Automation is a good thing for hardening food defenses. Automated control solutions using Supervisory Control and Data Acquisition (SCADA) and Programmable Logic Controller (PLC) systems have become staples for the food processing industry, providing increased security robustness and quality assurance control through continuous monitoring, data and batch reporting, traceability, and systems monitoring and integration. All of this information can be driven to mobile platforms, including smart phones.
Automation is also rapidly expanding into other parts of the food chain, starting with the producer and increasingly extending into retail environments. Several national restaurant chains allow customers to order from an automated menu at the table as well as pay the bill. In the foreseeable future, fast food venues may eliminate counter staff, with consumers ordering and paying from kiosks or smartphones and robots delivering their orders.
With all of these changes, two security challenges emerge. Neither is new, but each must be carefully reconsidered by food corporations as the transition to fuller automation proceeds. First, PLC and SCADA systems are potential targets for hackers who might seek to alter processes for their own nefarious purposes or to access intellectual property (IP). Those who might seek to alter processes could include hackers wanting to prove their capabilities, hacktivists desiring to damage a corporate image, criminals seeking monetary gain, terrorists wishing to attack the food supply, and nation states looking for military or competitive advantage. Those seeking to steal IP are usually nation states seeking a competitive advantage without a major investment in either time or money.
Federal and state law enforcement are primarily responsible for investigating after a cyber crime has occurred, so the job of hardening systems is largely left to a corporation itself. Cyber defense involves an ongoing and evolving set of requirements, with the requirements now being influenced by cyber insurance carriers. And requirements obviously are influenced by the activities of increasingly sophisticated cyber adversaries, who remain largely unconstrained.
Many small- to mid-size food companies truly struggle with the depth and breadth of requirements, while larger corporations often expend huge sums to protect their corporate assets and systems—and are not always successful. U.S. firms have on occasion fallen prey to cyber ransom events, which unfortunately sometimes end in ransoms being paid.
Without question, the cyber domain of the future will be even more complex, and evolving security requirements will require substantially increased expenditures. More than likely, specialized cyber security contractors may take over many future cyber-defense responsibilities, because these professionals are better able than most food-corporation cyber professionals to maintain their capabilities at the cutting edge of evolving threats. These specialized cyber security contractors will in particular be required to address persistent threat, nation state actors such as China, Russia, North Korea, and Iran.
The future also will bring more automation, with food production systems increasingly sealed away from human contact. This will impact lower-wage employees, so anticipated transitions must be carefully considered. Some positions will be eliminated, and employees will be aware of this before the transition is actually implemented. People who know they are going to lose their jobs can quickly evolve into disgruntled employees, and disgruntled employees can make bad things happen before they leave.
The potential for this type of response is high, and determining a strategy to handle employees must be part of the plan. Part of the strategy for lowering potential risk is retraining wherever possible, and increased vigilance when no alternative is available.
Robert A. Norton, Ph.D., is chair of the Auburn University Food System Institute’s Food and Water Defense Working Group (aufsi.auburn.edu/fooddefense). He is a long-time consultant to the U.S. military and federal and state law enforcement agencies and is editor of Bob Norton’s Food Defense Blog (aufsi.auburn.edu/fooddefense/blog/). He can be reached at email@example.com or by phone at 334-844-7562.
DISCLAIMER: Dr. Norton and production of this article were supported by the Alabama Agricultural Experiment Station and the Hatch program of the National Institute of Food and Agriculture, U.S. Department of Agriculture. The article represents the personal opinion of Dr. Norton and does not reflect official policy or statutory related opinion of the Federal Government, National Institute of Food and Agriculture and/or the U.S. Department of Agriculture.