When OT Cyber Becomes a Food Safety Issue

OT cybersecurity is more than safety. It helps with production, too. Here's how.

James Thew Stock adobe com
James Thew - stock.adobe.com

A cyberattack by hacktivists in late 2024 shut off refrigeration at an unidentified Los Angeles meat processing facility, spoiling thousands of pounds of meat and triggering an ammonia leak. But food safety problems don’t always stem from headline-grabbing cyber intrusions. They can start with various cybersecurity gaps that go unnoticed and wind up creating serious food safety risks.

Consider, for example, something as seemingly benign as a vendor logging in remotely to service a control system. If their access remains in always-on mode, what’s to stop a malicious intruder from getting into the system to steal data or wreak havoc? An outsider could easily change the cleaning parameters just enough that the clean-in- place (CIP) system never fully sanitizes. The likely result: salmonella contamination takes place in the product weeks later.

Many plants still give vendors network access without implementing cybersecurity controls. Where that access goes isn’t always clear and when it ends often isn’t tracked at all. The result: persistent remote access sessions and Virtual Private Network (VPN) connection that stay active far longer than they should. No one stops to define what “good” access control is supposed to look like and, as a result, vendor access gets handled case by case, rather than by policy.

The equipment you depend on most

Older operational technology (OT) systems employed by companies in the food and beverage sector are the hardest to secure. Through the years, they’ve not been patched frequently or they are not supported by the original equipment manufacturer to bring the equipment up to current standards.

The Windows XP operating system still runs on engineering workstations because the programmable logic controllers (PLCs) those workstations use to communicate were built twenty years ago, and they are not compatible with more modern systems. Plants either keep running XP, or they implement a workaround, including in many instances running Windows 11 on the workstation with a windows XP virtual machine running on it. Either way, they're stuck unless they rip out and upgrade the entire PLC infrastructure.

These systems are made to work for 20-30 years. That's the reality. And once they're working, plants don't often invest in them until they're broken as availability is important for the plants. Investing in the upgrades is very costly and it requires too much downtime.

That increases the temptation to take operational shortcuts. For instance, the plant might decide to forgo segmenting IT and OT to avoid the expense involved in installing extra network equipment such as firewalls or switches. But skipping segmentation means creating a flat network that dramatically increases the cybersecurity attack surface, allowing cyber threats to move laterally from business systems into critical control environments, leading to potential operational disruptions and safety risks.

A plant can start by taking an asset inventory and identifying which systems truly warrant cybersecurity attention. From there, the conversation would turn to what the organization is trying to enable next. For example, how much new technology do they plan to introduce in the near term? Are there active plans for digital transformation or the integration of AI and machine learning? Those goals will shape how cybersecurity priorities are set and how aggressively protections need to be built in.

Who owns this

CIP systems are a priority because equipment must be cleaned between food batches and before delivering products to clients. But CIP isn't the only system that is vulnerable to cybersecurity.

In the food and beverage industry, manufacturing is central, and batch production is a critical process for maintaining consistency and quality. Similar to paint or other manufacturing sectors, products are created in batches following precise recipes. However, if OT cybersecurity safeguards are not implemented, those batch recipes can be compromised, leading to significant risks. Then there's the question of how food gets stored before it ships; anything that compromises food batching and transportation —reefer systems, refrigeration units, whether they're in the facility or on a truck— matters.

Finally, there's also the security of the supply chain. As we’ve learned from previous cybersecurity attacks, that same supply chain can become a threat vector as well. How are companies’ suppliers protecting themselves? What are they being exposed to through their suppliers?

Who owns OT cybersecurity day-to-day continues to be a point of confusion. Some companies leave it to their operations teams, and whenever they hear the word "cyber" they send it over to IT. Other organizations deploy teams with experience on both the engineering side and the cybersecurity side. But those groups tend to be small with one or two people tasked with managing multiple facilities at once.

The reality is that rolling out OT cybersecurity takes time as part of a longer process. It’s not about sticking it on the IT team or the OT team and then calling it handled. You need to establish controls and define right roles and procedures across the organization.  

Doing it right

The best approach is building cybersecurity in from the beginning. Know what the company’s assets are and how to maintain them. Understand how the company monitors its systems. Know the company’s policies and procedures. All of this comes into play when thinking about cybersecurity by design. It also helps when trying to understand what regulations are out there and how to pull from different regulations to support corporate goals overall. Food and beverage plants that integrate OT cybersecurity into their operations approach it as a food safety issue, recognizing that protecting control systems is essential to safeguarding product integrity. They assess each site, list required upgrades, and sequence implementation over three to five years. That's different from companies that wait until something bad happens or drag their heels until regulation requires them to invest.

OT cybersecurity is more than safety. It helps with production, too. A cyberattack doesn't just affect product safety — it can halt production. If OT cyber is thought through properly, it has multiple benefits for the company like a competitive advantage and data integrity.

But ultimately, this is about security and wellbeing. Food and beverage directly impacts the people who consume those goods. Understanding how we protect that and what's needed to protect it, is critical.  It takes time to build OT cybersecurity, so become the leader that makes the difference at your plant.

Page 1 of 472
Next Page

Create a free Food Logistics account to continue reading