Your company could be undergoing a cyberattack right now and you might not even know it. If you’re at one of the larger food & beverage companies, maybe someone in your IT group is aware, assessing the threat and deciding if you need to know about it.
That’s how prevalent cyber threats have become across industry, according to several experts on cybersecurity. “If you’re running a security organization, you’re seeing them flash across your screen all the time,” says Willi Nelson, chief information security officer of cybersecurity firm Fortinet.
Despite that warning, there was just one widely reported cyber incident in food & beverage in 2022, the Nov. 6 breach of Maple Leaf Foods. So far in 2023, just one has been publicized: a February hack against Dole Foods. Both apparently were ransomware attacks.
That’s not to say the food & beverage industry is safe. “Ransomware isn’t going away any time soon,” warns Michael Sakmar, vice president of professional services at Dragos. “We expect ransomware to continue to impact manufacturers, including those in food & beverage.”
The “bad actors” remain semi-organized international groups trolling many companies in many countries for vulnerabilities. Many are at least tolerated, and some are actively supported, by countries hostile to the U.S. and Canada and generally intent on creating havoc all over the world – Russia, other Eastern Bloc nations and North Korea are the usual suspects.
But the bar to entry has been lowered so much that just about anyone can become a cyber hacker nowadays, and many are. All you need is the right software, and that’s apparently readily available.
Ransomware-as-a-service (RaaS) has become an industry, and a job so big that criminal software developers can’t do it all themselves. This “business model” has experts in developing ransomware selling their software to others, who carry out the attacks.
“RaaS kits allow affiliates lacking the skill or time to develop their own ransomware variant to be up and running quickly and affordably,” says cybersecurity firm CrowdStrike. “They are easy to find on the dark web, where they are advertised in the same way that goods are advertised on the legitimate web.
“A RaaS kit may include 24/7 support, bundled offers, user reviews, forums and other features identical to those offered by legitimate [software-as-a-service] providers,” CrowdStrike continues. “The price of RaaS kits ranges from $40 per month to several thousand dollars – trivial amounts, considering that the average ransom demand in 2021 was $6 million.”
The company adds, “A threat actor doesn’t need every attack to be successful in order to become rich.”
Interestingly, ransomware revenue fell to about $457 million in 2022, down from $766 million in 2021, according to cryptocurrency-tracking firm Chainalysis. Apparently, fewer victims were paying off their attackers and some targets improved their defenses.
From IT to OT
So far, cyberattack methods have remained the same, too: freezing computers, shutting down systems, threatening to release sensitive information. Most of the incidents originate in the information technology (IT) world, with office employees letting in the bugs via emails or personal devices or by visiting the wrong website. The bugs find ways of creeping into the operational technology (OT) side, where they can wreak the most havoc.
And they’ve all involved ransom. All the cyber criminals are happy to claim responsibility and demand payment. None has remained hidden or altered safety or quality systems just enough to create undetectable batches of dangerous food. But one attack in 2017 at pharmaceutical manufacturer Merck & Co. did damage manufacturing equipment, “and that’s really scary,” says Joshua Corman, vice president of cyber safety strategy at Claroty.
Which raises the specter that someday the goal of a cyberattack may not be ransom but the intent to harm large numbers of consumers with food products that have been released to the market before anyone realizes they are adulterated.
Even if the goal is not to poison unaware consumers, imagine the chaos of having all of a processor’s plants shut down for even a brief period of time. In May 2021, a cyberattack on JBS USA paralyzed the meat packer, shutting down production at beef processing facilities in six states, as well as plants in Australia and Canada.
Collectively, those plants process a quarter of the beef and a fifth of the pork in this country. Wholesale meat prices immediately rose as a result of the incident, and cattle and hog slaughtering was forced to slow down. Poultry plants belonging to the Pilgrim’s Pride unit of JBS also were affected.
But don’t blame everything on the IT world. Nelson thinks more threats will originate in the OT side. “As we change environments and OT visibility increases, I think it will become harder to differentiate where the threat comes from.”
Further complicating the issue is that farming has grown increasingly automated and web-connected, too. The wrong chemical – an herbicide instead of a fertilizer – being applied to a field would wipe out that crop for a year, creating havoc in the supply chain.
With the food & beverage industry’s slow but growing dependence on connectivity – automated systems and controls within the plant, data stored in the cloud and connections between IT and OT – the potential for internal and external harm grows.
Was 2022 the quiet before the storm?
2021 was a busy year for food & beverage cyberattacks. Arizona Beverage, Molson Coors, JBS and Schreiber Foods all were hit with ransomware.
Nearly all of 2022 passed without a single reported cybersecurity incident impacting a food or beverage company. Then, on Nov. 6, Maple Leaf Foods was the victim of a breach, and just two months into 2023 Dole Foods was attacked.
Dole this Feb. 22 briefly acknowledged a “cybersecurity incident that has been identified as ransomware” and added “the impact to Dole operations has been limited.” But various media reported the incident occurred earlier that month, apparently lasted several days and impacted Dole operations in more than a limited way. The Miami CBS TV affiliate talked to local grocers who reported shortages of Dole prepackaged salads in their stores.
