Resilience: cyber security
3 April 2024
For more information read our full report.
Technology offers opportunities for the food system. Automation and advanced computing have the potential to address known issues such as labour shortages and stagnating productivity.
However, technological advancements in the food system may also create new weaknesses and greater risks.
Some are a consequence of technological complexity and skills shortages across digital and engineering. Others are a result of deliberate activities such as cyber-attacks, made possible by technological change.
A changing environment
Cyber threats are not new – computer viruses have been in circulation since at least 1982 – but risks to the UK food system may be growing, due to rapid innovation and social change, leading to greater dependency on technology.
Some technological changes can also make attacks more powerful. Inexpensive, flexible artificial intelligence (AI) increases the capability of attackers. However, AI also allows those building cybersecurity to strengthen defences from cyber-attacks.
Technological change may also create new vulnerabilities. In the food supply chain, networked devices, remote computer access and cloud data storage all create new points of access and so increase exposure.
For example, in 2022, Ukrainian hackers were able to access and electronically disable networked farm machinery looted by Russian troops. Such an attack could presumably be repeated by others. Within the UK, KP Snacks has been hit by a digital attack which threatened business operations.
Social changes which increase vulnerability include a significant shift to home working, since home systems may be less protected than office systems.
Government and regulators have a part to play, but regulation may create risk in itself if businesses cannot comply. In the EU, penalties for breaches of data protection rules could be up to €20bn or 4% of turnover.
Origin of threat
Many cyber-attacks are driven by criminals attempting financial gain at little personal risk or effort. Criminal methods include phishing and ransomware.
In the best case, these may cost businesses money, directly or indirectly. In the worst case, they may halt operations or lead to crippling data losses. Any of these may threaten food and grocery system resilience.
In 2021, global meat company JBS was hit by a ransomware attack which shut down operations in Australia, Canada and the USA. A ransom of US$11m was paid to restore systems.
Even if food and grocery businesses are not targeted directly by a hostile nation or criminals, they may be impacted by a spreading computer virus or by a shutdown of infrastructure. This could include attacks on payment systems, internet services, vehicle navigation and so on.
Despite rising geopolitical tension, in 2023, most UK businesses focused primarily on cybersecurity threats from criminals, with few concerned about attacks originated by nation states.
Governments will make use of all means to achieve their goals, including cyber operations, being anonymous, inexpensive, and fairly low risk.
The current conflict in Ukraine was accompanied by a surge in cyber operations, beginning long before actual combat. These attacks have spread beyond Ukraine and future conflicts are expected to follow a similar model.
The Russia-affiliated Killnet group has targeted Western healthcare organisations with distributed denial of service attacks in response to Western support for Ukraine. If healthcare providers are considered targets, it is unlikely the food system would be viewed differently.
Responding to the threat
Corporate defence against cyber-attacks is already well understood and being addressed by software countermeasures and increased staff awareness. However, executing this is costly and complex – many businesses report a lack of digital skills.
The fact that cyber-attacks may be used as an element of statecraft means that, ideally, business responses to cyber threats will fit within a wider national or international cyber strategy.