OT in Your Food and Drink? It's More Likely Than You Think

The heavy automation of specialised processes has led the European Union to classify many organisations within the Food and Beverage sector as pieces of Critical National Infrastructure vulnerable to cyber attack. Other countries are likely to follow suit: increased digitalisation moves the sector towards Industry 4.0, but it also increases the risk of attacks that disrupt supply chains, affecting both the organisations producing products and those they supply.

Each year, the American Centers for Disease Control and Prevention (CDC) reports that a sixth of Americans suffer from foodborne illnesses, causing 3000 deaths a year. To reduce the number of incidents, the US established legislation to limit risk by setting a standard methodology in production. The legislation requires well-maintained records to be kept throughout the manufacturing process, allowing a product’s manufacture to be traced from farm to table, identifying areas of concern and informing decisions when mitigating problem areas. Similarly, the EU produced the General Food Law Regulation in 2002, requiring standards to be met along with the upkeep of records of the food organisations supplied and received. Digitalisation aids these obligations by recording product data, and increases productivity by automating highly specialised manufacturing processes.

Everything from your ready meals to your morning cup of coffee interacts with OT before making its way to you.

Smart Sensors are an example of widely used digitalisation throughout the Food and Beverage sector, monitoring a variety of processes and feeding data to integrated supervisory and data analysis systems. This grants the ability to automate processes and track/store data from the manufacturing process, helping ensure standards are kept throughout production and providing traceability.


Data is shared from an organisation’s operational networks to the business side, connecting existing Operational Technology networks with Information Technology networks to inform business decisions. However, the business side’s reliance on internet connectivity to operate commercially and make logistical arrangements grants attackers an access point into an organisation’s OT environment, from which they can manipulate site operations. Most of the attacks on the sector have affected organisations’ productivity and distribution. However, a more malicious threat could force devices to malfunction, allowing consumables that do not meet regulatory safety standards to be produced and sold to the general public.

As rates of digitalisation increase, the knowledge and action required to ensure an organisation’s cyber resilience have fallen behind, making the Food and Beverage sector a popular target for cyber attacks. 2020 saw data breaches increase within the Food and Beverage sector by 1300%, with a drastic increase in ransomware attacks. A number of these attacks were smaller in scale, with companies managing to recover at lesser cost. However, some larger attacks have been monumental, such as:

Mondelēz, a global snack company, was hit in the infamous 2017 NotPetya attacks. The attack froze computer systems and limited access to corporate networks and to the software organising and tracking deliveries, resulting in an immovable backlog of products stored in warehouses. With weeks of work to recover, it is estimated to have cost close to $100 million in lost sales and the replacement of computer equipment.

Bakker Logistiek, a Dutch logistics service provider, was targeted by a ransomware attack in April 2021. The attack exploited a Microsoft Exchange Server vulnerability, encrypting devices across their network and disrupting their transportation and ability to take orders. As a result, shelves in many Dutch supermarkets, particularly the cheese shelves, were left empty, earning the attack the name “the cheese hack”. It took Bakker Logistiek six days to recover; the company remained silent as to whether the ransom was paid.

Governments around the world are building regulations to protect Food and Beverage companies from cyber attacks.

JBS, the world’s largest meat processing company, was hit by a ransomware attack in June 2021. The attack affected abattoirs across the US, Canada and Australia, halting cattle slaughtering for a day. The potential effects are unknown as JBS paid the $11 million ransom, allowing production to continue.

KP Snacks, the British snacks producer, was hit by a ransomware attack in late January 2022. It disrupted their production for just under a month, leaving KP unable to fulfil delivery orders or take new ones until production was running again. Confidential employee and financial documentation was also stolen, with the attackers threatening to leak it unless the ransom was paid. Neither the hacking group nor KP has disclosed the ransom amount or whether it was paid.

Cyber experts recommend not paying ransoms, as it sets a dangerous precedent by incentivising future attacks. However, organisations are left in difficult situations, such as having to weigh the cost of the ransom against the losses from stopped production and its recovery, or attackers stealing sensitive information regarding the organisation, its employees, or its clients, then threatening to release it unless the ransom is paid. This often leaves companies feeling compelled to pay.

In a number of these attacks, by the time an organisation is aware it is infected, it is often too late to protect itself. Many of the organisations state that they were able to survive thanks to pre-existing wealth getting them through the downtime, but worry that smaller companies would not have the resources to recover if hit by similar attacks.

Increased digital use and attacks within the sector led the EU to identify gaps in the scope of existing cyber security legislation, where key areas of critical national infrastructure were left vulnerable to attack. The EU proposed a new Network and Information Security (NIS) Directive, incorporating the Food and Beverage sector and requiring cyber resilience standards to be met by both Food and Beverage organisations and any third-party suppliers they use. Companies not classed as Critical National Infrastructure will therefore still need to meet these standards in order to work with companies which are.

Many of these attacks could have been avoided if preventative measures had been taken. At Awen Collective we understand the unique challenges and requirements of Operational Technologies. With years of experience in digital forensics, incident response and software engineering, we provide a variety of services to help secure typical and bespoke OT environments, with the ability to identify known vulnerabilities and mitigate against them. We can also check an organisation's compliance with government standards, including the NIS Directive, and provide advice to help meet those requirements. If you have any questions about reducing your cyber risk or improving your cybersecurity, feel free to get in contact at any time.

Jake Hearn
Cyber Technologist