So much of the public focus on cybersecurity has been on what’s considered hardcore critical infrastructure—oil and gas, water supply, power generation, etc. A cyber attack on a food and beverage company might not create the kind of explosive disaster that could be created at an energy facility, but there is still plenty of reason to take those threats seriously.
“Food and beverage does not get enough attention” when it comes to cybersecurity, commented Dave Weinstein, chief security officer for cybersecurity provider Claroty, in a recent interview. “Bad actors can do a lot of harm by targeting that sector.”
A big tipping point for food and bev producers came about two and a half years ago when the NotPetya ransomware attack counted global food maker Mondelēz International among those affected. It wasn’t because Mondelēz was a target. This attack—like the similar WannaCry attack before it—did not discriminate by industry. The intention was simply to wreak havoc, wherever it might land. Other food companies “realized they didn’t have to be a target. They could just be collateral damage,” Weinstein said. “Things don’t necessarily go boom, but you lose view and have to bring down plants.”
Kellogg’s, for one, understood the message. More connected machines and devices, advanced analytics, remote access, wireless data sharing, and decentralized plant control are all technological developments that can provide the multinational food manufacturer with more efficient, more productive, and nimbler operations. But these technologies also increase the risk for cyber attack, broadening the attack surface.
2017 was a pivotal moment, acknowledged Jim Tassell, senior IT security architect for Kellogg. Referencing the ransomware and virus attacks—from which Mondelēz estimated losses would reach $150 million, and from which other companies like Merck, FedEx, and Maersk also experienced significant disruption and loss—he acknowledged the realization that these companies were not specifically targeted but faced significant damage nonetheless. Kellogg did not want to be one of those headlines, he said, so it needed to figure out what its next move should be.
At the Food and Beverage Forum during Automation Fair 2019, Tassell described Kellogg’s journey to manage its cybersecurity risks. Assessing the company’s vulnerability was particularly difficult given that it has about 50 manufacturing plants worldwide, including acquisitions over the past few years that complicate the range of manufacturing systems the food maker is working with.
Kellogg brought in Deloitte as an auditing consultant to get a better idea about where its operations stood. “IT was a challenge with plants located all over the world,” Tassell said. “I didn’t have a device list and didn’t understand the vulnerabilities.”
While Deloitte assessed the various sites to identify gaps, Kellogg took immediate action by communicating and executing a segmentation strategy. Inter-site segmentation, arranged in a hub-and-spoke model, confined risk to a single site: a vulnerability at one location stayed at that location rather than giving a path to the others. Intra-site segmentation, meanwhile, mitigated risk by placing security controls between manufacturing and the business side of the company, so that a compromise was restricted to either the IT or the operational technology (OT) network rather than spreading across both.
The implications of this segmentation strategy are important. “We didn’t use words like secure or prevent,” Tassell said. “We talked about containment.”
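The containment property Tassell describes can be checked rather than assumed. The following is an added example, not code from the article or from Kellogg: a small reachability model of the segmentation above, with constructed site names, a hub that accepts spoke traffic but does not route one spoke to another, and an IT/OT DMZ inside each site. It compares the exposure of an OT foothold under that design against a flat network, and shows the effect of a containment step (cutting the DMZ) of the kind an incident responder would take.

```python
from collections import deque

SITES = ["plantA", "plantB", "plantC"]  # constructed site names for the model

def build_segmented_network(sites):
    """Hub-and-spoke between sites; OT <-> DMZ <-> IT inside each site."""
    links = {}
    def allow(a, b):
        links.setdefault(a, set()).add(b)
        links.setdefault(b, set()).add(a)
    for s in sites:
        allow(f"{s}/OT", f"{s}/DMZ")   # OT talks only to the IT/OT DMZ
        allow(f"{s}/DMZ", f"{s}/IT")   # the DMZ brokers access to the business network
        allow(f"{s}/IT", "hub/IT")     # each spoke connects only to the corporate hub
    return links

def build_flat_network(sites):
    """Counterexample: no segmentation, every zone reaches every other zone."""
    zones = [f"{s}/{z}" for s in sites for z in ("OT", "DMZ", "IT")] + ["hub/IT"]
    return {z: set(zones) - {z} for z in zones}

def reachable(links, start, no_transit=frozenset(), blocked=frozenset()):
    """Zones a foothold at `start` can reach.

    `no_transit` zones are reachable but do not forward onward (the hub accepts
    spoke traffic but does not route spoke to spoke); `blocked` zones are
    firewalled off entirely, modelling a containment action during an incident.
    """
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        if zone in no_transit and zone != start:
            continue
        for nxt in links.get(zone, ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def sites_exposed(zones):
    """Distinct sites (the part before '/') touched by a set of zones."""
    return {z.split("/")[0] for z in zones}

if __name__ == "__main__":
    seg, flat = build_segmented_network(SITES), build_flat_network(SITES)
    hit = reachable(seg, "plantA/OT", no_transit={"hub/IT"})
    print("segmented:", sorted(sites_exposed(hit)))                  # ['hub', 'plantA']
    print("flat:", sorted(sites_exposed(reachable(flat, "plantA/OT"))))
    # Containment: cutting plantA's DMZ keeps the OT foothold off the IT side.
    print(reachable(seg, "plantA/OT", blocked={"plantA/DMZ"}))      # {'plantA/OT'}
```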
In 2018, Kellogg faced several challenges. They lacked any kind of OT cybersecurity strategy. There was no formal detection and incident response capability for the OT network. Security had a heightened profile because a catalyst event had lit a fire under top executives. And IT needed to partner with engineers to increase OT network security.
That last point was key. A relationship between IT and OT needed to be formed to make any kind of cybersecurity strategy work. In IT security for just six months, Tassell was put in charge of leading the cybersecurity organization for OT. As he saw it, he had to secure a network that he couldn’t touch. “There were strained relationships between engineering and plants because we’d had outages,” he said. “It wasn’t about technology; it wasn’t about security. It was about relationships.”
Kellogg created a dedicated manufacturing cybersecurity organization—including an OT architect, an OT network security engineer, and an OT endpoint security engineer—that partnered with global engineering. A manufacturing review board defined a standard way of working globally between IT and OT to design, deploy, secure, and maintain the infrastructure needed to support the company’s manufacturing digital transformation journey.
They put together an OT cybersecurity strategy with seven key elements:
- OT asset and network discovery
- Network segmentation
- Endpoint threat mitigation
- OT security monitoring and incident response
- Third-party connectivity and access control
- Vulnerability management
- Patch management
The catalyst event they’d had probably did more good than harm—it was a low-impact event, but gave Kellogg the impetus it needed to take action before they faced something worse. Company executives were ready to give Tassell and his team the money they needed to move forward, and the push was on to get it done quickly.
Three of the seven items in Kellogg’s OT cybersecurity strategy could be handled using Claroty. But one of the top challenges the team—Tassell and just two other people—faced was how to get all the necessary Claroty sensors deployed globally in a short period of time. To get the sensors rolled out, tuned, and monitored, Kellogg partnered with Rockwell Automation, Claroty, and Kudelski Security.
“Don’t underestimate the time it will take to tune Claroty or other sensors,” Tassell advised. “The better you tune them, the more effective they’ll be.”
Other challenges included an unknown number of security vulnerabilities to remediate; the lack of an integrated learning management system (LMS) shared by IT and OT, which left the cybersecurity awareness program invisible to engineering; and the absence of a proven, tested incident response process for OT.
To start, OT cybersecurity awareness training focused on educating plant personnel on what cybersecurity is, Kellogg’s policy, and how to respond or escalate if they see something bad. “We know that these things move quickly,” Tassell said. “We needed to give them a sense of urgency, to understand when they need to call somebody right away.”
The 2020 strategy includes more training, primarily in the form of tabletop exercises to stress-test the OT incident response. Those exercises, as Tassell laid them out, are focused on training exercises with new incident response teams and newly created processes; technical exercises for the objective-based incident response team; executive exercises for C-suite personnel and the board of directors; and war games focused on real-world attacks.
Strategy and planning for this year also include building out OT security services, piloting OT security services at two plants, and using passive sensor data to drive risk-based decision-making plant by plant. “We don’t want to just deliver technology and think it’s going to save the world,” Tassell said. “Without people and process wrapped around it, it’s not worth it to us.”
Education continues to play a key role as Tassell’s team rolls out its OT security services to Kellogg’s manufacturing, including passive sensor and incident response service, IT/OT demilitarized zone (DMZ) service, endpoint security service, and OT remote access service. “With all these services, education is called out,” Tassell said. “If we don’t have education around these services, they’re almost rogue.”
Rounding out the conversation, Tassell had some other takeaways that were important lessons learned for Kellogg:
- Attain executive sponsorship from the engineering/supply chain organization.
- Build a partnership with engineering’s trusted vendors to help implement your cybersecurity strategy.
- Make the decision on the passive sensor with engineering so they are a part of the solution.
- Beware of limited user access to passive sensor data.
- Use passive sensor data access as a way to bridge communications between engineering and IT teams.