According to data from the Food and Agriculture Information Sharing and Analysis Center on the 200 to 300 ransomware attacks tracked each month in the U.S., approximately 10 to 20 are directed at agrifood businesses. The most famous case in recent years was the attack on JBS in May 2021, which resulted in an $11 million ransom payment after the meat giant had to close all of its beef plants across the country.
Even when no ransom is paid, the consequences of a cyberattack include high direct costs, disruptions up and down the supply chain, and damaged brand reputation, with the possible addition of theft of trade secrets and legal consequences. In April 2023, a network breach forced cold storage and logistics company Americold to take compromised servers offline, blocking all inbound and outbound deliveries. “With an attack like the one that hit Americold, you’ll have damages on both sides of the equation,” says Michael Delaney, corporate attorney at legal firm Bryan Cave Leighton Paisner, based in St. Louis. “The manufacturer will have to either stop production because they don’t have enough storage space at the plant, or find an alternative distributor. On the other side, the distributor cannot get the product out to the retailer. The manufacturer may sue the distributor, while the retailer may sue both, if they breached the contract.”
Although most cases of cyberattacks that we read about on the news affect large public companies, smaller businesses are not exempt from risk. In an FBI notification issued in September 2021, the agency warned that larger agrifood businesses “are targeted based on their perceived ability to pay higher ransom demands, while smaller entities may be seen as soft targets.”
Food Safety Risks
Ransomware attacks tend to hit IT environments, which focus on data storage and communication. For food manufacturers, however, the risk extends to the operational technology side of the business that controls production. In a hypothetical attack, cybercriminals could exploit the vulnerability of industrial control systems (ICS)—the hardware and software that control equipment and processes—finding their way to the production floor and putting the quality and safety of food products at risk. “ICS systems control all sorts of devices, such as temperature sensors, gate valves, or automatic sampling systems,” says Col. John Hoffman, senior research fellow with the Food Protection and Defense Institute at the University of Minnesota in St. Paul. “By taking control of them, one could increase the temperature of an oven, shut down a refrigerator, or change parameters of a recipe, possibly adding an unwanted allergen.”
Most ICS systems used in the food industry are built on legacy technology that wasn’t designed to be connected to the internet. Now that they are plugged in for data collection and remote monitoring and servicing, their lack of protection is putting production plants at risk. Their gradual replacement with modern IoT devices might actually create new vulnerabilities, rather than reduce them. “Smart devices that send and receive data over the internet tend to bypass a lot of the security measures—such as firewalls—that protect both modern and legacy systems, exposing them to attacks,” says Rich Witucki, principal industrial consultant at industrial cybersecurity company Dragos.
As Eran Fine, CEO and co-founder of NanoLock, an Israel-based developer of cybersecurity solutions for industrial systems, says, connectivity itself is a variable that increases risk: “Hybrid systems are not necessarily more secure, but create different problems. While legacy technology is extremely vulnerable, it’s also less connected. IoT devices bring about more connectivity. They may be harder to breach, but once that happens, intruders may jump from the legacy into the new and vice versa.”