Food Engineering logo
Manufacturing News

Control system vulnerabilities put food & beverage at serious risk

By Wayne Labs, Senior Contributing Technical Editor
While the vulnerability count for the food and agriculture industry is not at the same level as in more critical manufacturing sectors, out-of-control processes caused by an intruder can still affect food quality and safety. Source: Claroty Ltd.

The Purdue Reference Model was originally developed by Theodore J. Williams with members of the Purdue University Consortium for computer integrated manufacturing. This greatly simplified diagram shows the basic manufacturing OT levels (0-3) and the IT levels at 4 and 5. Data flow can be upwards from the bottom or downwards from the top. However, for companies that wish to control OT equipment from the upper layers, care should be taken that only a minimal number of people have credentialed access to layers 0-3 from layer 4 or 5. Additional hardware protection and multi-factor logins should be required. Source: FE.

March 8, 2021

While cybersecurity risks may seem to fall only within the purview of enterprise systems and critical infrastructure (such as the power grid, wastewater and transportation), the reality is that cybersecurity is often more critical at the industrial control system (ICS) level, and in the food and beverage industry there are too many gaps in protection.

Unfortunately, the number of vulnerabilities in sensitive ICS equipment isn’t improving. These vulnerabilities are largely caused by “zero day” holes in vendor ICS equipment, by the lack of an effective vendor software/firmware patch, or by a patch that hasn’t been applied by the end user (a food or beverage processor or other manufacturer). A zero day hole is a vulnerability yet to be discovered by the ICS vendor, but one that may already have been found and exploited by an attacker.

It’s one thing for a business system (e.g., ERP or inventory control) to be the victim of ransomware, but if attackers take over industrial control systems, the very safety of food can be threatened—for example, by undermining a kill step, changing ingredient additions, or altering a cleaning system by hacking into the CIP/process control system.

 

Number of ICS vulnerabilities headed in the wrong direction

Throughout the second half (2H) of 2020, 71% of ICS vulnerabilities disclosed were remotely exploitable through network attack vectors, according to the second “Biannual ICS Risk & Vulnerability Report,” released by Claroty, an industrial cybersecurity company. The report also reveals a 25% increase in ICS vulnerabilities disclosed compared to 2019, as well as a 33% increase from the first half of 2020.

On the very day this story was written, ICS CERT (Industrial Control Systems Cyber Emergency Response Team) released two ICS advisories for major automation suppliers. The first is for a controller with a buffer overflow vulnerability, and the second is for HMIs with a “missing authentication for a critical function” vulnerability.

The current Claroty Vulnerability Report discloses 449 vulnerabilities affecting ICS products from 59 vendors. Of these, 70% were assigned high or critical Common Vulnerability Scoring System (CVSS) scores, and 76% do not require authentication for an intruder to exploit the system.

While we have extolled the virtues of the convergence of IT and OT networks, the problem is that this integration increases the attack surface available to adversaries, says Amir Preminger, Claroty VP of research. “Nation-state actors are clearly looking at many aspects of the network perimeter to exploit, and cybercriminals are also focusing specifically on ICS processes, which emphasizes the need for security technologies such as network-based detection and secure remote access in industrial environments. It is heartening to see a growing interest in ICS within the security research community, as we must shine a brighter light on these vulnerabilities in order to keep threats at arm’s length.”

 

Food and beverage is not exempt from attacks

Obviously, critical manufacturing, energy, water and wastewater and commercial facilities sectors—all designated as critical infrastructure—were the most affected by vulnerabilities disclosed in the 2H report. For example, the critical manufacturing sector saw 194 reported vulnerabilities; energy, 186; water and wastewater, 111; commercial facilities, 108; and transportation, 70. But, next in the running was food and agriculture with 70 vulnerabilities reported in the sector. See the chart, “Vulnerability count by infrastructure sector.”

Opportunistic attackers went especially “low” throughout 2020, elevating extortion and ransomware attacks within their arsenals and targeting these critical industries including food. This dynamic created a race between attackers, researchers and defenders to find exploitable vulnerabilities, especially in industrial control/SCADA systems and operational technology (OT) protocols and networks.

