Top 7 OT Cybersecurity Challenges in the Food & Beverage Industry
By Patrick Corbett of PepsiCo and ISA
Industrial control systems are the backbone of many food & beverage industry operations. Any disruption to the control system would result in significant downtime to operations. A cybersecurity attack, specifically, would not only cause downtime, but would tarnish the brand of that company and potentially cause harm to individuals.
There are seven main cybersecurity challenges in most food & beverage companies and their plants.
1. Legacy Systems
Many control systems were designed years ago when cybersecurity was not considered, leaving the legacy operational technology (OT) systems of today unsecure. Due to the cybersecurity threats that legacy systems pose, most are required to be isolated from the network, thereby introducing challenges for companies on their digital transformation journey.
Additionally, legacy systems introduce several challenges to implementing modern security applications. It is very difficult to upgrade these systems in food & beverage due to supply chain demands, compatibility issues, customization of the legacy systems, cost and vendor support.
2. Asset Visibility
Another challenge for the food and beverage industry is asset visibility. Knowing what is installed onsite is one of the most important pieces of information. How can you protect assets that you’re not aware of?
Food & beverage companies may have a network or system architecture drawing that contains a list of all assets, but the accuracy may be questionable as the document is relying on people to manually update it.
There are many passive network monitoring tools on the market that can help organizations build an asset inventory by inspecting the Ethernet headers of passing network traffic. This can give food & beverage organizations great insight into asset visibility; however, drawbacks include inaccuracy and failure to detect everything.
Another method of collecting asset information is to have a spreadsheet of all hardware and software installed on the site -- but again, it’s not practical to rely on individuals to manually update it, making asset visibility a major cybersecurity concern.
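The passive approach described above, as an added example that is not code from the article or from any monitoring vendor: the script parses the Ethernet, IPv4 and TCP/UDP headers of captured frames and folds them into an inventory keyed by source MAC, then lists the gaps passive monitoring cannot close on its own (several IPs behind one MAC, unknown vendors, and devices that never transmit and therefore never appear). The OUI table, the port table and the frames are constructed for the demo and are not site data.

```python
"""Passive asset inventory from Ethernet frames (added example)."""
import struct
from dataclasses import dataclass, field

# Illustrative OUI (first three MAC bytes) -> vendor table. A real tool
# would use the full IEEE registry; two entries are enough for the demo.
OUI_VENDORS = {"00:00:bc": "Rockwell Automation", "00:1b:1b": "Siemens"}

# Well-known industrial ports keyed by (IP protocol number, destination port).
INDUSTRIAL_PORTS = {
    (6, 44818): "EtherNet/IP (explicit)",
    (17, 2222): "EtherNet/IP (implicit I/O)",
    (6, 102): "S7comm (ISO-TSAP)",
    (6, 502): "Modbus/TCP",
}


@dataclass
class Asset:
    mac: str
    vendor: str
    ips: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    frames: int = 0


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Return (src_mac, src_ip, ip_proto, dst_port); IP fields are None for non-IPv4."""
    if len(frame) < 14:
        return None
    src_mac = mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800 or len(frame) < 34:   # ARP, VLAN, etc.: MAC only
        return src_mac, None, None, None
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    ip_proto = frame[23]
    src_ip = ".".join(str(b) for b in frame[26:30])
    l4 = frame[14 + ihl:]
    dst_port = None
    if ip_proto in (6, 17) and len(l4) >= 4:      # TCP and UDP share the port layout
        dst_port = struct.unpack("!H", l4[2:4])[0]
    return src_mac, src_ip, ip_proto, dst_port


def build_inventory(frames):
    """Fold a list of raw frames into {src_mac: Asset}."""
    inventory = {}
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, src_ip, ip_proto, dst_port = parsed
        asset = inventory.setdefault(
            src_mac, Asset(src_mac, OUI_VENDORS.get(src_mac[:8], "unknown")))
        asset.frames += 1
        if src_ip:
            asset.ips.add(src_ip)
        name = INDUSTRIAL_PORTS.get((ip_proto, dst_port))
        if name:
            asset.protocols.add(name)
    return inventory


def inventory_caveats(inventory):
    """Gaps passive monitoring cannot close by itself: one MAC fronting several
    IPs (a router or NAT gateway hiding devices behind it) and unknown vendors.
    Devices that never transmit never appear in the inventory at all."""
    notes = []
    for asset in inventory.values():
        if len(asset.ips) > 1:
            notes.append(f"{asset.mac}: {len(asset.ips)} IPs behind one MAC (gateway?)")
        if asset.vendor == "unknown":
            notes.append(f"{asset.mac}: unknown vendor, confirm manually")
    return notes


def make_frame(src_mac, src_ip, dst_ip, ip_proto, dst_port):
    """Build a minimal Ethernet + IPv4 + TCP/UDP frame (constructed input)."""
    eth = bytes(6) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ip = bytes([0x45, 0, 0, 40, 0, 0, 0, 0, 64, ip_proto, 0, 0])
    ip += bytes(int(o) for o in src_ip.split(".")) + bytes(int(o) for o in dst_ip.split("."))
    return eth + ip + struct.pack("!HH", 49152, dst_port) + bytes(16)


# Constructed capture: an EtherNet/IP device, an S7 device (plus one ARP
# frame from it) and one unknown MAC that speaks from two IPs.
SAMPLE_FRAMES = [
    make_frame("00:00:bc:11:22:33", "10.10.1.20", "10.10.1.50", 6, 44818),
    make_frame("00:00:bc:11:22:33", "10.10.1.20", "10.10.1.50", 6, 44818),
    make_frame("00:1b:1b:44:55:66", "10.10.1.30", "10.10.1.50", 6, 102),
    bytes.fromhex("ffffffffffff" "001b1b445566" "0806") + bytes(28),
    make_frame("aa:bb:cc:dd:ee:01", "10.10.2.5", "10.10.1.20", 6, 502),
    make_frame("aa:bb:cc:dd:ee:01", "10.10.2.6", "10.10.1.30", 6, 102),
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_FRAMES)
    for asset in inventory.values():
        print(asset)
    print(inventory_caveats(inventory))
```

The caveat list is the part worth keeping in a real deployment: a passive inventory is only as complete as the traffic it has seen, so the notes it produces are the starting point for the manual confirmation the article says a spreadsheet alone cannot replace.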
3. Patch Management
In 2022, Rockwell Automation and ISMG conducted a survey on cybersecurity preparedness in critical infrastructure, which found that only one-third of organizations have effective OT patch management. There are two key challenges for OT patch management in food & beverage organizations: 1. downtime is difficult to get approved, and 2. validation of the patching.
From a Microsoft Operating System perspective, usually vendors such as Rockwell Automation or Siemens have approved OS patches that have been validated in a test environment. Applying OS patches should be straightforward once the downtime has been approved.
Additionally, a robust test plan would be required to ensure all key Windows services are running, that no new warnings or errors are introduced to the logs, and that the graphics are displaying correctly with no stale or bad tags. However, firmware updates are a huge challenge for programmable logic controllers (PLCs). Many systems communicate with PLCs, such as barcode scanners, labellers, robots, variable speed drives, manufacturing execution systems and IT systems such as SAP. Thus, there is a lot more to validate after a firmware update to a PLC, or even after upgrading a PLC.
Essentially, organizations must redo an operational qualification and/or site acceptance test. If there is a service level agreement in place with a vendor, patching becomes more difficult still, as the vendor will need to agree to the updated firmware version. On top of that, some food & beverage companies may have legacy systems that cannot be patched.
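The OS-patch test plan described above (key services running, no new warnings or errors in the logs, no stale or bad tags on the graphics), as an added example that is not from the article or from any vendor's qualification document: the script compares a pre-patch baseline with a post-patch snapshot of an HMI/SCADA host and reports only what changed, so a warning that was already present before the patch is not raised as a regression. Service names, event sources, event IDs and tag names are constructed; the real lists come from the system's qualification documents.

```python
"""Post-patch validation for an OT Windows host (added example)."""
from collections import Counter
from dataclasses import dataclass

# Hypothetical key services for the demo host.
KEY_SERVICES = ["ScadaRuntime", "OpcUaServer", "AlarmServer", "HistorianCollector"]
PROBLEM_LEVELS = {"Warning", "Error", "Critical"}
STALE_AFTER_S = 10      # a tag not updated for longer than this is stale


@dataclass
class HostSnapshot:
    services: dict   # service name -> "Running" / "Stopped"
    events: list     # (level, source, event_id) read from the event log
    tags: dict       # HMI tag -> (quality, seconds since last update)


def services_down(post: HostSnapshot):
    """Key services that are not running after the patch."""
    return [s for s in KEY_SERVICES if post.services.get(s) != "Running"]


def new_log_problems(pre: HostSnapshot, post: HostSnapshot):
    """Warning/error events seen more often after the patch than in the
    baseline; a pre-existing, accepted warning is therefore not reported."""
    def problems(snapshot):
        return Counter(e for e in snapshot.events if e[0] in PROBLEM_LEVELS)
    before, after = problems(pre), problems(post)
    return sorted(e for e, n in after.items() if n > before.get(e, 0))


def tag_problems(post: HostSnapshot):
    """Tags with bad/uncertain quality or no recent update on the graphics."""
    findings = []
    for tag, (quality, age_s) in sorted(post.tags.items()):
        reasons = []
        if quality != "Good":
            reasons.append(f"{quality} quality")
        if age_s > STALE_AFTER_S:
            reasons.append(f"stale ({age_s}s since last update)")
        if reasons:
            findings.append((tag, ", ".join(reasons)))
    return findings


def validate_patch(pre: HostSnapshot, post: HostSnapshot):
    """Run all three checks; the host passes only if every finding list is empty."""
    report = {
        "services_down": services_down(post),
        "new_log_problems": new_log_problems(pre, post),
        "tag_problems": tag_problems(post),
    }
    report["passed"] = not any(report.values())
    return report


# Constructed baseline captured before the maintenance window.
PRE_PATCH = HostSnapshot(
    services={s: "Running" for s in KEY_SERVICES},
    events=[("Warning", "HistorianCollector", 2001)],   # known, accepted warning
    tags={"Line1.Filler.Speed": ("Good", 1), "Line1.Capper.Torque": ("Good", 2)},
)

# Constructed snapshot after the OS patch: one service failed to restart,
# a new error appeared, and one tag went bad and stale.
POST_PATCH = HostSnapshot(
    services={**{s: "Running" for s in KEY_SERVICES}, "AlarmServer": "Stopped"},
    events=[
        ("Warning", "HistorianCollector", 2001),
        ("Information", "WindowsUpdate", 19),
        ("Error", "OpcUaServer", 7034),
    ],
    tags={"Line1.Filler.Speed": ("Good", 1), "Line1.Capper.Torque": ("Bad", 45)},
)

if __name__ == "__main__":
    for key, value in validate_patch(PRE_PATCH, POST_PATCH).items():
        print(f"{key}: {value}")
```

Taking the baseline immediately before the patch is the important design choice: comparing against a baseline matters more than the checks themselves, because an OT host that has run for years usually carries nuisance warnings that would otherwise block every patch sign-off.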
4. IT/OT Convergence
With IT/OT convergence, more and more assets are connected to the OT network, creating a broader attack surface. Cybersecurity attacks don’t just affect production and operations but could have serious consequences from a human safety perspective. Some measures to help secure OT systems include:
- Implementing a demilitarized zone between the IT layer (Layer 4 in the Purdue model) and the OT layer (Layer 3).
- Implementing firewalls with unidirectional rules.
- Employing secure network protocols.
- Securing remote access with multifactor authentication.
5. Remote Access and Access by Least Privilege
In food & beverage organizations, it’s very likely that vendors supplying equipment will offer a service level agreement whereby they have secure remote access to their equipment. This reliance on vendors’ VPNs introduces many risks, such as inadequate access control: the end user will not have full autonomy over when the third party remotes into the equipment, and the third party could potentially make unauthorized changes.
Also, the end user must rely on the third party’s security measures, such as having a strong password and valid antivirus. One way to overcome this challenge is for the end user to set up a secure remote login method. This could be achieved by providing the third party with OT user accounts on the end user’s domain and access to the end user’s VPN service to log in to the OT environment. This way the PLC and HMI programming software will log and audit any remote changes. Moreover, the end user can control the Remote Desktop Protocol access and the access control within the PLC and HMI software.
Another item to discuss is access by least privilege. This is probably one of the most common best practices. However, one question to consider is how many organizations follow this?
Most likely, an organization’s administration access is not handed out to everybody. Generally, operators can only do what they need to do; same goes for maintenance, engineers and supervisors. Automation/OT, however, often has access to everything.
If automation departments are lucky, they usually have some on-shift support from local system integrators who may have access to everything -- but do they need access to do everything? One thing I’ve learned from previous jobs is once a user has remote access, it’s possible for them to do whatever they like, such as download to a PLC, check out code without providing comments, update firmware on OT assets, etc.
Not everybody should have access to update firmware on PLCs and not everybody would need access to download to a PLC or modify the program. Some of these items mentioned, such as checking out code, could be considered best practices rather than security risks, but it’s important that there is a requirement for traceability.
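The controls described in this section (end-user-owned accounts for vendors, least-privilege roles for PLC/HMI actions, and traceability of every change), as an added example that is not from the article and is not any vendor's access-control feature: a small policy check in which each role may perform only the actions it needs, a vendor account may act only inside an approved remote-access window, a code checkout without a change comment is refused, and every request, permitted or denied, lands in an audit trail that can be reviewed after the shift. Roles, actions, account names and times are constructed.

```python
"""Least-privilege policy and audit trail for PLC/HMI actions (added example)."""
from datetime import datetime, timezone

# Which actions each role needs; everything else is denied.
ROLE_ACTIONS = {
    "operator":    {"view", "acknowledge_alarm"},
    "maintenance": {"view", "acknowledge_alarm", "restart_runtime"},
    "engineer":    {"view", "checkout_code", "download_program"},
    "automation":  {"view", "checkout_code", "download_program", "update_firmware"},
    "vendor":      {"view", "checkout_code", "download_program"},
}
# Actions that change the running system and must therefore be traceable.
CHANGE_ACTIONS = {"checkout_code", "download_program", "update_firmware"}

# Constructed accounts: (role, approved remote-access window or None).
UTC = timezone.utc
USERS = {
    "op.dave":    ("operator", None),
    "eng.alice":  ("engineer", None),
    "auto.carol": ("automation", None),
    "vendor.bob": ("vendor", (datetime(2024, 5, 6, 8, tzinfo=UTC),
                              datetime(2024, 5, 6, 12, tzinfo=UTC))),
}


def authorize(users, audit, user, action, when, comment=None):
    """Decide whether `user` may perform `action` at `when`, and always write
    an audit entry so denied attempts are visible too. Returns (allowed, reason)."""
    role, window = users[user]
    if action not in ROLE_ACTIONS[role]:
        allowed, reason = False, f"role {role} may not {action}"
    elif window and not (window[0] <= when < window[1]):
        allowed, reason = False, "outside approved remote access window"
    elif action == "checkout_code" and not comment:
        allowed, reason = False, "checkout requires a change comment"
    else:
        allowed, reason = True, "permitted"
    audit.append({"when": when, "user": user, "role": role, "action": action,
                  "allowed": allowed, "reason": reason, "comment": comment})
    return allowed, reason


def change_report(audit):
    """Traceability view: every permitted change, who made it and why."""
    return [(e["user"], e["action"], e["comment"])
            for e in audit if e["allowed"] and e["action"] in CHANGE_ACTIONS]


def denied_attempts(audit):
    """Denied requests, the first thing to review after a shift."""
    return [(e["user"], e["action"], e["reason"]) for e in audit if not e["allowed"]]


def run_demo():
    """Replay a constructed sequence of requests and return the audit log."""
    audit = []
    t = datetime(2024, 5, 6, 9, tzinfo=UTC)      # inside the vendor window
    late = datetime(2024, 5, 6, 15, tzinfo=UTC)  # after it closed
    authorize(USERS, audit, "op.dave", "download_program", t)
    authorize(USERS, audit, "eng.alice", "checkout_code", t)
    authorize(USERS, audit, "eng.alice", "checkout_code", t, comment="CR-0412 filler recipe")
    authorize(USERS, audit, "vendor.bob", "download_program", t, comment="CR-0412 filler recipe")
    authorize(USERS, audit, "vendor.bob", "download_program", late, comment="hotfix")
    authorize(USERS, audit, "auto.carol", "update_firmware", t, comment="CR-0390 PLC fw")
    authorize(USERS, audit, "eng.alice", "update_firmware", t, comment="CR-0390 PLC fw")
    return audit


if __name__ == "__main__":
    log = run_demo()
    print("changes:", change_report(log))
    print("denied:", denied_attempts(log))
```

Because the accounts live with the end user rather than with the vendor, the window check and the audit trail are under the end user's control, which is the point the section makes about not relying on a third party's own VPN and security measures.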
6. Network Segmentation
Network segmentation is one of many methods for an organization to enhance their OT cybersecurity measures; however, it is a huge challenge to implement this on existing qualified systems. Another challenge for food & beverage companies when implementing network segmentation is getting downtime. However, when implementing network segmentation there are a number of steps involved before actually getting to the implementation part:
- It is important to conduct thorough assessments to ensure that the migration team has a solid understanding of the communication between all assets within the industrial automation control systems. Having up-to-date documents is a huge help; if there are none, ensure the process is documented and that zones and conduits are well defined.
- Have robust testing in place. Create a development environment to complete development and testing so as not to impact production. This will help minimize disruption and improve confidence with stakeholders.
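The assessment step above, together with the DMZ and unidirectional-rule measures listed under IT/OT convergence, as an added example that is not from the article: given each asset's zone and the directional conduits the segmentation design allows, the script first builds the zone-to-zone communication matrix the assessment should document, then reports every observed flow that has no conduit: enterprise traffic reaching a controller directly instead of terminating in the DMZ, a DMZ host initiating into the site operations zone against the direction of the conduit, and a flow from an asset missing from the zone inventory. Zone names, conduits, hostnames and flows are constructed.

```python
"""Zone-and-conduit check for observed OT network flows (added example)."""
from collections import defaultdict

# Directional conduits allowed by the design: (initiating zone, responding zone).
# There is deliberately no L4 -> L3 or L4 -> L1 entry: enterprise traffic
# terminates in the DMZ, and the OT side initiates its own DMZ connections.
ALLOWED_CONDUITS = {
    ("L4-enterprise", "L3.5-DMZ"),
    ("L3-site-ops", "L3.5-DMZ"),
    ("L3-site-ops", "L2-area"),
    ("L3-site-ops", "L1-control"),
    ("L2-area", "L1-control"),
}

# Constructed asset-to-zone inventory from the site assessment.
ZONES = {
    "erp.corp":        "L4-enterprise",
    "eng-laptop.corp": "L4-enterprise",
    "historian.dmz":   "L3.5-DMZ",
    "jump.dmz":        "L3.5-DMZ",
    "scada.site":      "L3-site-ops",
    "hmi-line1":       "L2-area",
    "hmi-line2":       "L2-area",
    "plc-filler":      "L1-control",
}

# Constructed observed flows: (initiator, responder, destination port).
OBSERVED_FLOWS = [
    ("erp.corp", "historian.dmz", 1433),
    ("scada.site", "historian.dmz", 1433),
    ("scada.site", "plc-filler", 44818),
    ("hmi-line1", "plc-filler", 44818),
    ("hmi-line1", "hmi-line2", 5900),          # intra-zone, always allowed
    ("eng-laptop.corp", "plc-filler", 44818),  # bypasses the DMZ
    ("historian.dmz", "scada.site", 445),      # wrong direction on the L3 -> DMZ conduit
    ("unknown-host", "plc-filler", 502),       # not in the asset inventory
]


def conduit_matrix(flows, zones):
    """Zone pairs actually seen talking, with the ports used: the document the
    assessment should produce before zones and conduits are finalised."""
    matrix = defaultdict(set)
    for src, dst, port in flows:
        if src in zones and dst in zones:
            matrix[(zones[src], zones[dst])].add(port)
    return dict(matrix)


def check_flows(flows, zones, conduits):
    """Return (flow, reason) for every observed flow the design does not permit."""
    findings = []
    for flow in flows:
        src, dst, _ = flow
        if src not in zones or dst not in zones:
            findings.append((flow, "asset missing from zone inventory"))
            continue
        zs, zd = zones[src], zones[dst]
        if zs == zd or (zs, zd) in conduits:
            continue
        if (zd, zs) in conduits:
            findings.append((flow, f"conduit {zd}->{zs} is unidirectional; {zs} may not initiate"))
        else:
            findings.append((flow, f"no conduit {zs}->{zd}"))
    return findings


if __name__ == "__main__":
    for pair, ports in sorted(conduit_matrix(OBSERVED_FLOWS, ZONES).items()):
        print(pair, sorted(ports))
    for flow, reason in check_flows(OBSERVED_FLOWS, ZONES, ALLOWED_CONDUITS):
        print(flow, "->", reason)
```

Running this against flows captured in the development environment, before anything is cut over, is what turns the assessment into firewall rules: each entry in the conduit matrix either becomes an allowed unidirectional rule or is an undocumented dependency that has to be resolved before the production downtime is requested.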
7. Incident Response
Another challenge is developing a robust OT Incident Response Plan. Having one will certainly minimize the impact of security incidents and help restore normal operations efficiently. However, developing one is a huge challenge, as multiple stakeholders are involved and getting everybody to agree is difficult.
One key step is to develop a RACI (Responsible, Accountable, Consulted, Informed) or DICE (Decides, Informed, Consulted, Executes) document and establish a clear communications plan. One of the best ways to prepare or test your incident response plan is via tabletop exercises. However, to be able to act on incidents, organizations must be set up to be able to detect, contain and mitigate, eradicate and recover from incidents. Achieving this involves software or systems that can detect malicious behavior, a segmented network and backups of OT assets.
There are more and more devices being connected within the manufacturing network. This broadens the surface for an attack, leaving food & beverage companies vulnerable. Malicious attackers are constantly evolving so it’s important that companies continue to enhance their security posture.
It’s crucial for companies to understand their environment through asset visibility and SIEM (security information and event management) solutions, and to adopt a defense-in-depth strategy. While no industry is entirely immune to cyber threats, management must assess their risk tolerance and prioritize measures to safeguard sensitive data, product integrity and operational continuity.
Bibliography
"Are You Prepared To Deal With Rising OT Cybersecurity Threats?," Rockwell Automation, 2022 (https://www.rockwellautomation.com/en-us/capabilities/industrial-cybersecurity/services/critical-infrastructure-preparedness-report.html)
Patrick Corbett is a senior global automation engineer at PepsiCo, secretary of the ISA Ireland Section and 2024 Chair of the ISA Young Professionals. ISA is the International Society of Automation, a non-profit professional association of engineers, technicians, and management engaged in industrial automation (www.isa.org).