Food and Beverage Industry Cyber Security Risk Management: Does a HACCP-Based Food Safety Culture Provide Solutions?
By Colonel John T. Hoffman
Information technology systems, referred to by many as cyber systems, have become ubiquitous in nearly every component of our domestic and global food supply chains. While these systems bring substantial efficiencies and economic benefit, they can also become an Achilles heel in complex production systems and supply chains. Although strict food processing steps ranging from Hazard Analysis to system monitoring has improved food safety, the cyber controls and tools that are vital components within food processing systems may not be included in food safety system monitoring. These cyber-based components are often surreptitious pathways to the most important intellectual property, financial assets or process control systems, whether they are employed in production agriculture, transportation management, financial systems or as industrial controls. The use of widely available nefarious software tools provides crooks the ability to quickly and quietly break into almost any firm to disrupt the processes and operations or steal valuable information or money. As pointed out by a former director of the Federal Bureau of Investigation, there is little reason for crooks to rob banks in person these days. They can do it remotely, with far less risk and make a lot more money! Very often, a cyber penetration is merely a precursor or gateway to the actual crime. Such penetrations have led to ransomware attacks and have facilitated cargo theft via fictitious pick-ups.
While we all see the news and read about hackers and their cybercrimes, few think they will be targeted by hackers. The truth is that it has probably already happened and many firms may not be aware they have been compromised. In recent visits to a number of diverse food firms, I have seen a disturbingly common situation where food processing control cyber systems are utterly unprotected. Owners and operators may not even have systems in place to detect compromise even though data from a variety of technology security event tracking firms confirm that the Retail and Food and Beverage sectors are more often attacked than banking and financial firms! The simple fact is that the food industry has evolved from a manual, hands-on and labor-intensive manufacturing profile to a largely automated environment that exploits a variety of information technologies and industrial controls. Some systems are based upon highly proprietary, custom software code, while others are simply off the shelf technologies that are widely used. However, nearly all are based on common and often outdated operating systems such as Windows 98, early Linux, IBM AS 400 (a version of UNIX) or even ZENIX. Even when newer, more sophisticated operating systems are employed, few protections may be in place for manufacturing floor industrial control systems. Worse, these control systems within a food manufacturing facility are often networked into other company administrative, financial, and management operating systems. For example, it is common to find the industrial controls networked with transportation management systems and purchasing management systems. Those small Internet of Things items within a firm can be the very tools used by hackers to attack or gain access to steal from or disrupt the operations of the firm.
This lack of protection of cyber-based components in food manufacturing environments is the result of many factors. These include the very manner in which the systems evolved over time to exploit the advantages of information technologies and how systems are integrated to improve efficiencies and reduce production cost. The bottom line approach to their evolution is a double-edged sword. While these cyber technologies provide direct financial benefit to the firm, they also create great risk especially when there is little to no awareness when something adverse. Adding to the perception of low risk is that the U.S. Food and Drug Administration (FDA) does not see cyber systems as a component of food safety risk. Certainly, FDA supports private sector’s need to secure their technological systems from attack, but they do not specifically include these systems in their Preventive Controls regulations or guidance. The convenience of these systems, their proven operational reliability, their efficiencies and labor cost-saving roles in the firm, the belief that “it won’t happen here” and the omission of regulatory oversight all contribute to the prevailing complacency and lack of cyber security priority and investment in the food and beverage sector.
It is understandable then that a lack of appreciation of these control system risks exists at the board room level. This lack of concern is also rooted in how these systems evolved within the sector, their phased adoption and often inadequately planned growth or expansion within food production facilities. One also must consider that historically there has been little reporting and awareness of actual cyber events within the food and beverage industry. The reluctance to share adverse experiences has also led to complacency. Observe the level of financial and technology investment in door lock systems, perimeter detection systems, area surveillance systems and compartmented access control for a modern food processing plant. However, the owners and operators of these same facilities often do not invest in network intrusion detection systems or multi-layered network defense at the most basic levels.
For example, consider the situation that involved the Target Corporation just a few years ago. The operating assumption within the firm was that their systems were not at risk because they were not aware that anyone had penetrated them. They allowed vendors to directly exchange information with internal technology systems without investing time or resources to monitor those linkages. Target did not know they had been penetrated nor that their customer’s financial information had been stolen until the banking system began to report, rather publicly, that their point of sale systems had been hacked. Some customers lost substantial amounts as a result. Target’s losses were considerable and the damage to their brand was enormous. The senior company leadership team, including the CEO, was terminated. Target is still recovering from this event even after a significant payout to the affected customers. In brief, Target lacked critical security controls on their information networks. This was not, and is not, a unique situation.
The integration of systems is the Achilles heel. There are so many points where these integrated cyber networks face or connect with the Internet that crooks have multiple pathways into and across the systems. The networks certainly provide management convenience and efficiency, but they also control or give access to many of the key production, management and safety functions on the plant’s line. They are often so integrated that virtually all of a company’s cyber functions can be accessed from any point within the network and, worse, they may be directly accessible from the Internet.
While it may be difficult to convince senior management and a board of directors to invest in an area for which there is little awareness of risk, the risk is substantial and often not lost on underwriters or investors. Premiums for business interruption and cyber system failures are rising and most underwriting firms have begun to assess the security and adversary event history of a firm’s IT systems. Indeed, many underwriters are finding lax controls within firms for their IT systems and employee cyber practices.
