This article was published in the June 2022 issue of Pet Food Processing. Read it and other articles from this issue in our June digital edition.
The running of a business includes a myriad of systems to track, making the generation of data inherent. As data compounds and complexities expand, information becomes difficult to control, particularly when considering associated linked-and-joined data from suppliers and customers throughout the supply chain.
The greater the amount of data at stake, the more an organization needs reliable security to protect intellectual property and safeguard against potential losses through equipment malfunction, breakdown of IT processes, breaches and cyber-security issues, or to combat a targeted takedown of all network-connected efforts. This also includes an onus of responsibility on subject matter experts trusted to make recommendations and changes.
An impact to any of these elements could create a domino effect within the organization as well as to other suppliers and customers. A system hack or a cybersecurity threat could reflect badly on the entire industry and leave consumers questioning the safety and/or reliability of a product or service.
Assess and address
Within the industry, pet health is a big risk factor regarding access to systems and data, according to Jim Vortherms, senior director of automation delivery, CRB, Kansas City, Mo. As the trend of pet humanization continues to grow, companies need to have confidence in their data if there’s a need to issue an effective product recall because of contamination, tampering or another incident, he continued.
“Data or intellectual property, recipes and trade secrets are what separates one business from another,” said Kyle Banks, technical resource partner at NorthWind.
Assessing vulnerability begins with an internal audit to determine what data is sensitive, which data is important, and how to protect access systems within the control system hardware and software — standalone or completely segregated from other equipment. This includes knowing how long a facility can be down in addition to concerns about market share, reputation and other critical factors.
“Data or intellectual property, recipes and trade secrets are what separates one business from another,” said Kyle Banks, technical resource partner, NorthWind, Sabetha, Kan. “This is the segregation and identity of a business.”
Ensuring protection by determining who has access and who can make changes is often a joint effort of senior management, operators, advisors and bystanders. Vortherms advised adopting a cross-departmental approach with IT (Information Technology), OT (Operational Technology) and production being equal partners in the discussion, solution, implementation and rollout of a data access system. Formal risk acceptance processes should be followed and documented by a leader and reviewed periodically and mitigated when possible, according to Banks.
IT personnel are responsible for providing access to data in order to do work in a secure manner. This includes how remote access is handled in order to limit and track who has access. The OT staff is concerned at the plant-floor level regarding who has access to which systems and data, locally and remotely, and how various systems interact with each other. Operations needs to be concerned with system security as well as how the operators are going to access the system.
IT infrastructure can vary greatly depending on the organization. Larger companies often choose to manage the data themselves. Customers who want to handle their data are left to put their own security in place and there might be just one person handling the responsibility, according to Adam Pichoff, software engineering manager, Allpax, Covington, La.
There might also be third-party vendors with remote access to their systems. This requires a balance between the original equipment manufacturer (OEM) and the facility’s IT group, he continued.
Without buy-in from all players, there’s a potential for in-fighting and the solution will be mediocre at best, Vortherms cautioned. Therefore, it’s necessary to create a balance between access to production controls and data while also protecting processes and information. This might include safeguarding data from unauthorized access to prevent changes or deletion of critical data and to protect intellectual property such as recipes from competitors.
Many organizations follow the security model of least privilege, granting only the necessary access for personnel to perform the functions required by their role. Supplementally, OEE (overall equipment effectiveness) and productivity are also heavily considered when determining access levels given the impact in profitability.
Technology acts as a necessary controlling agent and another layer of protection. One of the most common solutions is the username and password. Despite its widespread use, the password continues to be an ongoing headache for security personnel, and some would like to see its use phased out. Easily manipulatable, passwords get written down, recycled and shared, and sometimes don’t get disabled when an employee leaves the company, Pichoff shared.
Organizations looking to add extra security often consider a layered approach. Such layers use encryption to protect the confidentiality of digital data transmitted through a network or stored on a computer system. Multiple layers of identification add protection to the sign-in process in the form of a fingerprint, hand or retinal scan, facial recognition or entering a code on a phone.
While technology can monitor abnormal network traffic and virus protection, these efforts can only go so far in protecting a plant and providing security. The human element is much more difficult to predict, and in operations and manufacturing, human safety is the driving factor of risk.
“The human element is difficult to manage,” Pichoff said. “A system can have deep levels of permission, but the system is only as good as the password and the person using it. A generic password can be used by multiple users and anyone with a username and password could go in and manipulate passwords.”
In fact, security breaches are likely to be an accident of human error, he continued. The simple act of sharing a password, clicking a dubious phishing link or forgetting to change a password can leave the door open for a bad actor. Not knowing when trouble could strike, Pichoff advises taking a proactive stance: changing passwords, using physical authentication methods to boost security, and/or combining several security methods with biometric security that recognizes people based on behavioral or biological characteristics.
Companies looking to keep their systems safe must also balance the reactions of employees tasked with navigating the hurdle of multiple levels of security. While those who maintain security deem the extra steps as worth the hassle, users may not feel the same way. This can lead to the opposite problem, one where users ask for the removal of cumbersome levels of security or take it upon themselves to produce workarounds.
“Adequate processes and procedures need to be in place to make the system safe and protected while not being so intrusive that the operator cannot do their job in an efficient manner,” Vortherms said. “If the system is immensely cumbersome to the operator, they will find workarounds to the security measures in place.”
Set an example
As the pet food industry continues to grow in size and sophistication, so do the techniques of the bad actors who look to broaden their scope of opportunities. Likewise, as the sophistication of malware and ransomware continue to grow, organizations must constantly manage and mitigate risk to stay ahead of the next scam.
“A system can have deep levels of permission, but the system is only as good as the password and the person using it,” said Adam Pichoff, software engineering manager at Allpax.
Banks recommended looking to NIST (National Institute of Standards and Technology) and ISO (International Organization for Standardizations) as reputable sources for security best practices. He also suggested talking to peers to discuss common trends, cyber threat news headlines and potential tactics to help inform an organization’s risk mitigation strategy.
There are also examples of crossovers between the food and the pet food industries, including the use of similar equipment from an OEM perspective to comparable processes and procedures, which make the food industry a good source of counsel.
“In the food industry, having the data related to production secure, trustable and readily available is a necessity if there were to ever be a recall or production-related issues,” Vortherms said. “This same type of security and accessibility is pertinent for pet food manufacturing as well.”
While a security attack might not be totally preventable, advance planning could prevent extensive damage. Yet, a plan is only as good as its ability to combat the most recent threat or scam. Likewise, what might work for one system may not be appropriate for another, so each situation must be reviewed independently. Plus, bad actors will constantly test the waters. When one industry or organization ups its security, bad actors will choose a more vulnerable target.
“Security controls are achievable but since there will always be risk, security programs/initiatives must periodically be reviewed and adjusted, as necessary,” Banks concluded. “This requires finding the appropriate balance between organizationally accepted risk, security and usability.”
Read more about pet food and treat processing on our Operations page.