How vulnerable is the food supply chain to a cyber-attack?

Cyber-attacks on businesses are increasing, and it’s not just digital or finance businesses which are at risk. The UK government recently advised that food supply organisations are in the sights of malicious actors in cyberspace. A major ransomware attack on the world’s largest meat processor, JBS, in June 2021 extorted a payment of eleven million dollars. Shortly after this, in September, the FBI also issued a warning document for the food industry which included several examples of hacking and outlined how cyber-criminal actors are targeting the food and agriculture sector with ransomware attacks:

• In July 2021, a US bakery company lost access to their server, files, and applications, halting their production, shipping, and receiving as a result of Sodinokibi/REvil ransomware which was deployed through software used by an IT support managed service provider (MSP). The bakery company was shut down for approximately one week, delaying customer orders and damaging the company’s reputation.    
• In May 2021, cyber actors using a variant of the Sodinokibi/REvil ransomware compromised computer networks in the US and overseas locations of a global meat processing company, which resulted in the possible exfiltration of company data and the shutdown of some US-based plants for several days. The temporary shutdown reduced the number of cattle and hogs slaughtered, causing a shortage in the US meat supply and driving wholesale meat prices up as much as 25 per cent, according to open source reports.

The FBI paper details several other cases, entailing losses and damage to companies' reputations in this critical sector of the economy. The JBS attack shut down 13 meat producing plants in the USA and Australia. "The hackers recognise that they have the ability to impact individuals through very straightforward, simple attacks that can impact critical infrastructure, that impact food supply and ultimately come down to the lives of everyday citizens," said Kiersten Todt, the managing director of the Cyber Readiness Institute.

The challenges that food businesses face

The pandemic has shaken up a lot of industries. Apart from the health issue, it has brought to the fore home-working and sped-up the uptake of mobile working in many sectors. People are using laptops and mobile platforms like smartphones and tablets, and they often connect via the public internet, sometimes to conduct what should be secured transactions.  

It looks like hybrid working is here to stay, and businesses need to address this as part of their cybersecurity strategy.  Unfortunately, employees are often the weakest link in the cybersecurity chain. "88% of UK data breaches caused by human error, not cyber-attacks,” according to data obtained from the UK’s Information Commissioner’s Office (ICO).  This is a concern for any industry, but the food industry in particular lags behind other sectors in terms of security awareness.   

What are the biggest threats?

Phishing is well-known, where a user clicks on a link that takes them to a fake site or downloads malware onto the user's computer. However, a newer and more insidious version is a spoof email, apparently coming from inside your own company or an external client company. If the accounts department of some company in your supply chain sends a query or a document, employees are more likely to click on it and enable a cyber-attack.

Many companies in the food industry use outdated software, or legacy applications and services, which hackers more easily compromise. Supervisory control and data acquisition (SCADA) systems throughout industry are operating on elderly software applications. Some managers take the view that if the system is working adequately, there is no need to upgrade to newer software. This is taking a chance – as JBS found out, once a hacker gets in, the company can be in big trouble.

Automated systems are particularly vulnerable. If a computer system controlling valves, monitoring temperatures and regulating mixes of additives to food gets tampered with, that is a serious food safety issue. If news of a hack gets into the media, the public will rightfully be alarmed. The company involved will inevitably suffer severe reputational damage and an event like this will need professional reputation management to restore.

How can companies protect themselves from a cyber-attack?

Firstly, equip all devices with up-to-date technology tools to operate securely, such as password managers, two-factor authenticators and virtual private networks (VPNs). Beyond that, everyone in the company needs to be educated on the best practices to keep the danger contained. This is not a one-time course or video viewing, but a continuing process as new threats emerge.

Like all cybersecurity measures, good cyber hygiene relies on a three-pronged approach: people, technology and environment. People require mandatory educational training to spot threats like phishing, including the newer types detailed above. Company leadership must be security-aware and set a valuable example to others.

For a hybrid problem, there needs to be a hybrid solution. Improving employee education can include intensive company-wide workshops, online instruction and third-party training services. Some staff respond better to one method than another, so flexibility is essential. However, enforcement is also important, as HLB’s recent cybersecurity survey found that although 90% of businesses said they educate their staff, 33% constantly deal with non-compliance. 

Conclusion – be active, not passive

Cybercrime is a serious threat. Hackers can attack from anywhere in a networked world, and ransomware usually demands hard-to-track cryptocurrency payments. Legacy systems are particularly vulnerable, as they do not have the latest safeguards, and their software may have gaping holes in its defences.

Employees can be caught out by wily hackers and can also make simple mistakes. It’s really important to create a security conscious culture within the business and implement an ongoing programme of training for everyone from interns to C-Level.  HLB's Chief Innovation Officer Abu Bakkar says, "Cybersecurity needs to be done at a higher level. It needs to be run at the senior level. Otherwise, it doesn't get the traction it needs."

Finally, food is a critical sector of the economy. Although many food supply chain companies are not household names, supermarkets are, this means reputational damage will be widespread. It should not be underestimated.  At a time when food supply chains are feeling particularly vulnerable, a cybersecurity attack could cause lasting damage.

For a more in-depth view of current cybersecurity issues and how you can protect your business read HLB’s latest cybersecurity report: Threat or opportunity: Addressing the cyber-risk landscape in the age of hybrid work.