Got milk? Got cybersecurity risks! Unraveling ransomware threats in the German dairy industry

Eduard Anton, Helena Aptyka, Frank Teuteberg

Organizational Cybersecurity Journal: Practice, Process and People

ISSN: 2635-0270

Open Access. Article publication date: 30 October 2024

Issue publication date: 12 November 2024

Downloads

448

pdf (8.2 MB)

Abstract

Purpose

This study aims to explore the vulnerabilities of the dairy industry to ransomware threats, focusing particularly on the upstream supply chain and applying routine activity theory (RAT) to understand the evolving dynamics of cybercrime in critical infrastructure sectors.

Design/methodology/approach

Utilizing expert interviews and network analysis, this research investigates the exploitation of complex supply chain vulnerabilities by motivated offenders. It delves into the intricate interplay between digital threats and physical supply continuity.

Findings

The study uncovers that ransomware threats transcend digital boundaries, manifesting in disruptions to physical operations and presenting significant risks to food security. It underscores the threat posed by the convergence of information technology (IT) and operational technology (OT), emphasizing the urgent need for heightened awareness and robust defenses against this substantial menace.

Practical implications

Addressing cyber vulnerabilities in critical sectors like dairy ensures not only the security of operations but also safeguards broader societal interests such as food security. Collaboration and proactive measures are essential to mitigate potential social and economic disruptions caused by cyber incidents.

Originality/value

This research fills a knowledge gap by shedding light on the nexus between cyber threats and supply chain resilience. It emphasizes the need for industries to adapt traditional defense mechanisms in the face of sophisticated digital adversaries.

Keywords

Citation

Anton, E., Aptyka, H. and Teuteberg, F. (2024), "Got milk? Got cybersecurity risks! Unraveling ransomware threats in the German dairy industry", Organizational Cybersecurity Journal: Practice, Process and People, Vol. 4 No. 2, pp. 105-130. https://doi.org/10.1108/OCJ-02-2024-0006

Publisher

:

Emerald Publishing Limited

License

Published in Organizational Cybersecurity Journal: Practice, Process and People. Published by Emerald Publishing Limited. This article is published under the Creative Commons Attribution (CC BY 4.0) license. Anyone may reproduce, distribute, translate and create derivative works of this article (for both commercial and non-commercial purposes), subject to full attribution to the original publication and authors. The full terms of this license may be seen at http://creativecommons.org/licences/by/4.0/legalcode

1. Introduction

Owing to its important role in societal functions, nations such as Germany recognize the food sector as Critical Infrastructure [1]. This sector provides a spectrum of services, from food supply and production to processing and trade (Menrad, 2004). Like other Critical Infrastructure sectors, the food industry is increasingly targeted by cybercriminals, given that disruptions in major production or processing plants can significantly impact supply chains, erode customer trust, jeopardize food security, and hence, make it an appealing target for extortion attempts (Duncan et al., 2021; Microsoft, 2022). In recent years, the food industry has been impacted by a modern form of extortion—ransomware. Prominent companies such as JBS S.A., KP Snacks, and Dole plc faced operational disruptions due to cyber attacks of this nature. Ransomware is a type of malware that blocks access to data and systems and demands payment of a ransom to release the resources. The data is often encrypted using cryptographic methods to increase the pressure on the victim to pay the ransom. In some cases, cybercriminals may exfiltrate the data and threaten to release it if the ransom is not paid, further intensifying the extortion process (Zscaler, 2023). Recent statistics indicate that the frequency and quality of such attacks have increased drastically (Federal Criminal Police Office, 2022; Microsoft, 2022), making ransomware a severe threat to the food industry (Duncan et al., 2021; Jarjoui et al., 2021).

