Post-Incident Analysis & Recovery: Tips From a Security Expert on Handling Breaches in F&B Manufacturing

By Brian Van Vleet, CSSE at Rockwell Automation

The food and beverage industry is a prime target for threat actors due to the massive disruptions caused by system outages. Threats come in more forms than ever: physical and digital, internal and external, malicious and unintentional. And with food safety on the line, loss of control over quality or production poses great risk.

In this article, Brian Van Vleet, CSSE at Rockwell Automation discusses how food and beverage manufacturers can prevent, as well as recover from cyberattacks and supply chain disruptions.

What is post-incident analysis? And how does it look different in the F&B industry compared to other industries? 

Food and beverage (F&B) plant floors are intricate ecosystems. Standalone machines, integrated into production lines, create a complex environment to secure. This complexity is further amplified by the diverse range of devices, rapid technological advancements, and legacy equipment present. Limited visibility and control make securing these interconnected systems even more challenging, as does the need for production continuity and the sensitivity of data within the industry. Add to this the specific regulations and physical security concerns unique to the food and beverage sector, and the landscape becomes a veritable cybersecurity labyrinth. 

Within this complex ecosystem, post-incident analysis (PIA) emerges as a crucial tool. It provides a comprehensive review and analysis of security incidents, peeling back the layers to reveal the root cause, assess the impact, and evaluate the response’s effectiveness. This invaluable exercise helps organizations identify vulnerabilities, learn from their mistakes, and implement preventive measures to prevent future incidents. By navigating the intricacies of PIA, food and beverage plants can begin to unravel the complexities of their interconnected systems and build a more secure and resilient environment.

How does post-incident analysis in the F&B industry contribute to risk management and prevention of future incidents?

There are several facets to risk management including risk identification, risk assessment, and risk mitigation, all of which are encompassed within post-incident analysis. Once a security team is able to identify a threat actor’s point of entry and understand their tactics, techniques, and procedures (TTPs), they can proactively implement targeted risk mitigation strategies. This includes: 1) patching vulnerabilities 2) strengthening access controls, and 3) improving detection and response tools.

What are some best practices when it comes to conducting post-incident analysis?

Post-incident analysis (PIA) plays an even more crucial role in the food and beverage industry due to the heightened risks of contamination and product recalls. Food safety incidents can have devastating ripple effects, impacting public health, brand reputation, and financial stability. Therefore, conducting a thorough and swift post-incident analysis (PIA) is essential for identifying the source of contamination, preventing further harm, and minimizing the overall impact. 

Best practices include:

• Prioritize data collection: The main goal of post-incident analysis is to learn from past mistakes, collecting every piece of data will educate the risk management process in the future. 
• Establish a cross-functional team: Gathering diverse perspectives from departments beyond the security team will allow them to identify blind spots, prioritize risks more effectively, and develop solutions that are more aligned with the needs and realities of different departments.
• Assess affected networks: Understanding the specific data accessed and the potential consequence of that unauthorized access empowers organizations to develop targeted and effective mitigation strategies.
• Develop mitigation strategies: By harnessing the insights gleaned from the data, security teams can now build robust solutions to safeguard operations against potential future disruptions.

Do you have advice to share for F&B companies looking to strengthen the security of their operational technology to prevent breaches from occurring? 

Post-incident analysis is crucial, but the goal is always to prevent cyberattacks and disruptions. According to a recent report, 60% of analyzed OT/ICS incidents resulted in operational disruptions. Disruption in any industry is tough, but in the F&B industry, it can put public safety and critical supply chains at risk. Additionally, food and beverage companies face a unique challenge: protecting their aging production systems from evolving cybersecurity threats. While legacy infrastructure can pose challenges to deploying the latest security solutions, secure information convergence offers a promising path forward.

While converging all enterprise data into a unified infrastructure can enhance efficiency and productivity, it also presents an attractive “attack surface” for threat actors seeking lateral movement and widespread disruption. To mitigate this risk, organizations embracing converged IT/OT environments must establish robust security strategies such as zero trust, network segmentation, strong identity and access management, and robust firewalls.

Brian Van Vleet has been engaged in manufacturing systems sales since joining Rockwell Automation in 2014. Most recently he serves as a Commercial Lead for the Connected Services division – representing hundreds of IT/OT Project Delivery and Remote Support Engineers globally.