Tag Archives: cybersecurity

FST Soapbox

Cybersecurity for Food and Beverage Operational Technology (OT) Environments

By Craig Reeds

Much of the attention that cybersecurity gets is on the IT or office network side of things, but recently people have begun paying more attention to operational technology (OT) systems that make up the country’s critical infrastructure. When people think of critical infrastructure, they automatically think of oil and gas, power generation, and water. Many people don’t realize that there are actually 16 critical infrastructure industries:

  • Energy
  • Financial
  • Dams
  • Defense
  • Critical Manufacturing
  • Water and Wastewater
  • Food and Agriculture
  • Healthcare
  • Government Facilities
  • Commercial Facilities
  • Transportation
  • Emergency Services
  • Chemical
  • Communications
  • Nuclear
  • Information Technology

One of the easily forgotten, but perhaps most important, is food and beverage manufacturing. A cyber attack on a food and beverage company might not result in the lights going out or clouds of toxic gas, but it could result in explosions or tainted food. We need to start paying more attention to cybersecurity in the food and beverage industry. What would happen if a hacker got into the control system at a frozen foods distribution facility? They could raise the temperature in the freezers, thaw the food and then refreeze it. This could result in food poisoning for hundreds or thousands of people. Bad actors can do a lot of harm by targeting this sector.

Many companies are pushing to combine their IT and OT departments, something they call IT/OT convergence. This can be done, but you need to first understand that IT and OT have differing goals.

It is important to review the organizational structure. You will typically find that both IT and OT report organizationally to the CEO level. We also find senior management believes IT owns the industrial control system (ICS) networks and security—mainly because IT owns support, maintenance & operational budget for network and security (basically letting OT off the hook).

IT’s primary goals are confidentiality, integrity and availability, the CIA triad. While working toward these objectives IT also tries to make it possible for users to access the network from any location from which they are working, using whatever computing device they have with them. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.

OT’s primary goals are availability, integrity and confidentiality—a complete reversal of the CIA triad. They strive to keep production running, be it an electric utility, an oil rig or a pop-tart factory 24/7/365. OT is all about what works, a “We’ve always done it that way” mentality. OT will always be reluctant to make any change that might bring down the production line. Remember, they are graded on widgets per minute. There must be trust and open communication between IT and OT if things are going to work properly.

When we are talking about OT cybersecurity, we usually use terms like secure or prevent, when we really should be thinking about words like containment. Securing the network and preventing attacks is important, but at some point, an attack will get past your defenses. Then it is a matter of containment: How do we keep the problem from spreading to other networks?

One thing to definitely avoid is the desire by IT to have bi-directional communications between the IT and OT networks—this should never happen. Also, avoid the desire to connect the ICS to the Internet so that you can control the process remotely. There is no reason for the plant manager to be able to go home, have a couple beers and then log on to see if he can make things run better. If the control system is going to be connected to the corporate IT or the Internet, it should only have out-going uni-directional data transmission to allow monitoring of the system.
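One way to check an exported rule set against the outbound-only rule described above. This is an added example, not code from the article; the zone names, rule ids, services and the ordered first-match, default-deny rule model are assumptions made for illustration.

```python
ZONES = ("OT", "IT", "INTERNET")

# Constructed, ordered rule set: (id, source zone, destination zone, service, action).
# First match wins; anything unmatched is denied.
RULES = [
    ("r1", "OT", "IT", "historian-push", "permit"),   # outbound monitoring data
    ("r2", "IT", "OT", "rdp", "permit"),              # remote desktop into the plant
    ("r3", "IT", "OT", "ANY", "deny"),
    ("r4", "INTERNET", "OT", "vendor-remote", "permit"),
    ("r5", "ANY", "ANY", "ntp", "permit"),            # broad wildcard rule
]


def first_match(rules, src, dst, service):
    """Return (rule id, action) of the first rule matching this flow."""
    for rule_id, r_src, r_dst, r_svc, action in rules:
        if (r_src in (src, "ANY") and r_dst in (dst, "ANY")
                and r_svc in (service, "ANY")):
            return rule_id, action
    return None, "deny"


def inbound_ot_paths(rules, ot_zone="OT"):
    """List every (source zone, service, rule id) that can initiate traffic into OT."""
    services = sorted({r[3] for r in rules if r[3] != "ANY"})
    findings = []
    for src in ZONES:
        if src == ot_zone:
            continue
        for service in services:
            rule_id, action = first_match(rules, src, ot_zone, service)
            if action == "permit":
                findings.append((src, service, rule_id))
    return findings


if __name__ == "__main__":
    for src, service, rule_id in inbound_ot_paths(RULES):
        print(f"{src} can initiate {service} into OT via rule {rule_id}")
```

Note that the wildcard rule r5 opens a path from the Internet into OT even though it never names the OT zone, while the same rule is shadowed for IT by the earlier deny in r3.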

To build a good OT cybersecurity program, you need to do three things:

  • Get C-Level support and buy-in for the changes to be made.
  • Communicate with stakeholders and vendors.
  • Make decisions as a team; make sure all the stakeholders (IT, OT and engineering) are involved.

After you have set up the structure and started communicating, you need to begin cybersecurity awareness training for the OT staff. This training should be focused on educating plant personnel on what cybersecurity is, both at work and at home, and how to respond or escalate something that seems wrong. They need to be trained on what needs to be dealt with immediately and what can wait. Consider doing tabletop exercises where you practice what to do when certain things occur. This can act as a stress test for your incident response plan and help find the holes in your plan and procedures. These tabletop exercises should involve C-suite individuals as well as people from the plant floor, so everyone understands their part in a cyber-attack response.

If these concepts are followed, you will be well on your way to creating a much more cyber-secure production environment.

Threat of Cyberattacks to Food Safety on the Rise

By Food Safety Tech Staff

A new report released by the University of Minnesota’s Food Protection and Defense Institute warns that the food industry is vulnerable to cyberattacks, suggesting that food companies need to beef up their security and IT systems. According to the report, “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing”, the systems that food companies use for processing and manufacturing could be the most vulnerable and as such, serve as an attractive target for an attack—especially as industries that are currently common targets improve their cybersecurity.

“The food industry has not been a target of costly cyberattacks like financial, energy, and health care companies have,” said Stephen Streng, lead author of the FPDI report, in a news release. “However, as companies in those sectors learn to harden their defenses, the attackers will begin looking for easier victims. This report can help food companies learn about what could be coming their way and how to begin protecting themselves.”

The report calls out that in 2011, researchers and manufacturers found more than 200 vulnerabilities in industrial control systems. In addition to the fact that these vulnerabilities are in many components from different vendors, many of these systems have obsolete operating systems and passwords that are easy to hack. Compounding this issue, “Companies often lack knowledge about how their industrial control systems and IT systems interact and lack awareness about cyber risks and threats,” the FPDI release notes.

And if you’re a small company, don’t think you’re immune, the report cautions. It cites that 74% of U.S. food manufacturers have fewer than 20 employees—yet software company Symantec Corp. points out that small companies have been targeted as often as, or sometimes even more often than, large companies.

How can food companies address this risk? The report recommends the following “critical” steps all companies should take:

  • Bridge the gap and facilitate more communication between OT (operational technology) and IT (information technology) personnel
  • Conduct risk assessments of inventory control systems and IT systems
  • Ensure that staff with cybersecurity knowledge are involved in procuring and deploying inventory control system devices
  • Incorporate cybersecurity into your food safety and food defense culture.

FPDI’s full report is available on the organization’s website.

Six Ways to Prepare for a Cybersecurity Audit

By Craig Reeds

In the food manufacturing industry, just as in any other industry, cybersecurity is very important. Your organization should be having cyber vulnerability assessments or penetration tests performed at least once a year. Like any big test you have taken in your life, this sort of assessment can be scary, but if you prepare for it, you can greatly improve the potential of passing the test. As you prepare for the assessment, there are six things you can either implement or do to make the result of this audit better for your organization.

  1. Do an inventory of what is connected to your network. You cannot expect to defend devices on your network that you are not aware of. Be sure when you perform this inventory that you include any device that connects to your network. Think past the routers, switches, desktop PCs, laptops and printers. What is connecting to your wireless network? Is your security system or HVAC system connected to the network? Creating a network device inventory can be difficult, but there are tools available to make it easier. Once you have created the initial inventory, your baseline, go back at least monthly to look for new devices or devices that are no longer connected so you can update your inventory.
  2. Determine what is running on all of your network devices. In the first step you inventoried the hardware—now we need to inventory what is running on each device. You can use tools such as Nessus to inventory the software on each computer as it scans the network to perform the device inventory. This is the quickest way to complete both of these steps. If there is old or unused software on a device, remove it. You need to document the operating system and application software on each device. This software inventory should also be included in your baseline and verified/updated on at least a monthly basis.
  3. Use the Principle of Least Privilege. This is a very valuable cybersecurity concept. Never give a user or device more rights on the network than they/it need to perform their assigned tasks. Privileges are assigned based on roles or job functions. If a user is unable to download and install applications on their PC or laptop, you reduce the chance of a device becoming compromised. Many hackers, once in a network, move laterally through the network from machine to machine looking for information or vulnerabilities that can be used to give themselves more abilities on the network. If a hacker were to gain access to a user account or system with low privileges, it decreases the amount of damage they could do.
  4. Use Secure Configurations. All operating systems, web browsers and many other networked devices have secure configuration settings. One of the problems with doing this is that operating systems alone can have hundreds of settings to choose from. The Center for Internet Security provides benchmarks for just about every conceivable device. The CIS Benchmarks are distributed free of charge in PDF format to propagate their worldwide use and adoption as user-originated, de facto standards. CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.
  5. Set up a policy and procedure for applying security patches. New vulnerabilities are discovered every day and when these vulnerabilities are found, vendors release updates or patches to mitigate the vulnerability. Exploiting vulnerabilities is what a hacker lives for. An unpatched vulnerability can be almost an open door for a hacker to get into your computer or network. It is mind-boggling to hear that some organization was hit with ransomware because they didn’t load a security patch that was released six to 12 months ago. When an application reaches end-of-support, the vendor stops releasing patches, and that should tell you that it is time to upgrade the software to the newest version or find another tool to perform that task. Never use unsupported software on your network. Speaking as an auditor, a fully patched network is impressive.
  6. Create an Incident Response Plan. Let’s face it, no matter what you do to protect yourself, something is eventually going to go wrong. Do you have a plan to continue operations if you lose access to your office building? Do your users know what to do if they receive or fall prey to a phishing e-mail? This process starts with performing a risk assessment. Once you have determined the potential risks, you then move on to determining how to mitigate the risks. You will need to create policies and procedures and then train the employees on them, so they know what to do.

By performing these six steps you will be protecting and strengthening your networks and your users, and trust me, you will impress the auditor. Also, it should be noted that these are not once-and-done steps—these are steps that must be repeated, sometimes daily and at least monthly.
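The monthly baseline check from steps 1 and 2, as an added example that is not part of the original article: it compares a fresh scan with the stored baseline and reports new devices, devices that have disappeared, and software drift on devices present in both. The record layout, MAC addresses, host names and versions are constructed for illustration and do not follow any scanner's export format.

```python
# Constructed sample data: MAC addresses, host names and versions are invented.
BASELINE = [
    {"mac": "02:00:00:00:00:0A", "name": "office-pc-01",
     "software": {"Windows 10": "22H2", "7-Zip": "19.00"}},
    {"mac": "02:00:00:00:00:0B", "name": "label-printer",
     "software": {"firmware": "1.4"}},
    {"mac": "02:00:00:00:00:0C", "name": "qa-laptop",
     "software": {"Windows 10": "22H2"}},
]
CURRENT = [
    {"mac": "02:00:00:00:00:0a", "name": "office-pc-01",
     "software": {"Windows 10": "22H2", "7-Zip": "23.01", "RemoteTool": "5.2"}},
    {"mac": "02:00:00:00:00:0b", "name": "label-printer",
     "software": {"firmware": "1.4"}},
    {"mac": "02:00:00:00:00:0f", "name": "hvac-controller",
     "software": {"firmware": "unknown"}},
]


def index_by_mac(records):
    """Key records by lower-cased MAC so scanner formatting differences do not matter."""
    return {r["mac"].lower(): r for r in records}


def diff_inventory(baseline, current):
    """Compare a scan with the baseline: new devices, missing devices, software drift."""
    base, cur = index_by_mac(baseline), index_by_mac(current)
    report = {
        "new_devices": sorted(cur[m]["name"] for m in cur.keys() - base.keys()),
        "missing_devices": sorted(base[m]["name"] for m in base.keys() - cur.keys()),
        "software_changes": {},
    }
    for mac in sorted(base.keys() & cur.keys()):
        old, new = base[mac]["software"], cur[mac]["software"]
        drift = {
            "added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "version_changed": {n: (old[n], new[n])
                                for n in sorted(old.keys() & new.keys()) if old[n] != new[n]},
        }
        if any(drift.values()):
            report["software_changes"][cur[mac]["name"]] = drift
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(diff_inventory(BASELINE, CURRENT), indent=2))
```

Each finding is a prompt for review: confirm the change was authorized, then update the baseline so the next comparison starts from a verified state.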

Randy Fields, Repositrak
FST Soapbox

Food Safety Technology Disrupters

By Randy Fields

We’ve all heard about the latest disrupters in the retail supply chain, like the Internet of Things, wearable computers, cognitive analytics, machine learning and even the new value chain in which these technologies intercede to provide a better and more accurate shopping experience for consumers. There are also developments like digital fabrication that interacts with both the consumer and appliances to improve the way product gets to the consumer from the point of production.

Technology disrupters can fundamentally change supply chains, destroying existing ones and creating new ones. Other disruptions can be caused by not a single technology but by several new and existing technologies that come together in innovative ways. Smart retailers and their trading partners are working to judge the impact of these technology disrupters before or at least as they occur. They need to be more proactive by investing in key areas of strategy, culture and partnership.

Many of the technology disrupters in food safety are based on the growing ability to apply analytics, including machine learning, to drive a better understanding of and increase the personalized relationships with the consumer, and to glean insight from all the data being collected. Knowing exactly what information shoppers require to feel safe with the products they are buying from you can only help build and maintain a great reputation. Further, analytics help companies predict and address the weakest links on the production floor and in their own extended supply chain to keep those customers free from potentially deadly pathogens.

Cloud computing for the delivery of IT and business processes as digital services is transforming the food safety world through the unprecedented speed and agility it enables for mobile and social engagement. Telling your customers that a recalled product could cause an illness used to require lots of phone calls or even snail mail, but now technologies in the cloud facilitate almost instantaneous messaging of the warning to whole or subsets of a population. This is just one of the ways that everyone from shoppers to business people is changing the way they interact with each other and the way we all do business due to the cloud.

Security in general and cybersecurity specifically are disrupters for companies concerned with food safety, because they can fall prey to sophisticated hackers and other crooks that try to ransom a business’ reputation in the digital world. Think how important it is to protect your own information as well as that of your consumers and customers for payment details and personal data. Now add health data to the mix and you’ll recognize the critical nature of the issue.

All of these technology disrupters have the potential to seriously impair your food safety plans and procedures, but they can also help you better deploy resources to address individual food safety emergencies and ongoing issues. Knowing the impact of the disruption is the first step in addressing it; then you need to develop a plan that helps you take advantage of the positive sides of the disruption and eliminate the negative ones.