Is the food sector prepared for cyber attacks?


February 17, 2023 - As production and distribution become more automated within the food sector, the vulnerability of food manufacturers increases along with the odds of a cyberattack. With profit, efficiency, and productivity at the top of most organizations’ priority lists, security has become more of an afterthought.

A recent poll conducted by BSI revealed that 78% of respondents do not think their food organization is prepared for a cyberattack, showing that huge steps still need to be taken to enhance trust and resilience. It’s now a priority to start thinking about how we can protect society, protect our food, and protect IT systems.

Threats that face our food

There are four significant threats facing the food industry:

  • Food fraud: the act of intentionally deceiving consumers about the true nature, ingredients, or origin of food.
  • Food defence: a weak defence of the production line means a higher risk of intentional contamination or tampering.
  • Food quality: poor-quality food can potentially cause illness or harm to the consumer.
  • Food safety: consuming contaminated or spoiled food can lead to illness or injury. Food can become contaminated by a variety of means, including exposure to harmful bacteria, viruses, toxins, or chemicals.

These threats are all interconnected with digital technology and internet connectivity, with security at the heart of all of it, whether that involves the Internet of Things (IoT), operational technology (OT), or an internet-connected device.

Security means monitoring the equipment that’s being used to test for food fraud, which helps us with food defence, food quality, and food safety. With all these new digital systems, we must ask ourselves: are we doing the right things for our food? Is that technology really necessary, or is it just a ‘nice to have’ that’s making the production line more susceptible to an attack? Are we keeping our friends and family safe?

Consequences of a cyberattack in food manufacturing

If there is a cyber breach of industrial control systems (ICS), a hacker can tamper with temperature controls or sensors or even leave cattle stranded in water. For example, Hood Milk in New Hampshire, USA, was struck by a ransomware attack, resulting in schools in the county going without milk for several days.

There are several potential consequences that can follow an attack, including physical harm to workers, financial loss, and destroyed equipment. Other potential life-threatening consequences include:

1. Compromised food quality

It’s not unheard of for bad actors to attack a food manufacturer’s ICS to inject chemical agents into food. This has become a stark reality and is being actively investigated by the Department of Homeland Security. Attacks like this can lead to damaged brand reputation, financial harm, and employment loss.

2. Illness or loss of life

Taking cybersecurity seriously is not just about protecting data and the availability of data; it's about protecting human lives. The World Health Organization estimates that 600 million people, almost one in ten people in the world, will fall ill after eating food contaminated by chemical agents, bacteria or viruses. They also estimate that 420,000 people die each year as a result, leading to a loss of 33 million healthy lives. Prioritizing people puts a new spin on how you see the creation of security controls specifically and how you can interact with people in that environment to make it safer for them.

Follow along with more industry insights from BSI’s Mark Brown. To read further news on Digital Trust and Environmental, Health, and Safety topics that should be at the top of your organization's list, visit BSI's Experts Corner.