The 2018 needles in strawberries episode served as a warning to all of Australian industry: failure to take security seriously can have disastrous consequences. However, it also served to highlight just how vulnerable the manufacturing industry is to malicious acts, whether by disgruntled employees or by criminals as a basis for extortion. And those vulnerabilities are both physical and cyber in nature.
When the news broke of the sabotaged strawberries in September 2018, only three Queensland brands were affected. But thanks to the wonders of social media, within a week there had been 230 claims of fruit tampering across Australia, most of which proved to be hoaxes.
Nonetheless, the consequences for the industry were calamitous, with major supermarkets removing stocks of strawberries and thousands of tonnes of fruit destroyed.
Now, Food Standards Australia New Zealand has made a number of recommendations to improve food incident response protocols and has recommended national coordination of messaging and information.
In response, the larger growers have invested in metal detection technology, as used in other branches of the food manufacturing sector. And while inline metal detectors are capable of intercepting both ferrous and nonferrous metals at conveyor belt speeds, they only secure one part of the supply chain. What happens between the packaging plant and the supermarket shelves is another matter.
So what is the solution? How can consumer products be secured all the way through the manufacturing supply chain?
One solution is surveillance, and Frank Ferrara, MD of Cornick, is in no doubt that today’s CCTV systems are effective both as a deterrent and as an investigative tool.
“It’s all about identifying unusual behaviour,” he says. “So while you’re not necessarily going to immediately see any instance of criminal activity, the system can flag up unusual patterns of behaviour that warrant further investigation.”
“Then,” he adds, “once people know that they are being watched and their actions recorded, the deterrent effect is clear.”
Ferrara concludes: “In the end, CCTV surveillance is an indispensable business management tool, similar in importance to your computer workstation when it comes to running your business.”
There are, however, limitations to the use of CCTV in Australia – and these vary from state to state. For example, the NSW Workplace Surveillance Act requires employees to be notified at least 14 days prior to the introduction of CCTV cameras. And in Victoria, the Surveillance Devices Act precludes the filming of “private activity” in the workplace.
However, generally the recording of video (without sound) is permissible throughout Australia.
If it took the strawberry affair to expose some of the physical security shortcomings of Australian industry, there are any number of high-profile cases that highlight our poor state of cybersecurity readiness.
What makes this all the more worrying is that the convergence of information technology with operational technology, together with the increased adoption of Internet of Things technologies, is leaving gaping holes in security. And there are plenty of state actors, cyber terrorists and extortionists who recognise these easy pickings.
Incredibly, according to Fortinet, nearly 90 per cent of companies with connected IT and OT structures have suffered a security breach of their control systems, and more than half of those have happened in the past 12 months. And, more specifically, cybersecurity innovator Digital Immunity says that in 2017, 39% of all ransomware attacks targeted manufacturing companies, resulting in the loss of hundreds of millions in revenue.
The consequences can be devastating. For any company, the necessity to shut down a compromised IT infrastructure for any length of time can wreck normal trading practices, with severe financial penalties. But for a manufacturer, the costs of shutting down compromised control systems can be astronomical.
According to Peter Moore, MD of Adelaide-based OT/IT cybersecurity provider Logi-Tech, too many companies are operating with a false sense of security, believing they are protected when they are not. And where proper security procedures do exist, they are all too easily compromised by human error or by a sophisticated cyber attack.
“You have to ask yourself what a day’s lost production would cost you… and then multiply that by however many days,” he says. “There is no doubt that some manufacturers are behind the curve in security, and that makes them prime targets,” adds Moore.
Help is at hand, though, with the cybersecurity industry becoming ever more proactive in finding and neutralising threats. Recognising this, Industry Update will be dedicating an increasing level of coverage to security matters – both physical and cyber – with a regular feature in every edition of the magazine during 2019.