How did Britain's food supplies become so vulnerable?

Yahoo

2 days ago

On May 15, Wilfred Emmanuel-Jones, founder of The Black Farmer food range, received an alarming and unexpected email.
It was from a logistics firm that distributes food to UK supermarkets (including Tesco, Sainsbury's and Aldi) for him and other manufacturers, announcing it had been the victim of a cybercrime.
The hack left Emmanuel-Jones in what he called a 'desperate situation': to be precise, it meant 18 pallets of Swedish meatballs from his smorgasbord brand were stuck in limbo – and at risk of being thrown away.
Each pallet contained 160 cases; with seven packs per case, it amounted to a total of 20,160 packs of meatballs and an estimated retail value of around £100,000. If the meatballs did not make it to supermarket shelves, Emmanuel-Jones not only faced financial loss to his firm, but also scores of disappointed customers being denied one of their favourite meals.
Coming in the wake of similar cyber attacks on Marks & Spencer and the Co-op, the hacked logistics firm was Peter Green Chilled – a distribution company based near Shepton Mallet, Somerset, which transports chilled food to stores.
The attack has since cast a spotlight on how the UK's vast and vital food distribution, storage and warehousing sector operates, with questions raised about how often vulnerable the industry is to hackers – and whether more can be done to protect it.
Emmanuel-Jones, who is best known for his award-winning sausages, says it was the first time his business, founded in 2004 on his farm in Devon, had been affected by cybercrime.
'If you're like us and a lot of other small companies, you've got to get a distributor,' he explains. 'The cheapest way of sending products around is by the pallet, but not all the supermarkets necessarily want a whole pallet. Peter Green [Chilled, our distributor] will also do the picking for you, so if someone wants a certain amount they'll do that. That's why they're crucial.'
In its email, Peter Green Chilled said it had been the victim of a ransomware attack – which is when hackers encrypt a victim's data and lock them out of computer systems, demanding payment to hand back control. It left the firm unable to process or pick orders, although it later told the BBC its transport activities had continued. No one at Peter Green Chilled was available to comment to The Telegraph, but a source said it was 'busy trying to catch up'.
Emmanuel-Jones said the result was that 18 pallets of The Black Farmer meatballs were left stranded in Peter Green Chilled's warehouse, 'with the clock ticking because they have a shelf life'. By the end of last week, he had managed to cut that number to eight, after persuading some supermarkets to accept full pallet deliveries.
But, he added, 'to make matters worse', a fresh consignment of meatballs had just arrived from Malmö, Sweden – via the Port of Immingham in Lincolnshire – and he now faced the challenge of getting those to stores too. 'All of this has a dramatic impact on your cash flow,' he said. 'The distribution system does seem vulnerable.'
Phil Pluck is the chief executive of the Cold Chain Federation, which represents the UK's temperature-controlled logistics sector – covering both storage and distribution. Its 270 members operate over 450 chilled warehouses and more than 40,000 temperature-controlled vehicles, from last-mile vans to 40ft trailers, ensuring food reaches consumers safely.
Around 50 per cent of all food, whether it is produced in the UK or imported, travels through the cold chain. Walk into a supermarket and some of that produce is obvious: fresh meat, fruit and vegetables, for example. Yet other everyday items, including bread, cakes and often biscuits, also travel via it.
Sometimes, food goes from a producer, port or warehouse to a general warehouse, too, which may hold products for a number of customers. Or, it may be sent to a regional distribution centre that is owned exclusively by one supermarket.
'What the cybercriminals know very well is that 450 warehouses of food isn't actually that many and that if you can disrupt the supply chain then it becomes serious very quickly,' says Pluck. 'There may be thousands of pallets in a warehouse belonging to 100 customers and they have to be delivered to hundreds of destinations.'
He said an attack by hackers may result in a company being unable to read what is in their warehouses, or even to know where all their trucks are at a particular point.
'There are sophisticated warehouse management systems and telematics on the vehicles, tracking where they're going and what's inside them. If the hackers can get into the warehouse management system, they can effectively disable a very large quantity of food distribution, knowing full well that that causes major distribution problems that become very easily spotted in a public sense, very easily, very quickly, in that the result is bare supermarket shelves.'
Around 10 of the federation's members have said they've been victims of cyber attacks in the past few years, Pluck adds, but he guesses that the true figure is 'way more'. There has been a 'much-increased' number of attempted attacks in the past year.
The federation doesn't compile statistics on cyber attacks because, according to Pluck, they are 'guaranteed to be inaccurate' as some firms are unwilling to make it publicly known that they have been attacked, while others may resolve the impact of an attack before it becomes publicly apparent and then decide not to declare it. Most of the federation's members have cyber insurance.
'The cybercriminals don't necessarily care whether you're a supermarket, or whether you are part of the supply chain that serves that supermarket. What there is now are common software shares that allow the logistics supply chain to talk to each other. So that's another weak point,' he says.
The cyber attacks have become more sophisticated. Where once they were what Pluck called 'chance' events with the attackers sending out thousands of 'friendly-looking' emails in the hope that someone might click on an attachment and inadvertently let them in, it's now not unusual for the attackers to look at a firm's client base or an IT service provider and then send a very legitimate-looking email saying, for example, 'We need to do a server upgrade.'
'They're hoping someone says yes and then that's it, they're in the system. Or they may actually mimic someone physically and send an actual human being to your premises pretending to be an IT service engineer who attaches something to your server,' he explains.
'If everyone in the system does what they need to do, then obviously you get greater protection, but it only requires one weak link in that. So, on our side of it, everyone has to be on their guard 24 hours a day and everyone has to be 100 per cent lucky. The attacker only has to be lucky once.'
Pluck says the food distribution chain is vulnerable to cybercrime, but is no different from any other sector in that respect. However, he is calling for the Government to acknowledge the importance of the sector – which also distributes around 50 per cent of the UK's pharmaceuticals – and help to protect it with Critical National Infrastructure (CNI) recognition.
'It doesn't mean more money for the sector nor tighter or new regulation. But what it does give the cold chain is the ability to sit down with Government and create an Incident Response Plan. No such plan existed during Covid, and my sector just had to react as best it could. We got through it that time and fed the nation. But we can't be complacent and just muddle through again,' he adds.
'CNI will give us the clear platform to create a response plan as well as a recovery plan. Both are essential to supplying food and medicines to the UK citizen in the next major crisis.'
Dray Agha, the senior manager at cybersecurity firm Huntress, agrees that cybercriminals are increasingly targeting food retailers and suppliers.
'Food supply chains rely on real-time inventory management, temperature control, and rapid distribution. A cyber attack disrupting these systems could lead to spoilage of perishable items, resulting in immediate financial losses. Paying a ransom may seem cheaper than absorbing the cost of wasted stock,' he says.
Agha says firms should no longer see cybersecurity as a 'compliance issue' or a 'cost issue' but as something that can enhance a business and for which a healthy budget should be allotted.
He says: 'Firms also need to invest in cybersecurity training and make security awareness a priority among the workforce; teach them that it's not just the responsibility of IT but the responsibility of everyone.'
Broaden your horizons with award-winning British journalism. Try The Telegraph free for 1 month with unlimited access to our award-winning website, exclusive app, money-saving offers and more.