Background and central aspects of the topic
Not least in the context of the war in Ukraine, decision-makers across Europe are concerned with the security of food supply. So far, the focus has been on import dependency for certain products and the rising costs of inputs and food prices. However, with the digitalisation and networking of technical systems, the vulnerability of companies in the food chain to threats from cyberspace is also increasing. In May this year, the agricultural machinery company AGCO had to stop work in its production facilities as a result of a ransomware attack. In the same month, the manufacturer John Deere remotely disabled Ukrainian agricultural machinery that had been stolen by Russian troops. This illustrates that digital technologies in the food supply industry are the subject of hybrid warfare and cybercrime, and could become even more so in the future.
Cyberattacks on companies in the food chain could have serious consequences for the population. Consequently, the food sector (food production, processing and trade) is one of the critical infrastructures that need special protection. With regard to information security, this is done through the BSI Act, according to which large companies in the food sector are obliged to secure their IT systems according to the current state of the art. However, agriculture and the food trade in particular are strongly characterised by SMEs, to which the obligations of the BSI Act do not apply.
It is true that the vulnerability of the food system has been intensively researched in recent years. However, most studies have focused on the consequences of the Corona pandemic and adaptations to climate change. Vulnerability and resilience to IT disruptions or cyber-attacks have received little attention so far.
Objectives and approach
The aim of the study is to take a closer look at the vulnerabilities of the food supply in Germany against the background of possible threats from cyberspace. To this end, possible vulnerabilities along the production and supply chains are to be identified and the question discussed to what extent targeted attacks have the potential to endanger the food supply.
The current threat situation for the food sector will be analysed. The extent to which the digitalisation of food production, logistics and trade in Germany can lead, or has already led, to increased vulnerability to disruptions will be examined. For this purpose, the degree of dependency of internal processes on ICT must be estimated. For this purpose, an empirical survey will be conducted in which the use of ICT along the value chain will be examined. On this basis and through the evaluation of cyber attacks that have already taken place as well as relevant specialist literature, critical ICT risk elements will be identified and plausible hypothetical (but realistic) attack scenarios on value and supply chains in the food industry will be developed.
On this basis, the impact of plausible disruptive attack scenarios on food supply will be examined. Based on the scenario analyses, the potential consequences and scope of cyber attacks can then be characterised. Possible effects can be direct, but also indirect and can occur in the short, medium and/or long term. Indirect effects include, for example, major delivery delays, declines in sales as well as production losses that affect workforce utilisation, prices on the world market or the competitiveness of companies. In addition, the interlinkages with upstream sectors such as agricultural technology, fertiliser and pesticide production and the associated possible cascade effects are to be taken into account.
Based on the findings of this vulnerability analysis, starting points for strengthening the resilience of the food sector will be derived and discussed with stakeholders.
Two expert reports were commissioned: one on cybersecurity in the area of food processing and trade and cold chain logistics of milk and dairy products, and one on cybersecurity with a focus on agriculture. The expert reports are currently being evaluated and will be used, together with the results of further research, to prepare the final report to be submitted to the responsible TA rapporteur group of the political groups for approval in spring 2024.