Last month, fruit-and-veg giant Dole revealed it had been a victim of a ransomware attack. The company claimed the impact on its operations had been “limited” but it has been reported the cybersecurity breach resulted in a shortage of some products.
“It was disruptive to [the] fresh fruit and vegetables division and our Chilean businesses in particular,” CEO Rory Byrne told analysts and investors on the company’s 2022 financial results call last week. “More positively, we moved quickly to contain the threat and engaged leading third-party cybersecurity experts and we will be working in partnership with their internal teams to remediate the issue and secure systems.”
Unfortunately for the food industry, the attack was not an isolated incident. In 2022, Canada-based meat-processing group Maple Leaf Foods was hit by what the company said at the time was a “comprehensive” breach.
Michael McCain, the group’s executive chair and CEO, said last week the incident was “insidious, impacting our business in multiple ways”.
He added: “In real time we had to pivot the business from a highly efficient network of operations, one that is highly automated from orders to manufacturing planning, to inventory picking receipts and payment, to a business that had to run entirely on a manual basis.”
The same year, across the Atlantic in Germany, Apetito, the Germany-based frozen-food supplier, revealed a cyberattack on its operations, while UK-based KP Snacks said it too had been affected by ransomware.
In 2021, meat giant JBS was the victim of a ransomware attack that disrupted the company’s operations in North America and Australia. It later emerged JBS paid the gang a ransom of US$11m to release its files.
And those are just the attacks we know about. According to Malwarebytes, in 2020 cyberattacks against the food and agriculture sector increased 607%. In 2021, the FBI released a private industry notification warning the food sector about the danger of ransomware attacks and, in the final quarter of last year, US cybersecurity company Dragos reported the food and beverage sector was the victim of more attacks than any sector other than manufacturing.
The cybersecurity threat to food industry is growing
Assessing the threat level to food companies from cybercriminals is not easy. Due to the sensitive nature of the topic and the potential damage – both financial and reputational – cyberattacks can wreak, executives do not like to discuss the subject.
As John Hoffman, senior research fellow at the Food Protection and Defense Institute at the University of Minnesota, explains: “Few such attacks are made public due to brand protection concerns. Attacks, like the one targeting JBS, are the exception. In that case, the shutdowns were so extensive that the event could not be denied.”
The cyberattack threat to the food industry is not a new threat, but it is a growing, evolving and increasingly serious one, according to Sue Newton, GB food and drink practice leader at insurance major WTW.
“We’ve seen substantial losses to businesses in the sector from ransomware attacks, including several global food manufacturers, which resulted in one brand having to pay a multi-million-dollar ransom to restore their operations,” says Newton.
The threat has grown due to the pandemic, which saw lots of companies switch to remote and hybrid work overnight without having time to put in place relevant security protocols and systems.
Before Covid-19, the food industry was already moving towards the greater use of automation, robotics, AI and the internet of things (IoT) in the form of sensors on factory floors. The pandemic only served to accelerate this push and, in turn, heightened the risk level as embracing these technologies has introduced lots of vulnerabilities that would not have been on the security radar of food companies historically.
“The issue with the food and drink industry is that they are considered more vulnerable because the operational technology underpinning production has increased but cybersecurity measures for businesses in the sector haven’t been sufficiently considered, so many companies are now having to play catch up,” explains Newton.
“While other sectors have heightened their cybersecurity action over the last few years, mainly due to regulation, food and drink manufacturers haven’t been led by the same imperatives, which has led to comparatively lower capital investments in cybersecurity in some businesses, making them easier targets for cybercriminals.”
Hoffman says part of the problem is there has been a lack of governmental focus on reducing the cyber risks threatening the food and agriculture sector when compared to the attention paid to cybersecurity in the finance, chemical, energy and transportation sectors. Food companies, therefore, are seen as softer targets, he adds.
“Further, the cyber crooks have realised that many smaller- to mid-sized food and agriculture firms lack IT expertise in-house, they use older systems, and they are connected, via the web to the larger, wealthier firms in the supply chains. So, they offer a pathway into the systems of other firms.”
It is a view shared by Jason Vandenberg, cybersecurity services sales executive at US-based automation services supplier Rockwell Automation. Vandenberg says the cybersecurity threat has been on the radar at board level of the big food companies for some time but smaller food groups and suppliers to the larger groups are struggling to come to terms with the challenge.
“They’re realising that just because they’re a small, regional food and beverage company with four to five plants versus a large conglomerate, multinational with 100 plants, they’re not less of a target,” says Vandenberg. “In fact, we would argue that what we’ve seen is more [cyberattacks] targeted at those small- and mid-range companies because they don’t have the same level of budgets as the big guys and their legacy systems are just as unpatched and insecure as anyone else’s. The attackers can make more progress in those environments than they can with the big guys.”
Digitisation creates vulnerability
And the increased use of automation in areas such as food processing and precision agriculture has only served to exacerbate the problem.
