113 | Cyberattacks + food safety (3 examples) | Pathogens from permafrost |
Plus soy sauce fraud and gummy bears
Save the date: meetup on 16th/17th November
Are cyberattacks (really) a food safety issue?
Ancient pathogens ready to pounce
Food Safety News and Resources;
How gummy bears are made (just for fun);
Food fraud news, emerging issues and recent incidents
🎧 On the go? Listen now (for paying subscribers) 🎧
I got quite scared reading about new pathogens emerging from permafrost this week. But it wasn’t the pathogens that scared me. Read on to find out what scared me the most.
Also, have you ever done a food safety threat assessment on cyberattacks? I did and it was weird. Yes, a cyberattack on a food company could be catastrophic for the company, but would it cause an actual food adulteration event? Would consumers be at risk? The answer might surprise you.
Welcome to Issue 113. If you’re new here thanks for joining us. I have so many people to thank this week, including 👏👏👏 James from Primority (check out his food safety software; designed by a food safety expert, not by an IT dork!); TK; Julie, Mike, Gill, Jacinta, Jessica and Ronit. You guys pay my wages, and make it all worthwhile.
As well as cyberattacks and permafrost critters, this issue has food safety news for everyone, and food fraud news for paying subscribers. Plus gummy bears, because, frankly, I needed them after the permafrost article.
Enjoy!
Karen
P.S. I’m delighted so many readers have chosen to renew their yearly subscriptions (US$100, a bargain!). Paid subscribers get access to indexed posts, downloadable past issues and monthly supplements. Click the button to learn more.
Save the date for our last meetup of 2023
Our meetups are a chance to meet like-minded food professionals in a friendly, supportive space. Expect 5 to 20 attendees and be prepared for an intimate, interactive experience, with cameras on.
Topic: The year in review – highlights, lowlights, what’s next |
Time: November 16th UTC 21:00 | Click here to convert to your local timezone | 9:00 pm London | 08:00 am (Friday 17th) Sydney | 1:00 pm Los Angeles | 4:00 pm New York | 5:00 am (Friday) Hong Kong |
Are Cyberattacks (Really) a Food Safety Issue?
Food systems experts are increasingly warning that cyberattacks – attacks on the computer systems of a company – pose threats to food safety. And that they should therefore be addressed in every food company’s food defense plans.
Reminder: A food defense threat is an action that could result in food being intentionally adulterated with harmful materials, for the purpose of hurting consumers or the food company.
However, while protection from cyberattacks makes good business sense, is it really a food safety issue? Cyberattacks certainly cause serious financial losses and major disturbance to food supply chains - a ransomware attack on the world’s largest meat supplier, JBS S.A., in 2021 caused disruptions to every JBS processing facility in the USA - but do they actually result in direct food safety risks?
Examples of how a cyberattack could result in a malicious food adulteration event, are very hard to come by. So when I saw the headline “Ransomware: Lessons Learned from One Food Company’s Experience” in the food industry press last week I was excited to learn more and eagerly dived into the story.
Unfortunately, the article, published in Food Safety Tech, contained only lessons for IT professionals and senior managers… valuable lessons, no doubt, but not food safety lessons. Disappointing.
We are looking at connections between cyber security and public health - US FDA
The US FDA says they are concerned about risks from cyberattacks, with Jon Woody, Director of Food Defense and Emergency Coordination, saying “Cyber is something we’ve increasingly been focusing on over the past years. There are ransomware issues but we are looking at connections between cyber security and public health. Part of this process has been educating ourselves and reaching out to others who have the expertise to get up to speed.” (source)
But what, exactly, are the links between cyber security and public health, and what are the food safety vulnerabilities that food companies must mitigate?
While researching this article I found no evidence that any cyber attacker had ever caused an intentional adulteration incident from a remote location.
Threats from cyberattacks
I did, however, find some examples of potential food safety threats from a cyberattack, like this one in food-safety.com: “If a security issue occurs, say for instance, an unsecured door blows open, pathogens could inadvertently contaminate food products on the line.” (pause for experienced food safety professionals to roll their eyes).
In another example, a cyberattack that changes the gas mix in a controlled atmosphere cool room could destroy an entire harvest of apples, or potentially even endanger the workers tasked with unloading the room. Serious, but not a direct food safety risk.
More digging did eventually turn up some scenarios where cyberattacks could contribute to malicious food adulteration incidents. I share these in the examples below.
