Planning for the unexpected when it comes to food safety and food fraud can seem daunting, but companies put themselves at risk if they don’t.

The past few years have proven that the industry must be prepared for the unexpected and that challenges are changing, with cyber attacks on food companies compromising the food system. This environment has encouraged the industry to become more proactive and collaborative across the supply chain and even with government regulators.

“Cybersecurity is indeed a critical concern for food processors, as the industry’s reliance on continuous production processes makes it particularly vulnerable to IT disruptions,” said Mikael Bengtsson, strategy director, food and beverage, for New York-based Infor. “The nature of the industry’s continuous processes means that any interruption – be it from equipment failure or IT system compromise – can cascade into significant production losses, increased waste and unmet customer expectations.”

The full picture

Cybersecurity has risen to prominence as a point of vulnerability for food safety. In order to protect themselves, processors must fully understand their supply chain, focusing time and money on critical assets.

“The two biggest areas of concern are data breaches and ransomware attacks,” said Tim Pope, technical program manager and acting chief information security officer, Ever.Ag, Lewisville, Texas. “Since many organizations deal with proprietary formulations and processes, it’s important to keep that information safe. Having your intellectual property stolen and made public or provided to a competitor can have a long-lasting, sometimes permanent, impact to company competitiveness and performance.”

Such incidents carry a tangible cost, not only in terms of the ransom paid, but also in the disruption to operations.

Relationships and transparency with suppliers and third-party vendors are critical to ensuring a safe food supply. When selecting vendors anywhere along the supply chain, Pope recommends companies conduct a security review to determine what assets, people and data are involved for the entire supply chain. Some basic questions should include: What areas are in your control vs. areas controlled by a vendor or partner? Is data encrypted in transit and at rest? Do you have an inventory of all assets and data? Do you know who is responsible for securing assets and data at each point in your process?

Clearly defining cybersecurity roles, responsibilities and processes – particularly in incident response – can be a lifesaver if a problem arises. “You don’t want to wait until you are in the middle of a security incident to start figuring out who is responsible and what steps you should be taking to resolve the incident,” Pope said.

When it comes to vetting new vendors, clearly identifying, documenting and publishing security requirements is the best place to start, according to Pope, and only consider vendors that meet those requirements. Companies can insist that the vendor obtain and maintain certain security certifications or request that potential vendors provide answers to a security questionnaire that covers requirements in the company’s data security policy.

“These are all items that should be covered in your data security policy, and you should expect any third-party vendors meet your standard,” Pope said.

Remote access

The COVID-19 pandemic changed the landscape for how many businesses operate. The food sector was no exception. One particular area that saw a boon was the use of remote access technology, allowing vendors and suppliers to assess and potentially fix issues without stepping foot inside a facility. Use of externally managed secure networks to enable remote access has continued to grow, but not without hesitation.

Concern for cybersecurity with remote access is a barrier for some companies – about 43% – to adopt the technology, according to a survey conducted for PMMI Business Intelligence’s “2024 Trends in Remote Services and Monitoring” report. The main fear among end-users is malware, according to 77% of respondents. Approximately 73% also cited concerns with supply chain attacks, despite research showing that end-users are becoming overall less concerned with cybersecurity, as many report strengthening networks and improving methods of allowing remote access.

Zeroing in

In September 2023, the International Dairy Foods Association (IDFA), Washington, DC, entered a strategic partnership with the Food and Agriculture - Information Sharing Analysis Center (Food and Ag-ISAC). IDFA said working with the non-profit will bolster the dairy industry’s defenses against cyber criminals.

Food and Ag-ISAC provides threat intelligence, analysis and security practices that help food and agriculture companies through detecting attacks, responding to incidents and sharing indicators.

With the Food and Ag-ISAC partnership in place, IDFA said its members will receive regular briefings on cyber threats, as well as updates regarding best practices and access to new resources that bolster cyber defenses.

“It is clear that cyber criminals have a spotlight on dairy companies,” said Michael Dykes, president and chief executive officer, IDFA. “We need to look to always stay two steps ahead of these actors, and we can do that if we work together, share information, and share best practices for thwarting efforts to disrupt our businesses.”

The organization has published a cybersecurity guide for small- and medium-sized dairy businesses that can be accessed through IDFA’s website.

Formerly a special interest group within the Information Technology-Information Sharing and Analysis Center, Food and Ag-ISAC launched this past May, with a revised purpose to serve food and agriculture companies by providing vendor-neutral threat analysis, establishing peer-to-peer intelligence sharing and driving informed risk management.

Scott Algeier, executive director for the Food and Ag-ISAC, said maintaining a safe, secure and resilient farm-to-table supply chain depends on individual decisions at countless companies.

“We are excited about this partnership with IDFA, as they will help us share critical threat intelligence and effective mitigation strategies with the dairy industry to help it manage the array of threats it faces,” he said.

Despite ongoing concerns about potential threats to the industry from bad actors, shying away from technology isn’t the answer, according to Bengtsson. Rather, it is about leveraging best-in-class technology to create a secure foundation.

“To be competitive in the future, the question should really be what technology can do for us,” he said. “There are so many opportunities right now for the forward-thinking organizations to ensure resilience, efficiency and a future-proof business model.”

Companion bills to address cybersecurity threats

Legislation looking to strengthen cybersecurity protections within the food and agriculture sectors was introduced in both the House of Representatives and the Senate on Jan. 25.

The bipartisan bill, known as the Farm and Food Cybersecurity Act, was introduced by Sens. Tom Cotton (R-Ark.) and Kirsten Gillibrand (D-NY).

The bill would identify vulnerabilities and improve protective measures of both the government and private groups against cyber threats.

Specifically, it would direct the US Department of Agriculture (USDA) to conduct a study of cybersecurity threats and vulnerabilities in the food and agriculture sectors every two years and submit a report to Congress.

The USDA would work with the Department of Homeland Security, Health and Human Services, and National Intelligence to conduct a cross-sector simulation exercise for food-related cyber disruptions.

“Protecting our nation’s farms and food security against cyberattacks is a vital component of our national security,” Gillibrand said.

Cotton added, “America’s adversaries are seeking to gain any advantage they can against us – including targeting critical industries like agriculture. Congress must work with the Department of Agriculture to identify and defeat these cybersecurity vulnerabilities. This legislation will ensure we are prepared to protect the supply chains our farmers and all Americans rely on.”

The Farm and Food Cybersecurity Act’s companion bill would likewise require the USDA to lead a cybersecurity threat study every two years and a simulation exercise.