Cybersecurity attacks in the food/beverage/agricultural industry often achieve notoriety because of the large sums of monies involved—usually in the millions of dollars—resulting from large ransomware demands and payments, plus the ensuing downtime while business and supervisory systems are offline. For example, according to an Xtalks June 22, 2023 blog by Sydney Perelmutter, senior food industry journalist, five ransomware demands in 2020 and 2021 made news due to multimillion dollar ransom demands:

  • Campari Group, 2020, $15 million demanded
  • JBS Foods, 2021, $11 million demanded and paid
  • Harvest Food Distributors and Sherwood Food Distributors, 2020, $7.5 million demanded
  • NEW Cooperative, Inc., 2021, $5.9 million demanded
  • Schreiber Foods, 2021, $2.5 million demanded [1]

One problem: the above examples include the attacks we know about. According to comparitech (a company specializing in cybersecurity analysis), from 2018 to May 2023, ransomware attacks hit 157 food, beverage, and agriculture organizations. The researchers estimated such attacks have cost these organizations $1.36 billion in downtime alone. [2]

Another more troubling problem: While ransomware attacks achieve the most notoriety as they are typically focused on business systems and bring the largest immediate income to malevolent actors, more pernicious attacks can occur at the device/controls level in a plant.

Don’t leave cybersecurity to chance
Today’s process control companies are not leaving cybersecurity to chance. Emerson provides hardware and software products incorporating “baked-in” cybersecurity, as opposed to providing cybersecurity-specific offerings. Image courtesy of Emerson


Moreover, keep in mind that a ransomware attack coming in at the IT system can open the door to plant-level OT systems. “Ransomware attacks can affect any type of network and the scope of the attack can reach into any network the attacker gains access to,” warns Jesse Newman, IT manager for Concept Systems Inc., a Control System Integration Association (CSIA) certified member. And state-sponsored attackers have the will, funds, support and time to reach down into control systems.

Worse yet, aging unprotected programmable controllers, SCADA and industrial computer systems represent an easy target that—when combined with an attack on a manufacturer’s business system—can seal the deal in totally disabling a facility, potentially putting a manufacturer’s business in a precarious position.


OT Systems Are a Ripe Target

Because water utilities are typically public, we tend to hear more about attacks on their control systems than in the food industry—but food and beverage is a ripe target for unprotected equipment—and again, most food companies are not willing to talk about attacks on production equipment, which could affect food quality and safety. However, a recent attack on a water utility in Western Pennsylvania brought about recommendations from CISA (Cybersecurity & Infrastructure Agency).

The recent alert from CISA released on November 28, 2023 covered exploitation of Unitronics PLCs used in water and wastewater systems, and offered several fixes to prevent the attack of these controllers—in this case, suspected Iranian actors are to blame. The first recommendation is to change the PLC’s default password of 1111 if in use; second, require multifactor ID for any remote access to the OT network plus IT and external networks; and disconnect the PLC from the open internet—if connected in such a fashion—and use firewalls/VPNs to segregate the device. The complete list of action steps goes beyond these basics. [3], [4]

How long can a message like this be ignored
How long can a message like this be ignored before a hacker through remote access gains control of your PLC through an easy password guess—in fact, the default password that came with the system? Illustration by Wayne Labs

“Exploitation of PLCs and similar OT systems is not new nor is it uncommon,” says Marty Edwards, Tenable deputy CTO for OT/IoT. “This set of attacks takes advantage of direct internet accessibility, a highly favorable attack method as companies have turned to making their control systems assets more remotely available. PLCs are the brains of the operation and are programmed to do all of the functions that, in this case, the water treatment plant needs to perform. A threat actor having direct access to this device is a significant and egregious risk because they can turn motors and pumps on and off, manipulate the chemical settings (compromising the safety of the water), plant logic bombs that would cause disruption at a later point in time—and potentially so much more.”


The Problems with PLCs and Other Controllers

Today, most consumer-level routers ship with a password that is also their serial number, which provides a level of security as each unit will have a unique password. PLCs, however, have had their own security problems. Thomas Ruschival, cyber security specialist for controls at Festo, points out a few of these issues:

  • PLCs were developed with physical security in mind (locked in a cabinet) and were never intended for use in a network with adversaries.
  • There are many PLCs with default passwords, and without password policies in the field. There is no user management; usually there is only one user account (aka, “admin”) and the password is shared among all personnel in the maintenance workshop. Only recently have customers and suppliers started to address the issues of cybersecurity.
  • Industrial equipment has a long lifespan; firmware updates are not installed on a regular basis. It is cumbersome, and maintenance personnel do not have the awareness. Sometimes in certified processes (pharmaceutical) the setup must not change, otherwise re-certification is required. Therefore, lots of security issues that are already patched in the IT-world live on in embedded devices.