Ransomware attacks directed towards organizations operating in the food industry have repercussions that extend beyond the attacked targets due to their involvement within a complex networked system consisting of intra- and inter-organizational relationships and interdependencies (Duncan et al., 2021; Dupont, 2019). The food industry operates within a supply chain that spans from production to processing, trade, and logistics, with interfaces to agriculture, fisheries, packaging industry, as well as the recycling and waste management industry (Schrode et al., 2019). Given this complex network, ransomware attacks have the capacity to considerably impact both upstream and downstream businesses, potentially disrupting food supply chains and jeopardizing food security. For example, ransomware attacks on major dairy companies such as H.P. Hood Dairy have led to supply disruptions affecting school districts in New England in the year 2022, as this dairy is one of the largest producers of eight-ounce milk cartons used in schools (Mayblum, 2022). Conversely, the effects of such attacks can propagate upstream in the supply chain. The Schreiber Foods incident in 2021 exemplifies this, causing a backlog of milk at the targeted facilities and consequently leading to the distribution of “crisis milk” in the market. This situation resulted in financial repercussions for the dairy and dairy farmers (Shepel, 2021).

These instances in the dairy industry underscore that the implications and extortion potential of ransomware attacks are not confined to information technology within the organization’s immediate boundaries but also permeate the physical supply chain. Systemic disruptions, where one supply chain segment incurs negative consequences for another segment (e.g. delivery delays), are not unusual. Typically, these issues can be mitigated by drawing on inventory reserves or alternative sourcing strategies (Colon and Hochrainer-Stigler, 2023). However, the unique characteristics of the food sector make such mitigation strategies more challenging, particularly due to two factors: (1) perishable goods necessitate a “first-in, first-out” operational principle, limiting the extent of inventory holdings, and (2) in sectors such as dairy, the legal structure is distinct. Farmers, particularly in Europe, are frequently members of cooperative dairies, with contractual obligations to deliver their raw milk to the cooperative. These cooperatives aim to maximize milk prices, complicating the dynamics of supply and demand during crises (European Milk Board, 2012). Therefore, the potential for extortion is intricately intertwined with the unique supply chain dynamics of the industry.

Within the scope of information systems (IS) research, criminological frameworks, such as the Routine Activity Theory (RAT), can offer insights into the dynamics of cybercrime (Dori et al., 2023). According to RAT, the confluence of a motivated offender, a vulnerable target, and either a lack or ineffectiveness of guardianship precipitates a crime (Grabosky, 2001). While monetary benefit primarily drives ransomware attacks, they can also serve political agendas. Research suggests that attacks motivated by financial incentives often employ a systematic decision-making process focused on exploiting weak guardianship and gauging the attractiveness of a target (Cremonini and Nizovtsev, 2009). Guardianship is crucial in preventing cybercrime by deterring offenders through an increased perceived risk of detection and failure. Effective guardianship extends across industries and involves implementing both technological and organizational measures. These measures include deploying advanced cybersecurity software, training employees, establishing robust incident response protocols, and collaborating with law enforcement agencies (Leukfeldt and Yar, 2016; Reynald, 2018). On the guardianship front, IS research on ransomware largely pivots on understanding attack vectors, innovating technological countermeasures, and crafting both managerial and mitigation strategies (Bekkers et al., 2023; Cremonini and Nizovtsev, 2009; Gerlach et al., 2022; Martens et al., 2019; Masuch et al., 2021; Siregar and Chang, 2022; Straubert et al., 2021; Wang et al., 2015; Wolden et al., 2015). This body of work prioritizes forward-thinking risk management and proactive cybersecurity measures. On the other hand, a subset of academic contributions highlights the imperative of fortifying cyber resilience across supply chains (Fertier et al., 2021; Hua et al., 2018; Syrmakesis et al., 2022; Vishwanath et al., 2020) and accentuates the merits of synchronized IT investment endeavors (Gaudenzi and Siciliano, 2017; Nganje et al., 2008; Simon and Omar, 2020). Yet, while there is significant emphasis on shielding the food sector (Agarwal et al., 2022; Latino and Menegoli, 2022; van der Linden et al., 2020), focused investigations that spotlight its susceptibility to ransomware threats remain sparse. The vulnerabilities of the food system have previously centered more around repercussions from events like the Corona pandemic (Béné, 2020; Swinnen and McDermott, 2020) or adaptations to climate change (Fujimori et al., 2019; Presse et al., 2011).