Example 1: Security camera feeds
In 2021 a security company was hacked, giving access to video feeds from more than 150,000 cameras belonging to the company and installed in their customers’ premises. The footage included material from Tesla factories, hospitals, police departments, schools, and prisons.
In a food business, security cameras are used to monitor critical areas. If the camera feeds are manipulated by hackers, a person contaminating food in an area monitored by CCTV (closed circuit television), could potentially do so undiscovered.
Security camera footage also carries information about who is allowed to access critical areas. When combined with facial recognition technology, this could allow a malicious person to track down critical food company employees in order to coerce them or steal their credentials to gain access to critical areas where contamination could be perpetrated.
Non-food safety risks from hacked security cameras include deep-faked footage for causing reputational damage: for example fake footage of animal welfare violations, and theft of intellectual property such as recipes and processes.
Example 2: Industrial control systems including PLCs
Much food processing equipment uses programmable logic controllers (PLCs) that were developed long before cybersecurity was a concern. They do not have the processing power or memory to allow for security upgrades, and they typically use older data transfer protocols which are less secure than modern systems.
A successful cyberattack on the PLC systems in a food factory would result in disruption and wastage, while the affected systems were replaced or disinfected. While food could become unsafe after an attack - for example by being undercooked or overdosed with additives - it is unlikely that unsafe food would then pass through subsequent checks and systems without being identified and quarantined.
Cleaning-in-place (CIP) systems are vulnerable to attacks on their control systems. In fact, an Ecolab representative reported that a computerised CIP system they installed, which was protected from cyberattacks, experienced 250,000 hacking attempts in its first 30 days of operation (source). Failures of CIP could result in unsafe food.
Many food facilities with older industrial control systems maintain an ‘airlock’ between their systems and the internet to prevent hackers from getting access. However, the use of USB sticks to update software or to transfer data provides a route for malware into airlocked systems, with USB drives providing a common route for malware to get into industrial control systems.
Interestingly, the need for better controls on employees’ use of USB sticks was a key learning for a US soft drink bottling company which shared details of a ransomware attack they experienced in 2021.
Example 3: Personnel access systems
Computerised systems that control access to critical areas, such as systems which make use of programmable key cards or RFID chips, could be hacked to allow unauthorised people to get into critical areas and adulterate food.
Such an attack would still require a knowledgeable insider to carry out the adulteration.
Remote and unassisted attacks: difficult
The interesting thing about the three cyberattack-food-safety vulnerabilities described above is that two of them require in-person, boots-on-the-ground actions to commit an intentional adulteration event. Security camera breaches and personnel access breaches could support a food contamination event, but not cause the event.
The other vulnerability; the malfunctioning of one or more industrial control systems, could cause a food safety hazard, but such a hazard is likely to be identified during subsequent checks and verifications.
On this basis, it seems unlikely that a bad actor sitting at a computer, with no physical assistance from someone on-site, could successfully orchestrate a food adulteration event that evades detection and sickens consumers.
Remotely perpetrated cyberattacks can cause huge problems for food companies and pose risks to their systems, employees and customers. Espionage, equipment damage, dangerously malfunctioning robots, food waste, security breaches, operational disruptions, reputational damage and financial losses are all possible - even likely - for companies with cyber vulnerabilities. However, the ability of a cyberattack to directly create dangerously adulterated food, without the assistance of a physical person in the food facility is limited.
Takeaways for food safety professionals
Cyberattacks present risks to food companies and their employees in the form of financial losses, reputational damage and operational disruptions. However, there are limited scenarios in which a cyberattack on its own could result in an undetected and intentional food safety risk.
A perpetrator with malicious intentions could use compromised computer systems to assist them in adulterating food, for example, by allowing them unauthorised access to controlled areas, or by allowing them to alter critical cleaning regimes and hide the evidence of cleaning failures.
However, without the assistance of an insider, or a physical presence in the facility, perpetrating an undetected food adulteration event using computer systems alone would be difficult.
In short: 🍏 Cyberattacks pose serious risks to food company operations 🍏 Cyberattacks could be used to assist an intentional adulteration perpetrator, for example by providing access to restricted areas, or manipulating CCTV feeds 🍏 Evidence of a cyberattacker causing an intentional food adulteration incident from a remote location could not be found 🍏 Cyberattacks on industrial control systems such as refrigeration controllers, equipment controllers (PLCs) or cleaning in place (CIP) systems could result in accidental, predictable food safety hazards which are likely to be detected 🍏
Sources:
Food-Safety.com (n.d.). Persistent Cyber Threats Focus Food Defense Efforts | Food Safety. [online] Available at: https://www.food-safety.com/articles/7275-persistent-cyber-threats-focus-food-defense-efforts.