“PLCs were never initially engineered with security as a primary focus,” adds Jaime Melendez, senior systems engineer at Contec Americas, Inc., a CSIA partner. “Individuals equipped with the necessary skills and tools could perform actions like uploading, downloading, deleting or modifying programs without significant barriers. The perceived security, in the beginning, was largely due to their physical isolation within industrial panels. However, as PLCs became increasingly interconnected and the era of Industry 4.0 ushered in a multitude of IoT devices, assumptions about their security persisted, resulting in insufficient efforts to educate developers and engineers on these critical security concerns.”


Security issues abound with PLCs and OT devices

While it’s true that advancements have been made in the security of PLCs and other automation controllers, significant cybersecurity issues remain. Many manufacturers still ship these devices with no password or a default password. While this might facilitate operational setup, it poses a serious security risk if these defaults are not changed post-implementation.

Expanded concerns include:

Legacy systems: Many PLCs in use today were designed and deployed before cybersecurity became a major concern. These legacy systems often lack the capability to support modern security practices such as encryption and multifactor authentication (MFA).

Limited built-in security features: Some PLCs and industrial controllers have limited or no built-in security features. This includes the absence of encryption for data in transit or at rest, making them vulnerable to interception and unauthorized access.

Lack of regular updates and patch management: Unlike IT systems, PLCs and industrial controllers often do not receive regular security updates or patches. This leaves known vulnerabilities unaddressed and can be exploited by cyber attackers.

Network connectivity and exposure to external threats: With the increasing interconnectivity of industrial systems, PLCs are more frequently connected to IT networks or the internet. This exposes them to a broader range of cybersecurity threats, including remote attacks.

Vendor-specific vulnerabilities: Without naming brands, it’s important to note that different vendors have varying levels of security in their products. Some may have inherent vulnerabilities that are not immediately apparent to the users.

Joe Liercke, Sr. Security Engineer, Gray Solutions, a CSIA Certified Member


“Even when hacking and computer security issues were first becoming obvious, the OT environment stopped developing additional security measures like IT did because it embraced an isolated network,” says Steve Rawlins, Sr., CISSP, lead product cybersecurity officer for Emerson Discrete Automation’s controls and software. Physical isolation was considered one of the best ways to secure a network, and mitigated lots of other threats, and so other techniques and tools that IT developed were not implemented in the OT space.

“But those days are gone,” adds Rawlins. Almost no network is truly physically isolated anymore. It is necessary to update, monitor and control OT environments from places other than the production floor. PLCs and other OT environment equipment are still adding and incorporating all the lessons learned in the IT cybersecurity space to address potential and revealed vulnerabilities.

Not having a layered, multitier strategy could result in long-term exposure without detection.
Because of the complexity of ICS architectures, potential vulnerabilities and/or exploits that introduce new and evolving categories of threats to the ICS environment can have lasting consequences, and without a layered, multitier strategy could result in long-term exposure without detection. Image from CISA’s “Recommended Practice: Defense in Depth”


Around 2010, with the emergence of the Stuxnet worm, a wakeup call resonated throughout the industry, signifying that PLCs could indeed be targeted and attacked, says Melendez. However, executing an attack wasn’t a straightforward task; it required a deep understanding of how a specific PLC program operated, acting as a deterrent. Nonetheless, as interconnections expanded, the industry started fortifying these systems with additional security measures, though often unnoticed by many. This evolution signaled a pivotal shift toward recognizing and addressing the vulnerabilities that had previously been overlooked.

But PLCs aren’t the only risk. “I see industrial computers as the biggest risk here—and not from the hardware itself but from the fact that these computers are often not patched or maintained,” says Ryan Thompson, CRB senior specialist, industry 4.0. “Clients often do not patch hardware because ‘it is working’ and because of a history of patches causing software to stop working. This is especially true when the lifespan of automation equipment is much longer than an operating system life cycle—so when OS support runs out, there is no longer an easy migration path. This is why we still see Windows XP and Windows 7 on factory floors today.”

“The predominant cybersecurity challenge still prevalent in PLCs and data acquisition systems revolves around a lack of awareness regarding these critical issues,” says Melendez. The shift from solely employing physical PLCs to incorporating software-based PLCs and data acquisition systems utilizing alternative programming languages like Python, along with the integration of IoT devices relying on custom software, has introduced potential attack vectors. It’s crucial to note that singling out a particular manufacturing company or developer isn’t the solution here. The lack of awareness regarding cybersecurity is a pervasive issue that permeates all levels of society.

