KANSAS CITY, MO. — All segments of manufacturing face a range of cybersecurity vulnerabilities, and the pet food industry is no exception. As processors incorporate more automation and operational technology into facilities, care must be taken to ensure that bad actors aren’t able to exploit businesses.
“The biggest challenges faced by pet food processors are safeguarding sensitive or proprietary information and avoiding profit-impacting service interruptions caused, in one way or another, by threat actors,” said Kyle Banks, technical resource partner for NorthWind Technical Services, Sabetha, Kan.
Attacks are driven by a desire to make money, so any business is vulnerable, said John Hoffman, former senior research fellow with the Food Protection and Defense Institute.
Assessing the risk
Critical infrastructure industries including energy, health care and communications are often seen as especially important to protect from cybersecurity attacks due to the large-scale ramifications of an attack on such segments. The food and agriculture segment is another area of crucial infrastructure, and any attack on the food supply or agriculture industry can impact pet food processors due to the interconnectedness of food businesses and supply chains.
As many pet food companies are owned by human food companies, an attack at an upper-level facility or a sister company could directly impact pet food products, said Adam Pichoff, director of software engineering at Allpax. As a result, pet food processors need to manage cybersecurity across both computers and servers in their information technology infrastructure, as well as the automation equipment that comprises their operational management technologies.
From an information technology perspective, data breaches of actors attempting to steal intellectual property is one of the biggest cybersecurity threats across the board. When it comes to operations, automation and other technologies have helped processors create more efficiencies, but at the same time it has created more vulnerabilities.
“All the automation equipment is networked — it’s now visible on the facility’s network,” Pichoff said. “You end up with this need to separate but then also integrate the two technologies. As more and more equipment is brought online and connected — that’s potential targets.”
Joe Agee, enterprise business development lead for the network and security services business at Rockwell Automation, Milwaukee, echoed the importance of focusing on operational technology as a part of a company-wide approach to cybersecurity.
“In the past, people used to think of security by obscurity, but in the days of the digital transformation, we have connectivity between IT and OT (operational technology) for business, and what we’ve done is made a larger threat surface for attackers to expose,” Agee said.
The costly WannaCry and NotPetya ransomware attacks in 2017 opened many eyes to the need to focus on security within operational technology and the importance of assessing supply chain vulnerabilities, Agee said. Ensuring safety across the supply chain is important because if a processor loses even one supplier, products can’t be made. He said requiring suppliers to have a certain level of security and reserving the right to audit suppliers can help improve safety.
Agee emphasized the importance of implementing five critical controls for effective security within operational technology, and these controls include having an OT-specific incident response plan with a vendor on retainer to help in the event of an attack. The other controls include having a defensible architecture, visibility, secure remote access and vulnerability management controls.
Hoffman also stressed the importance of security for operational technology.
“OT systems are the greatest vulnerability,” Hoffman said. “We spend a lot of money across all infrastructure trying to protect business and financial records because that’s where they used to target things. But most of the major penetrations occur probably as a result of a social media penetration, and what they target is gaining access to OT.”
He said most of these OT systems are maintained by a third party and are essentially unprotected.
Managing remote vendor access is important to reducing vulnerabilities, and Pichoff said limiting the systems vendors can access, implementing user credentials, using multi-factor authentication and disabling dormant accounts are all actions that can improve security when it comes to providing remote access.
Ransomware attacks are a large risk for pet food manufacturers as they are often targeted with schemes as manufacturers are perceived as vulnerable to paying ransoms to prevent costly downtime, said Ryan Thompson, CRB’s senior specialist for Industry 4.0.
“Ransomware is a game of numbers, and people throw out emails and attack because the cost is super low,” Thompson said. “It’s a numbers game. You’re not going to be targeted specifically, but you’re going to be targeted or you’re going to be hit accidentally. It will have devastating consequences.”
Training employees and making sure they understand cybersecurity risks is also critical.
