In June 2018, Mondelēz International was hit by the outbreak of the NotPetya “wiper” malware, which disrupted the shipping of candy and snacks. The company only recently revealed the attack as part of its financial earnings report.
Mondelēz spent close to $180 million on the outbreak, including $84 million to investigate the incident, remove the malware, and restore its systems, according to the company’s recent financial filings.
The snack-food giant is only one example of the threat cyber breaches pose to the food supply chain. Such breaches could be so disruptive that the U.S. Department of Homeland Security labeled the food and agriculture industry one of the 16 national critical infrastructures always at a higher risk for an attack than other sectors. That’s because an attack could disrupt food access and safety for many Americans.
Attacks on the food supply chain can have other far-reaching consequences. A single security breach can run across an entire supply chain, from farmers to shippers to retailers and—ultimately—to consumers, says Andres Franzetti, president and chief operating officer at Risk Cooperative, a company that insures against security attacks.
“In the case of Mondelēz, the breach created disruptions down various links of the supply chain and affected getting food to consumers,” he says. “If you start looking at it in terms of the production of beef and poultry and other mainstays to diets, you can see how a cyberattack on the supply chain of critical food providers could have a huge impact on the population.
“Folks won’t get access to these foods. Then you see how a breach could cause instability to the population at a catastrophic level,” he says.
As the food and agriculture sector continues to implement more software and hardware solutions—such as drones and soil tracking software for precision farming—it faces heightened vulnerabilities to the type of cyber threats that can impact food production levels and contamination, Franzetti says.
Companies are also stepping up implementation of artificial intelligence, machine learning, and Internet of Things technologies to streamline the supply chain, eliminate fraud and waste, and improve the customer experience. But these new technologies introduce increased risk and complexity. Complexity is the cybercriminal’s best friend, adds Theresa Payton, chief executive officer at Fortalice Solutions, a security consulting company.
“Just as a shoplifter might strike at a retail business’s peak hours to decrease the risk of being detected, cybercriminals often wait for peak traffic and use the complexity and noise as a cloak of anonymity,” she says.
Breaches can start anywhere in the supply chain. At this point, not a single technology link in the food supply chain hasn’t been hit, she says.
The biggest impact to the food supply chain so far has been compromised customer payment data and other personal information, Payton adds.
The further the link is from the producer, however, the harder a breach is to detect. For instance, a 2016 Farm Bureau survey found that farmers and ranchers want to control the information their equipment collects every time it passes through a field. Yet a 2018 survey from the same advocacy organization reported that 87 percent of farmers were unsure of what to do if a security breach affected them or a service provider.
That calls for an element of trust for all those involved in the supply chain, Payton says.
Security breaches could harm food makers in many ways, says Roger Woehl, chief technical officer at SafetyChain Software, which makes quality assurance, food safety and compliance software.
“The worst scenario would be the leaking of a trade secret, where a competitor in China hacks in and steals something about your specific formula,” Woehl says.
Other risks to food producers and distributors include a threat via ransomware, he adds.
“You need your data to pass your audits. Someone could use ransomware to get into your data and encrypt it, saying, ‘send us a million in bitcoin and then we’ll unlock your data,’” Woehl says.
Or, an activist group might try to hack into food production IT systems, he adds.
“They might feel there would be value in exposing some kind of practices they disagree with,” Woehl says.
Keep It Safe
So how can these risks be mitigated? Protecting information takes several forms.
Food producers can spend thousands of dollars on the latest lines of security defense, but they’re still vulnerable to data breaches and failed audits due to certain areas they’ve overlooked, says Chris Boyd, a threat researcher at the internet security company Malwarebytes.
Begin with a security assessment, he says. First, look at the firewall, usually the top line of defense against hackers at small- to medium-sized enterprises, Boyd says.
While producers can never really be assured their IT operations are 100-percent secure, by assessing their security methods and taking into account areas perhaps overlooked in the past, they can get a better understanding of just how secure their enterprises are, he says.
Every day, hackers run massive network scans across the internet to look for vulnerable firewalls.
“Personally, I’d start with the assumption that everything has been compromised—whether that’s the physical building security, firewall policies, malware on the network, or data leaks—then think ‘What’s the most damage that could come out of this?’” Boyd says. “Once you know the worst that can happen, you can take steps to lessen the impact.”
For her part, Payton recommends keeping all systems separate. She advocates a practice called segmentation: splitting computer networks into separate network segments. Many of the networks used by food manufacturers, producers and suppliers could be segmented, she says. That way, if one of the networks is attacked, others are safe.
Also, providers should plan for security breaches the same way they do for fires or earthquakes—with drills and with pre-determined response methods.
“Name your top three digital-disaster nightmares,” Payton says. “Then dramatize and talk about what might happen if the worst happens. Use that as the foundation to build an incident-response playbook.
“Rehearse a realistic tabletop exercise for each of your digital disaster nightmares. Document call trees, draft crisis communications to your executives and customers, determine what you need for legal support, technology support, incident response support,” she says.
One of the key components to mitigation is education, Franzetti adds. That includes educating farmers and others involved in food supply on cyber risks and potential areas for cyber breaches.
He also suggests suppliers and manufacturers consider cyber insurance that includes breach-response coverage. While insurance is not prevention or risk management, it does provide finances and resources to mitigate a breach as soon as it’s identified, he says.
“This allows damage to be contained, rather than spreading throughout the entire supply chain,” Franzetti says.
“Ultimately, a breach to the food supply chain could create a national security issue for our country,” he says. “Protecting the most valuable aspects of our food supply chain is vital.”
Jean Thilmany is a freelance writer based in St. Paul, Minnesota. She specializes in engineering, manufacturing, technology and industrial topics.