CISA’s recommended secure network architecture.
CISA’s recommended secure network architecture. Integrated architectures, if compromised, could provide a threat actor with various avenues of access to critical systems—either via the corporate LAN, the control LAN, or even the communications LAN. The very nature of such architectures demands the exchange of data from disparate information sources, a factor that could be taken advantage of by an intruder. One emerging industry strategy for ICS Defense-in-Depth uses concepts such as the implementation of “zones and conduits” to secure communication pathways between trusted environments. Image from CISA’s “Recommended Practice: Defense in Depth”


Fixing Key OT Cybersecurity Issues

What’s being done to fix controller issues just described? Festo’s Ruschival suggests a key solution. “Automation suppliers together with experts have defined the IEC62443 security standard. This standard includes a range of requirements for different applications across the entire lifecycle, including individual products, integration of products in plants, and operation of these plants.”

“The industry standard IEC 62443 is a big step forward on correcting these vulnerabilities,” says Emerson’s Rawlins. “This gives clear guidance and standard practices for manufacturers, designers and end users to agree on and work toward. At a minimum, customers should be looking at password complexity and network intrusion testing on products before they purchase them. Best practice would be buying IEC 62443-certified products and even seeking to certify their production facilities. In the future there needs to be equipment logging audit files for important events, two-factor authentication, centralized audit management, and real time network monitoring. But not all these capabilities will be able to be implemented on all product types yet.”


What is the ISA/IEC 62443 Series of Standards?

The ISA/IEC 62443 series of standards define requirements and processes for implementing and maintaining electronically secure industrial automation and control systems (IACS). These standards set best practices for security and provide a way to assess the level of security performance. Their approach to the cybersecurity challenge is a holistic one, bridging the gap between operations and information technology as well as between process safety and cybersecurity.

The ISA/IEC standards set cybersecurity benchmarks in all industry sectors that use IACS, including building automation, electric power generation and distribution, medical devices, transportation, and process industries such as chemicals and oil and gas.

(https://www.isa.org/standards-and-publications/isa-standards/isa-iec-62443-series-of-standards)


“In the case of Contec, we have been diligently implementing our CONTECSecure program and establishing the Contec Product Security Incident Response Team (PSIRT),” says Melendez. “These initiatives serve as fundamental platforms, enabling our customers to bolster their security measures. However, as a hardware manufacturer, it’s crucial to acknowledge that our efforts alone are insufficient if the entire [controls] chain doesn’t actively contribute to ensuring cybersecurity. This significance cannot be understated because attackers persistently seek any vulnerability to exploit, ranging from exploiting social engineering tactics (one of the most vulnerable aspects) to manipulating hardware design flaws to infiltrate systems.”

“I think most major [controls] companies are working proactively with OT security vendors such as Claroty or Nozomi Networks,” says CRB’s Thompson. Further, they are quick to resolve CVEs (Common Vulnerabilities and Exposures) that are posted by the Cybersecurity and Infrastructure Security Agency (CISA).

Carol Keller, security specialist with Gray Solutions (a CSIA certified member), points out some areas for equipment manufacturer improvement:

  • Build in security as a standard in PLC designs, for example, secure boot processes, encryption and integrated firewalls.
  • Provide regular security updates and patch management in a systematic approach to firmware updates and security patches.
  • Implement more sophisticated user authentication methods, such as multi-factor authentication and role-based access controls.
  • Increase focus on secure communications.
  • Provide education and training for users related to cybersecurity practices and maintenance.
  • Use physical security measures/secure locations for PLCs.

Critical infrastructure and industrial organizations must have a layered defense and ensure they are following basic security protocols like obtaining an accurate asset inventory and performing vulnerability assessments on those assets is mission critical, says Tenable’s Edwards. In addition, security teams should always change default passwords on OT and IoT devices and implement two robust multi-factor authentication programs, one to get into the enterprise network and another to get between corporate environments and sensitive OT networks—which PLCs fall within.

Protecting the decentralized automation components
Downstream from programmable controllers and industrial computers, ready-to-install control cabinet solutions offered by Festo protect the decentralized automation components, such as the valve terminal VTSA, against external influences. Image courtesy of FESTO


On Direct Internet Connections and Old, Forgotten Equipment and Bad Actors

“The idea of connecting any industrial controller directly to the internet without protection is indeed alarming and you would be shocked at how many manufacturers are currently following this bad practice,” says Gray’s Sr. Security Engineer Joe Liercke. In today’s cybersecurity landscape, basic protections like VPNs and firewalls are essential. However, the situation becomes more complex with older equipment, which might have been operational for 10 to 20 years or more.

“All too often people are quick to realize the benefits of remote connectivity or remote maintenance but where we often fail is to adequately assess the risks of such a connection,” says Tenable’s Edwards. “No cybersecurity expert would recommend a direct connection to the internet, but here we are. Organizations can leverage external attack surface management (EASM) tools to identify rogue devices that they are intentionally or inadvertently directly accessible from the internet.”

