The food and beverage industry is as susceptible to cybersecurity threats and attacks as any other industry. The need to secure corporate private networks and intellectual property is at an all-time high, as is the need to protect the food supply.
According to Trustwave’s 2013 Global Security Report, 24 percent of all reported data breaches occurred in the food and beverage industry, second only to retail. With one attack, retailer Target lost around 40 million credit and debit card numbers, resulting in a drop in consumer confidence and a loss of trust. Similarly, the company that manages a large hospitality chain found that a cyberattack had compromised payment information at 14 of its restaurants and bars across the U.S.
Interconnectivity among franchises poses a whole other area of cyberthreat. A breach at one restaurant chain between 2008 and 2011, for example, led to the stolen card data of more than 80,000 customers and was used to make millions in unauthorized purchases. Shockingly, 70 percent of food and beverage companies that are hacked go out of business within a year of an attack.
But the risk is not just financial. Agroterrorism, or the “intentional contamination of the food supply with a goal of terrorizing the population and causing harm,” is an increasing risk. Every year, more than two million people die from food-related illnesses and more than 1.3 billion tons of food is wasted due to spoilage. Food irradiation (sometimes called electronic pasteurization), which is permitted in over 50 countries, is known as a way to help preserve food, but is not without its risks. If hackers gain access to a food supply company’s network, they could have the power to introduce dangerous amounts of chemicals to the food being treated. Programmable logic controllers, or PLCs, which are used to control processes in many settings like energy plants, water treatment plants, and other industries, are “designed to blindly obey all commands, regardless of what impact they might have.” All a hacker would need to do to cause a major catastrophe is to hack into these systems, and from there they could cause an explosion at a chemical facility or poison a food supply. Even the ability to remotely shut down refrigeration systems can be detrimental to food safety. Failing to introduce a comprehensive cybersecurity program that encompasses food quality and safety guidelines can lead to many illnesses and even fatalities.
What constitutes cybersecurity? Many companies believe perimeter point solutions, such as firewalls and antivirus software, are all it takes to become cybersecure. ANX Corp. identified eight major security gaps that affect food and beverage companies: outdated firewalls, insecure remote access, weak security configurations, operating system flaws, lack of staff training, flawed security policies, negligence, and poor change control procedures. All of these security gaps can be linked to a lack of security best practices. It’s not unusual for a company to believe it is safe, especially if it can’t see that it’s at risk. Trustwave found that of the number of organizations who were victims of a breach, only 16 percent were able to detect it themselves. The remaining 84 percent relied on outside companies to report the information.
Cybersecurity is much more than a point solution—it is a comprehensive plan that complies with company objectives, corporate requirements, and/or federal and state government regulations. Once you have identified your cybersecurity needs, you can start to address cybersecurity technical requirements. This is why simply using point solutions can provide a false sense of security, since they are typically deployed quickly to address a perceived need. This is where the trouble lies. A good cybersecurity plan begins with a risk analysis to determine the current state of security and what you need to do to improve it.
A comprehensive cybersecurity program that is regularly managed and maintained is key for protection. Simply installing firewalls and antivirus software does not guarantee that critical company assets are safe from criminals if the firewall is not maintained properly and the antivirus software is never updated with approved patches. There must also be policies and procedures, proper employee security training, and regularly updated operating system patches, to name a few. The “it won’t happen to me” mentality is no longer a valid defense.
Since cyberattacks are no longer a matter of if but when, companies in the food and beverage industry must plan for remediation if they fall prey to hackers, even if it means hiring additional specialized staff to help circumvent these attacks. It’s important to have a plan in place before an attack occurs, rather than afterwards. If companies neglect cybersecurity best practices, they risk legal issues, fines, and souring their brand. They can lose customers, money, and future business opportunities. Because most food and beverage companies use the same IT systems across their stores and franchises, it’s easy for criminals to duplicate attacks and cause extensive damage in a matter of minutes. And thieves are sure to make off with a lot of loot due to the high transaction volume of the food and beverage industry—which also contributes to its appeal to hackers.
Cybersecurity best practices should incorporate a security assessment to establish any security gaps and determine any risks to safe and reliable day-to-day business operations. Reviewing current policies and procedures on cybersecurity and comparing them to government, industry, or corporate requirements can help point out any security shortcomings, and determining how to protect critical assets from vulnerabilities and risks is key to adequately securing data. Most importantly, managing and maintaining a security program will allow food and beverage companies to adapt as new threats surface and as new technology emerges.
The National Institute of Science and Technology (NIST) Cybersecurity Framework that was released earlier this year offers guidance for businesses looking to bolster their current security programs as well as for businesses that are starting cybersecurity programs from scratch. The Framework is a best practice approach to security risk management, offering a common language that can be used across all industries—even the food and beverage industry. The NIST Framework is made up of three tenets: the Core, Profile, and Implementation Tiers. The Framework Core includes a template of activities and outcomes that organizations can use with existing best practices, suggesting ways to identify, protect, detect, respond, and recover from cyberattacks. The Framework Profile helps organizations align their cybersecurity activities with their business requirements, risk tolerances, and resources by mapping out where they are currently with their security programs and where they want to be, which helps establish security gaps. Last, the Framework Implementation Tiers help organizations rate their security readiness based on four levels of maturity: Partial, Risk Informed, Repeatable, and Adaptive. Although the framework was initially designed for critical infrastructure industries, it is readily applicable to any company, no matter its size or industry or country it is located in. The primary focus is on risk management through the implementation of the Tiers, helping organizations gauge their progress. The Framework offers a continuous improvement process, which is critical since these types of threats evolve as quickly as technology improves.
While many organizations have different approaches, they all have a common element—to establish a best practice approach to cybersecurity. Some basic practices include:
- Identifying and categorizing assets,
- Establishing a plan to eliminate significant vulnerabilities,
- Developing systems to identify and prevent potential attacks,
- Identifying, containing, and fighting back against known attacks,
- Applying and maintaining the latest operating system and application patches,
- Using current antivirus definitions,
- Updating authorized application software,
- Enabling network antivirus software,
- Not using a USB stick unless it’s been scanned and confirmed that it is free of problems,
- Hardening servers and workstations,
- Changing default admin passwords,
- Controlling user rights,
- Implementing backup and restoration,
- Taking inventory of network assets,
- Using physical network isolation when possible,
- Using logical network segmentation (secure zones) when possible with strict firewall rules,
- Enabling firewall logging,
- Using Network Management Systems,
- Not clicking links or files that aren’t verified, and
- Creating an incident response plan before an incident occurs.
Security researchers have predicted 2014 would see an increased number of these breaches and attacks, and so far, they’ve been right. There has been a 21 percent increase in incidents according to the Identity Theft Resource Center—and that’s only reported attacks. The World Economic Forum’s annual report ranked cyberattacks in the top five global risks in terms of likelihood. And research from Arbor Networks states “the number of DDos (distributed denial-of-service) events topping 20 Gbps (Gigabits per second) in the first half of 2014 are double that of 2013.” Among the largest breaches this year are several food and beverage companies. In addition, security experts are now saying hackers aren’t the biggest threat anymore. Simple mistakes and poor security best practices are quickly becoming just as dangerous.
Straka has a master’s degree in Professional and Technical Communication from the University of North Texas and currently works as a cybersecurity consultant and technical writer for the Critical Infrastructure & Security Practice at Schneider Electric. Reach her at [email protected]
References Furnished Upon Request