You wouldn’t want to hear that the supplier that provides your local supermarket with all the goods that fill your refrigerator has been mixing the raw materials with the cooked materials. I doubt you’re in the mood for salmonella. Well, just as you’d expect the supplier to take the essential steps to ensure that this risk management procedure, and all others, is in full effect, you should also hope that food and beverage manufacturers are implementing comprehensive cybersecurity measures. Yes, the term cybersecurity sounds odd when it’s mentioned in the same sentence as the words “food” and “beverage”, but bad actors are greedy and, to them, anyone is a potential target.
Food manufacturers are often large corporations that generate large amounts of data that, if encrypted by a malicious actor, can be held for ransom. The cost of a ransomware attack, especially if the organization obtains proprietary recipes, formulas, and processes, can be in the realm of millions of dollars. Furthermore, a ransomware attack can seriously impact an organization’s operational capabilities, causing a loss of productivity and, as a result, a fall in profits. Fleury Michon, a French food manufacturer, was hit with an attack that caused its factories and logistics unit to shut down for five days. Although the monetary cost of the attack was not disclosed, being unable to operate for five days would most likely have had a significant financial impact.
The costs are not limited to the ransom amount. An attack on a food manufacturer can seriously damage consumer trust and the company’s image, with financial consequences for profitability. Moreover, the theft of company secrets, such as secret recipe ingredients, can impact innovation and, as a result, influence competitiveness.
An adversary might want to sabotage the competition and, since a lot of processes are managed by machines, the recipe of a product can be manipulated by attacking these machines. Producing food or beverages that taste different to how they are supposed to could discourage consumers from purchasing the product again. In more serious cases, machines can be altered to stop detecting allergens and harmful substances, putting consumers at serious risk.
Additionally, food and beverage manufacturers are part of a supply chain and therefore have access not only to their own data, but also to some data belonging to other organizations in the network. The food and beverage manufacturer might simply be an entry point for an attacker aiming for another organization within the same supply chain.
Just because this industry does not suffer from cyberattacks at the same level as other industries, such as healthcare and financial services, does not mean that cybersecurity can be ignored. Food and beverage manufacturers need to implement comprehensive measures to ensure that they are protected from bad actors seeking to cause damage. It is better to have protection measures in place than to deal with the consequences of not having any.