• 07/28/2025
  • Article

Critical Infrastructures: Why the Packaging Industry Must Act Now!

Cyberattacks, system failures, crisis resilience: the packaging industry is coming under scrutiny from the new KRITIS and NIS2 regulations – and is ill-prepared for them. One thing is clear: anyone considered part of critical infrastructure urgently needs to rethink their security architecture.
The packaging industry is a key part of the food supply chain – but a lack of security measures makes it vulnerable to disruptions and attacks. (Source: FACHPACK/AI generated)

It is no longer a question of whether companies in the food industry need to secure their supply chains. The question is how quickly they act before negligence becomes a systemic risk.

The German government's planned KRITIS umbrella law (‘Critical Infrastructures’) and the European NIS2 Directive (Network and Information Security) are changing the rules of the game in the shadow area of production and logistics. Anyone who is considered relevant to the basic supply of the population in the future – and that ranges from packaging machine manufacturers to cleaning teams to IT service providers – will have to revamp their security architecture.

‘Many companies underestimate their relevance in the KRITIS context,’ warns Christian Heppner, an expert in strategic security management at the consulting firm SecCon Group. He adds: ‘They can be misused as easy targets to paralyse larger structures.’

The packaging industry is apparently ill-prepared. Enquiries to leading companies came to nothing. The VDMA Food and Packaging Machinery Association referred to the autumn. A spokesperson for another association, who wishes to remain anonymous, draws a sobering conclusion: ‘Despite the permanence of crises, the food supply chain is not well prepared for even more existential crises. We cannot afford to wait any longer. We must finally take action!’

Dangerous Gaps in the System

The food industry is considered to be strictly regulated: hygiene, quality management, traceability – everything is documented without exception. However, when it comes to security, especially IT infrastructure, cyber defence and emergency plans, there is a dangerous gap. And this can become a threat – not only for individual companies, but for the supply situation as a whole.

KRITIS has long since affected more than just electricity or water. ‘Packaging is one of the processes directly involved in the food supply,’ explains Heppner. This means that packaging manufacturers, machine builders and software suppliers are now the focus of the new security requirements. In future, they will have to prove that they meet the increased requirements – for example, through access controls, alternative supply chains, risk analyses and predictive maintenance concepts.

‘If a packaging machine manufacturer fails or its systems are compromised, an entire filling line can quickly come to a standstill,’ warns Heppner. Companies along the value chain must therefore implement appropriate security measures – not only out of regulatory obligation, but also in their own operational interest. In future, only those who can prove their resilience will be considered in tenders.

 

Small Businesses at their Limits

The regulation affects the industry unevenly. Large corporations have long been investing in security architectures, but many small and medium-sized enterprises are lagging behind. Although awareness of the problem has increased, according to Heppner, ‘there is often a lack of resources or expertise for implementation.’

Another explosive issue is that the new legislation also places obligations on management. For the first time, security breaches that lead to outages or attacks can have personal consequences. The KRITIS umbrella law thus tightens responsibility – a fact that many small and medium-sized enterprises were previously unaware of.

Security Becomes a Contractual Condition

What used to be a matter of trust is now becoming a contractual basis: maintenance, cyber protection and reliability are now part of binding tender conditions. ‘Reliability along the supply chain is becoming a strategic success factor,’ says Heppner. This applies not only to suppliers in the narrower sense, but also to service providers such as cleaning companies or IT support. The view of security must become broader.

Networked systems in particular require access protection, patch management and transparent emergency concepts. Resilience is becoming measurable – and decisive for economic partnerships.

More than Technology – A Cultural Change is Needed

The technical side is only part of the problem. A cultural shift in thinking is much more crucial. In some companies, security measures are still perceived as bureaucratic red tape – a dangerous misconception. ‘There is a big gap between regulatory requirements and operational reality,’ says Heppner. ‘But it can be bridged with simple, scalable measures – if you finally get started.’
These include:

  • Raising employee awareness
  • Basic protection of the network infrastructure
  • Classic risk management
  • Regular audits and emergency drills

The state provides the framework with KRITIS and NIS2 – but implementation remains the responsibility of companies. And anyone who thinks that a certificate in the filing cabinet is enough is mistaken: from now on, resilience is not a state but a continuous process.

The New Seriousness

Kim Cheng, Managing Director of the Federation of German Food and Drink Industries (BVE) and former head of the German Packaging Institute (DVI), sums it up: ‘Supply chain security is being regulated in a new and more in-depth way.’ In future, companies will have to prove that their entire supply chain meets security and resilience requirements. A single weak service provider can lead to exclusion. The wake-up call is clear – whether it will be heard is another question. One thing is certain: in a world of growing hybrid threats – from cyberattacks to physical attacks – the food industry cannot afford any security breaches. That is why the packaging industry is also under increased scrutiny.

Christian Heppner puts it this way: ‘Security is no longer optional, it is mandatory. And those who ignore this obligation endanger more than just their own company – they endanger the supply of food to the population.’ Politicians and business leaders alike are called upon to act: nothing less than the resilience of our supply systems is at stake.


Guest article by Matthias Mahr