Cyber Security in Food & Drink Manufacturing: BRCGS Standards
Cyber attacks and data breaches threaten the business structure, reputation, safety and profitability of the global food supply chain. As such, cyber security measures must be fit to withstand threats from hackers. The Food, Drink and Hospitality sector invests the least amount in cyber security, even though for businesses following BRCGS standards, cyber security measures are mandatory. In 2019, the average investment in cyber security for the Food & Hospitality sector was only £1,080.
With such low investment, the threat of a cyber attack is a very real prospect for food and drink manufacturers. This article covers the cyber security threats to manufacturers, explains why cyber security is so important, outlines the cyber security clauses in Issue 8 of the BRCGS standards, and suggests how manufacturers might avoid the potential risks.
This article covers the following:
- What are the Cyber Security Threats to Food & Drink Manufacturers?
- Why is Cyber Security Important for Food Businesses?
- BRCGS Cyber Security Standards
- How Do I Meet the BRCGS Standards in Manufacturing?
Use the links above if you’d like to jump to a certain section of the article.
What are the Cyber Security Threats to Food & Drink Manufacturers?
The most common cyber security threats to an organisation are malware, phishing, social engineering and identity theft:
There are four main types of malware: viruses, worms, Trojans and ransomware. Each of these cyber security threats attacks your device in a different way.
The attacker can install the malware onto your device using a variety of methods, all of which rely on getting software downloaded onto it.
Viruses prevent the computer from running efficiently and can result in corrupted files. In some cases, viruses allow the criminals access to your computer by creating a ‘back door’.
Worms can duplicate themselves like clones and can deplete the system resource. Worms can also allow attackers to steal data by creating a ‘back door’ into your computer.
Trojans are hidden in seemingly legitimate software, such as a screensaver or an app, so that people are misled into downloading the malware. Once the Trojan has been downloaded, the malware provides the attacker with access to your device. The attackers will then have access to your computer and will be able to copy your files, delete information, monitor what you are doing, and spread other malware.
Ransomware is malware which makes your files inaccessible until payment is given for their release or decryption. In 2017, the NHS were the victim of a ransomware attack which caused widespread disruption to the service nationwide. The ransomware attack was not targeted and affected organisations globally.
Phishing is the most common type of cyber attack in the UK. Phishing refers to any attempt made by criminals to obtain personal details or information which can then be exploited. Phishing emails appear to be from a trustworthy company or person and deceive people into sharing their confidential information.
Phishing is a social engineering tactic because it exploits human weakness by manipulating people. It is used by cyber attackers because it’s an easy way of targeting large groups of people, with a high success rate.
Social engineering is using human interaction to carry out a cyber attack. It uses psychological manipulation to deceive individuals into making security mistakes or handing over sensitive information. Social engineering tactics often have multiple steps to the attack, using identity theft or impersonation to retrieve the confidential information.
Spear phishing is a type of phishing attack that is directed at specific organisations or individuals. The content of the email is personalised to make it appear as though it is from someone you know and trust.
In 2020, there was a coordinated cyber hack of several Twitter accounts belonging to well-known public figures, including Barack Obama, Elon Musk, Joe Biden and Jeff Bezos. The attackers gained access to internal systems and, by extension, the accounts through social engineering tactics targeted at internal employees.
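The phishing and spear-phishing emails described above share a few detectable traits: a display name that claims a trusted organisation while the sending address belongs to another domain, a Reply-To that redirects answers elsewhere, link text that names one site while the link points to another, and pressure language. The following Python script is an added example, not code from the original article or from BRCGS; it runs those checks over two constructed sample messages. The trusted domains, the urgency word list and the sample emails are all invented for the illustration.

```python
"""Phishing-indicator checks over constructed sample emails (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of domains the business treats as trusted senders
# (hypothetical names, not real suppliers).
TRUSTED_DOMAINS = {"example-supplier.co.uk", "example-bank.co.uk"}
# Pressure phrases commonly used to rush the reader (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw_message):
    """Return a list of indicator strings found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    indicators = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)

    # 1. Display name names a trusted organisation but the address domain differs.
    for trusted in sorted(TRUSTED_DOMAINS):
        org = trusted.split(".")[0].replace("-", " ")
        if org in display_name.lower() and from_domain != trusted:
            indicators.append(f"display name mentions '{org}' but sender domain is {from_domain}")

    # 2. Reply-To sends answers to a different domain than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        indicators.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")

    # 3. Visible link text shows one host while the href points to another.
    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True).decode("utf-8", "replace")
    if body:
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", text.lower())
            if shown and shown.group(0) != _host(href):
                indicators.append(f"link text shows {shown.group(0)} but href host is {_host(href)}")

    # 4. Pressure language typical of credential-harvesting mail.
    combined = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in combined]
    if hits:
        indicators.append("urgency language: " + ", ".join(hits))
    return indicators


# Constructed sample messages (not real emails).
SAMPLE_PHISH = """\
From: Example Supplier Accounts <accounts@example-supp1ier.com>
Reply-To: payments@mailbox-example.net
Subject: URGENT: invoice payment overdue
Content-Type: text/html; charset=utf-8

<html><body><p>Your account will be suspended. Please
<a href="http://login-example.net/verify">www.example-supplier.co.uk/portal</a>
to verify your account.</p></body></html>
"""

SAMPLE_LEGIT = """\
From: Example Supplier Accounts <accounts@example-supplier.co.uk>
Subject: Invoice 1234 attached
Content-Type: text/plain; charset=utf-8

Please find invoice 1234 attached. Regards, Accounts.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample))
```

Each indicator on its own is only a hint (a legitimate supplier might use a separate Reply-To), so a mail filter would score them together rather than block on any one; the value for staff awareness is that the same four traits are what a person can check by eye before clicking.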
Identity theft is defined as the theft of your personal details. Identity theft becomes identity fraud when stolen details are used to commit fraud. Criminals may use your identity details to open bank accounts or credit cards, apply for loans or to gain control of your existing accounts.
Other, less well-known cyber security threats are:
- Denial of Service (DoS)
- Structured Query Language Injection (SQL Injection)
- Cross-Site Scripting (XSS)
Why is Cyber Security Important for Food Businesses?
The food sector has not yet been the target of a high-profile cyber attack; however, this has led to the sector becoming complacent.
Smaller food business operators, for example, believe that they are at lower risk of a cyber attack even though they receive the same number of malicious emails.
Breaches in cyber security have the potential to affect any part of the supply chain as businesses accelerate digital operations. Attacks aim to disrupt operations and threaten the safety, profitability and reputation of organisations. Ransomware has the potential to halt entire food supply chains with no guarantee of files becoming accessible on payment.
Several other methods of cyber attacks could be used to gain access to systems and steal customer data. This would compromise customer trust and open your customers up to identity fraud.
Criminals wanting to tamper with the food product could access systems in place to control CCPs (Critical Control Points) resulting in harm to human health. If this occurs without detection, it would result in additional costs to the food business operator through product recalls.
Smaller businesses with legacy systems such as Windows XP pose greater security risks, as the code is no longer maintained with security updates. An ‘if it’s not broken, don’t fix it’ approach could end up costing food business operators more in the long run, both in trust and in monetary terms.
An IT department is often responsible for the cyber security measures of a business; however, all employees should share that responsibility and have an awareness of cyber security.
Examples of Security Breaches
JJ Foodservice have recently increased their online security by requiring a unique purchase order ID and PIN code following a case of identity fraud. ASDA, Iceland and Brakes were also affected by impersonation.
In 2016, the American food chain Wendy’s reported a cyber attack in which over 1,000 customers’ card details were stolen. The cyber criminals used malware to gain access to their internal systems.
BRCGS Cyber Security Standards
Issue 8 of the BRCGS Food Safety Standard introduced cyber security requirements as part of food defence. The introduction of these requirements in 2018 may have required food business operators to implement additional measures and controls in order to fulfil the standards.
For more information on who the BRCGS are and what they do, read ‘Our Guide to Understanding BRCGS’.
The clauses which require cyber security controls are:
3.2.1. Document Control & 3.3.1. Record Completion and Maintenance
Documents stored electronically must be stored securely with authorised access, control of amendments or password protection. Files should also be backed up to prevent loss.
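Clauses 3.2.1 and 3.3.1 ask for three things that can be checked mechanically: records are only amended through a controlled route, any amendment is detectable, and a backup copy exists and matches. The Python script below is an added example, not BRCGS or vendor tooling; it assumes records live in one directory, that a SHA-256 manifest is written when records are signed off, and that later checks compare the live directory and the backup against that manifest. The record files, their contents and the tampering scenario in `demo()` are constructed for the illustration.

```python
"""Integrity manifest for electronically stored records (added example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(records_dir):
    """Map each file's path (relative to records_dir) to its SHA-256 digest."""
    root = Path(records_dir)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def save_manifest(manifest, path):
    """Persist the signed-off manifest; in practice this file would itself be
    write-protected or stored with the backups, not beside the live records."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def check_records(records_dir, manifest):
    """Compare the live directory with the signed-off manifest.

    Returns a dict of 'modified' (content changed), 'missing' (record gone)
    and 'unexpected' (file present that was never signed off).
    """
    current = build_manifest(records_dir)
    return {
        "modified": sorted(f for f in manifest if f in current and current[f] != manifest[f]),
        "missing": sorted(f for f in manifest if f not in current),
        "unexpected": sorted(f for f in current if f not in manifest),
    }


def backup_matches(records_dir, backup_dir):
    """True when the backup holds byte-identical copies of every live record."""
    return build_manifest(records_dir) == build_manifest(backup_dir)


def demo():
    """Constructed scenario: sign off three records, back them up, then tamper
    with the live copy and show what the checks report."""
    with tempfile.TemporaryDirectory() as tmp:
        records = Path(tmp) / "records"
        backup = Path(tmp) / "backup"
        records.mkdir()
        # Constructed record files (not real production data).
        for name, text in {
            "ccp1-log.csv": "time,temp\n08:00,74.2\n",
            "haccp-plan.txt": "HACCP plan v3\n",
            "audit.txt": "internal audit record\n",
        }.items():
            (records / name).write_text(text)
        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(records), manifest_path)
        shutil.copytree(records, backup)

        clean = check_records(records, load_manifest(manifest_path))
        backup_ok_before = backup_matches(records, backup)

        # Simulated unauthorised amendment, deletion and unsigned addition.
        (records / "ccp1-log.csv").write_text("time,temp\n08:00,64.2\n")
        (records / "audit.txt").unlink()
        (records / "notes.txt").write_text("added without sign-off\n")

        after = check_records(records, load_manifest(manifest_path))
        backup_ok_after = backup_matches(records, backup)
        return clean, backup_ok_before, after, backup_ok_after


if __name__ == "__main__":
    clean, ok_before, after, ok_after = demo()
    print("before tampering:", clean, "backup matches:", ok_before)
    print("after tampering:", after, "backup matches:", ok_after)
```

Running the check on a schedule and alerting on any non-empty list gives auditable evidence that amendments are controlled; the backup comparison failing after tampering is what allows the signed-off version to be restored rather than lost.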
3.11.1 Management of Incidents, Product Withdrawal and Product Recall
Procedures must be in place to report and manage situations which impact food safety, legality or quality including cyber security failures and attacks.
6.1.2. Control of Operations
Where possible, controls critical to food safety should be password protected or otherwise restricted.
How Do I Meet the BRCGS Standards in Manufacturing?
Cyber security falls under TACCP (Threat Analysis Critical Control Point) or is sometimes categorised on its own as CHACCP (Cyber Hazard Analysis Critical Control Point). A threat assessment for food safety considers those who intend to cause harm.
It could also be considered part of VACCP (Vulnerability Analysis Critical Control Point) for cyber attacks that are not intended to cause harm but could do so if production is halted. A total food safety culture includes cyber security. TACCP and VACCP assessments often encompass more areas and individuals than a HACCP (Hazard Analysis Critical Control Point) plan, as they also cover cyber security in manufacturing and the employees involved.
Cyber security threats can be risk assessed and managed through awareness and a cyber security culture within a business, not just left to the IT department. Employees with access to internal systems should be aware of:
- Clicking on an unsafe link or attachment in an email and unknowingly downloading malware.
- Clicking on links on a website which then download malware.
- Malware in fake copies of normal software, for example, pirated copies of Microsoft Office.
- Ensuring the Wi-Fi is secure when working away from the office or using a VPN when using an unsecured public Wi-Fi network.
- Frequently changing passwords and using strong (not easy to guess) passwords.
- Not leaving a computer or laptop unattended, especially when unlocked.
- Updating software to the latest version, ensuring the computer has the latest security patches.
To ensure cyber security in manufacturing, make sure all documents are stored securely, backed up and password protected where possible.
To meet standard 3.11.1, implement a whistleblowing policy and a policy to report cyber security attacks which could impact the safety of food. You should also review the cyber security measures on CCP equipment and ensure it is password protected where possible.
Complete a risk assessment of your current cyber security measures and implement a continuous improvement approach instead of an ‘if it’s not broken, don’t fix it’ mindset. Cyber security threats should be managed by every employee, so consider training staff on safe practices and on the consequences of not being cyber security aware.