Precipitating the heightened concern was what has become known as the WannaCry ransomware attack in June, which targeted computers running Microsoft operating systems, locking up data and demanding payment of ransom in the Bitcoin cryptocurrency. In addition to affecting systems at automakers Nissan and Renault, the attack wreaked havoc at National Health Service hospitals in England and Scotland, affecting computers, MRI scanners and blood-storage refrigerators. All told, more than 2 million computers across 150 countries were infected in the initial wave.
For grain-based foods the episode hit still closer to home two weeks later when several global corporations, including Mondelez International, Inc., were struck by a similar cyberattack, dubbed NotPetya. In early July, Deerfield, Ill.-based Mondelez said it was “making good progress in restoring our systems” but warned the episode would shave at least three percentage points from its quarterly growth rate, suggesting a cost of about $200 million, a figure wildly beyond the Bitcoin ransom indicated to have been sought by the hackers.
Of concern in grain-based foods are potential vulnerabilities at the plant level, in industrial controllers, including programmable logic controllers that have proliferated in industries like milling for more than 25 years. Such devices serve as a plant’s “brains,” responsible for the continuous execution of an industrial process lifecycle. Initially designed and deployed during a period in which mills and other automated plants were insulated from the outside world, the isolation of P.L.C.s has been diminished by the connectivity of corporate networks. This level of connectivity is expanding steadily through advances in supply-chain management and, for certain production facilities, e-commerce. All this leaves systems more exposed to cyber threats and the risk of compromise.
Security patches, the importance of which was highlighted in the WannaCry attacks, may be difficult to apply in technologies like P.L.C.s, in part because they run continuously. As a result, it is much harder to protect industrial environments against these types of threats. An attack on a P.L.C. that alters its logic may cause disruptions ranging from operational glitches to unthinkable disasters.
This threat to industrial facilities was highlighted earlier this year when cybersecurity researchers at the Georgia Institute of Technology developed a new form of ransomware that took control of a simulated water treatment plant. G.I.T. said that with access, the researchers ordered P.L.C.s to shut valves, increase the amount of chlorine added to water and display false readings.
The challenges at industrial facilities extend beyond P.L.C.s and other controllers running the so-called operator plane. Other systems entail intermittent or continuous human interaction, such as those that communicate measurements between operators and industrial equipment (the data plane) and systems that carry traffic between operations and administration (the management plane). These systems have vulnerabilities requiring attention, too.
Even as Mondelez operations approached normal, the company was working with customers and other business partners to minimize disruptions.
“The company has also engaged outside specialists, including I.T. partners and global cyber security agencies and experts, to mitigate impacts of this incident and safeguard systems going forward,” the company said.
Such steps certainly should not be limited in grain-based foods to Mondelez. Safeguarding programmable controllers in plants should be no less a priority than protecting personal computers in offices. Services should be explored to monitor control-plane activity and provide rapid and accurate alerts in the event of security breaches. Hackers willing to interrupt critical health care operations would have no compunctions about interfering with the food supply, and this threat must not be ignored.