Tag Archives: cybersecurity

Food Safety Consortium

10th Annual Food Safety Consortium Back In-Person with New Location and Focus

By Food Safety Tech Staff

EDGARTOWN, MA, Feb. 23, 2022 – Innovative Publishing Company, Inc., publisher of Food Safety Tech, has announced the dates for the 2022 Food Safety Consortium as well as its new location. Now in its 10th year, the Consortium is moving to Parsippany, New Jersey and will take place October 19-21.

“COVID-19’s impact on the food safety community has been significant and its impact will continue to be felt for years,” said Rick Biros, president of Innovative Publishing Company and director of the Food Safety Consortium, in his blog about the current state of the food industry. “The goal now is not to get food safety back to 2019 levels but to build it better. These issues must be discussed among peers and best practices must be shared. This year’s event will help facilitate this much needed critical thinking and meeting of the minds.”

The 2022 program will feature panel discussions and concurrent breakout sessions intended for mid-to-senior-level food safety professionals that address important industry issues, including:

  • C-Suite Communication
  • Employee Culture
  • What is the State of Food Safety and Where is it Going?
  • Audits: Blending in-person with Remote
  • Quality 4.0: Data Analytics and Continuous Improvement
  • Digital Transformation of Food Safety & Quality
  • Technology: How Far is Too Far?
  • The Days FSQA Folks Fear the Most
  • FSQA’s Role in Worker Rights and Conditions
  • Analyzing and Judging Supplier’s Human Rights and Environmental Records
  • New Trends in Food Fraud
  • Diversification of Supply Chain Capacity
  • Product Reformulation Challenges due to Supply Chain Challenges
  • Traceability
  • Preparing the Next Generation of FSQA Leaders
  • Food Defense & Cybersecurity
  • Food Safety and Quality in the Growing World of e-commerce
  • Quality Helping Improve Manufacturing Efficiency with How Does Quality Show Value to the Organization?

The event will also feature special sessions led by our partners, including the Food Defense Consortium, GFSI, STOP Foodborne Illness and Women in Food Safety.

Tabletop exhibits and custom sponsorship packages are available. Contact Sales Director RJ Palermo.

Registration will open soon. To stay up to date on registration, event keynote and agenda announcements, opt in to Food Safety Tech.

About Food Safety Tech

Food Safety Tech is a digital media community for food industry professionals interested in food safety and quality. We inform, educate and connect food manufacturers and processors, retail & food service, food laboratories, growers, suppliers and vendors, and regulatory agencies with original, in-depth features and reports, curated industry news and user-contributed content, and live and virtual events that offer knowledge, perspectives, strategies and resources to facilitate an environment that fosters safer food for consumers.

About the Food Safety Consortium

Food companies are concerned about protecting their customers, their brands and their own company’s financial bottom line. The term “Food Protection” requires a company-wide culture that incorporates food safety, food integrity and food defense into the company’s Food Protection strategy.

The Food Safety Consortium is an educational and networking event for Food Protection that has food safety, food integrity and food defense as the foundation of the educational content of the program. With a unique focus on science, technology and compliance, the “Consortium” enables attendees to engage in conversations that are critical for advancing careers and organizations alike. Delegates visit with exhibitors to learn about cutting-edge solutions, explore three high-level educational tracks for learning valuable industry trends, and network with industry executives to find solutions to improve quality, efficiency and cost effectiveness in the evolving food industry.

Food Safety Consortium Virtual Conference Series

2021 FSC Episode 8 Preview: Food Defense: Yesterday, Today and Tomorrow

By Food Safety Tech Staff

You don’t want to miss this week’s episode of the 2021 Food Safety Consortium Virtual Conference Series. The session, Food Defense: Yesterday, Today and Tomorrow, will discuss pre-FSMA IA Rule voluntary food defense programs, compliance timelines, and regulatory compliance vs. enterprise risk based approaches to food defense. Presenters will address the status of Food Defense plan quick checks and share insights on Food Defense Plan reanalysis. Participants will gain insights on threat intelligence sources and food defense-based research updates. Other topics to be covered include a brief overview of recently released insider risk mitigation reference material, cyber/IT “vulnerabilities”, critical infrastructure protection and how an all-hazards mindset to “all of the above” can help to contribute to a Food Protection Culture.

The following is the lineup of speakers for Thursday’s episode, which begins at 12 pm ET.

  • Jason Bashura, PepsiCo (moderator)
  • Food Defense Yesterday with Raquel Maymir, General Mills
  • FBI HQ Perspectives of Food Defense with Helen S. Lawrence and Scott Mahloch, FBI
  • Food Defense Tomorrow with Frank Pisciotta, ASIS Food Defense & Ag Security Community and Cathy Baillie, Mars, Inc.
  • Risk-based Food Defense with Jessica Cox, Department of Homeland Security, Chemical Security Analysis Center
  • Food Defense & Supply Chain Perspectives: Regional Resilience Action Plan with Jose Dossantos, Department of Homeland Security/CISA

The Fall program runs every Thursday from October 7 through November 4. Haven’t registered? Follow this link to the 2021 Food Safety Consortium Virtual Conference Series, which provides access to all the episodes featuring critical industry insights from leading subject matter experts!

FDA

FDA Launches Office of Digital Transformation

By Food Safety Tech Staff

Taking a step further in prioritizing technology and data modernization efforts, today the FDA announced the launch of a new Office of Digital Transformation. The office realigns the agency’s information technology, data management and cybersecurity roles into a central office that reports directly to the FDA commissioner. The reorganization will also help FDA further streamline its data and IT management processes, reducing duplication of processes, and promote best practices, technological efficiencies and shared services in a strategic and secure way.

“Good data management, built into all of our work, ultimately helps us meet and advance the FDA’s mission to ensure safe and effective products for American families,” said Acting FDA Commissioner Janet Woodcock, M.D., in an FDA news release. “The agency began these efforts because, as a science-based agency that manages massive amounts of data to generate important decisions and information for the public, innovation is at the heart of what we do. By prioritizing data and information stewardship throughout all of our operations, the American public is better assured of the safety of the nation’s food, drugs, medical devices and other products that the FDA regulates in this complex world. This reorganization strengthens our commitment to protecting and promoting public health by improving our regulatory processes with a solid data foundation built in at every level.”

 

Willem Ryan, AlertEnterprise
FST Soapbox

Cybersecurity: Risk Moves Squarely to Operational Technology

By Willem Ryan

Data breaches, ransomware attacks and now, operational shutdowns. Recent events bear out that cyber strikes are not reserved solely to data breaches and IT systems but now include Operational Technology (OT) and industrial controls to disrupt operations, distribution and the entire food supply chain.

JBS Foods, one of the world’s largest meat producers, was leveled by a cyberattack in early June, affecting U.S. and Australia operations. In a public statement, the organization revealed that it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. “At the time of payment, the vast majority of the company’s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated,” according to company documents.

There’s a security divide that shouldn’t be there: distinct lines between Cyber, OT and physical security teams, forged by years of siloed departments, that have resulted in disjointed and ineffective detection, mitigation and response to risk.

It’s not a new problem—in fact the vulnerability of the critical infrastructure has been a discussion for decades. Moving to a converged approach across all departments, including HR, IT/cyber and OT/SCADA can effectively secure our most critical food production and distribution resources while actively enforcing compliance and company policies. Identity and Access is at the center of it all and the best way to holistically protect the enterprise.

In the example of high-profile enterprise Molson-Coors, a cyberattack in March centered on ransomware. In its SEC filing after the event, the beverage giant stated that the attack “has caused and may continue to cause a delay or disruption to parts of the company’s business,” which includes brewery operations, production and shipping.

The February attack on a Florida water treatment plant, carried out by compromising a remote access software program on a facility computer, is still another stark reminder of the growing dangers of cyber-physical threats and that even employees can be part of the problem.

You can see just how fragile and vulnerable our supply chains and critical business processes have become. Cybercriminals now realize how disruptive and lucrative attacks targeting these systems can be, so they will continue unabated without immediate stop-gaps.

Because these attacks have become blended and omni-present on every part of the critical infrastructure, executives need to move beyond IT-centric cybersecurity to minimize supply threats. This emergence of new attack vectors has other implications. It highlights the dire need to transition from siloed IT, OT, HR and physical security to a converged approach, yet executives remain at odds with how to execute this while working in their own bubbles.

The threat has become even greater than the organization itself. According to predictions by Gartner, liability for cyber-physical security incidents will “pierce the corporate veil to personal liability,” for 75% of CEOs by 2024.

Security Convergence Key Ingredient to Digital Transformation

As the food industry continues to digitally transform, systems and processes move to rapidly connect. Security convergence, centered around identity and access governance, links all these separate departments and operations, so communications and processes actively and collectively address and shore up risk preemptively. Events, exceptions, alerts, alarms and targeted attacks on all points, including the network, control systems and physical security can be integrated for a coordinated and cohesive response.

Securing our most important critical resource, the food supply chain, means correlating threats across underlying HR, IT, physical security and OT used in production and processing. Physical access control and identity now link to specialized plant applications like manufacturing execution systems (MES), plant historians and demand management from ERP that can deliver information directly to production. Monitoring insider and contractor access to modify batch recipes provides alerts and detection when the addition of a preservative has been suppressed, causing a contaminated batch to be produced, for example.

Integrating seamlessly with HR applications, converged software further prevents insider threat by automating background checks and risk analysis during the on-boarding and off-boarding process for employees and contractors.

The threat landscape today demands a single solution to manage operational risk and security. The following is just one example of how this converged approach works.

A fictitious company named Big Food was dealing with disgruntled production foreman Tom. Tom not only had physical access to the production floor, but was intimately familiar with the control system settings to configure recipes for the MES.

Security software’s real-time link to SAP SuccessFactors HCM provided critical real-time data that identified Tom’s history of workplace issues. When Tom accessed the plant area after his normal shift hours, the security platform detected that he was making unusual changes to the production settings to eliminate the addition of preservatives. An alert was immediately sent to security operations staff as well as the plant manager. Incident prevented, with huge savings from avoided downtime and protection from loss of reputation to the company brand.

The food and beverage industry must meet high quality standards and adhere to rapid production cycles to preserve nutrition value and freshness. Convergence and automation are the keys to achieving these goals. As OT and IT networks become increasingly interconnected, OT environments become more exposed to cyber-physical attacks, which can result in tainted products, downtime and revenue losses. Security solutions that secure enterprise IT applications and plant applications deliver continuous monitoring that prevents sabotage, acts of terrorism and other malicious acts. There’s also the ability to manage other supply chain risks, including changes to master data and transactions as well as the movement of goods and arrival notification requirements by the FDA.

Today’s malicious actors don’t think in silos but most companies still do. As security and technology leaders we are compelled to rise and meet the challenge. It’s clear that only a converged approach, beyond IT-centric cybersecurity, is the way forward.

Cybersecurity

As Cyber Threats Evolve, Can Food Companies Keep Up?

By Maria Fontanazza

The recent cyberattack that shut down meat supplier JBS should be a wakeup call to the food industry. These attacks are on the rise across industries, and food operations both large and small need to be prepared. In a Q&A with Food Safety Tech, Brent Johnson, partner at Holland & Hart, breaks down key areas of vulnerability and how companies in the food industry can take proactive steps to protect their operations and ultimately, the consumer.

Food Safety Tech: Given the recent cyberattack on JBS, how vulnerable are U.S. food companies, in general, to this type of attack? How prepared are companies right now?

Brent Johnson, partner, Holland & Hart

Brent Johnson: Food companies are in the same boat as other manufacturers. Cyber threats are constantly evolving and hackers are developing increasingly sophisticated delivery systems for ransomware. Food companies are obviously focused on making and delivering safe and compliant products and getting paid for them. Cybersecurity is important, but it’s difficult for manufacturers to devote the resources necessary to make their systems bulletproof when it’s an ancillary part of their overall operations and a cost driver. Unfortunately, hackers only have one job.

We tend to think of big tech and financial services companies as the prime targets for ransomware attacks because of the critical nature of their technology and data, but food companies are really no different. Plus, unlike tech companies and the financial services industry, food companies haven’t, as a general matter, developed the robust defenses necessary to thwart attacks, so they’re easier targets.

Food Safety Tech: What is the overall impact of a cyberattack on a food company, from both a business as well as a consumer safety perspective?

Johnson: It may come as a bit of a surprise to those who don’t work in the food industry, but food production (from slaughterhouses to finished products) is highly automated and data driven. That’s one of the lessons of the JBS ransomware attack. The attack shut down meat processing facilities across the United States and elsewhere. I work in Utah and the JBS Beef Plant in Hyrum was temporarily shut down. JBS cancelled two shifts at its meatpacking operation in Greeley, Colorado where my firm has a large presence as well, because of the ransomware attack. So, the impact on a food company’s business from a successful ransomware attack is dramatic.

On the consumer safety side, a ransomware attack that impacts automated safety systems would cause significant problems for a food manufacturer. Software controls much of the food industry’s safety systems—from sanitation (equipment washdowns and predictive maintenance) to traceability (possible pathogen contamination and recalls) to ingredient monitoring (including allergen detection). Every part of a food company’s production system is traced, tracked, and verified electronically. A ransomware attack on a food maker would very likely compromise the company’s ability to produce safe products.

Food Safety Tech: What proactive steps should food companies be taking to protect themselves against a cyberattack?

Johnson: I wish there was an easy and foolproof system for food companies to implement to protect against cyber attacks, but there isn’t. The threats are always changing. The Biden Administration’s recent memorandum to corporate executives and business leaders on strengthening cyber defenses is a good starting point, however. The White House’s Deputy National Security Adviser for Cyber and Emerging Tech, Anne Neuberger, reiterated the following “Five Best Practices” from President Biden’s executive order. These practices are multifactor authentication, endpoint detection and response, aggressive monitoring for malicious activities on the company’s networks and blocking them, data encryption, and the creation of a skilled cyber security team with the ability to train employees, detect threats and patch system vulnerabilities.

Food Safety Tech: Are there specific companies within the food industry that are especially susceptible?

Johnson: Not really. Hackers are opportunistic and look for the paths of least resistance. That said, as can be seen from the recent Colonial Pipeline and JBS ransomware attacks, hackers have transitioned from the early days of going after individuals and small businesses to whale hunting. The money is better.

It’s important to observe that the recent attacks have been directed at industries that present national infrastructure concerns (oil, the food supply). There’s no evidence of any involvement by a foreign government in these attacks, but it’s a fair question as to whether the hackers, themselves, expect that the federal government will step in at some point to assist the victims of cyber attacks financially due to their critical importance.

Food Safety Tech: Where do you see the issue of cybersecurity and cyberattacks related to the food industry headed in the future?

Johnson: Other than the certainty that the attacks will increase in both intensity and sophistication, I have no prediction. It’s not a time for complacency.

Cybersecurity

Cyberattack on Meat Supplier JBS Forces Shut Down of Multiple U.S. Plants

By Food Safety Tech Staff

On Sunday Brazil-based JBS was targeted by a cyberattack that forced the shutdown of its facilities in Arizona, Colorado, Michigan, Nebraska, Pennsylvania, Texas, Utah and Wisconsin. The ransomware attack affected servers that support the company’s IT systems in North America and Australia. It is suspected to have originated from an organization based in Russia, according to reports.

It is expected that most of the company’s beef, pork, poultry and prepared food plants will be operational today, JBS said in a statement last night. Thus far the company is unaware of any customer, supplier or employee data that has been compromised.

Cyberattacks coming from Russia have increased at a significant rate and are likely to continue. “The fact that this kind of activity is happening with a relatively high frequency and also all signs sort of leading back to Russia, that is very disturbing,” said Javed Ali, a former National Security Council director of counterterrorism, in an ABC News report. “I don’t think we’ve seen a period of this kind of high-intensity cyber operations from Russian soil directed against a variety of different U.S. targets arguably ever, unless the government has been tracking this and the public details of those types of operations haven’t been revealed before.”

Chris Keith, FlexXray
FST Soapbox

COVID-19: We’re In This Together

By Chris Keith

It’s no secret that the COVID-19 pandemic had a major impact on industries and individuals around the world. According to the World Health Organization, as of June 21, 2020, there have been 8,708,008 reported cases of COVID-19 globally, including 461,715 deaths. In a recent article by Forbes, healthcare contributor William Haseltine stated that we are gathering personal stories and statistics right now around COVID-19 survivors who have suffered permanent injuries from the virus. Many experts believe that COVID-19 is also an economic downturn trigger. Author and financial planner Liz Frazier says that even as recessions are a normal part of the U.S. economic cycle, lasting about five and a half years on average, the possibility of a recession starting due to the outbreak would be unprecedented.[1] The COVID-19 pandemic is a natural disaster that rocked the world and is a reminder of how connected people are in a global economy.

As quarantine regulations and temporary closures happened across the United States, businesses had to mobilize quickly, pivoting their strategies, distribution efforts, products and beyond to accommodate the new safety measures and external pressures. The food and beverage industry was no different. Although food manufacturers were deemed essential in the United States by the Cybersecurity & Infrastructure Security Agency (CISA), manufacturers had to adapt to a new normal during the shutdown.[2] Some of the biggest changes that occurred in the food manufacturing industry include fluctuating customers, prices, product and ingredient availability, packaging, distribution, and food quality and safety.

Shifting Demand, Customers and Food Pricing

Sharp changes in food prices and product availability shocked supply and demand and impacted the entire food supply chain across the United States. According to the USDA, there were record levels of demand for food at grocery stores, and, on the supply side, there has been a reduced supply of meat products over the period of quarantine as meatpacking plants faced temporary closures, decreased slaughter pace, and slower production due to COVID-19 regulations.[3] Poultry prices took a sharp dip and have been rebounding, hot dog prices are at an all-time high due to increased demand, and beef prices have been climbing due to scarce supply and limited fresh production. Food pricing fluctuation is one of the largest food industry impacts felt directly by the general public and the on-premise sector. Restaurants and bars were crushed by the skyrocketing ingredient prices and mandatory temporary closures due to COVID-19.

As restaurants, school cafeterias and hotels were temporarily shut down due to quarantine restrictions, the food manufacturing industry’s most prominent customers practically disappeared. Before COVID-19, the USDA reported that in 2018, restaurants provided approximately 50% of meals consumed on a daily basis, up from 41% in 1984.[4] When COVID-19 hit, consumer trends showed a monumental shift to eating at home. During the height of the pandemic, more people ordered take out from fast-casual dining places and ate from home. A recently published study reveals survey findings that suggest Americans’ food habits are shifting, as 54% of respondents confirmed they are cooking more, and 46% of respondents, baking more.[5] As customers and demand changed, products and packaging had to follow suit.

Scores of manufacturing facilities had to rapidly respond with different products to meet changing consumer demand, despite already being in mid-production for products for restaurant kitchens, cafeterias, and the like. Most of these large-scale and wholesale products would never make it to their original, intended destinations. Manufacturers swiftly adapted their production, creating retail-ready goods from product made or intended for restaurant or fast food supply. These food production facilities had to creatively find ways to change product packaging sizes, salvaging good product with take-home cartons and containers. Some processors pre-sliced deli meat for grocery stores around the country, as markets were unable to slice the meat in-store, dealing with restrictions on the number of people who could work at any given time. The food manufacturing industry showed great ingenuity, repurposing food and getting creative in order to keep the country fed and bridge the gap in convenience shopping that consumers have grown used to.

New Distribution Pressures

There were also disruptions in the food industry’s distribution channel, and the logistics of distribution were adversely affected. Facilities faced increased pressure to have tighter production turnarounds from new consumer behavior and out-of-stock situations as many markets dealt with temporary panic shopping at the beginning of the crisis. Food manufacturing facilities have always faced tight deadlines when dealing with fresh and refrigerated product. However, COVID-19 introduced new critical, immediate needs to the food supply, and, more than ever before, facilities were pressed for time to deliver. Some facilities didn’t have enough dock loading time, and certain cold storage facilities could not meet the raised demands for dock times, making it harder to get product through the distribution channel to consumers. Shipping and logistics came at a premium. Drivers and logistics companies were at capacity with their service offerings, and unable to mobilize to meet the needs of every manufacturing company.

On top of the pressures from consumer demand, manufacturing facilities had to procure PPE (personal protective equipment) en masse for all employees and adjust employee schedules to meet new national and state-wide quarantine restrictions that strained the system. The PPE requirements are part of the distribution logistics, as plants are unable to distribute safe product without adhering to the system’s regulations. Senior Vice President of Regulatory and Environmental Affairs for the National Milk Producers Federation, Clay Detlefsen, said in an article for Food Shot Global that the whole food industry’s system has been turned on its head, as manufacturers are concerned that if they start running out of PPE and sanitation supplies, they would ultimately be forced into shutting down their food processing plants.[6]

Regulating Food Quality and Safety

Perhaps one of the biggest concerns surrounding the food supply chain during the height of COVID-19 for both producers and consumers was food safety. While safety and quality are always a high priority in the food industry, rising concern around the transmission of COVID-19 became a new and unprecedented challenge for food quality experts. In February the FDA declared that COVID-19 is unlikely to pass through food or food packaging, but that didn’t stop public concern.[7] It was critical for food manufacturers and producers to ease public fear, keep the food supply stable and eliminate foreign material contamination that would adversely affect consumers and brand reputation. A mass recall due to foreign material contamination would have dire consequences for the strained food supply chain during this historic crisis. At the same time, the pandemic limited quality and food safety teams, as key teams had to work remotely, shift schedules had to drastically change to meet new safety regulations, production lines were cut in half, and quality and safety teams had to make rushed decisions when it came to reworking product.

Some plants that faced potential foreign material contamination risked sending their product into distribution without a thorough rework, up against tight deadlines. And some plants adopted a multifaceted strategy and did something they’ve never done before: Reworked product on hold for potential foreign material contamination themselves. Many of these companies reworked product with their extra available lines, to keep as many of their workers as possible, despite the fact that food production employees are untrained in finding and extracting foreign contaminants. Inline detection machines are also typically limited to metal detection, often incapable of consistently catching many other types of contaminants such as glass, stones, plastic, bone, rubber, gasket material, container defects, product clumps, wood and other possible missing components. Food safety is of the utmost importance when a crisis hits as the food supply chain is crucial to our success as a nation and as an interconnected world. Facing new pressures on all sides, the food industry did not neglect food safety and quality, even while adopting new strategies. There was never a doubt that the industry would overcome the new challenges.

Looking Forward

The food industry has rapidly switched business strategies, swiftly turned around new products, found new ways to align product traceability and work remotely while still meeting industry standards and production expectations. Manufacturing facilities repackaged and repurposed food to keep the country fed, maintained job security for many employees and procured PPE en masse. The food industry is also full of manufacturers and plants that accomplished things they’ve never done before. There are shining examples of heroism in the food and beverage space as a growing list of food businesses, restaurants and delivery services have donated to healthcare workers on the front lines. Many large companies donated millions of dollars and pounds of food to feed their teams, their communities and the less fortunate.[8] In the midst of a large obstacle, we have reached new heights and discovered new capabilities.

The challenges aren’t over. The food industry is still facing the effects of COVID-19 shutdowns on businesses even during this period of re-opening in different parts of the country. A lot of places and companies have been hit hard, some even closing their doors for good. Forbes reported at the onset of the pandemic that Smithfield Foods shut down one of its pork processing plants after hundreds of the plant’s 3,700 employees tested positive for coronavirus.[8] Tyson Foods also shut down several meat processing plants under threat of the virus.[8] Smithfield and Tyson were not the only ones. Food Dive has a compiled tracking system for coronavirus closures in food and beverage manufacturing facilities, recording reduced production, temporary closures, and permanent shutdowns across the industry. We expect some of the COVID-19 challenges to alleviate over time and hope that business will slowly return to normal and previously closed facilities will be able to re-open. However, we strongly hope some changes to the industry will remain: Creativity, ingenuity, resilience, adaptability, and a strong commitment to customers and partners. The bottom line is we’re in this together. Together, we’re resilient.

References

  1. Frazier, L. (April 21, 2020). “How COVID-19 Is Leading The US Into A New Type Of Recession, And What It Means For Our Future.” Forbes.
  2. Krebs, C. (May 19, 2020). “Advisory Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response.” Homeland Security Digital Library.
  3. Johansson, R. (May 28, 2020). “Another Look at Availability and Prices of Food Amid the COVID-19 Pandemic.” USDA.
  4. Stewart, H. (September 2011). “Food Away From Home.” The Oxford Handbook of the Economics of Food Consumption and Policy. 646–666. Oxford University Press. doi: 10.1093/oxfordhb/9780199569441.013.0027
  5. The Shelby Report. (April 17, 2020). “New Study Reveals Covid-19 Impact On Americans’ Food Habits.”
  6. Caldwell, J. (April 16, 2020). “How Covid-19 is impacting various points in the US food & ag supply chain.” AgFunderNews.
  7. Hahn, M.D., S. (March 27, 2020). “Coronavirus (COVID-19) Supply Chain Update.” FDA.
  8. Biscotti, L. (April 17, 2020). “Food And Beverage Companies Evolve, Innovate And Contribute Amid COVID-19 Crisis.” Forbes.
FST Soapbox

Cybersecurity for Food and Beverage Operational Technology (OT) Environments

By Craig Reeds

Much of the attention that cybersecurity gets is on the IT or office network side of things, but recently people have begun paying more attention to operational technology (OT) systems that make up the country’s critical infrastructure. When people think of critical infrastructure, they automatically think of oil and gas, power generation, and water. Many people don’t realize that there are actually 16 critical infrastructure industries:

  • Energy
  • Financial
  • Dams
  • Defense
  • Critical Manufacturing
  • Water and Wastewater
  • Food and Agriculture
  • Healthcare
  • Government Facilities
  • Commercial Facilities
  • Transportation
  • Emergency Services
  • Chemical
  • Communications
  • Nuclear
  • Information Technology

One of the most easily forgotten, but perhaps most important, is food and beverage manufacturing. A cyber attack on a food and beverage company might not result in the lights going out or clouds of toxic gas, but it could result in explosions or tainted food. We need to start paying more attention to cybersecurity in the food and beverage industry. What would happen if a hacker got into the control system at a frozen foods distribution facility? They could raise the temperature in the freezers, thaw the food and then refreeze it. This could result in food poisoning for hundreds or thousands of people. Bad actors can do a lot of harm by targeting this sector.

Many companies are pushing to combine their IT and OT departments, something they call IT/OT convergence. This can be done, but you need to first understand that IT and OT have differing goals.

It is important to review the organizational structure. You will typically find that both IT and OT report organizationally to the CEO level. We also find that senior management believes IT owns the industrial control system (ICS) networks and security, mainly because IT owns the support, maintenance and operational budget for network and security (basically letting OT off the hook).

IT’s primary goals are confidentiality, integrity and availability, the CIA triad. While working toward these objectives IT also tries to make it possible for users to access the network from any location from which they are working, using whatever computing device they have with them. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.

OT’s primary goals are availability, integrity and confidentiality—a complete reversal of the CIA triad. They strive to keep production running, be it an electric utility, an oil rig or a pop-tart factory 24/7/365. OT is all about what works, a “We’ve always done it that way” mentality. OT will always be reluctant to make any change that might bring down the production line. Remember, they are graded on widgets per minute. There must be trust and open communication between IT and OT if things are going to work properly.

When we are talking about OT cybersecurity, we usually use terms like secure or prevent, when we really should be thinking about words like containment. Securing the network and preventing attacks is important, but at some point, an attack will get past your defenses. Then it is a matter of containment: How do we keep the problem from spreading to other networks?

One thing to definitely avoid is the desire by IT to have bi-directional communications between the IT and OT networks—this should never happen. Also, avoid the desire to connect the ICS to the Internet so that you can control the process remotely. There is no reason for the plant manager to be able to go home, have a couple beers and then log on to see if he can make things run better. If the control system is going to be connected to the corporate IT or the Internet, it should only have out-going uni-directional data transmission to allow monitoring of the system.
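
One way to check the one-way rule above against connection records, as an added example that is not part of the original article: it flags every connection initiated into the OT network and every outbound OT connection that is not an approved monitoring feed. The zone address ranges, the allowlist entry and the sample records are constructed for illustration, and the check looks only at who initiates a connection, whereas a hardware one-way gateway enforces the direction physically.

```python
import ipaddress

# Assumed zone layout (constructed for this example, not from the article).
ZONES = {
    "OT": ipaddress.ip_network("10.10.0.0/16"),
    "IT": ipaddress.ip_network("10.20.0.0/16"),
}
# The only approved cross-zone flow: an OT historian pushing to an IT collector.
ALLOWED = {("10.10.5.20", "10.20.8.15", 8443)}

# Constructed connection records: initiator, responder, destination port.
SAMPLE_FLOWS = """\
10.10.5.20 10.20.8.15 8443
10.20.3.44 10.10.1.7 502
10.10.1.7 203.0.113.9 443
198.51.100.23 10.10.1.7 3389
10.10.1.7 10.10.1.8 502
10.10.5.21 10.20.8.15 8443
"""

def zone_of(addr):
    """Map an address to OT or IT; anything else counts as INTERNET."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "INTERNET"

def audit(flow_text):
    """Return (record, reason) for every flow that breaks the one-way rule."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if "OT" not in (src_zone, dst_zone) or src_zone == dst_zone:
            continue  # the flow does not cross the OT boundary
        if dst_zone == "OT":
            reason = f"inbound to OT from {src_zone}"
        elif (src, dst, int(port)) not in ALLOWED:
            reason = f"outbound from OT to {dst_zone} not on the monitoring allowlist"
        else:
            continue  # approved outgoing monitoring feed
        findings.append((line, reason))
    return findings

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {record}")
```
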

To build a good OT cybersecurity program, you need to do three things:

  • Get C-Level support and buy-in for the changes to be made.
  • Communicate with stakeholders and vendors.
  • Make decisions as a team; make sure all the stakeholders (IT, OT and engineering) are involved.

After you have set up the structure and started communicating, you need to begin cybersecurity awareness training for the OT staff. This training should be focused on educating plant personnel on what cybersecurity is, both at work and at home, and how to respond to or escalate something that seems wrong. They need to be trained on what needs to be dealt with immediately and what can wait. Consider doing tabletop exercises where you practice what to do when certain things occur. This can act as a stress test for your incident response plan and help find the holes in your plan and procedures. These tabletop exercises should involve C-suite individuals as well as people from the plant floor, so everyone understands their part in a cyber-attack response.

If these concepts are followed, you will be well on your way to creating a much more cyber-secure production environment.


Threat of Cyberattacks to Food Safety on the Rise

By Food Safety Tech Staff

A new report released by the University of Minnesota’s Food Protection and Defense Institute warns that the food industry is vulnerable to cyberattacks, suggesting that food companies need to beef up their security and IT systems. According to the report, “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing”, the systems that food companies use for processing and manufacturing could be the most vulnerable and as such, serve as an attractive target for an attack—especially as industries that are currently common targets improve their cybersecurity.

“The food industry has not been a target of costly cyberattacks like financial, energy, and health care companies have,” said Stephen Streng, lead author of the FPDI report, in a news release. “However, as companies in those sectors learn to harden their defenses, the attackers will begin looking for easier victims. This report can help food companies learn about what could be coming their way and how to begin protecting themselves.”

The report calls out that in 2011, researchers and manufacturers found more than 200 vulnerabilities in industrial control systems. In addition to the fact that these vulnerabilities are in many components from different vendors, many of these systems have obsolete operating systems and passwords that are easy to hack. Compounding this issue, “Companies often lack knowledge about how their industrial control systems and IT systems interact and lack awareness about cyber risks and threats,” the FPDI release notes.

And if you’re a small company, don’t think you’re immune, the report cautions. It cites that 74% of U.S. food manufacturers have fewer than 20 employees, yet software company Symantec Corp. points out that small companies have been targeted as often as, or sometimes even more often than, large companies.

How can food companies address this risk? The report recommends the following “critical” steps all companies should take:

  • Bridge the gap and facilitate more communication between OT (operational technology) and IT (information technology) personnel
  • Conduct risk assessments of inventory control systems and IT systems
  • Ensure that staff with the cybersecurity knowledge is involved in procuring and deploying inventory control system devices
  • Incorporate cybersecurity into your food safety and food defense culture

FPDI’s full report is available on the organization’s website.