
As part of Australia’s critical infrastructure, food and beverage manufacturing is subject to federal security legislation that came into effect in April. Michael Murphy from Fortinet outlines how to ensure a secure risk management program.

The food and beverage manufacturing sector is a core component of Australia’s critical infrastructure (CI), which means a cyberattack on an organisation in this industry could compromise food supply and safety.

Consequently, the sector has been included in the Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 (SLACIP Act), which came into effect on 2 April 2022 and has led to significant changes relating to cyber resilience requirements for CI operators.

The SLACIP Act amends various infrastructure asset definitions and calls for CI operators to adopt, maintain, update, and comply with a critical infrastructure risk management program.

Further amendments also require CI operators to report a critical cyberattack within 12 hours and undergo regular cybersecurity exercises.

While reporting critical assets and disclosing cyber security incidents is mandatory, regular cybersecurity exercises are only required if the organisation is deemed a system of national significance that must adhere to enhanced cyber security obligations.

It is important for businesses operating in the food and grocery industry to understand what their obligations are, especially if they fall into this category, which many will.

Even if businesses aren’t subject to mandatory cybersecurity exercises, it is crucial that businesses take steps to strengthen their cybersecurity posture to protect the valuable assets that they manage as part of their operations.

Escalating attacks

Manufacturers are gearing up cybersecurity efforts in the face of escalating attacks on the plant floor. Many of these production sites run on legacy operational technology (OT) that wasn’t designed to connect to the internet and, therefore, doesn’t necessarily have cybersecurity measures built in.

Many businesses believe that additional technology will mitigate the risk; however, this approach often increases complexity and creates new gaps for cybercriminals to exploit.

To protect themselves, manufacturers must ensure they have complete visibility into all their systems and processes and constantly monitor for cyberthreats.

The best way for food and grocery manufacturers to proactively manage risk is by establishing a cybersecurity risk management framework.

Conforming to an industry-recognised security framework lets businesses proactively manage plans to better identify, assess, evaluate, and deal with commodity and highly sophisticated cybersecurity challenges. This builds operational resilience to prevent disruption, operational downtime, and ultimately, loss of revenue generation.

Three pillars

When it comes to adopting such frameworks, manufacturers need to consider three essential pillars around which to build their frameworks and better protect CI assets and OT from cybersecurity events.

1. Achieve network visibility

As cybercriminals become increasingly sophisticated, food and beverage manufacturers need a high level of visibility into their networks to not only comply with legislation, but to understand what assets need to be protected at all costs.

Not everything in the network is equally important and manufacturers need to know what to protect and what to protect it against.

To do this, they can leverage the Purdue Model – formerly the Purdue Enterprise Reference Architecture (PERA) – a hierarchical structure for CI operators to easily break down and define CI assets across the network to achieve complete visibility and prepare for an attack.

With this level of visibility, manufacturers can gain insights into the weaknesses in their defences, which can help prioritise and drive remediation actions.

2. Protect and control critical assets

While cyberattacks accelerate, companies are struggling to keep track of assets and devices on their networks, making it difficult to deploy appropriate security tools.

To safeguard operations and prevent supply chain disruptions, manufacturers must increase defence capabilities and understand what is needed to manage and defend against new and evolving cyberthreats. However, many organisations do not have the proper knowledge needed to protect their CI environments.

To close these knowledge gaps, manufacturers must leverage shared knowledge bases such as the MITRE ATT&CK framework for industrial control systems (ICS) to understand real-world adversary groups and the behaviours they exhibit as well as the software they employ to aid in their attacks.

3. Prioritise highly effective, non-intrusive techniques

Food and beverage manufacturers must be able to maintain control over critical assets to resist present and future cyberattacks.

The increasing convergence of IT and OT has expanded the threat surface and, without robust security controls and architecture in place, a cyberattack can disrupt operations and cause significant downtime.

To help protect CI assets against threats, manufacturers should consider adopting non-intrusive techniques that typically involve a simple scan to identify any vulnerabilities or gaps that cybercriminals can take advantage of.

Vulnerability testing also helps prioritise risks that need immediate action before applying a multi-layered virtual patching solution to reduce downtime and give IT teams time to close security gaps before an attack can occur.

Check the network

Beyond these three key areas, it is also essential for food and grocery manufacturers to consider the risks that their wider network poses to their environment. One way that organisations can better protect their environments from vulnerabilities inherent in their network is by adopting the MITRE System of Trust (SoT) framework.

By adopting this framework, food and grocery manufacturers can build a basis of trust within their network by assessing the three main trust aspects of supply chain security: suppliers, supplies, and services.

Subsequently, the MITRE SoT framework enables businesses to identify and address 14 top-level decisional risk areas that are associated with trust.

Ultimately, food and beverage manufacturers can further strengthen their approach to cybersecurity by adopting this intuitive framework.

Like most CI operators, food and beverage manufacturers are highly vulnerable targets of cyberattacks which, if successful, have significant consequences for production, distribution, and point of sale.

For this reason, it is crucial for food and beverage companies that manage CI to consider a three-pillar approach to building their cybersecurity framework. This will help to drive the cybersecurity agenda forward. It will also help manufacturers understand, measure, and manage their risk to achieve the best protection for their CI assets while continuing to generate substantial economic impact.

This article first appeared in the September edition of Food & Drink Business magazine. 
