In Part 2 of this series,¹ we explored how cognitive security challenges are shaping the landscape of food safety. From deliberate disinformation campaigns to deceptive cyber tactics targeting supply chains, we examined how attackers exploit human psychology and digital weaknesses to create disruption. These threats are not just theoretical; they have real-world implications for government institutions, consumer trust, business continuity, and public health. As food systems continue to intertwine with digital technologies, understanding and mitigating cognitive risks has become more crucial than ever.

In this third installment, we turn our attention to how business cybersecurity, spanning both Information Technology (IT) and Operational Technology (OT), intersects with cognitive security. For food companies, IT encompasses everything from customer data systems to communication networks, while OT controls the physical processes, like food production lines and distribution mechanisms. Cyber threats targeting either domain can trigger cognitive vulnerabilities—causing misinformation, misjudgment, and panic—if not carefully managed.

Cognitive security refers to the protection of human decision-making and perception from manipulation by malicious actors. In the context of food safety, it presents a unique challenge because attackers do not merely exploit digital weaknesses; they target the very minds of people involved in the food supply chain.

Whether through spreading false information, crafting deceptive social engineering attacks, or manipulating public perception, cognitive threats have the power to destabilize operations and erode trust. The consequences can range from consumer fear and confusion to significant business disruptions.

This article dives into specific threats that impact both IT and OT in the food sector, illustrating how they can combine to amplify cognitive security risks. The authors will highlight case histories where digital attacks influenced business operations and public perception, and also explore strategies to mitigate these evolving risks.

Business Cybersecurity in Food Safety

Business cybersecurity plays an important role in safeguarding the integrity of the nation's food systems. At its core, business cybersecurity involves protecting both IT and OT systems that support food operations. IT systems manage a range of essential tasks, from handling customer orders and inventory management to communication within and outside of the company. OT systems, on the other hand, oversee the physical processes involved in food production, such as temperature controls in food processing plants or automated machinery on production lines. Together, IT and OT form the backbone of modern food operations, and their security is critical to ensuring safe and reliable food supply chains.

When cyber threats target IT systems, food companies may face disruptions to their day-to-day business functions. Hackers could steal sensitive customer data, disrupt communication networks, or launch ransomware attacks that bring operations to a grinding halt. Even a simple breach in IT security can have far-reaching consequences, causing businesses to lose customer trust, face regulatory penalties, and, in severe cases, suffer financial ruin.

While IT threats are concerning, the risks to OT systems can have more immediate and potentially dangerous impacts. Cyberattacks on OT systems can disrupt production processes, alter product quality, or even lead to food contamination if safety measures are compromised. For example, a malicious actor gaining control of temperature controls in a food plant could alter a kill step (such as cooking, pasteurization, freezing, etc.), posing a serious health risk to consumers. The convergence of IT and OT systems in the food sector means that a breach in one area can quickly spill over into the other, creating a cascade of potential threats to safety and security.

The interconnected nature of IT and OT systems in food businesses reveals just how deeply cybersecurity threats can impact food safety operations. As these systems grow more complex and integral to production processes, attackers are finding new ways to exploit weaknesses—not only in technology, but also in human perception and decision-making.

This leads to the critical issue of cognitive security, where the focus shifts to protecting the minds and trust of those involved in the food supply chain. By understanding these cognitive challenges, businesses can better prepare for the sophisticated tactics that seek to manipulate and destabilize their operations.

Cognitive Security Challenges for OT Systems

Cognitive security threats linked to Operational Technology present unique challenges due to the physical, real-world implications of compromised systems. Unlike purely digital threats, disruptions to OT systems can have immediate and tangible consequences on food safety and production.

Attackers who manipulate automated controls, for example, may introduce subtle, undetected changes that affect product quality and safety standards. These can range from altering ingredient ratios to tampering with storage conditions, leading to products of poor taste quality on one hand, or worse to products that fail safety regulations and pose potential health risks to consumers.

When OT systems are targeted, the threats to cognitive security become even more complex. An attacker gaining unauthorized access to OT systems might alter production parameters, introduce deliberate errors, or trigger unexpected shutdowns. Such incidents can create widespread anxiety and distrust among employees and management, especially if the changes have gone unnoticed for extended periods of time.

The manipulation of OT systems not only threatens food safety, but also undermines confidence in automated processes, making employees hesitant to rely on technology that is critical to their work. This hesitancy, combined with heightened vigilance, can strain resources and reduce overall operational efficiency.

The complexity of OT environments and assumptions about human nature (e.g., why would anyone target a food production system?) also means that many systems were not originally designed with cybersecurity in mind. Legacy systems often lack the sophisticated protections found in modern IT networks, making them more vulnerable to exploitation. Attackers may target these older systems precisely because they are difficult to patch or upgrade without significant cost and downtime.

