While the food and beverage industry may not be the most sought after by nefarious hackers, the industry has come in as the third-most hacked—after retail (including banking and consumer goods) and hospitality, according to the “2016 Trustwave Global Security Report.” More alarming is a 2014 Food Quality & Safety article entitled “Cybersecurity in Food,” which noted that 70 percent of food and beverage companies that are hacked go out of business within a year of an attack. Also of concern, the Trustwave study reports that 45 percent of incidents in the world occur in the US.
Scott Schober, (pictured) author of the new book Hacked Again: It Can Happen to Anyone—Even a Cyber Security Expert, sheds some light on how to prevent attacks, especially for smaller and medium-sized businesses. He’s the CEO of Berkeley Varitronics Systems, which has had its share of attacks, and he has learned prevention techniques the hard way—with hands-on experience. Schober appears regularly on “Good Morning America,” “Bloomberg,” CCTV, CBS News and CNBC as a cyber security expert with numerous appearances on other networks and shows. His company makes advanced wireless solutions for the telecommunications and security markets.
While food and beverage operations are not likely as appealing to hackers as banks, retail, electrical utilities or public water and sewage treatment systems, processors need to be aware of what might be considered valuable assets to hackers and competitors.
“I’m guessing a big part of it is intellectual property [IP],” says Schober. And it’s about the damage to a brand as was illustrated by the 2013 Target attack. “It’s fascinating how that damage trickles down through the shareholders, customers, vendor relationships—and how long it takes you to build a brand versus how quickly it’s destroyed.”
As with food safety, combating the damage caused by hackers starts with education. Schober insists on instilling cybersecurity best practices from the top down, that is, with the CIO or chief security information officer, through engineering, operations and the janitor.
“Everybody in the equation has to be part of the security solution—not the security problem,” he says. Hackers look for weak links, and often the simplest is through social engineering—be it an email with an attachment or a website download that buries itself deep in a system and is capable of secretly spilling sensitive information to the hacker’s world or demanding a large ransom to get back encrypted data.
In another social engineering example, Schober recounts the story of a hacker who sits in a car outside an office or plant and calls the plant’s number and, speaking to the receptionist, says he has an urgent document he needs to send to the CEO, and that time is of the essence to secure a major contract. So he asks for the wireless access point’s password, and the receptionist says she can’t give it to him, but when he expresses the dollar value of the project, she caves. Once in, he uploads a nefarious payload to the system so that he can now monitor network traffic from a remote location, potentially gleaning valuable IP.
Another method of social engineering uses memory sticks. Schober met Frank Abagnale, author of Catch Me If You Can, at a recent seminar. As an experiment and a few hours before his presentation on cyber security, Abagnale dumped a load of memory sticks in a parking lot. Sure enough, a couple of hours later, more than half of them had been picked up. Hopefully, those who picked up the thumb drives checked for viruses before opening any files. After all, this is how Stuxnet was introduced to the Iranian nuclear processing facility, which ultimately destroyed centrifuges. Schober warns: Before inserting a thumb drive, be sure it comes from a known and trusted source, and that your virus system scans the entire device.
Beyond a simple hack is corporate espionage, e.g., acquiring recipe or production data—or the layout of a production line. As more and more food plants are installing IoT technologies and have wireless sensors and access points everywhere, knowing who is on them and having control over them is imperative to keeping sensitive data in house, says Schober. This means that to maintain security, no mobile devices or laptops should be in the working environment unless they are company owned and administered.
Employees should check their devices before entering the plant environment. Why? Food companies have notoriously high turnover with temporary employees, and it’s possible for a worker (especially if paid by a competitor) to bring in a device capable of jumping on the wireless or cellular network and sending video or other sensitive data to a competitor’s computer.
High-end perimeter devices, routers, firewalls and a DMZ can help keep the bad guys out, but it comes down to the human element. As Schober points out, in the infamous Target break-in, the hackers initially gained access to Target’s network by going through a third-party HVAC contractor. Best advice: know your suppliers, contractors and customers—anyone that has access to your networks.