“Giving people access to computer systems is the biggest risk, and you see that through phishing attacks specifically,” Thompson said. “You really need people to be cyber aware. Building that culture into your system is important, training people on good cyber hygiene practices, and getting them to acknowledge that they’re the biggest risk.”
Running on old operating systems and not patching or updating systems is yet another risk, Thompson said. Automation equipment needs to be upgraded before mechanical equipment does, and accounting for that in project planning and cost modeling can prevent those costs from becoming a burden on the business. Instead, Thompson said such costs should be a part of the company’s capital structure.
Combining an operating system from an outside source and linking it to company devices with unique codes also creates vulnerabilities, Hoffman said.
“Our approach to code and software and how we put things together needs to be reexamined and needs a fundamental change,” Hoffman said.
Keeping consumer information protected is also important. Direct-to-consumer pet food companies face risks by having a consumer-facing portal that requires protecting consumer data and credit card numbers, Thompson said.
Taking preventive action
Being proactive in cybersecurity is critical, and while larger companies often have dedicated employees responsible for security, smaller companies often use external sources to manage their technology and security. Smaller companies often believe their equipment is safe if it isn’t connected to the internet, but as manufacturers replace aging equipment with newer technology that includes enhanced capabilities, risk will come into play, Pichoff said.
Leveraging cloud infrastructure can also help improve security as it allows companies with expertise like Google, Amazon and Microsoft to manage security, Thompson said. Benchmarking cybersecurity standards and establishing a baseline standard and framework for security is essential. Thompson also said cybersecurity should be a part of a digital-first culture at manufacturing plants.
Having storage and backup that is isolated from the internet is important, as even cloud-based services have been penetrated, Hoffman said. When it comes to working with suppliers, he encourages processors to require suppliers to meet certain security standards when establishing contracts.
Implementing a vulnerability management program or a solution that allows a processor to plot vulnerabilities will also help reduce risks, Agee said.
An effective security program needs to take a layered approach as a part of a top-down initiative that includes robust security policies, continuous monitoring, hardened infrastructure, data backup and encryption, sensitive access controls and account management, Banks said.
“While a plant environment may be hardened or even air-gapped (a tactic used to physically disconnect a network or device), threat actors have become creative in their attempts,” Banks said. “This could be a USB drop (leaving a device in a public space, hoping it gets plugged in), employing insider threats, or even war-driving parking lots hoping to exploit wireless networks used by WHM applications or other operational software solutions.”
Achieving next-generation security
Going forward, cybersecurity will continue to focus on vulnerabilities in operational technologies, and company leaders are beginning to focus on these risks.
“I think boards of directors are starting to understand that we’ve been spending all this money on enterprise cybersecurity, but it’s really been enterprise cybersecurity on the business side and not the OT side,” Agee said. “They are starting to realize that we’ve got to protect OT.”
Not only that, but the risk of ransomware is only getting stronger.
“Ransomware as a service is something that’s grown exponentially over the past years,” Thompson said. “It’s going to keep increasing because the costs are really low, and the gains for cybercriminals are really high. That will be, at least for the foreseeable future, the biggest risk to pet food manufacturers.”
Investors are also considering the impact of attacks, and the Securities and Exchange Commission has begun requiring publicly traded companies to report a cyber offense with materiality, as well as annual information on cybersecurity risk management.
Greater regulatory protection against attacks will be necessary going forward as there are no infrastructure laws regarding cybersecurity, Hoffman said. The government prosecutes once an attack has happened, but he said there are no Department of Defense-level efforts to fend off bad actors prior to attacks.
Having a knowledgeable cybersecurity team on staff will also help pet food manufacturers mitigate risks, Hoffman added. Many companies hire consultants for security, and he said it’s important to find a competent consultant and to spend the money to properly secure systems.
As pet food processors look to incorporate the latest innovations into their plants, securing operational technology and preventing ransomware will be key to preventing costly and damaging cyberattacks.