With more of the food system run online – and, increasingly, from the homes of its workers – the industry faces a rising risk of cyberattacks

The UK’s food supply chain is under attack. Hackers intent on raising millions in ransoms or wreaking nationwide disruption are attempting to invade the computer systems of every business up and down the chain, every minute of every day.

According to SonicWall analysis, there were 304.7 million ransomware attacks – where hackers encrypt data and demand cash for its release – globally within the first six months of 2021, a 151% rise on the total number of incidents in 2020. UK businesses were among the worst affected, second only to the US. In the first half of 2021, cybercriminals – be they organised gangs or nation states – launched 2.5 billion malware attacks.

The supply chain is increasingly a key target. The European Union Agency for Cybersecurity (ENISA) predicts the number of such attacks on the sector will increase fourfold this year compared to last.

In the face of these ever-rising incidents, the sector’s defences are beginning to crumble. As Matthew Gribben, CTO of Signal Vision and former GCHQ cybersecurity officer, puts it: “The UK supply chain is incredibly vulnerable and if anybody thinks otherwise they are kidding themselves. It is simply a matter of when, not if, an attack has a national impact.”

In part that’s due to the widespread digitisation of the food supply chain in recent years, which has increased the size of the “attack surface”. In other words, the more computers and devices involved in food production, delivery and retail, the more potential entry points for hackers.

Food factories are now full of internet-connected devices that measure and monitor production processes. Manufacturing is among the fastest adopters of IoT (Internet of Things) technology, according to IDC research, and uptake is set to increase further with the arrival of 5G in the UK.

“These devices are hard to manage and monitor,” says Mike Campfield, head of EMEA operations at ExtraHop. “Companies struggle to keep track of them. The lack of device inventory and vital updates to secure these connected devices leaves systems vulnerable.”

Older connected systems like SCADA (supervisory control and data acquisition) are vulnerable too. “The hardware and software used in many food processing plants were developed and implemented in the late 1980s and 1990s,” says Mark Brown, global MD, cybersecurity & information resilience at BSI. “Even technology deployed in the 2000s is obsolete.”

Furthermore, these components tend to be “hard-coded and often operating with default user credentials and passwords. This makes them highly vulnerable to cybercriminals who are able to leverage publicly available manuals and support documentation provided by vendors to attack these legacy systems,” Brown adds.

Once within a warehouse’s systems, hackers “could turn off a frozen food storage warehouse and disable the alarm systems that warned its entire contents was defrosting”, Brown warns. In a food factory, “critical safety controls such as formulations, temperature and metal detection can be remotely altered without operators being aware, resulting in vast quantities of unsafe food being delivered into food distribution chains and retailers”.

How to prepare the UK food supply chain for attacks

Educate teams

“Companies need to get to grips with the new security risks of remote working to ensure their security policies are configured in a way that actually protects them,” says former GCHQ cybersecurity officer Matthew Gribben.

“Second has to be user education. Organisations really need to take this seriously because people are almost always the weakest link,” he says.

A recent Sophos report found that 70% of businesses have seen increased phishing attempts since the pandemic began.

Assess suppliers

Any given food business has multiple partners. A supermarket will have “hundreds if not thousands of suppliers” and each of them “pose varying degrees of risk”, says Jonathan Wood, CEO of C2 Cyber.

For each, “you need to quantify the inherent risk. This is determined by the volume of data you share with them, its confidentiality and its criticality,” he says.

Wood recommends assessing the security of suppliers. “Define your own risk appetite, and then identify the suppliers who exceed it.”

A ransom policy

It can be tempting to simply pay ransoms. But that can backfire. Some hacking groups are even offering “references from people they’ve attacked previously, confirming that when paid up they did release the data”, says Deloitte cyber risk partner Peter Gooch.

The UK’s National Cyber Security Centre warns against it: “There is no guarantee you will get access to your data or computer, your computer will still be infected, you will be paying criminal groups, and you’re more likely to be targeted in the future,” it says.

Cyber hygiene

Many attack attempts can be curtailed with basic ‘cyber hygiene’ such as backing up critical files and updating software patches. “Doing the basics right can lower this risk,” says Chris Morgan, Digital Shadows senior cyber threat intelligence analyst.

Organisations can also call in the professionals to test their defences. “Without independent assurance, it’s criminals who will identify weaknesses, rather than professionals,” says Kimberly Carey Coffin, global technical director at Lloyd’s Register.

