1660317328740 Marchcyberhero

How Cybercriminals Break Into Food & Beverage Plants

Feb. 24, 2022
Legacy systems leave many food companies vulnerable to cyberattack.

Computers and the internet, properly used, can be agents of information and efficiency. But used maliciously, they can be agents of terrorism and extortion.

Cyberattacks on business in general, and the food industry in particular, have been proliferating, with at least five major food companies being hit with ransomware attacks since 2017. Arguably the highest-profile one was a ransomware attack last September on JBS USA that paralyzed the company’s operations, forcing it to pay a ransom of $11 million.

The situation has been making food and beverage processors rethink their approach to cybersecurity and try to assess their vulnerabilities. It’s a daunting task, especially as automation, data gathering and remote access become more ubiquitous and important in the industry.

The JBS attack, like some others, was especially frightening because it paralyzed the company’s operations. Companies are liable to this kind of attack when their information technology is not sufficiently separated between business and operations, experts say. This means that the operational side, which automates and controls the processing systems, isn’t sufficiently secure from attacks on the business side, which includes functions like email, accounting and revenue.

“The lack of separation between these environments — typically called segmentation — results in a ‘monolithic’ or single environment that can have different security requirements, attack vectors and ransomware impacts,” says David White, founder and president of Axio, a cyber risk advisory firm.

The situation is concerning because cyberattacks most often originate on the business side. That’s where an enterprise has the most points of connection to the internet, and thus, the most vulnerability. It’s also where phishing attacks are the most likely to occur.

“Phishing” is one of the most common methods for cyberattack. Basically, it consists of inducing an employee at the targeted company to click on links or attachments in a purportedly legitimate email, which then unleash malware.

The success of a phishing attack depends in large part on the sophistication of the fake email that introduces it. Some hackers put a great deal of effort into it, tailoring the approach to the company, or even an individual employee. One hacker in Brazil even made up a headhunting firm and “recruited” an employee at the targeted company, going so far as to conduct a remote “job interview.” Such hyper-customized efforts are sometimes called “spearphishing.”

Keeping things separate

If an attack originates from the business side, through phishing or any other means, it can easily migrate over to the operational side – potentially paralyzing production – if there is insufficient separation between the two sides.

One problem is that keeping them totally separate often isn’t practical, or even desirable. Many enterprise-wide software applications are designed to siphon, and act upon, production data from the plant floor. The key is to set things up so there is just enough connectivity, managed securely enough, for the data to get through—but no more.

“Business networks are more exposed to users and the internet, so the attack surface is simply greater,” says Walker Mattox, CEO of Gray Solutions, a member of the Control System Integrators Association. “We also need to face the reality that these networks need to be able to share information and allow for a seamless user or operating experience. A robust architecture with an iDMZ (industrial demilitarized zone) can allow business and operational networks to communicate while reducing the risk to both.”

While attacks originating on the business side are common, they’re by no means the only way in for hackers. As equipment gets more automated and more connected digitally, points of vulnerability increase on the plant floor itself.

Thomas Brittain, associate managing director for cyber risk at Kroll, says vulnerabilities for equipment or systems connected to the internet have overtaken phishing as the top cyber threat to industry. Attacks on vulnerable points went from 6% of the cases investigated by Kroll in 2020 to 44% last year.

“Vulnerability overtook phishing as the No. 1 method of access by threat actors,” Brittain says.

Recent Food Industry Cyberattacks

The food & beverage industry has increasingly become a target for cyberattacks. Here are some of the more notorious recent ones:

JBS SA got hit over the Memorial Day weekend of 2021 with one of the most notorious ransomware attacks to affect the food industry. The attack crippled its operations in the U.S. and Australia, forcing the company to pay an $11 million ransom.

KP Snacks, a British processor of savory snacks, was targeted by a ransomware attack in early February that shut it down completely. In a letter to retail customers, the company said it would be unable to “safely process orders or dispatch goods.” A wholesaler sent another letter to retailers warning that KP Snacks might not be able to fill orders until the end of March.

