Protecting fresh fruit from cyberattacks with automation and AI

With its entire business revolving around fresh produce, UK fruit producer Berry Gardens can’t afford for its supply chain to be disrupted by cyberattacks.

Managing complex supply chains can be challenging for even the largest organisations, let alone a small IT team. However, automation and machine learning-based security technologies are making it easier for lean teams to manage complex environments.

In agriculture, ensuring timely processing and delivery of goods also means incidents need to be remediated as quickly as possible to prevent wastage, while at the same time firms are looking to balance the efficiencies that automation and the internet of things offer against the increased risk profile.

UK fruit producer Berry Gardens is looking to combine AI-based security with ambitious growth plans and growing trials with autonomous machines, while at the same time protecting a large, complicated, and time-sensitive supply chain.

Keeping UK fruit secure from cyber-threats

Founded over 40 years ago, Berry Gardens is the UK’s leading berry and stone fruit producer, supplying all of the country’s major retailers.

The company supplies fruit such as strawberries, cherries, plums, and blueberries to the likes of Waitrose, M&S, Asda, Sainsbury’s, and Aldi. As well as a number of UK farms, the firm has overseas partners and suppliers in place to offer a year-round supply of fruit outside of the British growing season. Founded as a regional co-operative, today the company is still wholly owned by growers in the UK.

According to James Judge, Berry Gardens' IT manager, the company’s biggest concern isn’t leaking data but ensuring resiliency and preventing operational disruption. Orders from suppliers are often made only a day ahead of time, while picking, packing, and shipping also must occur in a very short window to ensure freshness.

“Even if sales information was stolen this week our market moves so quickly that it wouldn’t give anyone a competitive advantage,” says Judge. “However, working with fresh produce, we run an extremely fast supply chain that must operate like clockwork.

“Whether it’s our email, phone system, or ERP that gets infiltrated, there is a real risk that we couldn’t service our suppliers or serve our customers, resulting in waste and financial loss.”

Aside from penetration testing with third parties, all security is managed in-house. The company’s three-person IT team controls all of the organisation’s IT – from security and networking all the way through to R&D into artificial intelligence and other software and service development.

As well as corporate IT and employee endpoints, the team is also responsible for all of the company’s industrial and operational systems including fruit packing lines, machinery, and warehousing equipment.

Fast-moving global supply chains pose security challenges

With such time-critical operations, the company’s supply chains must run as smoothly as possible.

“As well as being fast-moving as a supply chain by the very nature of our product, our prime motivation is to deliver the freshest produce to our customers and the end-consumer,” says Judge. “This means we operate around the clock and take a 'get things done' approach – so from an IT stance we try not to throw up too many hoops for users or partners to jump through to get their work done. This means we need to understand evolving networks and data movements quickly while allowing the business to continue to operate.”

The nature of fresh produce means any issues must also be resolved quickly in order to prevent waste and loss of business. However, the larger and more complex the ecosystem of suppliers, the more potential there is for failure. According to Accenture’s Technology Vision 2019 report, seven in 10 businesses may be vulnerable to malicious attacks through their ecosystem, with just 29 percent of UK business and IT executives knowing how diligently their partners are working regarding security.

“The fresh produce sector will often manage a global supply chain – meaning that those with criminal intent have many points of vulnerability that may be tested in the pursuit of compromising sensitive systems or equipment,” explains Judge. “It also means that attackers have more places to hide: the complexity of a fast-moving supply chain is their friend. And cyber-criminals are not the only adversary: even ‘trusted’ members of the supply chain introduce cyber risk. We are as vulnerable as the weakest link in our chain.”

Future growth requires automated security

Berry Gardens’ CEO, Jacqui Green, has said she wants the company to double in size by the mid-2020s, and Judge is well aware security will become even more important as the fruit seller scales up: “Even modest growth plans would be impossible to execute without a stable network and system to work from. Doubling in size means more activities and a wider supply chain that will move faster than ever before.

“In particular, we’ll need to be able to defend against insider threats, whether malicious or accidental, where access comes from trusted systems across our network. If a key system is offline due to a security incident, the disruption in our daily activity would be challenging to deal with.”

One of Berry Gardens’ main security providers is Darktrace. The company has deployed the security vendor’s Industrial Immune System to protect its entire digital infrastructure, covering corporate IT as well as operational systems like production lines and warehousing technologies, and to help ensure the company has a way to scale its security in line with the CEO’s plans for growth.

“With AI in tow, we are ready for this reality,” says Judge. “Darktrace’s AI is capable of detecting and autonomously fighting back against the most subtle anomalous behaviours that would be difficult for human security teams alone to spot.”

Judge describes Darktrace as an extra pair of hands that can help automatically protect against threats even when his team can’t be there.

“Wherever Berry Gardens’ IT team is, as long as we have a mobile device to hand, we can let Darktrace automatically take care of any anomalies, review its actions and enable counteractions as needed. Without a tool such as Darktrace analysing every data packet across our network and modelling the typical behaviour of our devices over time, knowing what is happening moment by moment or, critically, what has just changed, is impossible.”

However, Judge sees AI-based security as an additional helper to the human teams, not a replacement: “AI can’t stop threats from getting in – cybersecurity isn’t a solvable problem. But Darktrace is fast enough to stop attacks unfolding and causing damage. What’s more, the AI takes precise action to avoid business downtime.

“This isn’t a panacea, but it does help reduce the stress of managing an always-active business that is connected throughout its supply chain.”

IoT and autonomous robots present opportunity and risk

As with many companies in the agricultural sector, Berry Gardens is looking to the internet of things and autonomous machines to help increase yields. However, new technologies can introduce risk: the default security of many IoT devices has been found to be notoriously lax, and they can introduce a significant attack vector for companies that don’t get to grips with monitoring and securing them.

Judge adds: “New technology is rarely developed with security as its core consideration, and we actively engage in R&D around new technologies because we understand the advantages they could deliver to Berry Gardens. It’s up to us to provide a secure world in which these developments can work safely, without risking our ways of working or IT standing in the way of usability. Darktrace is a product which lets us do this with more confidence and agility than other solutions would.

“The advent of IoT has already fundamentally changed the game of securing ourselves from cyber-attacks. For all their convenience and appeal, most connected devices were not created with security in mind and can provide an easy inroad to sensitive systems.”

Berry Gardens has partnered with the University of Lincoln and Norway’s Saga Robotics to trial agricultural robots and see if its ‘project RAS-Berry’ will increase harvest efficiency. However, robotic security can be even more of a mystery than IoT; a study by IOActive into the security of software used in a number of industrial and commercial robots found a wide range of security issues in most of them, including missing authorisation schemes, weak cryptography, exposed private information, weak default configurations, and vulnerable open-source frameworks and libraries.

“Automated robots are still in their infancy, so it’s hard to know whether securing them will be fundamentally different from securing IoT we are more familiar with,” says Judge. “But that’s the beauty of having a self-learning system for cyber defence; Darktrace’s AI has no rules for how to defend a particular device, so it can work anywhere and on any bit of technology. AI embedded into machinery, or being deployed as part of a software solution, doesn’t change security fundamentals. But it does change the speed at which problems can evolve and need to be responded to.”

Copyright © 2019 IDG Communications, Inc.
