F&B CEOs - Cybersecure Digital Transformation a Top Priority!

by William Fitzgerald, PhD


(Example Contextual Threat Scenarios Below)

The Food and Beverage (F&B) industry is a multi-billion dollar consumer-driven industry vertical. In today’s market, F&B CEOs must adopt a technological paradigm shift in manufacturing if the business is going to meet on-demand consumer preferences, consumer price expectations, demand for high quality products, supply chain traceability, environmental obligations, energy efficiencies and so forth, while trying to optimize profits in a highly competitive market with tight margins.

Industry 4.0 [1] will bring about increased productivity, reduced operational costs and increased profitability for the F&B industry. It will transform the ‘factory’ into a ‘smart factory’ with intelligent automated production environments, predictive maintenance, intelligent data exchange and so forth. In essence, Industry 4.0 provides a basis not just for incremental improvements but for a strategic, transformative step-change across the business’s (smart) manufacturing operations.

How to get there is a major challenge, and it cannot happen all at once. It therefore requires a strategic Operational Technology (OT) digital transformation roadmap so that the business can continually learn about and optimize its F&B manufacturing operations. If cybersecurity is not front and center of the (Cybersecure) OT digital transformation, then there is no doubt about the likelihood of business failure.

Operational Technology (aka ICS, CPS, IIoT) [2] refers to those systems that interconnect cyber space with physical space. Conceptually, it is the F&B business’s digital manufacturing environment (composed of HMIs, Controllers, PLCs and so forth) that produces the final consumer product.

Traditionally, the F&B OT manufacturing environment was closed and isolated. Today, for economic and practical reasons, the F&B OT manufacturing environment is becoming tightly integrated with the business IT environment. This introduces complex, interconnected, heterogeneous and distributed F&B business ecosystems.

The business-driven cyber networked integration of OT manufacturing systems, not just with IT business systems but also with other OT manufacturing systems, in ways never previously intended, makes the F&B business more vulnerable to existing and emerging cyber-attacks.

Threats include production downtime, physical harm, leaking of intellectual property, product defects, and attacks on the Enterprise IT environment from the OT manufacturing environment and vice versa.

Cyber-attacks within the Food & Beverage industry vertical are happening (for example [3, 4]) and will continue to increase as the industry digitally transforms towards Industry 4.0. According to [5], the F&B industry is the 3rd most likely to suffer cyber-attacks. In fact, the Department of Homeland Security has classified Food & Agriculture as one of the 16 national critical infrastructures to be protected [6].

According to the World Health Organization, each year approximately 420,000 people die from food-related illnesses and, horrifically, children under 5 years old account for 1/3 of deaths [7]. While Industry 4.0 is a necessity to sustain the longevity of the F&B business and provides a basis for strong financial growth, it also, through lack of an OT cybersecurity program, has the potential to destroy and discredit the reputational brand. An F&B business is unlikely to succeed if human life is lost as a direct result of OT cybersecurity negligence.

While the F&B business may have its IT enterprise environment ‘cybersecure’ (from a risk management perspective) through well understood IT cybersecurity constructs, it is quite another proposition to do so for its OT manufacturing environment. There are many reasons for this, including OT system legacy technical debt and misconfigured environments. It is vital that, during the digital transformation, the F&B business strives to meet its objectives around human safety, quality of product, protection of trade secrets, environmental impact controls and so forth. Cybersecurity is a critical component in achieving and upholding these objectives.

For ease of exposition, consider the following two scenarios as examples of threats to the reputational brand of the business.

Scenario 1: F&B Product Contamination & Tampering

Imagine, for example, an (Aseptic) Food Sterilization System that is OT cyber compromised. This may in turn impact the efficiency of the sterilization of the product, thereby providing a basis for dangerous bacteria to cultivate beyond known safe thresholds. There would be a critical impact on the reputational brand of the F&B business due to large parts of the consumer population becoming seriously ill and/or suffering death from consuming what is perceived to be a high quality product. And of course there are other forms of product contamination cyber threats, such as maliciously altering the ingredients of, for example, baby formula, making it nutritionally deficient and thereby affecting the health and developmental growth of babies consuming that product. Or, for example, altering the sugar content or salt content to affect parts of the population that have diabetes or blood pressure concerns.

