managerial functions.
Keeping Food Supply Chains Secure
As stipulated by NIS2, the food industry may need to exert greater efforts in cybersecurity. Many companies in this sector can take measures to protect themselves from threats. We believe that businesses involved in the food supply chain can bolster their cybersecurity defenses and streamline NIS2 compliance through the following integral approaches:
Supply Chain Security
One of the primary threats in OT environments comes from external suppliers, contractors, and assets. Therefore, it is crucial to audit them periodically before the new and external equipment is integrated into or enters the production line, and even outside the production line. Utilizing a Portable Inspector facilitates compliance checks on each machine before deployment, including detecting installed applications on the assets, the presence of malware, and identifying open internet ports on the network. These checks help prevent supply chain attacks before they commence.
Endpoint Detection and Response
Endpoint protection is critical for detecting malicious activities and ensuring network integrity. TXOne Networks has pioneered a new model in the protection domain through TXOne Stellar. Tailored specifically for OT/ICS environments, its primary goal is to guarantee the uninterrupted operation of OT/ICS devices and physical systems. Simultaneously, it excels at identifying and promptly addressing network threats, all while consistently aligning with the objectives of both business and security teams. It employs Cyber-Physical System Detection and Response (CPSDR) to prevent any unintended system changes from affecting operations. CPSDR uniquely identifies each device and monitors changes in its normal functioning, detecting unexpected alterations and abnormal behaviors through deviation and real-time behavioral analysis. These changes are then mitigated before they can have any impact. Meanwhile, it introduces proven network threat detection and response concepts from EDR into operational threat protection, supporting common goals. With this new dual perspective, security teams can reduce the risk of cyberattacks, while OT teams can lock configurations, enabling each team to fulfill their roles without jeopardizing operational continuity.
By separating production from business networks and breaking down the production network into smaller parts, food cybersecurity managers can enhance security. Logically dividing it allows for partial isolation of company infrastructure if suspicious activity is detected in another part of the network. As mentioned, even segmented infrastructure could be affected by malware introduced into a section of the network, such as during a software update. However, segmentation can prevent malware from spreading throughout the enterprise. TXOne’s network defense products can assist with network segmentation and segregation, dividing the network into distinct control zones, even down to the cell level.
Clear visibility is crucial for strong ICS security. A centralized network monitoring and control solution such as TXOne’s EdgeOne can provide defense line management and clear visibility into all installed ICS assets, including their connectivity and security status, with real-time alerts and incident events. The ability to perform all node maintenance tasks from a centralized dashboard facilitates tasks such as managing and deploying different security policies or signature-based virtual patching, editing OT protocol trust lists, or deep analysis of L2-L7 networks by node group.
Secure Remote Access
Many cyberattacks potentially involve remote access, hence it is advised that businesses deactivate all unused Remote Desktop Protocol (RDP) ports to diminish security vulnerabilities and persistently monitor remote access and RDP logs to promptly identify and respond to any suspicious activities. Furthermore, businesses should only utilize secure network connections; for instance, considering the installation and use of Virtual Private Networks (VPNs) to guarantee secure remote access. An example to note is that EdgeFire can establish secure site-to-site VPNs with remote access capabilities, thereby shielding OT networks from unauthorized access or interception.
When vulnerabilities are identified in computer systems and software, suppliers regularly offer patches and updates to protect their clients. It is essential to promptly install updates/patches for operating systems, software, and firmware as soon as they are released. If the enterprise cannot immediately update the systems due to production availability considerations, it is recommended to implement virtual patches instead. TXOne’s network defense of products facilitates a powerful and up-to-date initial defense against known threats for corporate factory networks. This enables users to have better control over the patching process, create proactive defense strategies during events, and provide additional protection for legacy systems.
Privilege Management and Password Policy
Food enterprises should employ multi-factor authentication (MFA) in all possible realms, complemented with robust password strategies to enhance account security. For instance, ensuring the periodic modification of passwords for all network systems and accounts within the shortest acceptable time range, or avoiding the use of identical passwords to safeguard multiple accounts to reduce potential security risks. Moreover, enterprises should meticulously allocate and control administrative privileges; for example, permitting only users with administrative rights to install new software, and adopting the principle of least privilege in access policies. In other words, businesses should allocate access controls based on the principle of least privilege to reduce the risks of internal and external threats.
Ensuring Business Continuity
In the food industry, ransomware attacks have emerged as a severe issue. They hinge on threat actors utilizing specially designed malicious software to restrict organizations from accessing their vital data resources. These assailants undermine the operational capacity of food manufacturers by limiting their access to core business systems, thereby increasing the likelihood of securing ransom payments. To fend off such attacks, businesses need to adopt fortified data protection and recovery strategies. A cornerstone strategy is instituting a backup solution that involves regularly creating current copies of data and isolating them to avoid becoming a target for attackers. These backups should maintain air-gapped isolation with the original files to remain unaffected during a ransomware attack. Moreover, a secure mechanism should be in place during the data backup and transfer processes to guarantee end-to-end data integrity. TXOne Networks’ Portable Inspector offers a unique method for secure data transfer and storage in an offline environment. It not only facilitates malicious software detection during the transfer process to ensure data integrity but also comes equipped with AES-256 encrypted secure storage, affording complete protection for your workplace file transfers.
The food industry is a pivotal segment of the economy, increasingly reliant on digital systems for operations, akin to healthcare, energy, transportation, and financial services. Hence, guarding against significant cyber threats is becoming more and more essential. The NIS2 directive aims to ensure that critical industries employ modern cybersecurity defenses to protect the global food supply chain. Furthermore, placing network security at the forefront is imperative when designing new automated systems. These fresh mandates will take effect in the second half of 2024. TXOne Networks stands prepared to assist the food industry in tackling cyber threats and simplifying compliance with NIS2.
Our solutions, grounded in the four cornerstones of OT zero trust, generate custom-built, OT-native, innate defense security policies to safeguard operational integrity, shield the supply chain from assaults, and maintain operational continuity. If you wish to delve deeper into the repercussions of NIS2 on your industry, we invite you to read TXOne Networks’ latest cybersecurity report: “Mastering the NIS2 Directive: Achieving Cybersecurity Compliance”.