Prepare for the worst case

“Let’s assume nothing’s going to be 100% secure,” says Gooch. Take Coop Sweden, which closed more than half of its stores for a day in July after an attack stopped tills and self-service checkouts from working. It quickly rolled out scan and go payments to affected stores.

“It’s about being ready if it does happen, minimising the impact and quickly recovering, which a lot of organisations probably haven’t put enough thought into,” Gooch explains.

Automation vulnerability

The increased use of automation in distribution centres also makes the food chain more vulnerable.

“Since all distribution centres are automated, if a supermarket loses access to their data, they will have no idea what stock they have and where it is,” says Jonathan Wood, CEO of C2 Cyber. “Most food is stored in similar-looking boxes, so the supermarkets would have no way of knowing what’s inside without looking into every single one. This would not only take days, but would also cause some of the food to perish.”

The threat of such devastating scenarios is not far-fetched. In February, a hacker gained access to the water system of Oldsmar in Florida and attempted to pump dangerous levels of sodium hydroxide into it.

While criminal gangs could threaten to extort food companies to return control, such hacks could also be used by nation state actors to “stealthily impact health or poison a population”, says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.

“The motivations of the actor in the Oldsmar incident are unclear,” Morgan adds. “However, if something similar occurred towards food or beverage products within the UK and was not detected, then the results could be catastrophic.”

That possibility is growing as the hacking community becomes more sophisticated. “We aren’t talking about angsty teenagers,” says Gribben. “These are well-funded organised crime groups and occasionally state-sponsored groups. This has become such big business that some of these groups even now use affiliate schemes to attract people into finding victims for them to exploit. This has become known as RAAS or ransomware as a service.”

There is, after all, a huge amount of money to be made. According to Sophos, the average ransom paid by infected businesses in 2021 was $170,404. Of those surveyed, $3.2m was the highest ransom paid, and $10,000 the most common. Ten organisations paid ransoms of $1m or more.

The overall cost to a business – including the ransom, downtime, and other associated losses – is rising, up from $761,106 in 2020 to $1.85m in 2021.

“These cybercriminals know food production and distribution companies will be faced with a decision of paying the ransom to avoid food waste and the loss of income or go under,” says ExtraHop’s Campfield. “Many may feel forced to pay to avoid disruption in the delivery of their critical product or service.”

Covid risk

What’s worse, Covid has made it easier for hackers to find a route into the food supply chain. That’s due to “the mounting complexities of hybrid working environments”, says Dmitriy Ayrapetov, VP of platform architecture at SonicWall. Remote working “means there are a multitude of loosely secured devices being used over a wider network area, making it far easier for attackers to find holes to exploit”, Ayrapetov says.

When hackers are looking for a way in, “people are almost always the weakest link”, explains Gribben. One of the most common cyberattack vectors is employee user accounts, with access gained “often by use of simple phishing emails”, he says.

“This has grown as a problem because there has been this seismic shift of people working from the office to working outside the traditional firewall,” Gribben says.

Phishing emails are now even more effective given the lack of training given to workers fast-tracked into factories and offices due to Covid necessity.

“This is especially true in a post-Covid environment, where people are returning to factories post-furlough schemes, creating a fluid workforce that may lead to cracks in the supply chain,” says Ayrapetov.

Personnel pressures are also making it easier for cybercriminals in other ways. “It’s easy to imagine that keeping IT teams stocked with talent is being put on the backburner as big food companies look to hire general manpower,” he adds. “Unfortunately, without a strong and well-informed IT infrastructure, the food supply chain will struggle to defend itself.”

It’s a risk the UK has to take particularly seriously due to its geography. “If an attack succeeds in compromising and shutting down logistics in the Port of Felixstowe, for example, even a few days out of commission would pose huge risks to local food stocks,” says Andrew Beckett, MD of Cyber Risk. Meanwhile the ‘just in time’ nature of the supply chain means “problems set in quickly and can escalate rapidly”, he adds.

The highly digital, highly connected UK food supply chain needs to get wise to the threat and fast, warns Gribben. “We know the sector is in a difficult position already,” he says. “A major cyber incident could be catastrophic, resulting in empty supermarket shelves nationwide and food being manufactured that can’t be distributed. This could easily escalate to the point of becoming a national emergency.”
