As part of Australia’s critical infrastructure, food and drink manufacturing is subject to federal safety legislation which came into force in April. Fortinet’s Michael Murphy explains how to ensure a secure risk management program.
The food and beverage manufacturing sector is a central part of Australia’s Critical Infrastructure (CI), which means that a cyberattack on an organization in this industry could compromise food supply and safety.
As a result, the sector was included in the Security (Critical Infrastructure Protection) Amendment Act 2022 (SLACIP Act), which came into force on 2 April 2022 and brought about significant changes to cyber-resilience requirements for CI operators.
The SLACIP Act changes various definitions of infrastructure assets and requires CI operators to adopt, maintain, update, and comply with a critical infrastructure risk management program.
Other changes also require CI operators to report a critical cyberattack within 12 hours and undergo regular cybersecurity drills.
Although reporting of critical assets and disclosure of cybersecurity incidents are mandatory, regular cybersecurity drills are only required if the organization is considered a system of national importance that must meet enhanced cybersecurity obligations.
It is important that companies operating in the food and grocery industry understand what their obligations are, especially if they fall into this category, which many will.
Even though companies are not subject to mandatory cybersecurity drills, it is essential that they take steps to strengthen their cybersecurity posture to protect the valuable assets they manage as part of their operations.
Escalation of attacks
Manufacturers are stepping up cybersecurity efforts amid escalating factory attacks. Many of these production sites run on legacy operational technology (OT) that was not designed to connect to the internet and therefore does not necessarily incorporate cybersecurity measures.
To mitigate the risks, many companies believe that additional technology will solve the problem. However, this approach often increases complexity and creates new loopholes that cybercriminals can exploit.
To protect themselves, manufacturers need to ensure they have complete visibility into all of their systems and processes and continuously monitor for cyber threats.
The best way for food and grocery manufacturers to proactively manage risk is to establish a cybersecurity risk management framework.
Compliance with an industry-recognized security framework enables organizations to proactively manage plans to better identify, assess, and address common and highly sophisticated cybersecurity challenges. This builds operational resilience to avoid disruptions, operational downtime, and ultimately loss of revenue generation.
When it comes to adopting such frameworks, manufacturers should consider three critical pillars around which to build their frameworks and better protect CI and OT assets from cybersecurity events.
1. Get Network Visibility
As cybercriminals become more sophisticated, food and beverage manufacturers need a high level of visibility into their networks not only to comply with legislation, but also to understand what assets need to be protected at all costs.
Not everything in the network is equally important and manufacturers need to know what to protect and what to protect against.
They can do this by leveraging the Purdue model – formerly Purdue Enterprise Reference Architecture (PERA) – a hierarchical structure that allows CI operators to easily decompose and define CI assets on the network to gain full visibility and prepare for an offensive.
With this level of visibility, manufacturers can better understand weaknesses in their defenses, which can help prioritize and direct corrective actions.
2. Protect and control critical assets
As cyberattacks accelerate, businesses struggle to track assets and devices on their networks, making it difficult to deploy appropriate security tools.
To protect operations and prevent supply chain disruptions, manufacturers must increase their defense capabilities and understand what is needed to manage and defend against new and evolving cyber threats. However, many organizations lack the knowledge to protect their CI environments.
To address these knowledge gaps, manufacturers should leverage shared knowledge bases such as the MITRE ATT&CK Framework for Industrial Control Systems (ICS) to understand real-world adversary groups and the behaviors they present as well as the software they use to help them in their attacks.
3. Prioritize highly effective and non-intrusive techniques
Food and beverage manufacturers must be able to maintain control over critical assets to withstand present and future cyberattacks.
The growing convergence of IT and OT has expanded the threat surface, and without robust security controls and architecture in place, a cyberattack can disrupt operations and cause significant downtime.
To help protect CI assets from threats, manufacturers should consider adopting non-intrusive techniques that typically involve simple scanning to identify vulnerabilities or loopholes that cybercriminals can take advantage of.
Vulnerability testing also helps prioritize risks that require immediate action before applying a multi-layered virtual remediation solution to reduce downtime and give IT teams time to close security holes before an attack happens.
Check the network
Beyond these three key areas, it is also critical that food and grocery manufacturers consider the risks that their expanded network poses to their environment. One of the ways organizations can better protect their environments against inherent network vulnerabilities is by adopting the MITRE System of Trust (SoT) framework.
By adopting this framework, food and grocery manufacturers can establish a foundation of trust within their network by assessing the three main trust aspects of supply chain security: suppliers, supplies and services.
Subsequently, the MITRE SoT framework enables companies to identify and address 14 high-level decision risk domains associated with trust.
Ultimately, food and beverage manufacturers can further strengthen their approach to cybersecurity by adopting this intuitive framework.
Like most CI operators, food and beverage manufacturers are highly vulnerable targets of cyberattacks with significant consequences on production, distribution and point of sale, if successful.
For this reason, it is crucial for agribusinesses managing CI to consider a three-pillar approach to building their cybersecurity framework. This will help drive the cybersecurity agenda forward. It will also help manufacturers understand, measure and manage their risks in order to obtain the best protection for their CI assets while continuing to generate substantial economic impact.
This article first appeared in the September issue of Food & Drink Business magazine.