Cyberterrorism and Food Safety
The risk of cyber-attacks is growing in tandem with the food industry’s reliance on technology, writes David Burrows
In late January 2022 KP Snacks, owner of Hula Hoops and Tyrrells, was hit by a ransomware attack. Manufacturing and shipping were disrupted and shelves were left bare as experts surmised that the manufacturer was likely still making crisps but had no idea who had ordered what or where to send them. It was just the latest food company to succumb to a cyber attack.
Spar wholesaler James Hall suffered a “major IT outage” in December 2021, and pulled its network offline as it investigated a raid on its systems. Some 300 stores were affected, as were credit card payments, staff emails and the wholesaler’s website. The attack came with a ransom demand. Just prior to that, in October, Tesco’s website and app froze for two days as criminals attempted to “interfere” with its systems. This may have cost the company millions in lost sales (orders through its website can reach between £15 and £20m per day, according to The Grocer), and it could have been much worse.
“We've seen threat actors [that is, cyber criminals] target food manufacturers [with] increasing frequency and also ferocity,” explains Bernard Montel, technical director and security strategist at cyber security firm Tenable. These companies provide a very attractive target, he explains, and that’s partly down to the increasingly rapid adoption of cutting-edge technology across the entire food supply chain but it’s also because “nutrition is pivotal to our survival”.
“[They] know they can financially exploit many in the food sector by posing a threat to production, expose sensitive or confidential data–such as secret formulas, marketing plans, customer data–or even threaten to tamper with sensitive production systems or change a component in the process that could affect the quality of the end product,” adds Montel.
Indeed, the closer you look at the potential fallouts from a cyber attack on those involved in producing, processing, preparing and distributing food, the more nightmarish the scenarios become. What’s more, the risks have only been heightened by the pandemic and the current supply chain crunch that is impacting every category and threatening the just-in-time nature of the system. “You can only operate ‘just-in-time’ in a very stable environment,” explains Michael Bell, executive director of the Northern Ireland Food and Drink Association (NIFDA). The food supply chain is facing a number of threats to its resilience and cyber security is one of them, he adds.
So how significant is the threat and is it financial, reputational and disruptive or is there a food safety scare on the cards?
Speak to cyber security experts, or read papers detailing the assumed threats, and some in the food industry might think twice before turning on their computer the next day. “When these cyber attacks are carried out on a large scale as a terrorist act (cyber terrorism), there is a severe risk that food supply networks will stop functioning – potentially leading to deaths or social unrest,” warned the authors of Cyberespionage: socioeconomic implications on sustainable food, a chapter in the book AI, Edge and IoT-based smart agriculture.
Last year, JBS, which describes itself as the largest protein producer in the world, was forced to shut all its US beef plants following an attack. “Hackers now have the commodities industry in their crosshairs,” reported Bloomberg.
Different attackers have different motivations, ranging from activism and personal revenge, to geopolitical conflict. The most common motivation, however, is financial and these criminals are an observant bunch. “One of the reasons criminals appear to be favouring attacking food manufacturers is that these organisations typically aren't as mature in their cyber security measures as others”, explains Javvad Malik from KnowBe4, a software security business, but they have “a lot to lose if systems go down and could be more likely to pay the ransom”. JBS said it paid the $11m ransom “to prevent any potential risk to our customers”.
Counting (cyber) terrorism
Just how many food businesses have been attacked is almost impossible to tell – there is no requirement to publicly report unless there is a food safety issue. Attacks jumped 20% between 2017 and 2018, but the pandemic has brought even more opportunities, according to research in the journal Computers and Security.
Criminals leveraged salient events and government announcements to craft and execute campaigns against the public but the shift to homeworking also opened up holes in systems and opportunities to catch employees off-guard with phishing emails. SonicWall reckons there were 623.3 million ransomware attacks globally last year, up 105% on 2020. These included “countless” attacks on Irish businesses, the company said.
The malware being deployed is more sophisticated and the hackers are evolving quickly, explains Daniel Hefft, academic director of the Institute of Food Sustainability and Innovation at University Centre Reaseheath and one of the authors of the Cyberespionage paper. “It’s a constant fight,” he explains.
Indeed, the global expansion of cyberspace is changing the way we live, work and communicate, and transforming the critical systems we rely on in areas such as finance, energy, healthcare, transport and food distribution. Technology is infiltrating and running more and more of the food supply chain – from the precision technologies and robotics used in agriculture to big data and mobile technology used to forecast crop yields and personalise the shopping experience for consumers.
Software also controls much of the food industry’s safety systems, like sanitation, traceability and ingredient monitoring (such as allergen detection). Electronic tracking, tracing and verification of every part of a food company’s production system has its advantages of course. “There are huge amounts of data flows taking place now,” explains Erik O’Donovan, head of digital economy policy at Ibec, “and there are huge benefits to that in everything from manufacturing efficiencies to food safety”. Digital transformation is certainly one of the key strategic drivers for food companies.
