May 2017, the world faced one of the most serious cyber-attacks. The Ransomware Wannacry put at risk 200,000 companies spread over 150 countries. Immediately after, every company, including those in Food & Beverage, started to assess their vulnerabilities and stance regarding their cybersecurity policy. June 2017, another ransomware, Petya, infected more than 2,000 companies. For the first time, two major Food & Beverage companies announced publicly they have been attacked.

“Because cyber-attacks on Food and Agriculture sector offer little financial gain and likely pose only minimal economic disruption, the sector does not perceive itself as a target of such an attack”, as stated in the publication  Food and Agriculture Sector - Specific Plan (2015). So, what is at stake for the Food & Beverage industry and why should cybersecurity matter for F&B companies?

Cost of Cyber-attacks

In June 27, an international F&B company published that it was impacted by the attack. A few days later, a Press Release announced the consequences of the attack: a disruption in their ability to ship and invoice during the last days of their second quarter, and a first estimate on revenue impact. Furthermore, as stated in Kaspersky Labs Security Bulletin 2016, the longer it takes to detect a security breach, the higher the mitigation costs and the greater the potential damage. From US400,000 for an instant detection to more than US1.0 Billion for a detection taking over a week. It is clear that cyber-attacks may dramatically impact your business.

Food Defense Plan

With the implementation of a Food Defence Plan as part of a Food Safety Management standard, a Threat (or Vulnerability) Assessment Critical Control Point (TACCP) is recommended (Food Safety Modernization Act Final Rule for Mitigation Strategies to Protect Food Against Intentional Adulteration). Furthermore, in Europe, the PAS96:2014 Guide to Protecting & Defending Food & Drink from Deliberate Attack states that “No Process can guarantee that Food & Food Supply are not the target of Criminal Activity”. “Cybercrime” is clearly listed as a potential threat to be addressed.

Industrial Control Systems 

Cybersecurity is also a critical topic for automation architectures such as HMIs (Human Machine Interfaces) and SCADA (Supervisory Control And Data Acquisition) systems. It becomes even more important with increased connectivity, data exchange and the use of Industrial Internet of Things (IIoT). How do you make sure your process data is protected against cyber-attacks? Do your personnel have a general awareness of cybersecurity topics related to the use of such equipment? These are key challenges to answer.

Security Implementation Is a Solution, Not a Product

Security implementation is a combination of many items. It is about understanding the system, the threats and the risks. It involves people, policies, architectures and products. Of course, it is under vendor’s responsibilities to design products and solutions with security features, to ensure they enable customers to comply with security standards and to provide recommendations and methodologies to guide implementation. But the end-users need to define security procedures, to mandate responsible people and to ensure compliance with security standards.

Finally, as Industrial security is more than just IT security, a "Defense-in-Depth" approach is recommended. This approach underlines that no single item will provide security for your entire system. In conclusion, the Food & Beverage industry is also vulnerable to cyber-attacks and cyber-threats which increase in complexity. Therefore, cybersecurity policies should be assessed regularly using the evolving regulations and standards as part of your Food Defence Plan.

-----------------------

Originally posted on SE Blog