Dole has four processing plants in the U.S. It’s uncertain how long production was shut down.
In its statement, the company said, “Upon learning of this incident, Dole moved quickly to contain the threat and engaged leading third-party cybersecurity experts, who have been working in partnership with Dole’s internal teams to remediate the issue and secure systems. The company has notified law enforcement about the incident and are cooperating with their investigation.”
Maple Leaf in 2022 was equally terse and vague in its official announcement, but later told a Canadian news medium it refused to pay the ransom.
The Maple Leaf breach occurred Nov. 6. A cyber gang calling itself Black Basta claimed credit for the attack in a posting in late November. The hackers posted screenshots of financial information and other confidential Maple Leaf data reaped in the attack in an apparent attempt to extort the company.
“Unfortunately, we know that the people behind this incident were able to gain unauthorized access to some of our data, and they are threatening to release it unless we pay a ransom, which we will not do,” Maple Leaf told IT World Canada.
Black Basta claims to have stolen information from more than 100 sources, including Sobeys, the Canadian food retail giant, according to IT World Canada.
There was a report last April that Coca-Cola had been hit by a minor cyber breach. While the company wouldn't comment, cyber experts said it looked unlikely, since the responsible group, Stormous, often inflates claims about data they have stolen, which usually turns out to be just semi-sensitive information from semi-public sources.
The reality of the cyberattack landscape, however, goes beyond the single reported incident in 2022: Although the first 10 months of 2022 saw no reported cybersecurity attacks, there apparently were numerous unreported incidents.
In its “2022 ICS/OT Year in Review” report [ICS stands for industrial control system], Dragos noted 52 incidents involving the food & beverage industry. That number ranked second only to General Manufacturing at 437; but all subsegments of General Manufacturing experienced fewer incidents than Food & Beverage (Metal Products topped that list at 42, and Automotive was second with 37).
“We are seeing this saturation of incidents in manufacturing and food and beverage because of the overall low maturity of cybersecurity in those industries,” says Sakmar. “While ransomware can and does impact organizations with high cybersecurity maturities, it is common for adversaries, especially criminal gangs like those associated with ransomware, to target those with lower cybersecurity maturity and defenses, since they are easier targets.”
Any lack of reporting won’t go on much longer. While some companies, especially the publicly held ones, feel obligated to acknowledge an attack, at least in brief, the “Cyber Incident Reporting for Critical Infrastructure Act of 2022” (CIRCIA) will require every company to report the incident within 72 hours.
How to build a cyber defense
The usual prescriptions still hold: Train employees, inventory assets, back up your systems and perform a tabletop exercise. “Segmentation is important, but we no longer live in a world where IT and OT can be separate,” says Casey Gallimore, director of regulatory policy for the North American Meat Institute (NAMI). “IT and OT should be integrated, so that those employees work seamlessly.”
Mindful that JBS and Maple Leaf were recent cyber victims, NAMI is probably the food industry’s most active association on this subject. Its board created a Cybersecurity Committee and made cybersecurity a non-competitive issue among its members.
“Companies of all sizes have shared information and best practices with each other,” Gallimore continues. “This has brought about robust debate and information sharing at the highest levels of member companies.”
NAMI also provides webinars and other programming for members. Discussions within the committee and among NAMI members have included an analysis of what other industries are doing in the cybersecurity space.
One federal reaction to these threats was the creation of the Cybersecurity and Infrastructure Security Agency within the Department of Homeland Security. A predecessor agency dates back to 2007, but CISA was created in 2018. Within its broad goal of protecting the country, it serves as a clearinghouse for information and current threats.
Prompt reporting to CISA because of CIRCIA will result in government assistance to the victimized company, identification of vulnerabilities and other relevant data, plus valuable lessons for all other companies.
Corman thinks one significant vulnerability for food & beverage may be the lack of an Information Sharing and Analysis Center (ISAC), a public-private partnership for sharing information administered by CISA. He says food is one of the few industrial sectors that does not have its own ISAC, although he’s been lobbying for one since he worked for CISA, before coming to Claroty.
Others believe the food & beverage industry is sufficiently represented in the Manufacturing or IT cyber groups.
As with many things, success depends on the buy-in from top management. “Leadership alignment is the biggest organizational impediment to OT cyber programs,” says Lauren Blocker, industrial cybersecurity consulting partner with Rockwell Automation. “If you don’t have that along the complete chain of command, it’s really hard to start a program, to resource a program, to continue a program and to measure its success.”
Educating your employees is always mentioned, since they may unwittingly bring in some threats. But increasingly the threats are more sophisticated than fishy-looking emails. Fortinet’s Nelson suggests:
- Create an education plan – both for your cybersecurity team and for all employees.
- Make sure you have segmentation, especially if you’re in the cloud.
- Create a zero threat strategy, a way of thinking that precludes all cyber threats.
- Make sure your digital transformation strategy includes security and firewalls.
- Get visibility into the cyber inner workings of your operations with a plan of what to do if you see something.
- Get threat intelligence.