CYBERSECURITY
Executives and boards are slow to adopt new OT cybersecurity tools, and the issue is complex for non-security plant professionals. To solve this issue, security leaders need to explain the risks and impacts for increased investment.
How to Communicate OT Cybersecurity Risk and Investment to Food and Beverage Leadership
In the second half of 2024, there was a 202% increase in overall phishing messages compared to 2023, according to SlashNext’s 2024 Phishing Intelligence Report. Why is this important for food manufacturers? Many companies’ OT devices are connected to corporate IT networks, and attackers can gain access to the plant floor via these increased phishing attacks.
FOOD ENGINEERING also revealed that inadequate authorization was another top threat for food manufacturers, via Infosec’s OT Top Security Threat for 2024 report. The report says the threat is “inadequate authentication and authorization, inadequate or nonexistent authentication and authorization control measures that can allow unauthorized individuals to gain access to OT systems.”
Cybersecurity threats are coming from many angles, and many food manufacturers are still using legacy security approaches. This article will discuss how more investments can be made for OT network security and how to convince boards to provide more support and investment.
Communicating Risk and Impacts to the Board
Food manufacturers’ OT networks are vulnerable in 2025, but many manufacturing boards and executives have been told corporate enterprise networks are secure. However, enterprise IT networks are not OT networks. For boards, the right risk profile for OT networks needs to be established and identified.
So is this happening?
In a recent FOOD ENGINEERING webinar on cybersecurity, Patrick O’Brien, assistant director of engineering at exida, polled attendees and found that only 33% have had an OT cybersecurity risk assessment and 11% have OT-focused policies and procedures. At the same time, IT-focused cybersecurity risk assessments came in at 55%.
“This means some companies are doing IT risk assessments but not employing OT risk assessments,” O’Brien says. OT network cybersecurity investment is moving slowly due to many issues, such as a lack of precise requirements from chief information systems officers (CISOs) or a lack of leadership from executive management.
Another challenge is identifying risk as it relates to production, volume and uptime. “The key to getting buy-in from CFOs and CEOs for OT security projects is highly dependent on the CISO’s ability to translate the real cybersecurity risks to operational risks that the board already has identified,” says Grant Geyer, chief strategy officer at Claroty. Claroty is a supplier of cyber-physical systems protection and asset visibility services.
CISOs and security leaders need to speak the board’s language and avoid discussing the numerous cyber vulnerabilities that can happen. The focus should be on overall risk against key performance indicators (KPIs), benchmarks and business metrics.
“The more that a CISO can demonstrate an appreciation of the broader context and speak the language that the audit committee cares about, the stronger the chance that an OT security initiative will speak the love language of CEOs and CFOs and will resonate,” Geyer adds.
“At a board level, we need to have a very simple conversation about what risks do we want to accept and the ones we want to mitigate,” notes Robert M. Lee, founder and CEO at Dragos, Inc., during a recent webinar on OT cybersecurity investments.
During the webinar, Lee discusses how CISOs can paint with a broad brush when it comes to security technology requirements, which can lead to confusion for board members. Lee says what can emerge is a “piecemeal strategy or a peanut butter spread of what capabilities, which can also lead to board-driven metrics or standards that don’t mean anything at the OT level.”
Boards are driven by their peers. “The reality of what a board is doing partly is benchmarking its peers, totally appropriate, and scenario planning,” Lee says.
By Grant Gerke
In a 2024 FOOD ENGINEERING article, Alexandre Peixoto, cybersecurity business director at Emerson, talked about recent OT investments in food and beverage, and specifically, investing in Managed Detection and Response (MDR) technology. Peixoto divides customers into two camps when it comes to cybersecurity approaches: cyber-for-protection and cyber-for-convenience.
Cyber-for-protection includes traditional defense-in-depth approaches between IT and OT networks. “For these customers, the most important consideration for cybersecurity is to defend their control systems against a potential cyberattack, which could lead to an OT process upset,” Peixoto says.
According to Peixoto, cyber-for-convenience customers are employing defense-in-depth strategies but also trying new technologies such as MDR in OT environments and are open to zero-trust security framework strategies.
At the board level, Lee believes new security investments can be won with the proper framing. “Boards want to hear about capabilities that can be delivered and how we are trying to reduce risk with operations,” Lee says.
The risk at the OT level lies in the many low-level connected devices, such as fieldbuses, programmable logic controllers (PLCs) and industrial networking equipment. Applying security patches at the OT level helps once vulnerable devices are identified, and MDR tools can help in this area.
According to Dragos’ 2025 OT/ICS Cybersecurity Report, interest in identifying attacks against low-level equipment and networking keeps increasing among manufacturers. The report suggests that most fieldbuses are insecure by design and can include these networking protocols: Modbus/TCP, CODESYS and CIP.
The report says these layered networking protocols pose a substantial risk and there is a general lack of detection mechanisms for attacks in this area. The report describes the layered networking risk as “turducken” protocols, and the company plans to address this issue by offering greater visibility for detecting attacks and identifying potential misconfigurations.
The report cites that “to protect fieldbus equipment, the Industrial Control System (ICS) community awareness must change. A common assumption is that field devices, and especially instruments and actuators, are insecure-by-design. What is not well-considered by owners is the accessibility of this equipment.”
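Added example, not from the article or from Dragos or any other vendor named here: a minimal Modbus/TCP frame parser and allowlist check that illustrates both points above, that the MBAP header carries no authentication field at all (insecure by design), and that a basic detection rule for unexpected write commands against fieldbus equipment can be built from captured frames. The IP addresses and frames are constructed sample data.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (codes 1-4 are reads).
WRITE_FUNCTION_CODES = {5: "Write Single Coil", 6: "Write Single Register",
                        15: "Write Multiple Coils", 16: "Write Multiple Registers",
                        22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes

def parse_mbap(frame: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length,
    unit id) and the PDU after it. Note what is absent: no credential, nonce
    or signature field exists anywhere in the frame."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusFrame(tid, unit, frame[7], frame[8:])

def detect_unauthorized_writes(packets, allowed_writers):
    """Flag state-changing requests from hosts not on the writer allowlist,
    plus malformed frames, which are worth a look on a plant network."""
    alerts = []
    for src_ip, frame in packets:
        try:
            pdu = parse_mbap(frame)
        except ValueError as e:
            alerts.append((src_ip, f"malformed frame: {e}"))
            continue
        if pdu.function_code in WRITE_FUNCTION_CODES and src_ip not in allowed_writers:
            name = WRITE_FUNCTION_CODES[pdu.function_code]
            alerts.append((src_ip, f"{name} to unit {pdu.unit_id}"))
    return alerts

# Constructed sample traffic (hypothetical addresses): an engineering
# workstation reading registers, another host writing a coil, a truncated frame.
SAMPLE_PACKETS = [
    ("10.1.5.20", bytes.fromhex("000100000006010300000001")),  # read holding regs
    ("10.1.9.77", bytes.fromhex("000200000006010500010000")),  # write single coil
    ("10.1.9.77", bytes.fromhex("0003000000")),                # malformed
]
ALLOWED_WRITERS = {"10.1.5.20"}  # hypothetical engineering workstation

if __name__ == "__main__":
    for alert in detect_unauthorized_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(alert)
```

In practice the packets would come from a network tap or span port feeding the MDR or visibility tool rather than a hard-coded list.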
As systems become more connected in the food and beverage segment, these risks will keep growing. Security leaders need to be clear with board members about risk and the impact on operations and production.
“As OT assets tend to be unpatched and even obsolescent, the new imperative is to remove entire classes of risk through securing user-to-machine, machine-to-machine, and cloud-to-machine communications,” Geyer says. “Security and risk leaders need to adjust to this new imperative to enable the business to execute on their Industry 4.0 ambitions responsibly.”