Mondelēz was hit with a ransomware attack in June 2017 that infected machines across the world when users uploaded what they thought was a routine update. This ransomware, known as NotPetya, took in hundreds of companies, but Mondelēz was among the worst hit; its systems froze and products backed up in warehouses. The attack reportedly wound up costing Mondelēz some $100 million.

MolsonCoors was victimized by what it called a “cybersecurity incident” in March 2021. In a filing with the Securities and Exchange Commission, MolsonCoors stated that while “we restored our systems after working to get the systems back up as quickly as possible,” the attack severely disrupted production and shipping, and that it cost the company $2 million to fix. It also caused up to $140 million in earnings to be shifted from the first fiscal quarter of 2021 to later in the year.

Arizona Beverages was struck with a ransomware attack in February 2021 that affected hundreds of Windows-operating computers and servers. According to TechCrunch, the company had to “effectively build the entire network from scratch” because its backup plan failed. Arizona Beverages is a private company and did not report any losses associated with the attack.

Schreiber Foods got a ransomware attack in October 2021 that shut down its operations over a weekend and disrupted its milk deliveries in Wisconsin and elsewhere. The hackers reportedly demanded a ransom of $2.5 million, but company officials did not say whether they paid.

Operational vulnerabilities

Once malware is unleashed on a company’s operational side, it can spread quickly due to a lack of security, says John Livingston, president of cybersecurity consulting firm Verve Industrial.

“Because most OT environments are not secured to the same level as IT at the endpoint level, once inside the network vulnerabilities, insecure accounts, etc., are widespread allowing an attacker to move laterally in the OT network spreading malware or taking unapproved actions,” Livingston says.

The vulnerability of industrial systems to cyberattack stems in large part from a paradox. Individual components of a system can get more sophisticated in terms of their connectivity or their ability to generate data, but often the software that operates them or that supervises production in general is legacy software. And in cyber world, “legacy” too often means “unsecured.”

“Automation may be supported by many legacy assets that do not lend themselves to security updates or improved hardening techniques, rendering them more exposed to attack,” says Axio’s White.

As the name implies, the biggest problem with legacy systems is their age. In many cases, the software suppliers are just not making updates with security patches any more.

“What we historically find is that a lot of [food processors], because of certain tools that have to run to maintain that food processing line, they end up being specifically built for the legacy operating systems that are no longer being supported by the vendors and not being patched and updated,” Brittain says.

Hackers can find vulnerabilities even in supposedly up-to-date software. One of the worst potential such holes occurred recently in Java, an open-source code that is used as a basis for many operational technology software apps. Briefly put, the hole allows an app’s data-logging function to be used as a portal to make the app execute code; if done maliciously, this could take over, or at least sabotage, digital control of a plant’s operations.

Jonathan Reed, global head of automation, electrical and digital at equipment supplier SPX Flow, declares that “lots of people right now, every single company I know of, has got a problem with” the Java vulnerability. It’s “baked into” many industrial apps that depend on Java.

Some hardware comes with security features like lockdown or time-dependent IDs designed to increase security. Photo: SPX Flow 

“This type of cybersecurity problem is a real risk for us, because we don’t know that they’re there, there are many more out there that we haven’t found yet, and normally we find them after the hackers find them,” Reed says.

Another point of vulnerability comes from allowing third-party access to a plant’s control systems, especially industrial controls. This can happen when, for instance, a vendor is allowed temporary access to a system and given credentials, including a password. If the vendor doesn’t have adequate security, hackers can duplicate its credentials and gain access to the system the vendor is working on, and then, if firewalls are weak or nonexistent, get into other systems. A 2013 hack of Target Corp. was accomplished through compromising the credentials of an HVAC vendor.

Third-party access is sometimes done on a more permanent or semi-permanent basis. One of the services offered by an increasing number of equipment manufacturers is remote servicing – troubleshooting and even alterations to software code done online. But the danger of cyberattack has led some companies to back away from granting this kind of access.

Completely eliminating remote access is a temptation, but it’s not often a good idea, because it cuts a company off from the significant benefit of instant, expert troubleshooting. Personnel might even find less secure ways to connect.

