The US food supply is neither cybersecure nor safe from control system cyber threats

March 14, 2021
The US FDA is supposed to assure the US food supply is safe from adulteration. However, the FDA Food Safety Modernization Act (FSMA) requirements ignore cyber threats. There have been more than 20 control system cyber incidents in food and beverage facilities, including some where people were harmed and others that shut down facilities. Similar to other industries, food facilities have been experiencing cyber incidents since the late 1990s. Isn’t it time the US food, beverage, and agriculture production require cyber protection as do other critical infrastructures?

The US Food and Drug Administration (FDA) issued the final rule on the Food Safety Modernization Act (FSMA) in November 2015, and according to the FDA website the rule is still current as of 10/21/2020. The rule is aimed at preventing intentional adulteration from acts intended to cause wide-scale harm to public health, including acts of terrorism targeting the food supply. FSMA requires a vulnerability assessment to identify vulnerabilities and actionable process steps for each type of food manufactured, processed, packed, or held at the food facility. According to FSMA, these elements must be evaluated for each point, step, or procedure in the facility’s process. Specifically, a vulnerability assessment is to be conducted to determine the degree of physical access to the product, with considerations including the presence of physical barriers such as gates, railings, doors, lids, seals and shields. However, cyber threats are not explicitly addressed by FSMA.

Cyber experts have long stated the food, beverage, and agriculture industries can be vulnerable to cyber threats. The current focus of control system cyber threats is electric power and, with the February cyberattack on the Oldsmar water treatment facility, water. However, the same control systems from the same vendors with the same vulnerabilities are used in all industries. An article in Food Engineering magazine, “Control System Vulnerabilities Put Food and Beverage at Serious Risk” (https://www.foodengineeringmag.com/articles/99362-control-system-vulnerabilities-put-food-beverage-at-serious-risk), addresses the vulnerabilities in food manufacturing. I gave a keynote on control system cyber security with actual case histories at the 2016 Food Industry Cyber Security Summit in Washington DC sponsored by the Food Protection and Defense Institute (https://www.controlglobal.com/blogs/unfettered/some-cisos-are-starting-to-get-the-importance-of-ics-cyber-security-and-they-are-in-the-food-industry). From a control system cyber perspective, a food, beverage, or agriculture facility is essentially a chemical and/or manufacturing facility. Control system cyber incidents have caused issues such as adulteration of products in chemical manufacturing facilities. My database of more than 1,300 actual control system cyber incidents includes more than 100 incidents in chemical facilities. I have identified more than 20 control system cyber incidents in food and beverage facilities including some where people were harmed and others that shut down facilities. In fact, some of the food cases came as a result of my 2016 presentation where attendees had a better idea of what incidents could be cyber-related.

Control system incidents can be very difficult to identify. Moreover, because of the lack of control system cyber forensics and the inability to distinguish motivation (malicious or not), it may not be possible to identify whether control system cyber incidents are malicious or not. Unlike the 1982 "Tylenol scare", which was a physical attack from the store shelves that resulted in the implementation of tamper-resistant, triple-sealed safety containers, control system cyber incidents occur during the manufacturing process before the food or beverage is packaged. These incidents can be unintentional or malicious. However, the impact can be the same – and it isn’t good.

A parallel to the gap in food cyber security is the February 2021 Oldsmar water hack and the 2007 Spencer, MA sodium hydroxide incident (https://www.controlglobal.com/blogs/unfettered/water-control-system-cyber-incidents-are-more-frequent-and-impactful-than-people-are-aware). In the Spencer case, as well as in at least one of the food cases, control system cyber issues (which did not have to be malicious) directly led to “product adulteration”, which directly led to public harm (injuries). In the food case, it is not clear if the adulteration was malicious or unintentional. However, the intent of FSMA is to prevent people from being harmed, and in this case it failed.

Control system Operational Technology (OT) networks, including in food and beverage facilities, are often flat networks with direct connections to IT networks. Those food and beverage companies using SolarWinds that have not segmented their facility OT networks from their IT networks are in danger of having their OT networks compromised. Additionally, just like other industrial facilities, food and beverage facilities often have remote access for internal staff as well as for OEMs and system integrators for remote maintenance support.
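
As an added illustration of the segmentation point above (not part of the original article), the following Python check flags flow records that enter or leave an OT network without passing through a DMZ, which is what a flat IT/OT network or an unmanaged remote-access path looks like in flow data. The zone names, address ranges and flow records are constructed for the example.

```python
import csv
import io
import ipaddress

# Constructed zone plan for a hypothetical plant (assumption, not from the article).
ZONES = {
    "it":  ipaddress.ip_network("10.10.0.0/16"),  # corporate IT, incl. network-management servers
    "dmz": ipaddress.ip_network("10.50.0.0/24"),  # jump hosts / remote-access gateway
    "ot":  ipaddress.ip_network("10.90.0.0/16"),  # PLCs, HMIs, batch controllers
}

# Constructed flow records: src,dst,dst_port,proto
FLOWS = """\
10.10.4.20,10.90.1.15,502,tcp
10.50.0.5,10.90.1.15,502,tcp
203.0.113.40,10.90.2.8,3389,tcp
10.90.1.15,10.90.1.16,44818,tcp
10.90.3.3,198.51.100.7,443,tcp
10.10.4.20,10.50.0.5,22,tcp
"""

def zone_of(addr):
    """Return the zone an address belongs to, or 'external' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"

def audit(flow_text):
    """Flag flows that touch OT where the peer is neither OT nor the DMZ."""
    findings = []
    for row in csv.reader(io.StringIO(flow_text)):
        if not row:
            continue  # tolerate blank lines in the export
        src, dst, dport, _proto = row
        pair = (zone_of(src), zone_of(dst))
        # Segmented design: OT talks only to OT or to the DMZ, never directly
        # to corporate IT, a vendor address, or the internet.
        if "ot" in pair and not set(pair) <= {"ot", "dmz"}:
            findings.append((f"{pair[0]}->{pair[1]}", src, dst, int(dport)))
    return findings

if __name__ == "__main__":
    for kind, src, dst, dport in audit(FLOWS):
        print(f"{kind:14} {src} -> {dst}:{dport}")
```

On the constructed data, the direct IT-to-PLC Modbus session, the external RDP session into OT and the OT host reaching the internet are flagged, while traffic brokered by the DMZ host is not.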

Look how long it took from the Spencer, MA case in 2007 to the Oldsmar, FL case in 2021 for people to ostensibly take action to cyber secure water facilities. Similar to other industries, food facilities have been experiencing cyber incidents since the late 1990s. Isn’t it time the US food, beverage, and agriculture production require cyber protection as do other critical infrastructures?

Joe Weiss