The need for sophisticated cybersecurity is becoming an increasingly crucial necessity for dairy processors.
With cyberattacks an ongoing threat and criminals using more advanced methods, it’s imperative that dairy processors leverage the most effective defensive technologies and operating strategies so they can prevent incidents that could potentially result in steep financial losses.
Indeed, high-profile incidents have grabbed the headlines in recent years.
In March 2022, for instance, Lynnfield, Mass.-based dairy supplier HP Hood LLC announced it was a victim of a “cyber security event” and had to temporarily take its plants offline as a precaution. This resulted in an inability to manufacture or receive raw materials, including milk.
In October 2021, Green Bay, Wis.-based Schreiber Foods, manufacturer of cheese and other dairy products, halted operations at its plants and distribution centers following a cyberattack in which hackers reportedly demanded a rumored $2.5 million to unlock its computer systems.
In March 2021, Laval, France-based dairy producer The Lactalis Group said it had detected an intrusion on part of its computer network from a malicious third party seeking to break into its servers. Affected information technology (IT) systems were taken offline and there was no evidence that data was stolen from its systems, it said. As a preventive measure, Lactalis also restricted access to its public internet network.
Dairy processors, in particular, may face unique challenges in defending their computer operations because of their use of legacy systems, reports the Food Protection and Defense Institute (FPDI), a University of Minnesota-based organization that focuses on protecting the global food supply through research, education and the delivery of innovative solutions.
The industrial control systems plants use to process or manufacture food, for instance, may have been developed before cybersecurity was a concern and can’t be updated to better protect operations, the FPDI states. It also points out that attacks on food producers will likely increase as other industries “harden their defenses, and the threats seek easier prey.”
Attacks have already destroyed equipment, caused environmental damage, precipitated power outages, and demonstrated the potential for injuring workers, the FPDI notes, adding that cybercriminal tools are becoming more powerful and the skill required to use the weapons is decreasing.
Incursions are imminent
“The growing dependence on technology throughout an organization’s supply chain increases the risk of when, not if, an attack will occur,” says Neil Coole, director of food and retail, Americas, for the British Standards Institution (BSI), a London-based consulting firm and provider of product and system certifications.
Dairy processors face the extra challenge of operating in a “living supply chain,” in which attacks to any part of the chain can lead to a food safety crisis, food shortage, animal welfare concerns, and reputational risk, he notes.
“The impact of an attack could be huge, not just in potential ransom payouts and reputational damage, but when it comes to the consequences for customers or suppliers,” Coole says. Indeed, along with causing irreparable harm to an organization’s brand, cyberattacks can lead to tainted products that could sicken or even result in death to the end consumer, he states.
The most prominent dairy processor threats are from criminal enterprises that can operate from anywhere in the world and launch cyberattacks for financial gain, says Paul Brucciani, cyber security advisor for WithSecure Corp., a Helsinki, Finland-based provider of security software and consulting services.
This includes ransomware attacks in which parties use “sneaky” software to lock up a company’s data until they receive payments, says Kristin Demoranville, CEO and founder of AnzenSage, a Washington, D.C.-based food industry security consulting firm.
Other threats include phishing scams, in which perpetrators trick employees into giving sensitive information or access to the systems, and a focus by hackers to break into databases and steal valuable intellectual property, she notes.
Food tampering, which can be caused by criminals breaching systems and adjusting operational controls, also is a major concern, says Michael Hemmings, manager of supply chain food safety for NSF, an Ann Arbor, Mich.-based standards developer and product certifier. Such actions can lead to food poisoning and shortages, he notes.
Operators also face the prospect of disruptions to the flow of information along the supply chain, which can impact the traceability of milk and other products, Hemmings adds.
“Without this key information, dairy businesses may not deliver on the promises of a sustainable milk supply that meets public demands for high animal welfare, food safety, and protection for the environment,” he states.
AnzenSage’s Demoranville notes that while the reasons behind attacks “can be anything under the sun, what’s certain is that they all put dairy processors’ security, finances, consumers and employees at risk.”
