Cyberattacks against the food and beverage industry are opportunistic and leverage the growth in digitization to exploit previously unmanaged vulnerabilities to disrupt operations.
Food & Beverage
Industrial

On the Menu: Cybersecurity Risks in the Food and Beverage Industry

George V. Hulme
/
Apr 4, 2023

The table is set, and the food and beverage industry is seeing attackers serve it a bigger share of digital attacks, two recent reports have warned. 

A January World Economic Forum report cautioned about "critical information infrastructure" breakdowns, which could lead to physical and virtual disruptions in agriculture and food resources at local and national levels. The report also highlights the targeted disruption of Ukraine's refugees, medicine, and food supplies. 

Experts contend the industry needs to take steps now to avoid further disruptions. For instance, the Cyber and Infrastructure Security Centre, part of the Australian government's Department of Home Affairs, issued a risk assessment advisory last summer focusing on the food and grocery sector. 

"Stakeholders within Australia's Food and Grocery Sector must adapt their risk management strategies to ensure risks to the operation of assets critical to the nation's economic and social wellbeing are being appropriately captured," the Cyber and Infrastructure Security Centre advised. 

Last month, food and beverage distributor Ben E. Keith was the latest to acknowledge it had suffered some type of digital attack, which caused it to disable some of its business systems, resulting in inventory shortages at regional restaurants.

Needless to say, in recent years, the food and beverage industry has proven itself vulnerable. While the industry has been targeted because of its critical nature, Justin Woody, senior director of security strategy at Claroty, says many of the attacks are, in fact, acts of opportunity. 

"There's been a lot of investment in digitization, creating system dependencies which has led to unexpected and creative attack vectors," he says. 

While cyberattacks targeting the food and beverage industry don't always get the same level of concern as attacks on power generation and distribution, banking and financial services, or healthcare delivery, they pose similar dangers and are also attacks on critical infrastructure. 

Perhaps the most widely known attack on the food industry is the May 2021 attack on the world's largest meat processing company, JBS. The JBS ransomware incident brought the concerns around cybersecurity vulnerabilities of the global supply chain to the fore, as the incident affected delivery in Australia, Canada, and the U.S. The attackers were believed to be part of a Russian-based cybercriminal group known as REvil.

Other notable attacks on the supply chain include: 

  • Mondelez International: In June 2017, confectionery, food, and beverage giant Mondelez International, best known for its Oreo, Cadbury, and Toblerone brands, had to stop production within several facilities due to a ransomware attack attributed to NotPetya. Mondelez sued its insurer for not covering the losses incurred during the attack, as the insurer claimed the event was an act of war.

  • Campari Group: In November 2020, the Italian beverage company Campari Group fell victim to a Ragnar Locker ransomware attack. The attackers demanded a ransom of $15 million and leaked sensitive company data online when negotiations failed. Campari Group temporarily shut down its IT systems to prevent further damage.

  • Bakker Logistiek: In April 2021, the Dutch transportation and warehousing vendor that serves the food and beverage industry was targeted by a ransomware attack. 

  • Dole plc: As reported last month, food company Dole admitted in Securities and Exchange Commission filings that a ransomware attack forced it to cease plant production within some locations. The company reported that after detecting the attack, it took steps to contain its spread, hired security experts, and notified law enforcement. Still, as Eduard Kovacs reported in SecurityWeek, Dole does not expect to recover any losses through its insurance policy.

Governments Have Taken Notice

Governments, most notably the European Union, are taking steps that will help shore up the food and beverage industry. As Claroty's Woody explains, the EU's Network and Information Systems Directive, NIS2, sets out the security expectations for certain operators of essential services (OES) and digital service providers (DSP), including food companies. NIS2 aims to ensure the security of a wide range of critical infrastructure operators' networks and information systems. 

Under the NIS2 directive, food companies identified as OES or DSP must take measures to manage risks to the security of their systems. OES provide essential services in the energy, transport, and health sectors, while DSPs are defined as online marketplaces, search engines, and cloud computing services.

Food companies that are either OES or DSP must apply risk management strategies to their cybersecurity efforts, such as implementing appropriate security measures and incident response plans. They must also report any significant cybersecurity incidents to the relevant national authorities.

There are several best practices that food and beverage companies can adopt to better manage their risk and secure their IT systems and devices from cyberattacks. 

Food & Beverage Cybersecurity Best Practices

Some of these practices include:

  • Conduct risk assessments: Companies should regularly assess their IT systems and XIoT devices to identify vulnerabilities and risks. This makes it possible to prioritize security efforts and focus on mission-critical systems.

  • Implement strong access controls: Companies should implement strong access controls to ensure that only authorized personnel can access their IT systems and XIoT devices. This can include utilizing multi-factor authentication, effective password policies, and monitoring access logs. Also, consider implementing a zero-trust architecture.

  • Segment networks: Woody explains that organizations should segment their device and IT networks into smaller subnets. This contains and isolates security threats because if a device or system is compromised, the attacker's access is limited to a specific segment, making it more difficult to move laterally across networks. Such segmentation, when done right, can improve performance and manageability. 

  • Patch and update software regularly: Companies should regularly patch and update their software and firmware to address known vulnerabilities and ensure they use the latest security features.

  • Monitor and detect suspicious activity: Companies should implement tools to monitor and detect suspicious activity on their IT systems and XIoT devices. This can include intrusion detection systems, security information and event management systems, and endpoint detection and response tools.

  • Implement backup, encryption, and data protection measures: Companies should implement encryption and data protection measures to ensure their sensitive data is secure. This often includes encryption of data at rest and in motion. Regularly practice data backup and recovery procedures.

Overall, food and beverage companies should take a proactive approach to cybersecurity and prioritize the protection of their IT systems and XIoT devices. By implementing best practices, they can give threat actors more than they can chew, metaphorically speaking, and dramatically reduce their risk of a successful cyberattack.

George V. Hulme

George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
