
Showing resilience in the face of an attack

10 September 2023

Looming cyber security legislation should be prompting broader reflection over vulnerabilities. Paul Hingley highlights a typical attack and looks at how food manufacturers can shore-up their systems to deter bad actors.

A cleaner at a large UK food manufacturer is approached to undertake a small task for a handsome reward: simply take the USB stick provided and insert it into a company computer. Once completed, the task would for months appear to have been a victimless crime.
 
Unbeknownst to the manufacturer, the covertly planted USB stick had parked cyber criminals inside its company systems. Hiding there, the malicious actors would acquire data and meticulously study the network they had breached until they were ready to attack.
 
At the moment of their choosing, the criminals instigated a denial-of-service (DoS) attack that sent operations into shutdown, paralysing the manufacturer. A hefty £5 million ransom was demanded to unlock the networks and equipment, while losses mounted from halted production.
 
This is a true and recent story. And it is one that is not uncommon in the food processing sector. 
 
Studies suggest anywhere from half to three-quarters of manufacturers have experienced a serious cyber-attack in recent years, from DoS to intellectual property theft by organised gangs and state actors.
 
Encouragingly, authorities are now reacting to the danger. New legislation in Europe – the Cyber Resilience Act – is expected to come into play in 2026 to bolster technology's defences against cyber-attack. The UK will follow suit with, if not the same then similar, legislation to combat the industrial cyber threat.
 
However, the robustness of technology is just one part of the security puzzle, and food processors can't rest on their laurels once this legislation is introduced – particularly as the sector continues to march towards digitisation.
 
The new weapon in authorities’ legislative arsenal is the EU’s upcoming Cyber Resilience Act (CRA). 
 
Expected in 2025/26, this will usher in more stringent requirements for new technology and machinery to provide protection against all known vulnerabilities, lowering the risk of factory-floor operational technology (OT), PCs and other IT acting as a backdoor into company networks. It is expected that technology sold on the UK market will also need to comply with the upcoming EU rules.
 
So, cyber criminals may soon have fewer opportunities to compromise a food processor's network, which is encouraging. But the CRA is unlikely to shut the backdoor to attackers completely, which will keep engineers and insurers awake at night.
 
The attack surface of food processors' systems is expanding and becoming more complex as data increasingly flows through the supply chain and the sector digitises.
 
For example, a milk producer might collect data from a farm, with that data coming back into the dairy and on to the bottling plant for traceability.
 
So, where the CRA may rebalance cyber threats more in favour of manufacturers, digitisation will create new headaches for engineers.
 
It's incumbent on food processors to reflect on these remaining vulnerabilities, which could stem from anything from a system integrator's practices to policies of their own.
  
The CRA is expected to be based on internationally recognised standards including IEC 62443 – the main cybersecurity standard for industrial systems.
 
This standard lays out best practice for a well-rounded approach to information security. It applies not only to the component supplier, which is the likely foundation of the CRA, but also sets out measures for the system integrator and the asset owner.
 
Asset owners, like food processors, will increasingly need to demonstrate to insurers their compliance with IEC 62443 with watertight policies.
 
For example, manufacturers often overlook the huge risk presented by external service engineers plugging into their systems. 
 
Any engineer could have picked up malware from a preceding customer's network and inadvertently carried the hidden threat into a new company's network. Siemens engineers, for example, continually monitor their PCs before they plug into a customer's network to mitigate this risk. Customers striving to meet IEC 62443 may also have a policy that enforces practices like this for onsite external engineers.
 
Health, safety and cyber
Another important vulnerability that can be overlooked is the risk to health and safety presented by a cyber-attack. 
 
A DoS attack could take out the safety control of hazardous equipment – such as a machine used to crush ingredients – putting staff at risk. For this reason, food processors need to work alongside system integrators and technology vendors to ensure that emergency stop procedures can be activated manually if digital systems are inaccessible.
 
Measures like this are typically covered by the IEC 61508 standard, which outlines various techniques and measures for the functional safety of electrical safety-related systems.
 
Back to the story
Back to the initial story. Three weeks after facing the £5 million ransom, the food manufacturer was back up and running, and the cyber criminals were no better off. Production lines were replaced and were hit again by the attackers, but Siemens was able to resolve the incident and reengineer the systems back into safe, secure operation. The manufacturer faced a fraction of the cost impact compared to the ransom fee.
 
Industry, including food processing, is headed towards digital transformation, and cyber security needs to be at the forefront of that change. While new legislation is a step in the right direction, your technology supplier should be able to help navigate complex standards while shoring up any vulnerabilities and maintaining machine and process safety.
 
Paul Hingley is business manager for cyber security at Siemens.