Scenario 2: F&B Product Mislabeling

Imagine, for example, a Food Labeling System that is OT cyber compromised. The labeling machine is erroneously configured to utilize the wrappers of a plain chocolate bar instead of the wrappers of a chocolate bar containing nuts. Unlike Scenario 1, there is no loss of product quality through contamination. But there would still be a critical impact on the reputational brand of the F&B business due to parts of the consumer population (who suffer from a food allergy such as a nut allergy) having an anaphylactic shock, causing serious illness and/or potential death from consuming a mislabeled product.

Of course, Contaminated Products Insurance (CPI) and Cyber Insurance are part of the risk management strategy for both scenarios (and others), but they have little effect on the long-term brand equity that has been lost and may not be regained.

The big challenge for the F&B industry is the lack of awareness of OT cybersecurity threats and therefore no understanding of the core business risk. There is a skills shortage across the board in this domain, from executives to engineers. There are of course standards such as, but not limited to, [8] that provide directional cybersecurity manufacturing risk guidance. However, the devil is in the detail. Does the F&B business have the correct executive leader, and that leader’s organization, in place to understand the various standards and best practices at 30,000ft right down to the belt-and-braces OT cybersecurity control implementations at the coal face? A traditional CISO/IT cybersecurity toolbox approach, while having overlaps, does not in practice readily apply in the OT domain. Has the F&B business consulted an OT cybersecurity professional services organization to help?

It is now time for F&B C-suite executives to take stock of their OT manufacturing cybersecurity risk posture at, for example, manufacturing plants, distribution facilities and factory campuses. What may be perceived as a low ‘technical’ risk (a breach from the OT environment to the IT environment, for example a food labeling system as a threat vector to compromise the corporate IT network) may in fact be a critical ‘business’ risk (safety issues and defective products due to OT cyber-attacks) and thereby greatly affect the brand equity of that F&B organization.

Bibliography

[1] https://en.wikipedia.org/wiki/Industry_4.0 

[2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf 

[3] https://fqdn.fr/2019/05/24/fleury-michon-victime-dun-virus-informatique/

[4] https://www.reuters.com/article/us-cyber-attack-mars-idUSKBN19I2HL 

[5] https://www2.trustwave.com/rs/815-RFM-693/images/2016%20Trustwave%20Global%20Security%20Report.pdf

[6] https://www.dhs.gov/sites/default/files/publications/National-Infrastructure-Protection-Plan-2013-508.pdf 

[7] https://www.who.int/en/news-room/detail/03-12-2015-who-s-first-ever-global-estimates-of-foodborne-diseases-find-children-under-5-account-for-almost-one-third-of-deaths 

[8] https://csrc.nist.gov/publications/detail/nistir/8183a/vol-1/draft

Disclaimer

The information and opinions contained within are provided ‘as is’ and without any warranties or guarantees. The information and opinions contained within are that of the author and are not an official communication of the author’s employer.


About the Author

William Fitzgerald, PhD is an entrepreneurial-spirited executive strategic leader, technologist and engineer for a Fortune 500 company in the Industrial Automation, Smart Building & Internet of Things domain. Over 20 years’ expertise in cybersecurity IT & OT program development, security by design, secure software development lifecycle, research and development. A powerful blend of cybersecurity vision and business acumen that results in consistent delivery of cost-effective, high performance business strategies and customer oriented value propositions. Proven track record of identifying, qualifying and building consensus for enabling product solutions and services that facilitate business critical processes and strategic commercial offerings.


The article was originally published at: https://www.linkedin.com/pulse/fb-ceos-cybersecure-digital-transformation-top-fitzgerald-phd/


 

August 2, 2019


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013