The grocery and food supply sectors are intrinsic to the daily lives of every Canadian across the country. The work that goes into bringing food from farm to the forks of people living in every community from coast to coast is a monumentally complicated task. But it’s one that’s been made easier and more efficient in recent years thanks to the advent and continued development of digital technologies. The transformation has enabled smoother, more transparent sourcing, production, and delivery processes with greater levels of predictability and agility. However, as cyberattacks continue to escalate across North America with an emphasis on targeting critical infrastructure through ransomware infiltration, the operations and systems of grocers and their food supply partners could be at risk, potentially resulting in an inability to conduct their businesses, and jeopardizing the execution of the essential services that they provide to millions of consumers. It’s a risk that concerns food and grocery expert Sylvain Charlebois, Senior Director, Agri-Food Analytics Lab at Dalhousie University, who believes that the ramifications of a successful cyberattack on the sectors could be devastating.
“The threat of ransomware attacks should be taken very seriously by the industry,” he asserts. “I think the JBS attack was a bit of a wake-up call for everyone involved in the food ecosystem. Grocers are massive organizations that are now somewhat digitally reliant. And, from what I understand, hackers will almost always be looking for your weakest link. I can think of several weak links within the grocery business, including the store, databases and loyalty programs, cash flow, procurement strategies, and so on. When considering all of these links, the risks become pretty significant. A lot, of course, has happened over the course of the past 18 months. The entire industry has been under a lot of pressure and the last thing they wanted was more challenges. But cybersecurity has been an issue for a little while. The real problem is that most food companies are traditionally hardwired to be acutely aware of inherent risks related to the food, like food safety for example. But cyberattacks are coming right out of left field and presenting grocers with unfamiliar challenges to address.”
Rise in malicious attacks
As Charlebois points out, the threat of cyberattacks has been one that grocers and those operating in other sectors have needed to be wary of for some time now. However, a recent deluge of ransomware attacks – a form of illegal cyber aggression in which a type of malicious software infiltrates a system, blocking access to it and the data it stores, until a ransom is paid – perpetrated against critical infrastructure the world over has served to put the providers of essential services everywhere on notice.
In May of this year, U.S. fuel supplier Colonial Pipeline was attacked, resulting in a six-day shutdown that left 10,600 gas stations without fuel for over a week before a $4.4 million ransom was paid. The same month, cyberinsurance giant AXA was victimized. And, most recently, in June of this year, JBS USA Holdings Inc., the world’s largest meat supplier, agreed to meet an $11 million ransom demand following the compromising of its systems. The problem is pervasive. In fact, it’s estimated that the cost of ransomware attacks could exceed $265 billion over the course of the next decade, crippling businesses worldwide, if the issue is not properly and effectively addressed now. And, according to Charlebois, the implications for businesses, as well as their consumers, could be wide-ranging.
“First and foremost, this impacts the consumer,” he stresses. “It’s an issue related to the integrity of the food they buy. If hackers are able to infiltrate a system and compromise a company’s procurement network, consumers can potentially be purchasing product that’s mislabeled. It obviously wouldn’t be intentional mislabeling, which is the scariest part. Secondly, we might even see store closures as a result of a successful attack, impacting access to food until systems are restored. These issues are really a matter of supply chain efficiency. However, strains placed on the supply chain could precipitate issues around food affordability as costs would likely rise in the wake of an attack. The ransoms that are being demanded by hackers are not cheap. And, combined with the low margins of the food and grocery business, consumers will ultimately be the ones paying for the consequences of successful attacks.”
Current state of cybersecurity
In a 2020 Cybersecurity Report developed by the Canadian Internet Registration Authority (CIRA) prior to the recent barrage of ransomware attacks around the world, it was revealed that about three in ten organizations had already seen a spike in the volume of attacks during the pandemic. Slightly more than half of organizations implemented new cybersecurity protections directly in response to COVID-19. However, fewer expected to increase human resources dedicated to cybersecurity over the course of the following 12 months, with just one-third planning to do so. In addition, the report found that fully one-quarter of organizations reported having experienced a breach of customer and/or employee data in 2020, with a further 38 percent stating that they were unsure whether they had or not. It’s a problem of paramount concern for any retailer, says Roman Coba, VP Technology and CIO at Federated Co-operatives Limited, and one that he believes poses the biggest threat to the reputation of brands, with potentially long-term implications.
“If you’re operating a retail business, hackers are likely trying to infiltrate and compromise your systems multiple times a week,” he asserts. “And, if you suffer a successful cyberattack, particularly for those operating in the food sector, the negative impacts on the integrity of the brand could be devastating. It would have a significant influence on the loyalty of customers to that brand, dramatically reducing their trust in the company and its products. As a result of decreased trust and loyalty, there would be a long-term residual impact on sales, forcing organizations to work doubly hard in efforts to make up for their losses.”
