29 June 2020

Cyber attacks on food producers are growing, the potential risks are crippling

The high levels of automation that maintain food and beverage manufacturing efficiency and enable fast processing that retains the quality of the ingredients make the industry an appealing target to cyber criminals, as the recent ransomware attack on Lion’s beverage manufacturing operations on 9 June 2020 demonstrates. Here are some of the factors food producers should be aware of.

“In the last decade we have seen major advances in technology that is being used by the food and beverage production industry,” says Stephen Elms, National Head – Food Production at Gallagher.

“Today’s fully automated factories and smarter warehouses allow producers to manage and ship their stock more efficiently. While these changes do have many positive benefits, they also carry a significant cyber risk.”

The connectivity required by this advanced technology means food production systems present a vulnerable attack surface for cyber criminals, especially as industry operators often don’t recognise this emerging risk.

Many are unaware that in recent times food and beverage sectors are more commonly attacked than banking and financial firms, according to the 2019 Trustwave Global Security Report, while new research by the University of Minnesota has identified that the industry is under growing threat from cyber criminals.

Potential risks from cyber attacks

The University of Minnesota research states that the potential consequences of an attack on the industrial control systems used in the food industry include:

  • contaminated food that threatens public health
  • physical harm to workers
  • destroyed equipment
  • environmental damage
  • massive financial losses for companies.


Areas of concern for food production businesses

Apart from the risk of tainted products and recipe tampering, cyber-related disruptions to production in the fast-moving food industry have the potential to impact the entire supply chain, with serious legal and reputational implications for the victim of a cyber attack.

“It’s not uncommon for food producers to have large, distribution/automatic retrieval-type warehouses that utilise automation and robotics. If a food producer does suffer a cyber attack it could cripple their business immeasurably.”

Stephen Elms, Gallagher National Head – Food Production

The Lion incident, which closed down some areas of its operations, has been identified as a ransomware attack. Ransomware, malware that blocks an organisation's access to their computer system unless a ransom is paid, has increased globally by more than 97% in the past two years.

Ransomware attacks in Australia cost businesses and the public sector up to $241 million in 2019, with business enterprises and government agencies incurring costs of roughly $1.6 billion in an overall average of 16 days’ downtime, according to a 2020 report by local security firm Emsisoft.

Systems interconnectivity isn’t the only vulnerability that food and beverage producers need to protect. Increasingly, cyber criminals are using social engineering to gain access to business systems.


“Systems security isn’t in itself enough to prevent a cyber attack,” says Gallagher cyber practice leader Robyn Adcock. “Every business needs to educate its employees so they can recognise a social engineering attempt that invites them to click on a link in an email.”

Robyn Adcock, Gallagher cyber practice leader


These ‘phishing’ scams are becoming increasingly sophisticated as cyber crime tools evolve to keep pace with technological developments such as automation and the use of artificial intelligence, widely used in manufacturing industries.

 

Other contributing factors to vulnerability

  • A lack of knowledge about how industrial control systems and IT systems interact
  • A lack of awareness about cyber-risks and threats
  • Poor coordination and information-sharing among food system stakeholders
  • The tools required to carry out a cyber-attack are becoming more powerful and require less skill to use

The University of Minnesota research recommends that food businesses build stronger communications between operations technology and information technology staff. They should also conduct risk assessments that include inventories of both industrial control and IT systems, involve staff with cyber-security expertise in procuring and deploying new industrial control systems and extend the existing culture of food safety to include cyber-security.

 

3 essential steps for your cyber protection 

With the Federal Government warning of increased cyber threats in Australia right now, we recommend taking the 3 immediate steps below.

  1. Patch – apply updates to all software and apps to cover off existing vulnerabilities.

  2. Apply dual factor identification – nobody should be able to access any area of your organisation’s network without entering a user name and password in two separate fields.

  3. Use a virtual private network (VPN) – if possible use a secure gateway to your network and communications systems and devices.


Use these measures to reassess your cyber risk policy

Insurance has a key role to play in providing food and beverage production companies with protection against the effects of a cyber attack on both the operation itself and its business partners. For any existing cyber policy, we recommend you take the following actions.

  • Review cyber policies to evaluate the scope of coverage, and how it may cover cyber losses related to the use of employee-owned devices and remote networks. Specific focus should be concentrated on how a policy might define computer networks, computer systems and other key terms.
  • Be aware that cyber claims costs for business interruption losses are almost always impacted by waiting periods before coverage applies and are limited to a specific period of restoration.
  • Review policies carefully to see whether any portion of the loss may be covered. For example, if faced with a social engineering loss, it is possible that lost funds may not be covered in the cyber policy and that other policies, such as crime policies, may apply.

Talk to our experienced food production insurance experts

Specialised industry knowledge means a food production insurance expert can identify the potential risks presented by the processes involved as well as the roll-on effects, such as the need for product recall and collateral damage (to reputation, for example), and formulate a risk management and insurance cover program accordingly.

 

Our team of food production specialists calls on the Gallagher legacy of 75+ years in servicing food production enterprises, which means that whether you are a primary producer, in processing, transit or grocery wholesaling, we have a deep understanding of the risks associated with each step of the supply chain and how to manage and mitigate them.

 

Additional resources

Lion hit by cyber attack

2019 Trustwave Global Security Report

University of Minnesota report reveals growing threat of cyberattacks to food safety

The cost of ransomware in 2020


Gallagher provides insurance, risk management and benefits consulting services for clients in response to both known and unknown risk exposures. When providing analysis and recommendations regarding potential insurance coverage, potential claims and/or operational strategy in response to national emergencies (including health crises), we do so from an insurance and/or risk management perspective, and offer broad information about risk mitigation, loss control strategy and potential claim exposures. We have prepared this commentary and other news alerts for general information purposes only and the material is not intended to be, nor should it be interpreted as, legal or client-specific risk management advice. General insurance descriptions contained herein do not include complete insurance policy definitions, terms and/or conditions, and should not be relied on for coverage interpretation. The information may not include current governmental or insurance developments, is provided without knowledge of the individual recipient’s industry or specific business or coverage circumstances, and in no way reflects or promises to provide insurance coverage outcomes that only insurance carriers control.

Gallagher publications may contain links to non-Gallagher websites that are created and controlled by other organisations. We claim no responsibility for the content of any linked website, or any link contained therein. The inclusion of any link does not imply endorsement by Gallagher, as we have no responsibility for information referenced in material owned and controlled by other parties. Gallagher strongly encourages you to review any separate terms of use and privacy policies governing use of these third party websites and resources.

Insurance brokerage and related services to be provided by Arthur J. Gallagher & Co (Aus) Limited (ABN 34 005 543 920). Australian Financial Services License (AFSL) No. 238312