Is the oncoming cybersecurity storm already here?
The experts paint a rather ominous picture when it comes to cybersecurity, but is the food industry anticipating a problem that it is already knee-deep in?
Speak to enough food industry professionals and you’ll soon find one that is quietly terrified of the cybersecurity threat. For years, there has been increasing discussion (and concern) over what those with bad intentions could do to our food system through the online world.
In a rather sobering session at Food Safety Summit 2022, several experts suggested that the oncoming storm that has been so feared for so long is not actually oncoming anymore. It’s here.
More connected, more vulnerable?
The internet has enabled the food industry to achieve some wonderful things; of that there is little doubt. There are apps that can connect you to food that is about to be thrown out by retailers, not to mention the vast library of resources available online that makes our food safer by the minute.
Technology has also enabled industry to become more efficient. We can employ vast amounts of ‘smart’ equipment (more on that later) to measure temperature during transport, or to calculate complex supply chains to ensure that products arrive on shelves just in time.
But as Joshua Corman, former Chief Strategist at the Cybersecurity and Infrastructure Security Agency (CISA) and Founder of I am the Cavalry, said, every new device we connect to leaves us a little more exposed; we are overdependent on undependable technology. He questioned whether we should place so much faith in our smart equipment, which as he suggested can very often become less than useful.
The problem is, as Marcus Sachs, Deputy Director for Research at the McCrary Institute for Cyber and Critical Infrastructure Security noted, the internet was built by very trusting people, largely out of academia in the late 20th century. Its very foundations were created on the assumption that users were to be trusted, but the infrastructure was not to be. That largely held true when academics were using infantile structures that could break frequently.
But the world has changed and so has cyberspace. The way we use the internet could not be further away from the way those early pioneers interacted. The food industry, like so many others, has embraced the capabilities of the internet with open arms. Think not only of the myriad of food service providers now existing solely online, but also of the Internet of Things (IoT) – all those pieces of equipment that communicate silently with one another to keep our food safe and moving. The message from the panel of experts couldn’t have been clearer: the more we connect, the more ways we provide for bad actors to hurt us.
What is the threat?
Cybercrime is once again not a new phenomenon, but in terms of variety of crime it has exploded recently, especially with the so-called ‘ransomware revolution’. For a long time, ransomware attacks went like so: criminal hackers break into your device, encrypt your files and demand a fee (ransom) to get them back. The advent of cloud technology was, at one point, thought to be the answer to this. If everything is backed up, then a ransomware attack becomes an inconvenience, not a critical threat. Criminals have a habit of adapting rapidly though, and so techniques changed and efforts focused on exfiltrating data and deleting backups to improve the odds of the ransom being paid.
Whilst clearly a nuisance, ransomware attacks often result in sensitive data being leaked – whether that’s the financial accounts of clients or the intimate detail of your food safety system. But what’s arguably more worrying for the food industry is denial of service (DoS) attacks, which also often involve a ransom being demanded. Corman, whose work has centred on the medical industry in the past two years, offered some stark examples and warnings of what can go wrong.
He told the tale of WannaCry, a virus which targeted older versions of Windows. The 2017 attack lasted a few days, yet an estimated 70,000 pieces of NHS equipment, ranging from computers all the way to MRI scanners and blood-storage refrigerators, were affected. At its height on 12 May 2017, some ambulances were even diverted from UK hospitals. Corman remarked that stroke patients, who often have a very short window to seek expert medical care if they are to make a full recovery, were disproportionately affected during the attack. Attacks on US hospitals have followed since, and as Corman reminded the audience, our staff-to-patient ratio has been greatly increased thanks to technology and our (over)reliance on it. So when that helping hand is wiped out, fewer patients can be seen, and people die.
Corman’s focus then switched to the food industry. Imagine a hacker could alter the readings given by a refrigerator in transit or take out that sensor altogether. All of a sudden, there are lorry-loads of food heading for supermarkets that are potentially unsafe. At best, the alarm will be raised in time and a mass recall implemented, which will be costly. At worst, those products make it to market and people get sick.
For so long cyberattacks have been something that we worry will cost a lot of money and may cause some embarrassment. We’re now beginning to see the real-world consequences – the life and death consequences – for poor cybersecurity.
There is, of course, the shadowy spectre of state-sponsored cybersecurity attacks too. Sachs warned that both Russia and China have the capability to launch damaging cyberattacks on the US (he was also keen to remind the audience of the US’ power in this regard), and Corman also expressed great fear that conflict in Ukraine will bring with it cyberattacks on the 16 so-called critical infrastructures, of which the food supply is one. If you could significantly disrupt a nation’s food supply, its ability to either impose sanctions or fight back militarily would be vastly reduced. Corman’s worries are not difficult to understand.
Cybersecurity is food safety
It’s quite apparent by now that the cybersecurity threat is not something that is coming down the tracks; it’s here now and will only grow in the coming years. So is the food industry prepared? The impression Corman and Sachs gave was a resounding ‘no’.
Using the medical industry as a benchmark again, Corman revealed that 85 percent of medical institutions in the US do not have a cybersecurity expert on staff. He wagered that the food industry would tell a similar tale, and you would be brave to disagree.
So aside from keeping food safe, should manufacturers now be investing in costly cybersecurity departments? John Spink, Director of the Food Fraud Academy at Michigan State University, says they are one and the same thing. As he revealed, cybersecurity is not explicitly referred to in ISO standards (it is briefly mentioned in ISO 22000), but almost every piece of food regulation does require those it governs to assess the risk. The Food Safety Modernisation Act explicitly mandates that food retailers perform hazard analysis. And having listened to the experts speak for more than an hour on this matter of cybersecurity, it is very difficult to suggest that cyberattacks are not a hazard.
In that sense, good cybersecurity is not just business critical, it’s a food safety issue.