The U.S. Food and Drug Administration (FDA) issued the final rule on the Food Safety Modernization Act (FSMA) in November 2015 and, according to the FDA’s website, is still in effect as of 10/21/2020.The rule aims to prevent the intentional adulteration of acts intended to cause large-scale harm to public health, including acts of terrorism aimed at the food supply.
FSMA requires a vulnerability assessment to identify vulnerabilities and actionable process steps for each type of food manufactured, processed, packaged, or stored in the food facility. According to FSMA, for each point, step or procedure in the installation process, these elements must be evaluated. Specifically, a vulnerability assessment will be carried out to determine the degree of physical access to the product with considerations including the presence of physical barriers such as gates, railings, doors, lids, seals and shields. However, the FSMA does not explicitly address cyber threats.
Cyber experts have long stated that the food, beverage and agriculture industries can be vulnerable to cyber threats. The current focus of the control system’s cyber threats is electric power and, with the February cyberattack on the Oldsmar water treatment plant, water. However, in all industries the same control systems are used from the same suppliers with the same vulnerabilities. There is an article in the journal Food Engineering: “Control System Vulnerabilities Put Food and Beverages at Serious Risk” (https://www.foodengineeringmag.com/articles/99362-control-system-vulnerabilities-put-food-beverage-at- Serious Risk) that addresses vulnerabilities in food manufacturing. I gave a speech on control system cybersecurity with real-world case stories at the 2016 Food Industry Cybersecurity Summit in Washington DC sponsored by the Food Protection and Defense Institute (https://www.controlglobal.com/blogs/unfeitated/some-cisos —they are-starting-to-have-the-importance-of-cybersecurity-ics-and-are-in-the-food-industry).From the cybernetic perspective of a control system, a food, beverage, or agriculture facility is essentially a chemical and/or manufacturing facility. Cyber incidents of the control system have caused problems such as adulteration of products in chemical manufacturing facilities. My database of over 1,300 actual cyber control system incidents includes over 100 incidents at chemical facilities. I have identified more than 20 cyber control system incidents at food and beverage facilities, including some in which people were harmed and others that closed the facility. In fact, some of the food cases came up as a result of my 2016 presentation, where attendees had a better idea of what incidents might be related to cyberspace.
Control system incidents can be very difficult to identify. In addition, due to the lack of a cyber forensic control system and the inability to distinguish motivation (malicious or not), it may not be possible to identify whether the control system’s cyber incidents are malicious or not. Resistant to tampering, cyber incidents of the control system occur during the manufacturing process before packaging food or drink. These incidents can be unintentional or malicious. However, the impact may be the same, and it is not good.
Parallel to the breach in cybersecurity food is the Oldsmar water hack of February 2021 and the Spencer, MA incident of sodium hydroxide 2,007 (https://www.controlglobal.com/blogs/unfettered/water-control-system-cyber-incidents-are-more-frequent-e-shocking-than-people-are-aware). In Spencer’s case, as well as in at least one of the food cases, cyber control system issues (they didn’t have to be malicious) directly led to “product adulteration,” which directly led to public damage (injuries). In the case of food, it is unclear whether the adulteration was malicious or unintentional. However, the FSMA’s intention is to prevent people from suffering harm and, in this case, it failed. Control system operational technology (OT) networks, even in food and beverage facilities, are typically flat networks with direct connections to IT networks. Those food and beverage companies using SolarWinds that have not segmented their facility OT networks from their IT networks are in danger of having their OT networks compromised. In addition, like other industrial facilities, food and beverage facilities often have remote access for in-house staff, as well as for OEMs and system integrators for remote maintenance support.
Look at how long it took from the Spencer, MA case in 2007 to the Oldsmar, FL case in 2021 for people to apparently take steps to protect water facilities cybernetically. As in other industries, food facilities have been experiencing cyber incidents since the late 1990s. Isn’t it time for U.S. food, beverage and agriculture production to require cyber protection just like other critical infrastructure?