How to strengthen cyber resilience in the food sector

New TAB study examines the IT risk situation in the food sector and outlines options for cybersecurity policy design
Policy brief TAB-Fokus no. 47 presents the main findings of the study

As technical systems become more digitised and networked, companies in the food production, processing and distribution chain are increasingly vulnerable to threats from cyberspace. The threat to IT security in 2023 was greater than ever before.

In agriculture, which has not been the main target of sophisticated attacks on operational technology so far, the rapid digitisation of businesses could have an impact on food production and supply in the future, particularly through supply chain attacks on manufacturers of operational technology or on external service providers. In the food processing industry, logistics and retail sectors, where the level of digitisation is comparatively higher and markets more concentrated, attacks on key IT systems such as enterprise resource planning systems, warehouse management systems and digital point-of-sale systems pose a particular risk to supply security. Scaled attacks via software updates and indirect attacks on an external IT service provider could prove particularly serious. To date, the relatively fragmented nature of the food sector has prevented supply shortages of single suppliers from having a serious impact on public supply. This changes as systems become more digitised and interconnected.

The food sector is one of the critical infrastructures that requires special protection. In terms of information security, this is achieved through the German Federal Information Security Act (BSI-Gesetz), which requires large companies in the food sector to secure their IT systems using state-of-the-art technology. However, agriculture and food retail in particular are characterised by a large number of small and medium-sized enterprises to which the obligations of the BSI Act did not apply until now. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive) recognises the food sector as an important sector at European level. Its transposition into German law (currently in the legislative process) will mean greater accountability for external service providers and suppliers, as well as an extension of the scope of cybersecurity obligations to medium-sized companies and a stronger focus on supply chains. These measures should reduce the scope of identified risks.

To reduce the risk of cyber-attacks for a large number of smaller companies and their service providers, support for voluntary measures should be further promoted and the transfer of knowledge from research to business practice should be ensured. In addition, education and information campaigns could raise awareness of the growing threat of cyber-attacks among micro and small enterprises, which have been less exposed so far.

The TAB report highlights the vulnerabilities of the food supply in Germany in the context of possible threats from cyberspace and outlines options for strengthening the cyber resilience of the sector. The most important results are presented in the four-page policy brief TAB-Fokus no. 47 and its web version on the project page.

On the TAB-Report: Based on a brief summary of digitisation trends and an outline of the current threat situation and the most important future challenges for cyber security in Germany, the report examines the extent to which a threat to security of supply can be assumed and which attack scenarios pose a particular threat. The findings are based on both an empirical analysis of past incidents and expert interviews. Particular attention has been paid to growing risks that result from digitalisation trends. The focus was on possible attacks with disruptive consequences. The scenarios were distinguished according to their possible main target: agricultural production systems, food processing, logistics and retail. The report identifies key factors that affect the extent of cyber-attacks and outlines possible options for future cyber-security policy in the food sector.

10.10.2024

Download and further information