It’s been just 12 months since a cyber attack on global food processing company JBS Foods impacted the company’s operations around the world, including those in Australia where it caused system outages across 47 meat processing facilities.
You would expect such a high-profile attack to have been a wake-up call to the entire industry, prompting it to review its cyber security measures and significantly reinforce them.
Unfortunately, this has not happened. There have been some slight improvements, but much more needs to be done.
Food and beverage organisations are already struggling to keep track of the assets and devices on their networks, making it very difficult for them to deploy adequate security tools.
Both these goals require considerable budget allocations for people, processes and technology (and cybersecurity skills are becoming an increasingly scarce commodity).
Without solid investment in cybersecurity, another high-profile, high-impact attack like the one suffered by JBS is inevitable.
However, another development is likely to prove more effective because it carries the force of law. The Security Legislation Amendment (Critical Infrastructure Protection) Act 2022 came into force in April.
It greatly expands the range of what is considered critical infrastructure and imposes mandatory security requirements on organisations providing critical infrastructure and services.
Food and beverage organisations are now included in this scope, alongside traditional critical infrastructure sectors of energy, water and transport.
The Act’s impact will be felt by many of the big players that play a key role in feeding the Australian population, including Coles, Woolworths, and Aldi.
The Act states: “While supermarkets are often the most visible point for consumers within the supply chain, when it comes to the purchasing and acquiring of food and groceries, there are numerous suppliers and components that are required in order for food and groceries to make it onto the shelves of supermarkets throughout each part of the large and diverse supply chain.”
Organisations to which the legislation applies are now required to undertake one or more prescribed activities requested by the Department of Home Affairs, including:
- developing cybersecurity incident response plans to prepare for a serious cyber incident;
- undertaking cybersecurity exercises to build cyber preparedness;
- undertaking vulnerability assessments to identify weak spots for remediation;
- and providing system information to build Australia’s situational awareness.
If an organisation covered by the Act is unable to respond adequately, the government has the power to intervene.
Although the legislation has been in the works for almost 18 months, it caught the food and beverage sector off guard.
Organisations are now scrambling to understand their obligations, complete risk assessments, understand how the legislation will affect them, and then identify and implement the required measures.
Progress is slow. The food and beverage sector is not known for its rapid adoption of new processes and technologies.
To make matters worse, the sector’s slow technological adoption, coupled with its critical role in society, makes it a prime target for cybercriminals looking to extort ransoms.
Food and beverage represents a soft target compared to sectors such as financial services, energy, and mining, which tend to invest far more in cybersecurity protection. Furthermore, attackers realise that disruption of a major food and beverage player could deprive large numbers of people of food, making them more likely to give in to demands.
These risks have been exacerbated by recent geopolitical developments, in particular Russia’s invasion of Ukraine. Australia’s support for Ukraine has made local organisations of all kinds a target for cybercriminals who are tied to Russia and allied nation-states.
In April, the intelligence agencies of the Five Eyes (US, UK, Canada, Australia and NZ) issued an official alert to highlight the elevated level of attacks on critical infrastructure, which includes the food and beverage sector.
For several reasons, such as culture, low technology adoption and resourcing issues, the food and beverage sector continues to lag behind other industries when it comes to cyber risk maturity.