To Pay or Not to Pay?

"Millions for defense, not one cent for tribute” is a fine political slogan, but it may not always be the best response to a ransomware attack.

Whether to pay the ransom is the ultimate question. The official position of the FBI and most other law agencies is not to do so. It just encourages the hackers, the reasoning goes, who are, after all, criminals – and as such, inherently untrustworthy.

But when losses are piling up, when does fiduciary duty kick in?

JBS SA, victim of one of the most notorious ransomware attacks to hit the food industry, ended up shelling out $11 million to get its production capabilities back. “We didn’t think we could take this type of risk that something could go wrong in our [data] recovery process,” Andre Nogueira, CEO of the company’s U.S. division, told the Wall Street Journal. “It was insurance to protect our customers.”

According to an estimate from cybersecurity firm Kaspersky, quoted in the New Yorker, more than half of all companies hit with ransomware attacks end up paying their attackers.

Companies that decide to pay should consider hiring a negotiator. Specialists are available who are experienced in dickering with hackers, in some cases lowering the payments or speeding up the data release.

“We don't recommend eliminating OEM remote access – this will only result in an eventual workaround through cellular connected devices or another less secure method,” says Mattox of Gray.

Instead, both internal and external security measures can be used to reduce the risks of third-party access. Vendors who are brought in on a temporary basis should be set up with a secure virtual private network (VPN) – an encrypted connection that allows access only to a specific part of the overall network. Passwords and other credentials should be temporary and set to expire upon completion of the third party’s task. Two-factor authentication, such as requiring a code that is sent to an individual’s phone, should be instituted.

For a more permanent connection, for instance to an equipment supplier, standing VPNs or other connections should be established – and continually monitored. One of the problems with such connections is that they’re dormant most of the time, and if they’re taken over by a bad actor, often no one notices.

Reed recommends shutting down such connections unless and until they’re needed and they’re set up by a phone call or other secure message. There are even routers available that use a literal lock and key to keep the data they collect shut off from the internet.

Reed likens this to lockout/tagout procedures used to keep power or equipment from being turned on when it would be dangerous to do so. “If you think about it, that’s the same type of security an electrician has. When an electrician comes and works on a dangerous piece of equipment, they turn the big switch off and put a padlock on it, and they take the key with them.”

What to do if it happens

Of course, ransomware and other malware attacks can happen despite security measures. What then?

As with any other kind of disaster, it helps to have a plan in place when it happens. The first action should be to call in IT experts, whether internal or external, to limit the damage as much as possible. This entails such steps as taking individual computers offline until the problem is dealt with; identifying and isolating the point of entry – cutting it off, as far as possible, from the rest of the system; patching the system vulnerability that allowed the attack; and resorting to backed-up data when possible.

The big question in a ransomware attack, of course, is whether to pay; there’s no consensus on that. 

Cyber insurance can help, and it’s being increasingly offered by large industrial insurers. But those policies only cover expenses directly related to stopping an attack and, to some extent, preventing another one. Losses relating to things like interrupted shipments usually are not included.

Cyberattacks are a grim specter that is increasingly threatening the food & beverage industry. As automation progresses, the potential for cyberattack grows – unless it’s dealt with intelligently, during an attack and, especially, before.

Expert Advice: Joe Weiss on Cyberthreats

Last summer, we did a podcast episode with cybersecurity expert Joe Weiss. Listen in on the episode below or read the full transcript

Sponsored Recommendations

Learn About: Micro Motion™ 4700 Config I/O Coriolis Transmitter

An Advanced Transmitter that Expands Connectivity

Micro Motion™ G-Series Coriolis Flow and Density Meter

Micro Motion G-Series: market-leading compact design featuring advanced process diagnostic capability.

Embracing Sustainability using Advanced Measurement Instrumentation

A practical guide to greeningyour brewing operationsusing advanced measurementinstrumentation.

Get Hands-On Training in Emerson's Interactive Plant Environment

Enhance the training experience and increase retention by training hands-on in Emerson's Interactive Plant Environment. Build skills here so you have them where and when it matters...