Perhaps just as important is the fact that many insurance and underwriting firms still lack sufficient historical data to write policies that provide adequate coverage. Recently, Charles Cowan, counsel to law firm Drinker Biddle & Reath’s insurance transactional and regulatory team, offered that “First and foremost in cyber risk is the need for data. Not a lot of reliable data exists about incidents and where future potential attacks might be, or of what size.” In the food and beverage sector, this is often because firms involved in such breaches are reluctant to make the event public or even make a claim due to the potential for brand damage and loss of consumer confidence in their product(s). Notwithstanding the reluctance to report, data from firms suggest the incidence of events is frequent and growing.
Cyber system protections are increasing in the financial, insurance, and regulatory sectors, but food sector clients, in which there are substantial investment in terms of money, accountability and rules compliance, have not been required to implement similar standards. Some firms explain that 24/7 access combined with convenient and rapid access across systems is vital to their production and delivery requirements. This access convenience for a firm’s production staff provides the same access convenience for those with bad intentions. If the production supervisor can simply link in from home via an open internet connection, so can anyone. Without using a secure VPN that requires two-factor authentication and a modestly complex password, the system is vulnerable. It is then not a question of if, but one of when a system will be compromised. In the food safety world, a risk assessed on when—meaning it will happen at some point—is the standard. Why is this not the case within the cyber component of food production systems?
As pointed out above, most of food and beverage firms have fully integrated network systems. The integration creates huge risk for the firm and its investors, underwriters and customers. The computer services industry used this convenience as a selling point for the networks they sought to install. Unfortunately, the risk of cybercrime can negate much of that convenience. A secure network system now requires compartmentalized networks that prevent intrusion at one point from providing access to all aspects of a facility’s networks. Even on the plant floor, production components, safety and quality assurance-quality control components, cleaning and sanitization, and packing components should all be compartmentalized. Yet, most often these production networks fully linked and are directly tied to human resources, financial, administrative, and communications networks within the firm.
A secure cyber network operating system must be maintained in the same manner that a mixer or slicer is regularly cleaned and serviced under the firm’s maintenance and Hazard Analysis and Critical Control Points (HACCP) programs. The firm must use strictly enforced access protocols, require air-gaps between network components, secure all network access ports and implement high security, user-access procedures. Certainly, a small measure of convenience will be sacrificed, but safety and security of the firm will be substantially improved. The firm’s products will be safer and their employees will have improved job security.
It must be recognized that all cyberattacks cannot be stopped. When one risk area is fixed, a new one often surfaces because systems are always evolving and technology is constantly improving. The holy grail of information technology and cyber systems security for food companies is active intrusion detection monitoring. As a comparison, if fencing around a plant is illuminated and under active surveillance, then criminals will not have the time needed to break into the plant. The same holds true for networks. No matter how secure a network is setup or how one employs the latest firewall technology and password protocols, hackers will find a way into the network if no one is actively watching the access gateways. Detection failure has been the root cause of many recent high visibility cyber events including the Target breach and a separate federal breach where millions of government employee records were stolen. Intrusion detection is not expensive, complicated or labor intensive. It requires relatively small additional investment. It does require prioritization, focus, discipline and adherence to the same standards by all network users. When an attempted breach is detected, whether via apparent employee account “phishing,” password testing, network port pinging/exploration, non-protocol-compliant access attempts or similar efforts to hack the network, network administrators can take active steps to block the attempted penetration or, if the penetration was successful, to intervene quickly, limit damage and reduce information exposure. Further, these systems can provide immediate forensic information to aid in both improving network security and identifying the source and nature of the unauthorized penetration. Employee training, discipline, up-to-date systems, segregated networks and layered defense are vital. The addition of an active intrusion detection system improves protection by providing early detection and warning of attempted breaches and providing a means to monitor network protocol compliance to aid in identifying training needs for staff.
If we think in terms of HACCP concepts to assure food safety, the leap to applying similar concepts to securing our cyber-based process control systems across our facilities is not a large. Under HACCP and the new FDA Preventive Controls rules, food sector owners and operators conduct system risk assessment, develop and implement risk mitigation for critical components, and then monitor and test the system for function and potential failures. While it took many years to prove the value of the HACCP approach and even longer for wide adoption by both regulators and operators, it has become the standard that even the new Preventive Controls rules are founded upon. Developing a framework for reducing risk to cyber systems of all types is precisely this same process. Cyber risks must be considered, within the food and beverage sector, as presenting the same risks to the firm and the consumer as any food safety risk. A system failure, or worse a system penetration, resulting in intentional harm to consumers would be catastrophic to both the company and its investors. While cyber system event mitigation has not yet become a priority for regulators, in time it most certainly will. The question for today’s owners and operators is how long will it be before industry and regulators step up and require cyber hazard reduction measures? Who will be the next victim of a high consequence cyberattack? What will be the impact on their customers and consumers? What would such an event mean for the company brand? And what can I do to prevent it?
John T. Hoffman, Colonel, USA, Retired, is Senior Research Fellow at the Food Protection and Defense Institute.
1. 2016 Trustwave Global Security Report, see also www.fbi.gov/investigate/cyber.