Skip to main content
main content, press tab to continue
Article

How food manufacturers can keep legacy systems safe from cyber-attacks

June 22, 2023

A Public Accounts Committee report has exposed serious cyber risks from Defra’s legacy systems. Food and drink manufacturers should heed the lessons and review the security of their older technology.
N/A

The Committee found many of Defra’s systems were outdated, no longer supported by their supplier and at high risk of failure or cyber-attack[1].

It recommended a complete IT overhaul to prevent risks to the UK’s food system, air quality and water safety monitoring.

Food and drink manufacturers may be in a similar position with some of their legacy systems, and with potentially more immediate and costly impacts, especially in the current economic conditions.

While many companies have introduced new technologies such as automation in their production environments, some older operational technologies may simply be too expensive or difficult to replace or update. This legacy equipment can’t be entirely siloed because it is often part of a chain of processes intertwined with newer systems. Ultimately, it can become a weak link.

Legacy systems tend to be less well protected against modern cyber threats. Meanwhile, adoption of new technologies has expanded the computerized infrastructure that cyber criminals can attack, giving them a much wider threat surface – more ways of targeting the business.

These factors present new cyber risks to the sector. The consequences of a cyber-attack can be severe, and may include:

  • Business interruption if production is shut down or disrupted
  • Significant response and recovery costs
  • Product contamination if hackers alter recipes or change production processes
  • Liability claims if people suffer negative health effects
  • Ransom or extortion demands
  • Reputational damage and loss of customers
  • Breaches of intellectual property and data privacy laws and regulations

To protect themselves, food and drink manufacturers should assess their vulnerabilities across all technology environments, put systematic cyber security controls in place, enhance employee education and integrate cyber into business continuity planning.

Production systems are a target

Many of Defra’s problems stemmed from prioritising new IT projects to address future challenges over bringing older systems up to date.

There are parallels in food and drink manufacturing where technologies such as robotics have often been introduced alongside older operating systems.

Firms have focused on getting these systems to work and talk to each other and less on making them secure against cyber threats. Investment in cyber security has tended to lag behind other sectors.

A Deloitte survey found that while 90% of manufacturers said they had capabilities to detect cyber events, very few consistently monitored their operational technology assets or networks.[2]

Many food manufacturers still don’t see themselves as a target, or if they do, see the threat coming from IT rather than operational technology (OT) exposures.

But with IT and OT increasingly converging, this is no longer a safe assumption – a good cyber security strategy should address both.

Cyber threats are increasing

The number and scale of cyber-attacks on food and drink manufacturers has been increasing.

Examples of large businesses targeted over the last couple of years include a leading meat processor in Brazil, a major global fruit and vegetable processor based in the U.S., a snacks manufacturer in the UK, and a German frozen foods supplier.

The sector has become more attractive to cyber criminals, due in part to a perception that cyber security is relatively lax when compared to heavily regulated sectors such as banking or defense.

As cyber threats become increasingly sophisticated – and sensitivities around food and drink safety and standards increase – hackers can create disruption more easily, for example just by causing the wrong allergy information to be printed on a label.

Impacts can be far reaching

As well as the potential food safety concerns, these threats can have significant knock-on consequences. For example, a cyber-attack could lead to a product being recalled.

If so, this might not be covered by product recall insurance as most policies have a cyber exclusion clause.

With supply chains increasingly relying on interconnected systems and networks, there is also an increasing risk that weaknesses in IT/OT supplier cyber defences could create a route into manufacturers’ systems.

Businesses need to take a systematic approach to protect their production systems and equipment, consider, mitigate and defend any potential entry points from attack.

How to reduce your cyber risk profile

Identify your mission-critical systems

What are the systems, machinery and equipment you need to protect above all others to keep operations on-track to meet existing customer demand?

Assess your vulnerabilities

Most cyber-attacks find their way into systems through weak points such as weak remote access protocols, poor security configurations, outdated firewalls, weak passwords and a lack of staff awareness and training.

Implement cyber security controls

Implement controls such as multi-factor authentication, privileged access management (PAM), encryption, endpoint security and rapid patch cadences for critical assets. Educate your employees about these controls and test them regularly to make sure they’re working.

Integrate cyber threats into business continuity plans

Make cyber a regular part of incident response and disaster recovery planning.

Assess what insurance cover is needed

Even with the best controls, incidents can still happen. Cyber insurance can protect food and beverage manufacturers from losses and third party liabilities caused by cyber-attack, human error and technical failure.

How WTW can help

WTW’s cyber specialists can help manufacturers to carry out a full assessment of cyber security controls and identify any actions needed to bring them up to the standard required by insurance markets.

If you decide to insure your risks, we can also help customize cyber cover to meet the individual needs of your business.

Footnotes

  1. House of Commons Committee of Public Accounts Tacking Defra’s ageing digital services April 2023" Return to article
  2. 2019 Deloitte and MAPI Smart Factory Study" Return to article

Disclosure

WTW offers insurance-related services through its appropriately licensed and authorised companies in each country in WTW operates. For further authorisation and regulatory details about our WTW legal entities, operating in your country, please refer to our WTW website. It is a regulatory requirement for us to consider our local licensing requirements.

Contacts


Christian Ryan
North American Industry Leader
email Email

Randi Harwood
Global Client Advocate

Related content tags, list of links Article Cyber Risk Management Manufacturing
Contact us