This is all good news. Traceability is paramount to food safety, for example, allowing companies and countries to manage required recalls and spot problems before they present a risk to the public. Manufacturers are also adopting IoT (Internet of Things) technology at record pace.
However, the risk of cyber attacks is growing in tandem with the industry’s reliance on technology. “I could probably list 20 different ways in which you could start to change things [in a food processing plant] that would cause food safety risks,” explains Professor Chris Elliott from QUB’s Institute for Global Food Security.
Something as simple as changing the temperature at which food is stored could result in warehouses full of food no longer being safe for consumption, for example. Some of the possible infiltrations are the stuff of sci-fi movies but regulators are wary of the repercussions if this becomes a reality. “[...] malicious cyber-attacks, or hardware/software failures within such complex automated systems raise the prospect of mislabeling or misinforming on millions of items creating serious public health issues,” noted a report by the University of Cambridge commissioned by the Food Standards Agency last year (Emerging technologies that will impact on the UK food system).
Indeed, a more subtle risk for the food industry is what one 2007 paper referred to as the “silent killer”, which aims to change food formulation to make it unsafe for human consumption. “It’s not hard to imagine a more malicious attacker changing the ingredient mix or potentially introducing unsafe substances, with potentially far more devastating results,” says Simon Walsh, an Ireland-based IT security specialist with Trend Micro.
Thankfully that hasn’t happened yet. However, in February 2021, a hacker infiltrated the systems of a water purification plant in Florida, attempting to pump in a ‘dangerous’ amount of a chemical that could have poisoned the water supply. As attacks on critical infrastructure increase, we've seen sentiment to previously off-limits targets change, as that case illustrated, notes Montel from Tenable. On the back of the JBS attack, one expert claimed that a ransomware attack on a food maker would “very likely compromise the company’s ability to produce safe products”.
Adulterating products, turning down cold units or editing labels are all possibilities but the majority of the attacks are more likely to involve disruption to the supply chain. “If you look at the KP example that was about messing around with the [systems] so they couldn’t do invoices, process orders and dispatch stuff,” explains Dominic Watkins, partner at law firm DWF. “It’s that level of interruption you are probably talking about.”
These are high stakes, though, especially given the highly complex nature of today’s food systems. In a paper on long-term UK food security and resilience, the Food and Research Collaboration noted that the high and increasing reliance of the food system on IT for just-in-time logistics, infrastructure and financial transactions points to its “vulnerability to cyber attack”.
Hefft presents the case of a line of margherita pizzas, the production of which may rely on a number of growers in a number of countries. One “fail” in the system can see everything come crashing down (and faster than ever in the current environmental, commercial and geopolitical climate). Food processing today is highly vulnerable because “it’s got so large and so complex”, says Hefft, and also because food is cheap. High quality, safe, sustainable food comes at a price, and that price must include investment in IT infrastructure and the security to protect it.
The lack of investment in this space comes up during a number of conversations with experts. This includes not only cyber security controls and software but awareness training for staff, as well as contingency plans in the event of an attack. JBS said it spends more than $200m annually on IT in the US and employs more than 850 IT professionals globally, and still its defences were broken.
Cracks for the criminals
Older systems that have been patched together over the years can be found in many food businesses. Some say this offers a degree of resilience to attacks; others say it just means more cracks for attackers to exploit. The keys can sometimes be found on the internet in publicly available manuals. “As the energy, financial, and healthcare sectors harden their defenses in response to attacks, it’s safe to assume criminals and other threat actors will move on to lower hanging fruit,” the paper on cyberespionage reads. “This could well be the food industry.”
JBS, KP, Tesco and others can all testify to the fact they already have – and they aren’t going away. This has already led to financial and reputational costs for the victims, but future attacks could come at an even bigger price. “The consequences of suffering an attack and failing to defend it are already disastrous and will only become more grave as more and more consumer data is online,” according to retail experts at Global Data.
Health data is a particularly sensitive example, they wrote. “Consumers may soon entrust retailers with their health data so that they can select products that support their health objectives. They will take a very dim view of retailers that let such data slip.”
For many food businesses, cyber security is currently seen as an irritating necessity (cyber insurance costs have also jumped of late). But maybe it should be seen as an opportunity to win consumer trust before it’s too late? “The UK supply chain is incredibly vulnerable and if anybody thinks otherwise they are kidding themselves,” Matthew Gribben, CTO of Signal Vision and former GCHQ cybersecurity officer, told The Grocer recently. The cyber security threat to food safety and security is no joke, it seems. “Maybe it’s next year or the next five years but we will have some massive blow up,” says Hefft.
About David Burrows
David Burrows is a freelance writer specialising in sustainability within the food chain. A graduate in agricultural sciences, he researches and writes features and reports for publications including Just-Food.com, FoodNavigator.com, FoodserviceFootprint.com, Poultry Business, Pig World, The Grocer, and Transform.