Streng, S. (2019). Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing. [online] conservancy.umn.edu. Available at: https://hdl.handle.net/11299/217703 [Accessed 6 Nov. 2023].
Food Safety News (2022). Cyber threats and current landscape put food defense on agenda. Available at: https://www.foodsafetynews.com/2022/06/cyber-threats-and-current-landscape-put-food-defense-on-agenda/.
FoodSafetyTech. (2023). Ransomware: Lessons Learned from One Food Company’s Experience. Available at: https://foodsafetytech.com/feature_article/ransomware-lessons-learned-from-one-food-companys-experience/.
Ancient pathogens; a new food safety risk?
Roundworms get into our bodies when we ingest their eggs, which are found in soil, on plants and in contaminated food. The eggs hatch into larvae inside us. The larvae usually live in the digestive tract, causing mild symptoms or no symptoms.
Occasionally, however, roundworm larvae travel into other parts of the body, including the liver, lungs, and other organs, where they can damage tissues. Worms can even make their way into eyes where they can cause blindness.
A few months ago, we shared the story of a woman who had a worm in her brain after eating raw foraged greens contaminated with worm eggs.
A new species of roundworm
Now, scientists have carbon-dated a novel species of roundworm which survived in suspended animation (‘cryptobiosis’) in permafrost, and which they were able to reanimate after thawing. It is 46,000 years old. Woh.
Other frozen microscopic creatures, such as bdelloid rotifers, have been able to reproduce after thousands of years of cryptobiosis.
With permafrost thawing at an unprecedented rate due to global warming, do we face dangers from previously undiscovered food-borne pathogens like ancient species of roundworm? Probably. There’s already been a deadly anthrax outbreak attributed to thawing permafrost releasing anthrax from previously frozen human or reindeer remains.
Zombie viruses
Researchers have recently characterised dozens of never-seen-before viruses from thawed permafrost. One group even used the phrase “zombie viruses” in their research paper, adding that it is wrong to assume such viruses are not a threat to public health.
The biggest threat
While zombie viruses, antique strains of anthrax and new species of parasitic worms are scary, they are hardly worth worrying about compared to the carbon-related effects of permafrost melting. When permafrost melts it releases the carbon it stores into our atmosphere, rapidly accelerating the greenhouse effect and driving further global warming.
NASA estimates that permafrost in the Arctic holds 1,700 billion tons of carbon as both methane and CO2, an amount more than 50 times higher than global fossil fuel emissions in 2019. Now that’s scary.
🍏Read more about permafrost melting🍏
Food Safety News and Resources
Our news and resources section includes not-boring food safety news plus links to free training sessions, webinars and guidance documents: no ads, no sponsored content, only resources that I believe will be genuinely helpful for you.
Click the preview box below to access it.
Food Safety News and Resources
How Gummy Bears are Made (Just for Fun)
Did you know that gelatin-based sweets are shaped using moulds formed in beds of powdered starch? Me neither!
My favourite quote from this video: “Companies employ experienced food technologists and expert chemists who know what they’re doing” … love that this sentence needs the qualifier,… these experienced experts (actually (wow)) know what they’re doing.
Click the link below to watch.
What you missed in last week’s email
Cadmium and lead in chocolate (how does it get there, what’s to be done?);
From the Duh Files: Adulterated Honey study;
Yeasts, bacteria and viruses to scale (just for fun);
Food fraud news, emerging issues and recent incidents
Below for paying subscribers: Food fraud news, horizon scanning and incident reports
📌 Food Fraud News 📌
Peek inside a counterfeit spice factory (South Africa)
Thank you to Ellanor and Arlene of AAA Marinades & Spice (Pty) Ltd, for sharing these videos taken during a 2019 raid on a factory where counterfeit spices were being made.
You Tube video Print media story
Rumour alert!
The esteemed food fraud researchers at Queens University Belfast might be investigating fraud in
Keep reading with a 7-day free trial
Subscribe to The Rotten Apple to keep reading this post and get 7 days of free access to the full post archives.