“A consequence [of the automation push] is that many cyber controlled/managed components are actually legacy systems that still rely on outdated OS but still function quite reliably, even if vulnerable to exploitation and attack,” says Hoffman.
“Changing/upgrading all of them across the sector will be a significant challenge. And that automation is, indeed, increasing as workforce cost goes up and staffing challenges abound. More functions are also being automated as robotics improve and efforts to cut waste, lower costs and even to address climate impacts – such as cutting water use and emissions – become higher priorities.”
The objectives of the attackers targeting the food sector range from supply chain disruptions and ransomware deployment through to IP theft.
“We know China has cybercriminals focused on the IP to find out about who sells what to whom, for how much and from where,” says Hoffman. “This gives them targets to exploit or even the most lucrative to buy in the US food and agriculture infrastructure.”
Most food companies are acutely aware of the dangers of cyberattacks but do not necessarily have access to the right resources or revenue to prevent cybersecurity incidents, according to Newton.
“Previously, the production line would have been largely independent from the IT environment, so if there was any malicious activity, production could have continued. And as there has been less regulatory oversight around cybersecurity in the industry, there’s less urgency to drive better security and risk reduction.
“Also, as technology becomes more integrated into the production environment, in some cases, these new technologies and operating environments are being implemented, operated and managed not necessarily by cybersecurity experts, but by manufacturing specialists or an IT function that doesn’t specifically own cybersecurity within the business, which means they’re not putting the correct measures in place, making them more vulnerable to attack. It is also a challenge attracting and retaining cybersecurity professionals in the current highly competitive market.”
It is a challenge many food companies are trying to tackle head-on. A survey by US trade body the Food Industry Association undertaken last year found 85% of food companies have increased their cybersecurity budgets in response to the growing threat.
“However, there is room for improvement, and many companies may not be doing enough to protect themselves from cyber threats,” says Kristin Demoranville, CEO and founder at AnzenSage, a recently-launched cybersecurity consulting firm in the US.
According to Demoranville, food producers need to consider several factors when implementing a strategy to mitigate the risk of cyberattacks. “First and foremost, they must ensure that they have traditional solid cybersecurity measures, firewalls, anti-virus software, and intrusion detection systems,” she says.
“They must also regularly update and patch their software to address known vulnerabilities safely within their production environments. Additionally, food producers should ensure their employees are trained in cybersecurity best practices and are aware of the risks posed by phishing emails and other social engineering tactics. Finally, food producers need a comprehensive incident response and business continuity plans to respond quickly and effectively during a cyberattack.”
Constantly monitoring the threat of cybersecurity attacks is also vital. As Colin Tankard, managing director of UK-based Digital Pathways, says, it takes minutes to hack but it can take months to discover the breach.
“Where we have worked in retail, we do see some companies that don’t have some of those controls and some of those checks in place to monitor for unusual behaviour,” says Tankard, “Surprisingly, even the bigger organisations tend to put more of their money into IT for maintaining the business and not necessarily for maintaining security. It’s almost like it’s a secondary thing. But organisations really do need to monitor what is going on.
“That comes down to looking at your logs. That might be logs from servers, from your website, from your CRM system, from your firewalls, just to see if anything unusual is happening. And because there’s a lot of information that comes into a business you’ve got to really put that information into some sort of SEIM [security enterprise information management] system that will put everything into the right categories, so you can see a pattern.”
Don’t capitulate
If a company does find itself the victim of an attack, cybersecurity experts say food companies must not capitulate to the demands of hackers and pay a ransom.
As Tankard says: “If they know you’ve paid once, they know you’re going to pay again, so they’re just going to come back and knock on your door. Even if you do pay, you’re never sure if all the bad stuff has been taken away.”
Rockwell’s Vandenberg agrees. “I have yet to see a company pay a ransom and successfully come out ahead. We see companies that are still being pulled into legal fees three to five years after an attack because now they’re getting sued by somebody whose data may have been exposed.”
He says Rockwell has detected a growing aversion from companies to paying ransoms to hackers and some governments globally are reportedly considering introducing an outright ban on making ransomware payments.
This is a threat that is not going to go away any time soon and, as a result, those companies in the food industry that have yet to ramp up their cybersecurity protocols need to start taking the problem seriously otherwise they risk being the victim of an attack that could be devastating, warns Demoranville.
“The cyberattack threat to food producers is a pressing concern that warrants seriousness,” she says. “The food industry is facing critical situations due to the increased digitisation of the sector, which has expanded the attack surface for cybercriminals and created more opportunities for them to exploit vulnerabilities. While many food producers are taking steps to protect themselves, there is room for improvement.”
For companies operating in North America at least, an eye-catching line on costs emerged from Dole’s results call last week, with Byrne conceding the company does not expect to recover the lost sales, including through insurance. “I suppose the simple answer on that is no,” he told an analyst. “Insurance is prohibitively — you can’t actually get insurance in North America for cybersecurity at the moment.”