Why would anyone connect any industrial controller to the internet? “The short answer is that sometimes people are not fully aware of the risk, and these connections are made,” says Emerson’s Rawlins. Often, it is unintentional because users are not tracking all elements of their environment. A first step for protecting against exposing old equipment to modern actors is to make a complete map of everything connected to the network/control system. This should include all equipment, internal and external connections and equipment communications capabilities.


Making remote access safer for maintenance activities

No question about it: unsupervised remote access can open a path to malevolent actors who also want to control your system. Here are some ways to keep them knocking but not coming in. 

  • Have (trained) IT oversight of any remote access solution to ensure that all possible security measures are implemented and configured correctly.
  • Use vetted network architectures that are built for security and validated.
  • Use a DMZ or iDMZ (industrial demilitarized zone) to provide remote access to any outside connections.
  • Have a backup terminal for plant floor devices inside the OT environment (on the plant floor).
  • Use a Linux server to enhance security and separate IT and OT devices.
  • Purchase equipment that requires physical access to the device under maintenance.
  • Use specialized remote access software for OT environments, which includes enhanced security features.
  • Eliminate vendor-installed 4G/5G hotspots to reduce the risk of unauthorized access.
  • Implement multi-factor authentication (MFA) to add an extra layer of security, ensuring that only authorized users gain access.
  • Implement role-based access to ensure users have access only to the resources necessary for their roles, minimizing the potential impact of compromised credentials.
  • Physically and logically segment the network to isolate critical systems and reduce the attack surface.
  • Use strong encryption for data in transit to protect against interception and unauthorized access.
  • Ensure that devices used for remote access are secured with up-to-date antivirus software, firewalls, and other endpoint protection measures.
  • In most cases these connections do not need to be on all the time. People connecting remotely should obtain admin approval by going through channels to verify their identity, location and job numbers.

Thanks to Ryan Thompson (CRB), Steve Rawlins, Sr. (Emerson), Carol Keller (Gray Solutions) and Marty Edwards (Tenable) for their input.


For example, does an installed sensor have Bluetooth capabilities? And is that connection used? Can it be shut off? If not, then this could be an access point for a malicious actor to enter behind firewalls and security devices, adds Rawlins. Once an end user knows what they have and what is connected, it becomes important to start looking at all the equipment and evaluate if it has known vulnerabilities, and then mitigate or replace them as needed. Update all systems as patches and updates are provided, and preferably sign up for notifications from the manufacturer.

The challenge of older, potentially forgotten industrial equipment poses a significant cybersecurity risk, says Contec’s Melendez. This issue highlights one of the most significant vulnerabilities in cybersecurity—knowledge gaps. It’s crucial to acknowledge that cybersecurity isn’t straightforward for users.

Addressing the security concerns associated with older equipment involves a multifaceted approach, adds Melendez. It includes not only implementing additional security layers like VPNs and firewalls but also educating users about the significance of cybersecurity practices. Moreover, there’s a need for continual updates and support for legacy systems to mitigate vulnerabilities and ensure ongoing protection against potential threats.

The NIST Cybersecurity Framework (CSF) 2.0 Reference Tool
To be finalized early this year, the NIST Cybersecurity Framework (CSF) 2.0 Reference Tool allows users to explore the Draft CSF 2.0 Core (Functions, Categories, Subcategories, Implementation Examples). The Tool helps companies establish and monitor their organization’s cybersecurity risk management strategy, expectations and policy. Visit https://www.nist.gov/cyberframework for more information. Source: NIST


All equipment, regardless of age should have every layer of security possible because individual defense mechanisms can be breached with enough time and resources, says Concept Systems’ Newman. “The more layers of defense you create, the more expensive (time and money) it will cost an attacker to access a device or network. I would recommend avoiding connecting controls equipment to a network that provides internet access. If an internet connection must be provided for purposes like VPN for remote access or for patching software, it’s best to only provide internet access when needed and disconnect when it’s not needed.”

Finally, know your own staff members! Your worst enemy could be a disgruntled fellow employee who has the complete run of your system—not some foreign actor thousands of miles away.


References:

[1] “Top 5 Ransomware Attacks that Shook the Food Industry,” Sydney Perelmutter, Xtalks blog, June 22, 2023

[2] “Since 2018, ransomware attacks on food, beverage, and agriculture organizations have cost the world economy $1.36bn in downtime alone,” Rebecca Moody, comparitech, June 5, 2023, Website study

[3] “Exploitation of Unitronics PLCs used in Water and Wastewater Systems.” Nov. 28, 2023, CISA.

[4] “Remote attacks on process/automation systems can wreak havoc,” FE, February 17, 2021.