There can be no doubt cybersecurity should be a major business issue for FMCG boardrooms the world over. But how – and where – companies should invest is a critical question as they look to shore up their operations to reduce the impact of possible attacks.
One key area to consider is operational technology (OT). The term refers to the hardware and software used to control industrial equipment. Examples include industrial control systems, assembly-line robots, programmable logic controllers and building automation systems.
OT is central to modern manufacturing and supply chains more broadly – and is therefore crucial to any company that produces and/or handles physical goods, such as FMCG companies. These businesses rely on the smooth running of their manufacturing plants. Compromised industrial equipment can seriously disrupt production and, ultimately, a company’s entire supply chain. For example, even a few hours of downtime at a meat processor due to compromised machinery would result in an entire batch going off. More serious breaches can take weeks to fully resolve.
FMCG companies need to invest more in the cybersecurity of their OT environments, systems that are increasingly being targeted by threat actors. Mandiant, an industrial cybersecurity company, published a report in May 2021 in which it claimed cyberattacks on internet-exposed OT assets are increasingly frequent. This is not difficult to believe if, as Group-IB, a cybersecurity company, suggests, there was a 150% increase in ransomware attacks in 2020.
Cyberattacks on OT environments are increasing because these assets are typically not well protected. There are a few key reasons for this. Firstly, more and more OT assets are both Internet- and network-connected. If breached, they can act as a gateway through which threat actors enter the network and wreak havoc. This connectivity is becoming increasingly common because it makes it easier for companies to operate the machines and monitor their operational output.
Equipment vendors also often want their machines Internet-connected when installed so that maintenance is easier. This would not be a problem if appropriate cybersecurity measures were in place to protect these exposed assets.
However, this is typically not the case. FMCG companies often operate extremely complex manufacturing networks that comprise hundreds of facilities across multiple continents. Each facility contains thousands of different OT assets. Many of these were installed years apart and are different models, from different vendors, with different firmware.
Because of the sheer number of OT assets across such vast geographical networks, these companies typically do not have sufficient visibility over all these assets and the data communicated to and from them. As a result, these unmonitored assets are often unprotected from cyberattacks. Because of the vast range of types, ages, models, and vendors, quick fixes such as regular universal patches are not viable ways to provide endpoint security. These differences will also result in different OT assets having different vulnerabilities. Moreover, many OT assets such as sensors and cameras have limited computing ability and, therefore, fully-fledged endpoint solutions such as anti-virus software cannot be installed on them.
On top of all this, cybersecurity staff are often familiar with IT but unfamiliar with OT. As a result, they do not understand what an OT asset’s role is within the network and what cybersecurity threats it might pose. Typical IT network monitoring tools are often not fully compatible with OT networks. This skills gap means cybersecurity is often poorly applied to or simply absent from OT networks.
The urgent need for OT cybersecurity solutions is being reflected in recent deals. In 2021, four leading OT cybersecurity specialists, Claroty, Armis, Dragos and Nozomi Networks, collectively attracted over US$1bn in funding.
Most recently, Google bid $5.4bn to acquire Mandiant, an industrial cybersecurity player. FMCG companies are starting to utilise these companies. The Coca-Cola Co. and Kellogg have commissioned the products and services of Claroty. Mondelez International is a client of Armis, while Johnson & Johnson is a client of Nozomi Networks.
As OT cybersecurity solutions develop, FMCG companies need to invest in them or face dire consequences.