To read the news these days is to receive frequent reminders about how easily our technology can be turned against us. We know the CIA can spy on us through our smart TVs and that criminals can infiltrate millions of personal computers, wireless routers, and other smart devices. But the risks go far beyond our homes. Just as vulnerable are the network-connected devices used in critical infrastructures across the US—from hospitals to power plants.
Thanks to growing awareness of what happens when smart devices are hacked, a number of industries have gradually begun investing in computer security. But one sector in particular has been slow to adjust: Food. Now some experts are warning that the US’s massive food industry is also at risk—from soda makers stealing one another’s secret formulas to hackers spoiling your yogurt.
These days, nearly every step of the food supply chain involves a smart device or sensor that connects to a centralized control system. Shipping containers, trucks, cooled storage systems, and other machinery are becoming increasingly smart. That means they’re equipped to remotely detect temperature, heavy metals, and other environmental conditions in fields, greenhouses, and housing facilities. They track and monitor shipments on land and by sea, which can travel thousands of miles and change multiple hands, in real time. They help companies react quickly to accidents and unpredictable seasonal changes. Supply-chain data encoded in RFID tags and bar codes is also helping regulative organizations spot problems—and, maybe someday soon, will help consumers learn more about the provenance of their products.
But to keep retail costs low, smart devices often have poorly written code. They may also lack the bits of software, or patches, designed to update and fix bugs in outdated software. And that means that our meat, yogurt, and other foodstuffs are vulnerable to hacking. In a worst-case scenario, hackers could delay or prevent shipments from arriving, adulterate products, steal trade secrets—or even spoil perishable items, putting consumers in danger. And because the supply chain is so interconnected, attackers could take advantage of a single entry point to infiltrate the entire system.
“That’s the wonder of modern manufacturing, and that’s the vulnerability of modern food manufacturing,” says Brian Isle, a University of Minnesota researcher who has been a cyber-security consultant for several decades.
It’s not clear whether hackers have already succeeded in tampering with the industry. A cyber-security breach is not something a food company would necessarily want to advertise, says Isle, unless it caused them to break a law, such as food safety or labeling rules. In the meantime, he and other researchers have been considering several potential risks in order to better inform the industry on how to protect itself.
A ransomware attack, like the kind that cost a Los Angeles hospital $17,000 last year after a random phishing attack gained access to encrypted patient records, could just as easily infect a food supply chain. Criminals could use the threat of lost profits—whether by switching off machinery, rerouting delivery trucks, or canceling shipments—to demand large sums of money. Researchers have already shown this is possible by infecting a model of a water plant with ransomware and using it to manipulate monitoring systems, change chlorine levels, and shut down water valves.
An insider’s view of how a plant runs is another potentially valuable commodity which could be sold to a competitor. For a company like General Mills, whose billion-dollar business is built on the perfectly crafted crunch of a Cheerio, its intellectual property is its most coveted asset. In a 2011 study of 50 US companies affected by cybercrime, information theft (mostly from malware attacks) accounted for 40% of their overall losses.
The scenario that probably poses most the concern to consumers, however, would be food tampering. Max Kilger, a cyber-security researcher at the University of Texas-San Antonio, says malware could turn food itself into a weapon of terror.
“If I was being malicious, I might turn your refrigerator off,” Kilger says. “If I were being more terror-minded, I might tap into your refrigerator, turn it up to the temperature where certain key foods would spoil and turn. Then I would be sure to mask the temperature on the display, so it looks like 34 degrees when it is in fact 49, and then turn it back down—preferably all in the middle of the night. Now you have a nice case of food poisoning.”
Up until now, a few things may have kept the food industry from investing in cyber-security. One is a lack of awareness. Since cybercrime is not as visible as, say, a leaky roof, it can be difficult to convince a smoothly running plant that something could go wrong, says Isle. Many food manufacturers, particularly small and medium-sized companies, he says, are unfamiliar with cyber-security threats and “are just now getting their ducks in row.”
Another hindrance, Kilger says, is money. Food manufacturing is a commodity market, with relatively low profit margins. Companies may be more worried about food quality and safety, and getting their products out on time, than cyber-security.
Plus, legally, they don’t have to. Under the FDA’s Food Safety Modernization Act, called “the most sweeping reform of our food safety laws in more than 70 years” when it was enacted in 2011, companies must develop a food defense plan, but they are not specifically required to address cyber-security.
At a Congressional hearing last fall, “Understanding the Role of Connected Devices in Recent Cyber Attacks,” experts gave testimony on the real-world dangers of the Internet of Things and recommended the creation of a federal agency or testing facility dedicated to regulating all of these devices. For the time being, though, there is no such government body.
Instead, each sector must rely upon general guidelines released by the Department of Homeland Security, the National Institute of Standards and Technology, the Federal Trade Commission, and an assortment of industry interest groups. As food manufacturers begin to incorporate these safeguards, Kilger says he hopes they will leverage their somewhat delayed start to learn from the mistakes other industries have made.
“You’re just starting out,” he says. “You have the opportunity to do it right.”