The food and beverage industry is keeping up with the times as more companies adopt new technology solutions across the supply and value chain. However, cutting-edge software brings a whole range of risks that can seriously impact operations, end products and even a business’s financials.
Now more than ever, there is a need to take a look at cybersecurity, as the threat of cyberattacks has been growing in the past few years. In May of this year, the world’s largest meat supplier, JBS Foods, was the target of an organised cyber security attack. It caused several U.S.- and Australia-based facilities to stop operations, and led to the loss of a day’s worth of profit and a ransom payment of $11 million.
To get a better understanding of the risks that the F&B industry faces, Asia Food Journal spoke to Vijay Vaidyanathan, Regional Vice President of Solutions Engineering for the Asia-Pacific and Japan market at Claroty, an industrial cybersecurity firm.
What is your opinion on the role of cybersecurity in the food and beverage industry, particularly on the manufacturing side? Are manufacturers placing priority on keeping their operational technology (OT) structures safe and secure?
The food manufacturing industry has low maturity in terms of cybersecurity, and these incidents highlight the urgent need for these companies to prepare for, and learn to manage, cyber-related risks in OT, information technology (IT), such as industrial control systems (ICS), and importantly, from the convergence of IT and OT networks as a result of digital transformation. This is especially pertinent for environments where vulnerable legacy technology exists, and any downtime could result in huge ramifications for the company, and the public at large, as was the case with JBS Foods.
What makes the food and beverage industry susceptible to cyberattacks? How do these attacks occur and what are the ramifications?
To date, there are few similar precedents of cyberattacks on the Asian F&B industry. But it is highly plausible that an attack may occur in the region because many production sites still run on legacy OT that was never designed to be connected to the Internet. Moreover, it is possible that during the pandemic, these systems may have been instantly connected to the Internet to control them remotely without proper security controls put in place.
OT networks often predate the Internet, yet the pressing need for digital transformation has meant that food and beverage companies are automating parts of the manufacturing process. This move has meant that OT networks have suddenly been exposed to a host of new cyber threats lurking on the web.
OT networks run on proprietary protocols, where legacy equipment can often be incompatible with traditional IT security tools, for example, the virtual private networks (VPNs) which are used in enterprise IT environments. The same security tools that work well in IT are inadequate for OT networks, which need purpose-built security measures. Connecting OT assets to the corporate IT network without taking appropriate security measures gives threat actors an expanded attack surface, with numerous pathways into the OT network, and to the critical systems and physical processes that the OT network controls.
What are the implications of the JBS Foods attack on the food and beverage industry?
Considering the size of JBS Foods’ production, which controls 20% of the U.S.’s slaughtering capacity for beef and pork production, as well as its daily cattle harvest, the company has to operate every day. Taking down servers or network equipment for patch testing and deployment is a major task, and any downtime or compatibility issues could cost millions.
Threat actors understand and are taking advantage of this dynamic, using ransomware to target these large companies that cannot afford interruptions and have the capacity to pay exorbitant extortion demands. JBS Foods paid a ransom to prevent future attacks, despite being able to restore operations for most of their systems from their backup servers.
What are key takeaways from the JBS Foods attack and strategies manufacturers can do in their own operations?
A key learning from this case study is that digital transformation expands an organisation’s attack surface, making it easier for threat actors to enter the network and gain control of OT assets. Without the correct security tools in place, organisations cannot identify vulnerabilities or detect malicious activity, giving way for cyber criminals to exploit organisations.
To protect the organisation, appropriate technology that offers complete visibility into all of their systems and processes should be put in place to continuously monitor for any threats that could result from a targeted or opportunistic attack. An accurate asset inventory is the first step toward proper vulnerability management to ensure critical systems are up to current patching levels and compensating controls are in place when appropriate.
Network segmentation is another strategy that can impede an attacker’s lateral network movement. Most operational technology (OT) networks are no longer air-gapped, and network segmentation compensates for this by preventing attackers from using stolen credentials or compromising Active Directory and other identity infrastructure in order to move from system to system stealing data and/or dropping malware or exploits.
Alternatively, virtual segmentation improves network monitoring and access control, and greatly accelerates response time. In the event an attacker does establish a foothold, virtual segmentation makes it possible to shut down specific portions of the network, regain control, and drive intruders out, saving cost and reducing downtime.
Encryption of data at rest and in motion is also important for good cyber defense and resilience with respect to ransomware. Secure, available, offline backups are also crucial to implementing rapid recovery from such attacks. Make sure you know where backups are, how to access them and that they are regularly tested.
Strategically, organisations should also regularly test their incident response plans, and conduct tabletop exercises to put those plans into motion without impacting their production environments. Training and testing improve response, and ensure business continuity.
What are the top things to consider in terms of cyber security? What should food and beverage manufacturers watch out for in their OT and network systems?
Until recently, IT and OT networks were managed differently as they have different security priorities. Specifically, IT teams typically prioritise the CIA triad, which encompasses the principles of confidentiality, integrity, and availability in the context of data or information and corresponding IT systems. Meanwhile, OT teams typically prioritise the principles of availability, reliability, and safety in the context of physical processes and corresponding OT systems.
Many organisations tend to think of IT and OT as separate networks, but it has become abundantly clear that adversaries do not see things this way. To them, a network is a network, so attacks are intertwined, particularly across the IT/OT boundary.
