Protecting our Food Infrastructure
The manufacturing industry, while leading the way with connected production systems and supply chains, is still seen as emerging in effectively applying cybersecurity to protect its systems. The same can be said of food and beverage manufacturers.
Making food and beverage manufacturers tough to target
“Food safety is something we all care about,” says Umair Masud, product manager, cybersecurity services at Rockwell Automation. And like conventional manufacturers, food and beverage producers have connected systems and suppliers while facing increasing threats to intellectual property, formulas, recipes and operational efficiencies.
“We’ve seen a lot of focus on the ‘before,’ or what can be done to prevent cyberattacks, but not so much on the ‘during’ and ‘after’ – what capabilities do you have for effective reaction, response and recovery?” adds Dawn Cappelli, Rockwell Automation’s vice president of global security and chief information security officer. You need a holistic strategy that looks at the entire enterprise ecosystem to make sure products and systems are secure. This involves organizing and getting the input of security teams across IT, operations and engineering and having strategic and tactical discussions to establish a common language and framework when it comes to cybersecurity.
The U.S. Department of Homeland Security (DHS) works closely with the thousands of registered food manufacturing, processing and storage facilities to assess and implement risk management for cyber and physical threats. With input from the Department of Agriculture and the Department of Health and Human Services, DHS also pursues a model of “collective defense” in cybersecurity, meaning government and industry take collaborative, tangible actions together to mitigate threats and reduce the most serious, enduring and collective strategic cyber risks. “Collective defense is central to our long-term DHS Cyber Strategy of managing national cyber risks, especially in the area of vulnerability and threat reduction,” the department replied in a statement.
Is there “best advice” for food and beverage processors to improve cybersecurity? The DHS’s National Cybersecurity and Communications Integration Center (NCCIC) continues to observe that lapses in basic cybersecurity practices are the most prevalent type of vulnerability “stumble.”
From the critical infrastructure control system assessments it conducted, NCCIC found the most frequently identified vulnerabilities to be: (1) boundary protection—this was the single most prevalent area of concern; (2) continuing a four-year trend, identification and authentication of legitimate system users; and (3) allocation of resources.
In response, NCCIC offers free tools that can help companies and industries address many of their cybersecurity challenges. The Cyber Security Evaluation Tool (CSET) is a no-cost, voluntary technical assessment that provides a snapshot of an organization’s cybersecurity posture. It helps asset owners and operators assess cybersecurity strengths and weaknesses within their control system environments and can also be used to assess traditional IT infrastructure. In addition, DHS offers Cyber Resilience Reviews, which are no-cost, voluntary, non-technical assessments that evaluate the operational resilience and cybersecurity capabilities of an organization, and industrial control system (ICS) cybersecurity training, either online or in instructor-led classes at its Idaho Falls facility.
Rockwell Automation’s Dawn Cappelli also advises not letting down your guard when it comes to mitigating insider threats. There are common-sense tips for everyone to implement at the plant level:
- Identify and classify key information and technology. Know who has access to critical information.
- Conduct training for managers on at-risk behavioral traits that indicate an increased likelihood of insider spying, including unreported foreign trips, seeking proprietary or classified information unrelated to work duties, paranoia about being investigated and disproportionate anger over career disappointments.
- Ensure coordination and collaboration between HR, security, IT and all employees, not only for updating passwords and security patches, but for creating a culture of accountability and security where data protection is seen as everyone’s responsibility.
Cyber or not, the best security assets in any organization are employees with the training, awareness and dedication to spot an issue and raise it to management.