How hackers could tamper with your food
Imagine a giant warehouse storing thousands of tonnes of frozen food. The food is typically distributed to retailers large and small across the country, from large-scale supermarkets to independent pubs.
Now, imagine if all the refrigerators were hacked into and switched off, so that the food thawed – rendering it unsuitable to be cooked and eaten. The financial losses could run into tens of millions of pounds, not to mention the business interruption and likely reputational damage.
Imagine if refrigerators' temperatures were turned up – producing industrial-scale food poisoning.
Or worse, imagine if all the refrigerators were hacked in the middle of the night and their temperatures were turned up so that certain key foods spoiled. Then imagine that the temperature on the display was masked, so it looked like 34 degrees when it was in fact 49, and then the temperature was turned back down – producing industrial-scale food poisoning, and ruining the reputation of various food manufacturers and retailers.
This could happen all too easily.
Storing food at the right temperature is vital to its commercial value and eventual consumption. It’s actually big business. The 'cold chain' (temperature-controlled supply chain) market is projected to grow at an annual rate of 7%, and to be valued at $271.3 billion by 2022.
With ‘smart’ fridges and the general growth in the Internet of Things, controlling the temperature of food is becoming easier for companies to do. It can, however, make frozen food a bigger target for cyber criminals.
Many of the larger storage warehouses will use a centralised point (Command Centre) or third-party provider that will monitor temperatures to ensure that, at all stages of its storage and distribution, food stock is kept at the optimal temperature.
The cold chain market is projected to be valued at $271bn by 2022.
The risk is that the third-party provider – rather than the retailer or warehouse itself – is hacked.
Some of us remember the data breach of US retailer Target in late 2013.
Target suffered a severe data breach after malware was introduced to the POS system in almost 1,800 stores. The breach was initiated through a heating, ventilation and air conditioning (HVAC) contractor that was connected to Target's systems to provide electronic billing services, contract submissions and project management services.
By allowing the HVAC contractor to connect to its internal networks, Target inadvertently created another means by which it could itself be attacked – and effectively entrusted some of its own security controls to a third party.
A similar scenario could afflict a country-wide chain of grocery stores or fast-food restaurants.
Some multi-chain hospitality companies monitor and control the temperatures in individual outlets. But many large companies with multiple chains have understandably taken to monitoring the temperature of food at a centralised level – granting them oversight of all their chains and allowing them to identify and address any problems quickly. In many cases this can also result in energy savings.
Some large multi-chain companies might be inadvertently making themselves a bigger target for hackers.
Some larger companies with hundreds or even thousands of chains across the country have gone a step further, and now adapt and control the temperature in individual chains at a central level.
As a result, they might be inadvertently making themselves a bigger target for hackers.
Gaps in protection
The worst-case scenario is a hack going undetected, food being tampered with and people becoming unwell. Even if the unsafe situation is discovered, what happens to the spoiled stock in storage and a the company's income, while it's correcting the refrigerators and its computer networks?
Some insurance policies (for example, Property and some Food Contamination policies) cover the lost revenues and business interruption resulting from food spoilage – but not if it is caused by a cyber-attack. Most product recall policies are currently silent on this risk (in other words, they neither explicitly exclude or include it).
In such a scenario, any losses would typically not be insured. This represents a big insurance gap for the food and beverage industry.
Another consideration is the requirement for processors/storage companies to adhere to retailers' specifications. So if a hacker could make a product even potentially askew from it specification, then the retailer could not sell the product as they would need to show provenance and history.
These issues may not be a huge matter for a single retailer with a few fridges, but for distribution warehouses, or multi-chain hospitality companies or retailers, the financial and BI implications of tampered or spoiled food could be huge. And that’s before we even come to the reputational costs.
For more information, please contact Max Perkins on:
+44 0)20 7933 2694