No milk at the supermarket? The importance of cybersecurity in the food sector
Companies must strengthen cybersecurity in the food sector to avoid serious incidents that paralyze their activities and cause millions in losses
A few days ago, it was announced on the Dark Web that the ransomware group Akira had successfully attacked Vicky Foods, a company specializing in the manufacture of bakery products that can be found in all Spanish supermarkets. The cybercriminals claim to possess 10 GB of corporate information, including contact details of customers and employees, company licenses, contracts with suppliers and financial information. However, for the moment, no data has been exfiltrated, and the company has not shed light on the matter.
This event shows, once again, that cybersecurity in the food sector is an absolutely strategic issue for companies. Only through robust security strategies can companies that manufacture, process and/or market food face up to the growing number of cyberattacks that are looming over them.
If we add to this the fact that, as the Federal Bureau of Investigation (FBI) warned a few months ago, the threats are increasingly complex and serious, we find that organizations must focus on cybersecurity in the food sector.
Below, we will address the landscape of threats faced by food companies, as well as the consequences of serious security incidents and the demands of the regulatory framework.
1. Behind the spaghetti lies a powerful technological infrastructure
Why is the food sector in the crosshairs of criminal groups? The causes fall into two broad categories: its high cyber exposure and the consequences of serious incidents.
1.1. Technology, cyber exposure and lack of awareness of the dangers they face
- It is an area of the productive fabric in which technology plays a crucial role. Food companies have undergone a true technological revolution in recent decades. The robotization and automation of processes have spread to all companies, not just large ones. Why? Only through the use of technology can they reduce manufacturing times, save costs, reduce water consumption and be competitive.
- As a result, the level of cyber-exposure in food companies is very high and has grown exponentially in recent years thanks to:
  - The implementation of IIoT devices (Industrial Internet of Things) and ICS systems (Industrial Control Systems) in factories.
  - The leap to the Cloud to lower costs and facilitate business scalability.
  - The use of SaaS (Software as a Service) to manage the marketing of food products, relationships with customers and suppliers, logistics and finances.
- Although there are large corporations, there is also a large ecosystem of SMEs that do not prioritize cybersecurity in the food sector and do not allocate the necessary resources to strengthen their security posture.
- The high level of technological maturity of companies does not correspond to the level of maturity in cybersecurity. For this reason, food companies are a more accessible target for cybercriminals than other companies with a similar technological infrastructure.
1.2. Paralysis of activity and extortion capacity
- The consequences of serious security incidents can be extremely damaging for food companies, especially if they are forced to disconnect their systems to contain the attacks and, therefore, see their business continuity threatened.
- It is precisely the companies’ desperate situation that makes them priority targets for cybercriminals. Through ransomware attacks, they can extort companies and obtain direct and immediate financial benefits.
2. Attacks against logistics companies, another way of jeopardizing cybersecurity in the food sector
A few years ago, supermarkets in the Netherlands suffered a shortage of a product that is key to the happiness of millions of people: cheese.
The reason for this was a successful ransomware cyberattack against Bakker Logistiek, one of the country’s leading logistics companies. As a result of this incident, the company was unable to manage orders from supermarkets for several days and was therefore unable to supply them.
This incident gives us a glimpse of the role played by the logistics chain in the cybersecurity of the food sector.
Thus, food companies must not only have solid cybersecurity strategies but they must also take into account the cybersecurity requirements in the food sector when hiring their logistics providers.
3. Consequences of attacks against food companies
3.1. Paralysis of manufacturing processes
The most feared consequence for many food companies is that a cyberattack could paralyze food production or processing. In 2021, JBS, a multinational meat company, had to shut down dozens of meat processing plants in the United States and Canada for two days. To get out of this situation, JBS agreed to pay the criminals a ransom of $11 million.
In a similar scenario in 2024, an incident at Duvel, one of the big Belgian breweries, brought beer production to a standstill for days.
