Food and beverage producers are tapping into the power of smart manufacturing at a rapidly accelerating pace. They recognize the value of connectivity and the opportunities it provides to gain better insights into production processes; improve food safety visibility and practices; and resolve or help prevent food safety issues. However, with this important trend comes another, more concerning issue: vulnerabilities from insufficient cybersecurity.
Explore this issue: April/May 2019
Security threats now come in more forms than ever before: physical and digital, internal and external, malicious or unintentional. The truth is that no organization is immune to a security incident. And, more connected operations create more security risks—particularly the cyber variety.
There is a wide assortment of potential adversaries in the world, all with different goals and methods. Food and beverage companies could be targeted specifically with threats tied directly to food safety and the integrity of the nation’s food supply. They also could be targeted as a means of testing attack methods ultimately intended for other organizations or industries. All potential threats pose significant risks to food and beverage operations, brands, and the consumers they serve.
More stringently regulated industries were forced to connect and grapple with increased security needs much earlier than other industries. For a time, the focus among many food and beverage producers remained on more traditional, physical security considerations associated with food safety and quality. Now, many companies are taking a fresh look at their security approach to make it comprehensive and cohesive in a connected environment.
Cybersecurity is a journey—there’s no silver bullet or catch-all to create a permanently secure environment. Producers need to introduce a variety of capabilities and controls that allow them to respond and adapt to emerging and evolving threats.
A risk-based approach identifies the unique people-, process-, and technology-related risks an organization faces and implements policies and procedures to address them. This allows producers the flexibility to right-size their efforts and allocate the right resources to mitigate risk down to the acceptable level for their organization.
Done right, this approach offers value beyond the most obvious security implications—it also fuels improved productivity and helps prevent unnecessary losses. With cybersecurity programs in place, producers have better visibility into their full range of assets, as well as the ability to identify and correct issues more effectively. As an example, when engineers have remote access to a programmable logic controller (PLC) in a production environment, it’s a benefit that helps sustain productivity levels. However, without the right controls in place, an engineer could access the wrong PLC, causing unnecessary disruption and inhibiting productivity.
So, how can producers evaluate their existing security program and find ways to take a more comprehensive, risk-based approach? There are three key areas to consider: the organization’s cyber hygiene, a defense-in-depth strategy, and planning across the attack continuum.
For food and beverage producers that have more recently introduced smart manufacturing or are in the early stages of updating their cybersecurity practices, cyber hygiene offers a natural starting point. Addressing four key programmatic areas can help an organization establish a base level of cyber hygiene.
It begins with conducting a thorough inventory of the assets connected on the plant floor, as well as their known vulnerabilities. This asset inventory must be maintained and updated regularly. Second, the organization needs to create programs to address the assets’ known vulnerabilities, patch regularly, and confirm that mature processes are in place to make and track configuration changes. Third, it’s important to employ backup and recovery mechanisms for all critical assets. This helps make sure a known good backup is on standby and can be accessed quickly. Finally, completing regular risk assessments allows an organization to measure and manage risk on an ongoing basis. These assessments provide the most up-to-date view of the level of risk the organization is exposed to and the resources required to mitigate it.
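The four hygiene areas above can be expressed as checks run over the asset inventory itself. The following is an added example, not code from the article or from any vendor: the age thresholds, field names, asset names, and advisory id are assumptions or constructed placeholders, and tracking the risk assessment per asset is a simplification.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy thresholds (not from the article); set them per site.
MAX_INVENTORY_AGE = timedelta(days=90)
MAX_BACKUP_AGE = timedelta(days=30)
MAX_ASSESSMENT_AGE = timedelta(days=365)

@dataclass
class Asset:
    name: str
    critical: bool
    last_verified: date                              # inventory entry last confirmed
    open_vulns: list = field(default_factory=list)   # known, unpatched advisories
    last_good_backup: Optional[date] = None
    last_risk_assessment: Optional[date] = None

def _stale(when, limit, today):
    # A missing date counts as stale: "never done" is the worst case.
    return when is None or today - when > limit

def hygiene_gaps(assets, today):
    """Return {asset name: [gap, ...]} for assets failing any of the four checks."""
    report = {}
    for a in assets:
        gaps = []
        if _stale(a.last_verified, MAX_INVENTORY_AGE, today):
            gaps.append("inventory entry stale")
        if a.open_vulns:
            gaps.append("unpatched: " + ", ".join(sorted(a.open_vulns)))
        # Backups are required only for critical assets, as in the text.
        if a.critical and _stale(a.last_good_backup, MAX_BACKUP_AGE, today):
            gaps.append("no recent known-good backup")
        if _stale(a.last_risk_assessment, MAX_ASSESSMENT_AGE, today):
            gaps.append("risk assessment overdue")
        if gaps:
            report[a.name] = gaps
    return report

# Constructed sample inventory; names and the advisory id are placeholders.
TODAY = date(2019, 5, 1)
SAMPLE = [
    Asset("filler-plc-01", True, date(2019, 4, 10), [], date(2019, 4, 20), date(2018, 11, 1)),
    Asset("pasteurizer-hmi", True, date(2018, 12, 1), ["ADVISORY-PLACEHOLDER-1"], None, date(2018, 11, 1)),
    Asset("label-printer", False, date(2019, 4, 10), [], None, None),
]

if __name__ == "__main__":
    for name, gaps in hygiene_gaps(SAMPLE, TODAY).items():
        print(f"{name}: {'; '.join(gaps)}")
```

Running the same checks on a schedule, with the inventory exported from whatever system of record the plant uses, turns the one-time baseline into the ongoing measurement the fourth step calls for.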