Cognitive attacks could convince operators there is no problem when in fact there is, or conversely, convince them there is a problem when there is none. Errors, even if detected, increase cost and reduce profitability.

As a result, food companies must adopt tailored strategies to secure legacy OT systems, such as network segmentation, strict access controls, and continuous monitoring for anomalies. Balancing the need for security with the operational constraints of these systems is a delicate task, but one that is essential to threat mitigation.

Additionally, the growing trend of integrating OT systems with Internet of Things (IoT) devices brings new dimensions to security risks. IoT sensors and connected devices can provide valuable data and improve operational efficiency, but they also create potential points of vulnerability. If compromised, IoT devices can serve as entry points for attackers to influence OT operations or spread false data, leading to poor decision-making and further exacerbating the cognitive security aspects of risk. To address this, companies must ensure that IoT devices are secured at every stage of their lifecycle, from procurement to decommissioning, and integrate their security management into the broader OT strategy.

“In recent years, online rumors and false narratives have been used to tarnish the reputation of food products, create panic about supply chain shortages, or spread fear regarding product safety.”

Business Cybersecurity Threats Impacting Cognitive Security

When an organization's IT systems are compromised, attackers often seek to manipulate data, disrupt services, or steal sensitive information. Such breaches can have far-reaching effects on decision-making processes. For example, a ransomware attack that locks employees out of critical systems can create confusion, fear, and rushed decision-making under pressure. This type of cognitive stress weakens the organization's ability to respond effectively, leaving it vulnerable to further exploitation or operational mistakes.

Phishing attacks remain one of the most pervasive threats to business cybersecurity and have a direct impact on cognitive security. By crafting convincing emails or messages that appear legitimate, attackers aim to trick employees into clicking malicious links or disclosing sensitive information. Once a phishing attempt succeeds, the resulting breach can extend beyond data theft, affecting employees' trust in digital communications and sowing doubt within the organization. This erosion of confidence can lead to decreased productivity, heightened stress, and even reluctance to engage with essential business systems, all of which compromise the integrity of decision-making processes.

Misinformation and disinformation represent another significant cognitive security threat to food safety. In recent years, online rumors and false narratives have been used to tarnish the reputation of food products, create panic about supply chain shortages, or spread fear regarding product safety. Such campaigns can quickly spiral out of control on social media, damaging brand reputation and influencing consumer behavior. This threat is particularly troubling because it can be difficult to combat, especially when misinformation spreads faster than facts.

Much of social media exists in what may be called a "post-fact environment," where opinion and rumor that fit a particular user's worldview are preferentially held, even when presented with opposing facts. Food companies must be prepared with rapid response plans, proactive communication strategies, and robust monitoring systems to mitigate social media risks. Mitigating the challenges of misinformation is difficult, but when the spread is deliberately engineered (as is the case with disinformation), the dilemma can be daunting.

Compromising a supplier's IT or OT infrastructure can introduce vulnerabilities across the entire food production network. For example, a tainted ingredient arriving from a compromised supplier may cause a ripple effect, sparking fear and doubt throughout the supply chain. Investigating and remediating such issues requires significant time and effort, and the uncertainty surrounding the source of the attack can lead to poor decision-making or even delays in addressing genuine food safety concerns.

One of the key components here is communicating clearly with the consumer and with other industry stakeholders. Company leaders must engage in thoughtful, responsive, and well-constructed strategic communications to mitigate the risk. This effect is akin to a run on a bank. The bank may be solvent, but the panic caused by rumor (misinformation) can be devastating. Similar cognitive effects can certainly happen in the food industry.

Case Study 1: The Meatpacking Ransomware Attack

In May 2021, JBS S.A., the world's largest meat processing company, experienced a significant ransomware attack that disrupted its operations across multiple countries. The cyberattack forced the temporary shutdown of JBS production facilities in the U.S., Canada, and Australia, leading to concerns about potential meat shortages and highlighting vulnerabilities in the food supply chain.²

The attackers, identified as the REvil ransomware group, initially targeted the company's IT network, encrypting critical files and demanding a ransom for their release. As a result, production lines that relied on interconnected IT and OT systems were brought to a halt. The attack had a cascading effect on the food supply chain, leading to delayed shipments, potential spoilage of perishable goods, and financial losses for farmers, suppliers, and retailers.

