Understanding the Cybersecurity Risks Confronting CPG Organisations

When was the last time you purchased a product that was in a container? If you are a typical consumer, you probably have done so in the last few days. There is an entire industry that focuses on these containers. Consumer Packaged Goods (CPG) is an industry term for merchandise that is used and replaced on a frequent basis. CPG includes just about everything including small items such as food, beverages, cosmetics, and cleaning products all the way up to larger durable goods such as appliances, furniture, and automobiles.

Of course, the manufacture and distribution of Consumer Packaged Goods relies on technology. Like most organisations, CPG organisations are at risk of cybercrime. While typical attacks such as ransomware are a constant concern for all organisations, CPG organisations are exposed to unique risks.

Why Is the Need for Cybersecurity Growing for CPG Organisations?

There have been a lot of changes in the market that have forced CPG organisations to more digitalisation. This has been particularly true for organisations in most sectors following the COVID-19 pandemic and the rise of new work models.

What makes the story for CPG organisations unique is that they are under incredible price pressures, especially if those products are fully automated and domestically manufactured. To address this price pressure, they need to be more efficient, and for this growth and efficiency, most companies are turning to optimisation technologies such as digital twin machine learning. On top of this, if the products coming off the production line are safety-related, as is the case with food or children’s toys, there are additional regulations that organisations are required to follow.

What Cybersecurity Risks Are They Facing?

Digital attackers are targeting the production capabilities of CPG organisations. If successful, an intruder could compromise a production line to tamper with the production process, making the end product unsafe for consumption. 

A recent incident involving an Austrian food organisation can serve as an example. An attacker infiltrated the production line, pivoted to a cooling system, and adjusted the temperature so low that the cooling system stopped working. Simultaneously, the malicious actor also manipulated the sensor values so that they appeared to remain at a temperature within the normal operating thresholds. This masked the cooling system shutdown and caused the actual temperature of the food to increase, yet no one realised these problems. Ultimately, one of the production line workers observed that the temperature on the screen didn’t match the actual temperature of the food when it was physically handled, but unfortunately, this was not before 12 days of production were lost.

The cost of the incident wasn’t very high overall. Sure, the organisation could have recognised it earlier on in the incident. Most fortuitously, the company discovered the issue before the food was shipped to stores. By contrast, if it hadn’t spotted the error before the product entered the supply chain, there could have been dire health consequences as well as fines that would potentially have been imposed upon the organisation. 

Incidents on the production line aren’t the only cybersecurity risks confronting CPG organisations, either. There are also supply chain issues. Imagine a soft drink company that outsources its bottle-filling to a third party. In order to meet production demands, a certain number of bottles of particular sizes are required to be filled each second. An issue with the machine due to tampering similar to that which happened in Austria could result in improperly filled bottles. It won’t be the machine provider that will suffer reputational costs. The soft drink company will suffer the damages.

Accepting that supply chain cybersecurity is as important as a CPG organization’s policies emphasizes why CPG organizations require that their suppliers demonstrate cybersecurity measures that achieve a minimum standard of alignment with their requirements in order to outsource any work to them. 

There’s a growing regulatory environment for CPG organisations. The quality and safety standards for food have expanded to now include cybersecurity. At this moment, those standards are not very concrete, but this is changing. One may reasonably anticipate that regulatory authorities will ultimately require that CPG organisations have a full security program in place, that the program is adhered to, and that evidence of an organisation’s security practices are available for audit purposes. Just as cyber laws have increased in their prescriptive directives for other industries, it would not be surprising if CPG organisations are required to implement a quality process to ensure that cybersecurity is always state of the art. This could also include the requirement to have monitoring tools such as a Security Information and Event Management (SIEM) system and a Security Configuration Management (SCM) platform in place.

Protection of the chain of consumer products is of vital importance. CPG organisations interface with multiple areas of Critical Infrastructure, and protection of the CPG cyber operations is necessary to ensure full security across all products that are released to market.

How Can Tripwire Help?

With 24/7 systems monitoring, Tripwire can provide evidence of your security configuration at all times. This information can be easily shared with your customers and suppliers to ensure that you comply with any industry and internal compliance protocol. Tripwire works across your organisation and your entire supply chain. The system is also automated, so with very little intervention, you can ensure the safety and security of your full CPG production line.

You can learn more about Tripwire and our solutions here: https://www.tripwire.com/solutions.