Article by Kristian Orispää

By conducting a risk assessment, you can detect existing problems, locate potential issues and review existing controls. When it comes to assessing IT risk, conducting a factory risk assessment will help you understand what improvements need to be made to bring IT systems up to standard. When preparing for digital risks and cyber-attacks, it is vital to understand that the factories you work with or are leasing, or plan to purchase, must meet security requirements as well as maintain quality and reliability of production. For companies working in the food industry, this is highly important for survival.

Understanding the risks

Danish Crown Group, a food processing company and the leading meat producer in Europe, has experienced an increase in malware attacks and other security-related incidents. Like most companies in the food and beverage industry, it places IT security high on the corporate agenda.

As Lars Sleimann, Senior Manager, Factory Solutions with Global IT at Danish Crown, explains, “It is important to minimise the risks on our IT infrastructure in administration and production. Today, cyber criminals are chasing big corporations. Cybercrime is no longer just geeks causing trouble from their bedrooms; this has become a professional 600 billion USD business, with service centres and hackers for hire.”

To mitigate cyber-attacks on its operations, Global IT at Danish Crown puts a strong focus on protecting the business. Lars Sleimann explains that, “In an enterprise context, hackers are chasing a company’s core values, its intellectual property, production control systems or client data, basically the type of information that will increase the likelihood of a ransom payment, when the alternative is to no longer be in business.”


Building a safety net

At Danish Crown, IT security consists of two areas. First, technical measures, dedicated to the protection of users, software and hardware. Second, the behaviour and awareness of employees, and the efforts to increase IT security awareness.

“There are many basic requirements to creating a safe IT landscape, or at least an environment that is as safe as possible. Using MFA (Multi-factor Authentication) and complex passwords to protect identity, for example, and managing permissions and access to systems based on needs only. Just as importantly, employees need to be aware of digital risks and exercise caution. You also need to focus on employee behaviour, to use common sense, so they apply simple rules. One example would be to avoid using the same password across multiple apps and services.”

Up to code

Factory IT assessment places a high focus on a stable and secure production environment with high availability. It evaluates the server rooms, the server platform and the VLAN segmentation for production and administration, all of which must be secured and stable. Similarly, the disaster recovery plan and industrial security are integral parts of factory IT.

By conducting an IT assessment, you can ensure that the required standards and best practices for production and automation IT are in place at each production facility.

To measure the level of IT security, Global IT at Danish Crown utilises the same standards as similar companies, specifically ISO 27002:2013 (IT Security) and IEC 62443 (Industrial Security).

All new factories in Danish Crown Group are measured as one of the first IT initiatives, so that decisions are made on an informed basis. Existing factories are then measured regularly to follow up on the agreed activities, monitor progress and make sure targets are met.

Factory IT Assessment

Figure: the Factory IT Assessment process in three phases. Phase 1 - Assessment (orange, left), Phase 2 - Reporting (green, middle), Phase 3 - Site Level Agreement (blue, right).

Phase 1 - Assessment

In the first phase, data on the existing systems is collected and analysed. An onsite assessment of the physical and environmental security is completed, including the production and server rooms, for example. Next, the Service Level Agreement is evaluated to ensure that all IT systems meet the business requirements for availability. Finally, an IT Security Assessment is completed to review the relevant IT/OT security controls based on ISO27002, CIS20 and IEC62443.

Phase 2 - Reporting

Findings, conclusions and recommendations for improvement, including any future CAPEX investments, are then collected and evaluated in Phase 2. In this stage, the average score from the IT Security Assessment across all factories is summarised for benchmarking and reporting.

Phase 3 - Site Level Agreement

In the final stage of the Factory IT assessment, the report is presented to the factory and relevant stakeholders. Here, all IT Service Management approved activities will be registered and assigned. A Site Level Agreement between the factory and the Global IT Factory Solutions team for the services provided is also presented.

The working relationship and areas of responsibility are defined and agreed upon in the Operational Level Agreement and any approved CAPEX investment will be applied for through due process. Finally, follow-up procedures are agreed upon to ensure successful implementation of the findings and conclusions of the assessment.


Getting to the next level

At Danish Crown, the processes are constantly evolving. As Lars Sleimann concludes, “From the technology perspective we need to be on top of our game, standard systems, with a high level of IT security, to ensure business continuity. Also, as in any company, IT must have a place at the board room level. This helps to ensure funding is in place as well as streamline decision-making for business-critical IT.”

“Awareness is also key, employees need training and tools in order to understand and help protect the business from the risks involved during their daily work. In many ways these components are on the next level, as we must also focus on people and the business itself, not just hardware, to mitigate digital risks and cyber threats.”