A plethora of combatants
Because of the wide range of parties that could potentially launch cyberattacks, ranging from national states and criminal organizations to lone operators, defending systems can be arduous, WithSecure Corp.’s Brucciani says.
He reveals that many occurrences emanate from such countries as Russia, North Korea and Iran, where criminal enterprises receive tacit government support to target organizations in Western countries in pursuit of their foreign policy goals.
“Anyone can launch a cyberattack, from a hacker looking for cash to an organized crime syndicate or even a whole nation spying or in a cyber war,” Demoranville says.
Along with the potential for longstanding or permanent reputational damages from successful cyberattacks, operators also can suffer financial hardships from ransom payments, lost business and governmental fines, Demoranville notes.
With more dairy processors and other operators leveraging additional online systems, the prospect for attacks is growing, Hemmings says.
“The supply chain is becoming increasingly complex with each player using different protocols and having varying levels of protection, making it challenging to have consistent security throughout the chain,” he states.
Smaller processors that have more limited resources and budgets to invest in cybersecurity can be particularly vulnerable to threats, NSF’s Hemmings reports.
In addition, the greater sophistication of cyber technologies is making it tougher for smaller companies to stay on top of the latest security measures — and prevent cyberattacks, Demoranville says.
“Many processors also might not have their own IT staff or the right skills to prevent and deal with cyberattacks,” she states, making it increasingly difficult for dairy processors of all sizes to keep pace with threats.
The major challenge for processors is architecting and maintaining the IT systems in a manner than minimizes exposure to cyberattacks, WithSecure Corp.’s Brucciani affirms.
“This requires specialist skills that are scarce and an extra expense,” he notes. “Businesses must decide what security outcomes they are willing to pay for and work strategically toward them, but few organizations do so. They act tactically, which adds cost and complexity to security.”
Take the initiative
Reducing the possible entry points for unauthorized access into a system and placing obstacles in the path of the attacker are the most effective ways to protect operations, Brucciani says. That includes closing unneeded open ports; identifying all physical and digital elements that are accessing the network; and identifying and prioritizing for remedial action the software vulnerabilities, he states.
Operators also can better manage residual risks by implementing policies that emphasize proactive detection and responses to threats and the regular testing and validation of security incident response plans, Brucciani says.
“Since phishing accounts for 90 percent of all data breaches, businesses should conduct regular employee training on phishing awareness; implement multi-factor authentication where they can, or enforce strong passwords where they can’t,” he notes.
Dynamic measures also can include providing employees with specific role-based security training on how to spot and avoid common cyber threats and maintaining and regularly reviewing an incident response plan to minimize the damage of a cyberattack, Demoranville says.
It is essential as well for companies to invest in modern security technologies, such as firewalls, antivirus software, and intrusion detection systems, she notes while leveraging the expertise of security professionals who understand the dairy industry.
Smaller companies, meanwhile, will benefit from working with third-party security experts to keep abreast of the latest threats and best cybersecurity practices, Demoranville states.
A cybersecurity risk assessment that identifies the probability and impact of an attack, along with the most critical assets and potential vulnerabilities and threats, will enable processors to effectively prioritize their cybersecurity efforts, states Tony Giles, director of information security for NSF international strategic registrations. Such efforts include pinpointing third-party risks by vetting and monitoring vendors who have access to their systems and data, he notes.
“It also is important that processors not forget about physical plant security as some hackers will try to breach systems through physical locations by ‘tailgating,’ or following authorized employees into the plant to gain access to systems,” Giles adds.
It is critical too that food safety and quality peers understand the importance of bridging the gap between food safety and cybersecurity, Coole says, noting that initiatives can include having persons from the IT, operations, procurement, human resources, and security departments be part of a threat assessment and critical control points team.
Indeed, it is important for cybersecurity to become part of a company’s operating culture, the FPDI states, which includes involving staff with cybersecurity expertise in the procurement and deployment process for industrial control system devices.
“They can save you from ‘buying problems’ by purchasing vulnerable devices,” the FPDI notes. “You need a procurement team with the knowledge to negotiate with vendors for what your company really needs. In addition, have a team able to effectively vet the equipment before placing it on the service line.”