A thorough risk assessment is necessary to establish full visibility of potential threats. Effective industrial cybersecurity starts with knowing what needs to be secured, which includes a comprehensive and up-to-date inventory of all IT, OT, Internet of Things (IoT), and Industrial IoT (IIoT) assets, processes, and connectivity paths in the network.
Assessing risk to these areas requires highly specialised tools that can work with the countless proprietary protocols across different assets. Additionally, OT systems often have limited bandwidth, so tools must be able to run without disrupting operations.
Once visibility is established, the next step is to enable real-time threat detection and response. Speed is always essential for fighting any cyber threat but is especially important for OT. The smallest disruption can result in catastrophic issues such as food contamination.
Detection mechanisms should account for both known and unknown attack types. It is also important to have a unified view of both IT and OT systems to identify attackers attempting to exploit connectivity on both fronts simultaneously. Automatically grouping related alerts together can also help to establish a higher signal-to-noise ratio and make it easier to identify serious threats.
The third step is continuous vulnerability management. Since OT networks usually consist of legacy equipment dating back many years, there is likely a high volume of potential vulnerabilities that have gone unnoticed. The limited operational bandwidth afforded by OT systems means genuine vulnerabilities can be hard to detect amongst all the false positives. As a result, a security strategy needs to address both incoming active attacks and existing weaknesses that could be exploited in the future.
Automatically identifying and comparing individual OT, IoT, and IIoT assets to a database of known vulnerabilities helps to bring potential risks under control. A variety of sources, such as the latest Common Vulnerabilities and Exposures (CVE) data from the National Vulnerability Database (NVD) can help act as controls.
In a time where there’s more push to adopt technology and automation in operations, how can manufacturers prevent these cyberattacks from happening?
There are three industrial cybersecurity best practices that are recommended in order to mitigate cyber threats.
The first is to ensure operational visibility. One of the biggest challenges for securing OT environments is the lack of telemetry, and therefore, visibility into OT networks. Real-time visibility into all operational systems linked to food production and distribution enables security teams to notice if there is anything out of the ordinary going on in the systems, meaning they can quickly act to detect, investigate and resolve malicious activity.
For example, visibility into process values—such as temperatures, chemical composition, and product formulas—can help ensure the quality and consistency of outputs. It helps establish a behavioral baseline against which to monitor the network and understand the vulnerabilities, threats, and risks that may be present—including anomalies that may indicate an early-stage attack—in order to take pre-emptive actions.
Additionally, such visibility can help identify vulnerabilities such as out-of-date operating systems and software, and also any common vulnerabilities and exposures associated with products, allowing them to take action.
Second, organisations need to use secure remote access solutions that are purpose-built for industrial environments and that allow for auditing, control and monitoring capabilities. This includes extremely granular role- and policy-based access controls for industrial assets at multiple levels and geographic locations while supporting Zero Trust and Least Privilege security principles.
Ideally, to protect their facilities, manufacturers should deploy specialists that embrace OT and the IT/OT connection when it comes to securing remote access to critical environments. Purpose-built OT solutions far better address OT needs than general remote access solutions. The investment is worthwhile as remote work will likely continue in some capacity long after the pandemic is over.
It’s also key to stay up-to-date on cybersecurity standards by referring to recommendations given by respective government agencies. Singapore, for instance, is setting up a panel comprising global experts to offer advice on OT cybersecurity as part of the country’s latest cybersecurity blueprint.
Organisations involved in the food supply chain can also refer to OT security recommendations released by US security agencies the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA).
What does the future look like for cyber security in the food and beverage industry? What trends or innovations do you see moving forward?
As more enterprises within the industry modernise their industrial processes by connecting to the Internet and the cloud, threat actors will have more ways to compromise industrial operations through ransomware and extortion attacks.
For instance, Claroty reported a rising number of industrial control system (ICS) vulnerability disclosures in our third Biannual ICS Risk & Vulnerability Report. The report highlights that 71% of these vulnerabilities are classified as high or critical severity, 90% have low attack complexity, and 61% are remotely exploitable. This showcases the growing number of industrial assets that are now connected to the Internet and that are potentially exposed to threat actors, who can exploit these vulnerabilities easily.
On the flip side, the recent surge in high-profile ransomware attacks against industrial organisations has also heightened the importance of industrial cybersecurity among board-level business leaders, who now understand that OT security plays a vital role in creating business resiliency.
Moreover, protection of critical national infrastructure is now viewed as a national security issue. For example, in response to the Colonial Pipeline ransomware attack, the U.S. government promptly moved to mandate incident-reporting procedures and to ensure that hardened cybersecurity practices be installed and required of private companies that operate in critical infrastructure sectors, such as energy, oil and gas, transportation, finance, healthcare, and food and beverage.
Some governments in Asia have already been broaching the issue. In October 2019, the Singapore government’s Cybersecurity Agency, CSA, outlined an OT Master Plan, which includes adopting technologies for cyber resilience through public-private partnerships to protect Singapore from cyber-attacks on critical sectors.
In May 2021, the CSA announced the formation of the OT Cybersecurity Expert Panel. The panel complements CSA’s OT Master Plan and members will meet in October 2021 to discuss ways to strengthen local cybersecurity capabilities and competencies in the operational technology sector.