The cognitive impact of the attack extended beyond the immediate operational disruption. Employees and stakeholders were thrust into crisis mode, making critical decisions under duress. Media coverage of the incident fueled public concern about potential meat shortages, further straining the company's ability to manage the crisis. In the aftermath, the company faced scrutiny over its cybersecurity practices and had to invest heavily in training, threat detection, and response capabilities to restore confidence in its systems.

Case Study 2: The Dairy Plant Sabotage

In October 2021, Schreiber Foods, a major dairy processor headquartered in Green Bay, Wisconsin, experienced a cyberattack that disrupted its operations. The attack affected the company's ability to receive raw milk and other materials, leading to the temporary shutdown of all of its plants and distribution centers.³

The attackers, believed to have gained access through a compromised supplier's network, manipulated temperature controls in storage facilities. This resulted in the spoilage of significant quantities of dairy products before the issue was detected. The attack not only led to considerable financial losses but also raised serious questions about product safety, causing the plant to recall potentially compromised goods and undergo extensive inspections.

The cognitive security impact was significant. Employees, fearful of further sabotage, became wary of automated controls and began relying heavily on manual monitoring, slowing down production and increasing operational costs. Public trust in the plant's products was temporarily shaken, leading to a dip in sales despite efforts to reassure consumers through transparency and rigorous testing.

“To counter cyber and cognitive security threats effectively, organizations must prioritize proactive risk management that bridges the gap between technology, people, and processes.”

Strengthening Resilience Against Combined Cybersecurity Threats

The interconnected nature of IT, OT, and cognitive security threats underscores the urgent need for food businesses to adopt a comprehensive approach to security—one that includes cyber and cognitive security. As demonstrated by past incidents, the ripple effects of a cyberattack can be profound, impacting operations, eroding employee confidence, and undermining public trust. To counter these threats effectively, organizations must prioritize proactive risk management that bridges the gap between technology, people, and processes.

One critical aspect of strengthening resilience is enhancing training and awareness programs for employees at all levels, and then exercising (practicing) those skills. Active, experiential learning is much more effective when it comes to retention of knowledge and putting that knowledge into practice. People remain the first line of defense against cyber threats, and attackers often exploit human vulnerabilities through social engineering and manipulation tactics. By equipping employees with the skills to recognize and respond to phishing attempts, disinformation, and other cognitive threats, food companies can reduce the likelihood of successful attacks. As mentioned previously, incorporating regular simulations and crisis drills are a critical component of a comprehensive program, and can help reinforce these lessons and ensure a rapid, coordinated response in the event of a breach.

Protecting OT systems presents its own set of challenges, given their unique role in controlling physical processes. Securing these systems requires a tailored strategy that encompasses both traditional cybersecurity measures, such as network segmentation and access controls, and advanced monitoring tools that detect anomalies in real time. Furthermore, food businesses must develop contingency plans to isolate and mitigate attacks quickly, ensuring that the impact on operations and public trust is minimized.

Collaboration within the food industry and beyond is another essential component of building resilience. Cyber threats often extend across supply chains, and no single entity can tackle these risks in isolation. By sharing threat intelligence, best practices, and response protocols, businesses, industry groups, and regulatory bodies can collectively strengthen their defenses. Public-private partnerships and Information Sharing and Analysis Centers (ISACs) can also play a central role in creating a unified front against malicious actors.

In addressing the combined challenges posed by IT, OT, and cognitive security threats, food companies must recognize that cybersecurity is not a one-time effort, but rather a continuous journey. As attackers evolve their tactics, the defenses put in place to protect critical operations and maintain public confidence must also evolve. By adopting a holistic approach that integrates technological safeguards, employee training, and collaborative initiatives, the food industry can better prepare for the complex and ever-changing landscape of cyber threats. The stakes are too high to ignore, and the time to act is now.

References

1. Gerstein, D.M., R.A. Norton, C.A. Young, M. Sachs, and A. Whiskeyman. "Cognitive Security, a Growing Concern for Food Safety: Part 2." Food Safety Magazine December 2024/January 2025. https://www.food-safety.com/articles/9994-cognitive-security-a-growing-concern-for-food-safety-part-2.
2. Durbin, D.-A. and F. Bajak. "Largest meat producer getting back online after cyberattack." AP News. June 2, 2021. https://apnews.com/article/jbs-sa-lifestyle-health-coronavirus-pandemic-technology-bf82114d3f54e5be2241bd5f9a0b2639.
3. Kirwan, H. "Disruptions at Wisconsin dairy processor highlight food and ag industry’s vulnerability to cyber attacks." October 29, 2021. Wisconsin Public Radio. https://www.wpr.org/agriculture/disruptions-wisconsin-dairy-processor-highlight-food-and-ag-industrys-vulnerability-cyber-attacks.