As we pointed out before, it is not only big companies that malicious actors target. This summer, Vital Bircher, a small Swiss farm, suffered a cyberattack on its milking and cow health monitoring systems. The criminals demanded a ransom of $10,000. The farm did not pay them, and eventually, a pregnant cow and her calf died.
3.2. Disruptions in order management
It is not only the production and processing phases that can be affected by cyberattacks. Also last summer, Alcampo, a French multinational hypermarket chain, suffered a security incident that affected its systems for ordering products from stores, which led to some products being out of stock.
The same thing had happened a few days earlier to Co-op, another supermarket company, in this case a Canadian one.
3.3. Theft of data and industrial property
In addition to these consequences of security incidents, ransomware attacks can result in the theft of contact details and financial information of customers, suppliers or workers.
Furthermore, the objectives of malicious actors also include industrial espionage or the violation of intellectual and industrial property, an especially sensitive issue for food companies. After all, as the saying goes, the formula for Coca-Cola is the best-kept secret in the world.
Given the consequences outlined above, we must emphasize that cybersecurity in the food sector is critical to avoid severe and difficult-to-quantify economic losses, as well as reputational damage that can undermine companies’ relationships with their customers and jeopardize their business model.
4. Strengthening cybersecurity in the food sector is going to be a legal obligation
The severity of the consequences to which companies that suffer serious incidents are exposed highlights the need to strengthen cybersecurity in the food sector.
Even so, some companies still do not place cybersecurity at the center of their strategies. This situation will change for medium and large companies when the future Law on Cybersecurity Coordination and Governance comes into force, a law that transposes the NIS2 directive.
This law, which will be approved in 2025, establishes a series of obligations in terms of cybersecurity, vulnerability management and incident response for companies in 20 economic sectors, including the food sector.
Which companies will be legally required to strengthen their cybersecurity in the food sector?
All organizations operating in our country that meet these two requirements:
- Have 50 or more employees.
- Have recorded a global turnover of more than 10 million euros in the last year.
Therefore, optimizing cybersecurity in the food sector will become a legal obligation in the short term for dozens of companies. Non-compliant companies face millions in penalties, loss of certifications, the imposition of coercive fines, and the suspension of their CEOs.
5. Cybersecurity services to protect companies and their business models from attacks
What can food companies do to strengthen their cybersecurity strategies, improve their incident detection and response capabilities and adapt to the future Cybersecurity Law?
Organizations have at their disposal a wide range of cybersecurity services that will help them optimize their security posture and increase their resilience against attacks:
- Audits of web security, Cloud, and IoT. Performing security audits on a recurring basis is essential for monitoring all the assets of a company’s technological infrastructure and detecting vulnerabilities before malicious actors exploit them.
- Management of vulnerabilities throughout their life cycle to prioritize their remediation based on the company’s resources and the level of criticality of the vulnerability for its business model.
- Red Team services that carry out simulations of ransomware and other specific scenarios for food companies. In light of the examples we have been discussing in this article on cybersecurity in the food sector, it is clear that ransomware on their systems is one of the major threats they face. Red Team professionals replicate the techniques, tactics and procedures of malicious actors to carry out 100% realistic simulated attacks and evaluate the prevention, detection and response mechanisms of organizations.
- Proactive incident response services that start working as soon as an incident is detected can contain it, expel the malicious actor and allow the company to return to normal in the shortest possible time.
5.1. Cybersecurity in the food sector allows companies to benefit from technology and protect it
Ultimately, although not given as much attention as in other areas, cybersecurity in the food sector has become a vitally important issue for companies, given their high level of robotization and digitization.
Cyberattacks against food companies are on the increase and they are becoming increasingly complex and sophisticated. If we add to this the fact that the regulatory framework is becoming more demanding, we can conclude that companies operating in the food sector must have robust security strategies in place that enable them to prevent attacks and limit their consequences.