Increased prevention efforts
The CIRA report also explored the preparedness efforts of organizations with respect to training and safeguards instituted in order to protect their operations. It found that 94 percent of those surveyed currently conduct cybersecurity awareness training for employees, with 56 percent providing training around cyber threats directly related to COVID-19. In addition, all organizations reported consistently measuring the impact of cybersecurity awareness training programs by monitoring training results and risk scores, reduced costs and time saved on security incidents, benchmarks against industry peers, and other performance indicators. It’s tireless work that Coba says is “never-ending”, but critically important to the survival of any organization today.
“The awareness and efforts of those working to prevent cyberattacks within the food industry is very high,” he says. “There’s a lot being invested into cybersecurity. And, combined with the maturity of grocers with respect to their need to protect their environments, the issue is a top priority. In order to properly address these threats, grocers should continue to constantly increase their security posturing and validate their vulnerabilities. Ensuring that those two things are happening on a rotational basis is key in combatting cybercriminals. And, consistently strengthening supplier partnerships and tightening supply chains will help grocers eliminate any susceptibilities they might have in their operations.”
Responding to the threat
Despite the best efforts of grocers and their food supply partners, however, due to the ever-increasing sophistication of cybercriminals and the complex nature of the ransomware that they create, experts say that it’s all but inevitable that at least a percentage of their attacks will be successful. And, it’s only a small percentage of success that’s required, says Stephen O’Keefe, industry expert and President of retail consultancy Bottom Line Matters, in order for hackers to effect the chaos, confusion and turmoil that they intend to create. Echoing Coba’s comments, he says that the job of today’s grocery loss prevention and cybersecurity teams in withstanding and preventing the efforts of hackers is a monumental one, adding that the response of organizations in the aftermath of a successful breach could be just as critical as the prevention efforts they have in place.
“When we talk about the threat of cyberattacks on the food industry, we have to not only consider the financial aspect of a breach, but the added element of food safety,” says O’Keefe. “And if a hacker is able to target the health and safety aspect of food, then the level of vulnerability goes way up. So, any business operating in this space needs to ensure that they have redundant systems in place in the event of an attack. For instance, if an organization’s refrigeration is automated, you’ve got to have the ability to override the system and operate those fridges manually. Today, you can’t rely 100 percent on the IT system.”
Executing a plan
O’Keefe goes on to explain that in order to support the IT infrastructure of an organization, the right people have got to be in place. In addition, he stresses the development and maintenance of a robust business continuity plan that can help address any and all threats that an organization might face, including those that are posed by cybercriminals and their malicious attacks.
“All manufacturers have a food safety expert assigned to the business,” he says. “They lead food safety divisions within these organizations and are responsible for conducting spot-checks to identify issues related to listeria, salmonella, E. coli or any other contaminants. That person is often part of the company’s crisis management or incident response teams, allowing them to be deeply involved from the start in the case of a compromised system. Their involvement would be critical in order to determine the vulnerability of the food. And, their role, as well as everyone else’s, along with all of the procedures, protocols and steps involved in responding to a threat of this nature, should be outlined, in detail, in an organization’s business continuity plan which should serve as the guiding reference with respect to the ways it would counter such a threat.”
Protecting against the worst
Though the need to respond to a successful cyberattack is not a pleasant thought for any company operating within the food industry, O’Keefe underscores the importance of any organization’s preparation, suggesting that an analysis of vulnerabilities to a cyberattack should become a top priority in order to understand the safeguards that need to be put in place. And, given the escalation of cybercriminal activity, combined with the success rate that cybercriminals are currently achieving, it seems like sage advice. Charlebois agrees, proposing that now is the best time for grocers and their food manufacturing partners to revisit their systems and ensure that they’re protected against some of the worst possible outcomes.
“I’d presume that grocers believe they’re ready to guard against a cyberattack. But, if JBS and others weren’t ready and were, in the end, forced to pay a ransom to their attackers, then everyone has to wonder about their company’s readiness to respond. Systems are evolving at an incredible pace today. So, too, are the capabilities of the hackers and the effectiveness of the ransomware that they deploy. And, given all of the factors that are at play, the stakes are very high for grocers and their food manufacturing partners. There’s no question that the topic of cybersecurity and ransomware attacks will only increase in significance going forward as those operating within the industry continue to enhance their preparedness efforts in order to protect their businesses and the health and safety of their customers across the country.”