How food manufacturers can keep legacy systems safe from cyber-attacks

June 22, 2023

A Public Accounts Committee report has exposed serious cyber risks from Defra’s legacy systems. Food and drink manufacturers should heed the lessons and review the security of their older technology.

The Committee found many of Defra’s systems were outdated, no longer supported by their supplier and at high risk of failure or cyber-attack[1].

It recommended a complete IT overhaul to prevent risks to the UK’s food system, air quality and water safety monitoring.

Food and drink manufacturers may be in a similar position with some of their legacy systems, and with potentially more immediate and costly impacts, especially in the current economic conditions.

While many companies have introduced new technologies such as automation in their production environments, some older operational technologies may simply be too expensive or difficult to replace or update. This legacy equipment can’t be entirely siloed because it is often part of a chain of processes intertwined with newer systems. Ultimately, it can become a weak link.

Legacy systems tend to be less well protected against modern cyber threats. Meanwhile, adoption of new technologies has expanded the computerized infrastructure that cyber criminals can attack, giving them a much wider threat surface – more ways of targeting the business.

These factors present new cyber risks to the sector. The consequences of a cyber-attack can be severe, and may include:

  • Business interruption if production is shut down or disrupted
  • Significant response and recovery costs
  • Product contamination if hackers alter recipes or change production processes
  • Liability claims if people suffer negative health effects
  • Ransom or extortion demands
  • Reputational damage and loss of customers
  • Breaches of intellectual property and data privacy laws and regulations

To protect themselves, food and drink manufacturers should assess their vulnerabilities across all technology environments, put systematic cyber security controls in place, enhance employee education and integrate cyber into business continuity planning.

Production systems are a target

Many of Defra’s problems stemmed from prioritising new IT projects to address future challenges over bringing older systems up to date.

There are parallels in food and drink manufacturing where technologies such as robotics have often been introduced alongside older operating systems.

Firms have focused on getting these systems to work and talk to each other and less on making them secure against cyber threats. Investment in cyber security has tended to lag behind other sectors.

A Deloitte survey found that while 90% of manufacturers said they had capabilities to detect cyber events, very few consistently monitored their operational technology assets or networks.[2]

Many food manufacturers still don’t see themselves as a target, or if they do, see the threat coming from IT rather than operational technology (OT) exposures.

But with IT and OT increasingly converging, this is no longer a safe assumption – a good cyber security strategy should address both.

Cyber threats are increasing

The number and scale of cyber-attacks on food and drink manufacturers have been increasing.

Examples of large businesses targeted over the last couple of years include a leading meat processor in Brazil, a major global fruit and vegetable processor based in the U.S., a snacks manufacturer in the UK, and a German frozen foods supplier.

The sector has become more attractive to cyber criminals, due in part to a perception that cyber security is relatively lax when compared to heavily regulated sectors such as banking or defense.

As cyber threats become increasingly sophisticated – and sensitivities around food and drink safety and standards increase – hackers can create disruption more easily, for example just by causing the wrong allergy information to be printed on a label.

Impacts can be far reaching

As well as the potential food safety concerns, these threats can have significant knock-on consequences. For example, a cyber-attack could lead to a product being recalled.

If so, this might not be covered by product recall insurance as most policies have a cyber exclusion clause.

With supply chains increasingly relying on interconnected systems and networks, there is also an increasing risk that weaknesses in IT/OT supplier cyber defences could create a route into manufacturers’ systems.

Businesses need to take a systematic approach to protecting their production systems and equipment, and to consider, mitigate and defend any potential entry points from attack.

How to reduce your cyber risk profile

Identify your mission-critical systems

What are the systems, machinery and equipment you need to protect above all others to keep operations on-track to meet existing customer demand?

Assess your vulnerabilities

Most cyber-attacks find their way into systems through weak points such as weak remote access protocols, poor security configurations, outdated firewalls, weak passwords and a lack of staff awareness and training.

Implement cyber security controls

Implement controls such as multi-factor authentication, privileged access management (PAM), encryption, endpoint security and rapid patch cadences for critical assets. Educate your employees about these controls and test them regularly to make sure they’re working.

Integrate cyber threats into business continuity plans

Make cyber a regular part of incident response and disaster recovery planning.

Assess what insurance cover is needed

Even with the best controls, incidents can still happen. Cyber insurance can protect food and beverage manufacturers from losses and third-party liabilities caused by cyber-attack, human error and technical failure.

How WTW can help

WTW’s cyber specialists can help manufacturers to carry out a full assessment of cyber security controls and identify any actions needed to bring them up to the standard required by insurance markets.

If you decide to insure your risks, we can also help customize cyber cover to meet the individual needs of your business.

Footnotes

  1. House of Commons Committee of Public Accounts, "Tackling Defra’s ageing digital services", April 2023.
  2. 2019 Deloitte and MAPI Smart Factory Study.

Disclosure

WTW offers insurance-related services through its appropriately licensed and authorised companies in each country in which WTW operates. For further authorisation and regulatory details about our WTW legal entities operating in your country, please refer to our WTW website. It is a regulatory requirement for us to consider our local licensing requirements.

Contacts

Christian Ryan
North American Industry Leader

Randi Harwood
Global Client Advocate
