Food defense takes many forms: food safety programs, physical facility security, counterfeit goods, to name a few. One of the most challenging to manage is the growing threat to cybersecurity.
Closed loop data exchange is the default defense against hackers, industrial spies and other outsiders. Food and beverage manufacturers have been willing to forego benefits like third-party monitoring and troubleshooting of equipment and infrastructure performance if it meant granting access to internal communications systems. But as customer demands for more information mount and a workforce of digital natives who expect to access data via smart phones and other remote devices moves into place, the ability to just say no to the connected enterprise becomes less realistic.
Malicious attacks are a real and growing problem. In a ProFood Tech presentation describing a CIP optimization service that uses an Internet of Things platform, representatives of Ecolab said the platform’s server was attacked 250,000 times in its first 30 days of operation. Most of the attacks came in the form of phishing e-mails, prompting Ecolab to install advanced e-mail protection software to prevent criminals and hackers from gaining entry.
Industrial Ethernet switches are the greatest point of vulnerability for ERP and other business systems, suggests Roger Hill, chief technology officer at Veracity Industrial Networks (veracitysi.com), an Aliso Viejo, Calif., start-up that is rolling out what he terms a next-generation switch platform. Multiple firewalls typically are in place to protect process controls, but companies “have zero or little visibility to the communications moving through Ethernet switches,” insists Hill.
His solution is software that forwards connection requests to Veracity for approval. “The switch no longer makes the decision of which devices can connect,” explains Hill, likening the software to a firewall that can’t be breached.
The first applications are in the energy sector, with oil and gas the next targeted industry. System validation has yet to be done for any food or beverage companies, but he believes security concerns are as real for them as they are for other industries. Chemical analysis will reveal the constituents of Coca-Cola’s syrup, but the soft drink company’s most important intellectual property is the manufacturing process. “It’s not the recipe for the syrup, it’s the recipe of how those ingredients are combined,” he maintains. Industrial spies are intent on cracking Coke’s data network to learn that process.
“Spear phishing is a very effective technique” to gain access to business systems and then burrow down to process controls, says Hill. “Done right, the attacker knows just enough about the target to generate an emotional response.” During his tenure at Siemens, he demonstrated this vulnerability with an e-mail subject line, “Your expense report is being audited,” asking recipients to click on a Trojan horse T&E document.
“The first point of entry is the phishing e-mail,” agrees Tony Baker, security leader at Rockwell Automation (www.rockwellautomation.com) in Milwaukee, Wis. Click rates are in the 20-30 percent range, he adds. But there also is growing awareness of insider threats in the form of ransom ware and IP theft. To mitigate that risk, Baker advocates “defense in depth,” a multi-pronged approach that begins with policies and procedures based on a security assessment and includes more rigorous training.
He advocates multiple lines of defense against attacks, whether external or internal, and creation of operational zones that isolate successful attacks and limit the amount of damage.
“Without good segmentation, the security risks are greater,” Hill concludes. And executing a defense strategy is as important as creating one: more than a few of his clients have invested limited resources into firewalls but never followed through to configure them.