The U.S. Food and Drug Administration (FDA) issued the final rule on the Food Safety Modernization Act (FSMA) in November 2015 and, according to the FDA website, it is still in effect as of 21/10/2020. The rule aims to prevent intentional adulteration from acts intended to cause large-scale harm to public health, including acts of terrorism targeting the food supply. FSMA requires a vulnerability assessment to identify vulnerabilities and actionable process steps for each type of food manufactured, processed, packaged, or stored in the food facility. According to FSMA, for each point, step or procedure in the facility's process, these elements must be evaluated. Specifically, a vulnerability assessment will be carried out to determine the degree of physical access to the product, with considerations that include the presence of physical barriers such as gates, railings, doors, covers, seals and shields. Nevertheless, FSMA does not explicitly address cyber threats.
Cyber experts have long stated that the food, beverage and agriculture industries can be vulnerable to cyber threats. The current focus of control system cyber threats is electric power and, with the February cyberattack on the Oldsmar water treatment plant, water. However, the same control systems from the same vendors with the same vulnerabilities are used in all industries. There is an article in Food Engineering magazine: "Control system vulnerabilities put food and beverages at serious risk" (https://www.foodengineeringmag.com/articles/99362-control-system-vulnerabilities-put-food-beverage-at- riesgo grave) that addresses vulnerabilities in food manufacturing. I gave a speech on control system cybersecurity with real case stories at the 2016 Food Industry Cybersecurity Summit in Washington DC sponsored by the Food Protection and Defense Institute (https://www.controlglobal.com/blogs/unfeitated/some-cisos -están-empezando-a-tener-la-importancia-de-las-ics-ciberseguridad-y-están-en-la-industria-alimentaria). From a control system cyber perspective, a food, beverage, or agriculture facility is essentially a chemical and/or manufacturing facility. Control system cyber incidents have caused problems such as product adulteration at chemical manufacturing facilities. My database of over 1,300 actual control system cyber incidents includes over 100 incidents at chemical facilities. I have identified over 20 control system cyber incidents at food and beverage facilities, including some in which people were harmed and others that closed the facility. In fact, some of the food cases emerged as a result of my 2016 presentation, where attendees had a better idea of which incidents could be cyber-related.
Control system incidents can be very difficult to identify. Furthermore, due to the lack of control system cyber forensics and the inability to distinguish motivation (malicious or not), it may not be possible to identify whether control system cyber incidents are malicious or not. Unlike the 1982 "Tylenol scare," which was a physical attack on products on store shelves that resulted in the deployment of tamper-resistant, triple-sealed security containers, control system cyber incidents occur during the manufacturing process, before the food or drink is packaged. These incidents can be unintentional or malicious. However, the impact can be the same, and it is not good.
Parallels to the food cyber security gap are the Oldsmar water hack of February 2021 and the 2007 Spencer, MA sodium hydroxide incident (https://www.controlglobal.com/blogs/unfettered/water-control-system-cyber-incidents- son-más-frecuentes-e-impactantes-de-lo-que-las-personas-son-conscientes). In the Spencer case, as well as in at least one of the food cases, control system cyber issues (they didn't have to be malicious) led directly to “product adulteration”, directly resulting in public harm (injury). In the case of food, it is not clear whether the adulteration was malicious or inadvertent. However, FSMA's intent is to prevent people from being harmed, and in this case, it failed.
Control system operational technology (OT) networks, even in food and beverage facilities, are typically flat networks with direct connections to IT networks. Those food and beverage companies using SolarWinds that have not segmented the OT networks of their facilities from their IT networks are in danger of having their OT networks compromised. Additionally, like other industrial facilities, food and beverage facilities often have remote access for in-house personnel, as well as OEMs and system integrators for remote maintenance support.
Look at how long it took from the Spencer, MA case in 2007 to the Oldsmar, FL case in 2021 for people to apparently take action to cyber-protect water facilities. Like other industries, food facilities have been experiencing cyber incidents since the late 1990s. Isn't it about time that US food, beverage, and agriculture production required cyber protection just like other critical infrastructures?