 

Why are the numbers up?

The number of ICS vulnerabilities disclosed in 2020 increased by nearly 33% compared to 2018 and almost 25% compared to 2019. The primary factors for the increase, says the report, are likely heightened awareness of the risks posed by these vulnerabilities and increased focus from researchers and vendors on identifying and remediating such vulnerabilities as effectively and efficiently as possible. This growth also indicates that security research focused on ICS products is maturing.

Nearly 61% of vulnerabilities were discovered by third-party companies, making them the most dominant research group. Among all third-party companies, 22 reported their first disclosures, further evidence of growth in the ICS vulnerability research market.

 

Turning vulnerabilities into exploits

While IT/OT integrated manufacturing networks are great for monitoring and improving processes, they’re also a perfect entryway for attackers. The Claroty report found that 72% of ICS vulnerabilities are exploited through a network attack vector (that is, they are remotely exploitable). Nearly half (46.32%) of vulnerabilities found affect the basic control (Level 1) and supervisory control (Level 2) levels of the Purdue Model of network hierarchy or configuration (see “The Purdue Reference Model (simplified)”). 

Almost 15% of vulnerabilities found affect multiple types of products (operating at various OT Purdue Model levels, IIoT and network devices). This category mostly contains vulnerabilities in third-party components. What’s really scary is this: 89.98% of vulnerabilities don’t require special conditions to exploit, and an attacker can expect repeatable success every time.

Adding to the scary factor is that in 76.39% of the vulnerabilities, the attacker is unauthenticated prior to attack and doesn’t require any access or privileges to the target’s setting or files. In other words, the hacker is free to come and go at any time. In 78.17% of the vulnerabilities, there is no requirement for user interaction. And, 78.92% of the vulnerabilities that require no user interaction are remotely exploitable.

According to the report, for 81% of the supervisory control vulnerabilities, user interaction is needed if exploiting via a local attack vector. This indicates a playground for social engineering attack vectors. If exploited successfully, 66% of the vulnerabilities can cause total loss of system availability. 

For 94.43% of the vulnerabilities, the impact to confidentiality is low or none, and for 80.4% of vulnerabilities the impact to integrity is zero. This demonstrates that while integrity and confidentiality of information are important in IT security, they are a lesser risk variable in OT networks, requiring further severity assessment of each vulnerability.

The top five most prevalent Common Weakness Enumerations (CWEs) manifested in the ICS vulnerabilities disclosed during 2H 2020 are all ranked highly on The MITRE Corporation’s 2020 CWE Top 25 Most Dangerous Software Weaknesses list, due to their relative ease of exploitation and high potential impacts.

As for adversaries, while there wasn’t a Triton-scale malware attack in 2020, threats continue to surface from nation-state actors and cybercriminals (for example, the inclusion of ICS processes in the SNAKE ransomware kill list). Breaching the corporate perimeter is the first hop on the Purdue Model towards reaching the OT/controls layer, and while network defenses may be enhanced, incidents such as the SolarWinds attack demonstrate the fragility of some perimeter-based defenses and the eventuality that these attacks will land on ICS and SCADA equipment.

For more on the 2020 2H “Biannual ICS Risk & Vulnerability Report,” visit Claroty’s web site.

KEYWORDS: controls cybersecurity

Wayne Labs has more than 30 years of editorial experience in industrial automation. He served as senior technical editor for I&CS/Control Solutions magazine for 18 years where he covered software, control system hardware and sensors/transmitters. Labs ran his own consulting business and contributed feature articles to Electronic Design, Control, Control Design, Industrial Networking and Food Engineering magazines. Before joining Food Engineering, he served as a senior technical editor for Omega Engineering Inc. Labs also worked in wireless systems and served as a field engineer for GE’s Mobile Communications Division and as a systems engineer for Bucks County Emergency Services. In addition to writing technical feature articles, Wayne covers FE’s Engineering R&D section.

Copyright ©2025. All Rights Reserved BNP Media.