Driven by the principles of the RAT, which spotlight the interplay between motivated culprits, exposed sectors, and inadequate defenses, we spot a significant research gap. Even as copious literature investigates individual entities’ defense mechanisms or broader supply chain measures, the nuanced vulnerabilities of sectors like the food industry that make the food industry an appealing target often remain underexplored. Echoing the need for empirical studies in the cybersecurity area highlighted by Hui et al. (2017), our investigation seeks to pinpoint primary vulnerabilities in the food sector that amplify ransomware’s extortion potential. We have chosen to concentrate our empirical examination on the upstream supply chain intricacies of the German dairy sector. As the European Union’s premier milk producer, contributing €11.25 billion to the economy in 2021, understanding vulnerabilities in this sector is pivotal. The German dairy sector represents significant economic value and plays a crucial role in the European food supply chain (Federal Ministry of Food and Agriculture, 2023). The upstream supply chain is particularly crucial because it involves the initial stages of production and sourcing of raw materials, where disruptions can quickly propagate downstream, affecting processing, distribution, and ultimately consumers. In the dairy sector, upstream vulnerabilities can cause significant disruptions due to the perishability of products and the just-in-time nature of delivery systems. Interruptions at this stage can lead to cascading effects, resulting in shortages and increased prices downstream. Understanding these vulnerabilities is essential for enhancing resilience across the entire supply chain. By focusing on the upstream elements, our study aims to uncover potential weaknesses that could have widespread economic and societal impacts. The core research questions are:

RQ1.

What specific factors accentuate the vulnerability of the dairy industry to ransomware attacks?

RQ2.

How do the identified vulnerabilities shape the intrinsic ransomware extortion risks within the upstream supply chain?

To dissect RQ1, we convened 15 expert discussions, encompassing dairy farmers, key industry players, and cybersecurity professionals, to uncover the sector’s unique pressure points. Addressing RQ2, we conducted a network analysis of the German dairy sector, leveraging the vulnerabilities unearthed in RQ1 to illustrate their potential extortion leverage. Consequently, our endeavor spotlights pressing vulnerabilities and crafts a roadmap for stakeholders, advocating individualized and broader structural cybersecurity enhancements.

By doing so, this research contributes to a comprehensive understanding of the vulnerabilities faced by the dairy industry with respect to ransomware threats, especially focusing on its intricate upstream supply chain dynamics in the evolving cybercrime landscape. We offer a renewed perspective on the interplay between motivated culprits, potential targets, and the state of guardianship in settings where digital intersections profoundly impact the physical world. By integrating insights from expert discussions and network analysis, our study underscores the need for a shift from reactive strategies to a proactive, resilience-centric approach, prioritizing both digital security and the unyielding continuity of physical operations in the dairy sector.

2. Theoretical background

2.1 Ransomware

Malware encompasses a wide spectrum of malicious software, including viruses, worms, trojans, rootkits, and scareware (Dreißigacker et al., 2020). Ransomware is a distinct subset of malware, engineered specifically to encrypt and/or exfiltrate data, subsequently demanding a ransom for its restitution (Federal Ministry of the Interior and Community, 2021). Encryption in ransomware often employs cryptographic techniques, intensifying the urgency of the ransom demand. During this process, criminals typically exfiltrate the data, threatening to release it publicly. This dual strategy of encryption and data exfiltration is commonly termed “double extortion” (Zscaler, 2023). According to a survey by Bitkom, ransomware is the most dreaded form of attack for businesses in industrialized countries like Germany (Berg, 2022). Criminal organizations or individuals view it as a lucrative venture, as businesses often find it more economical to pay the ransom than face the ramifications of operational downtime or data exposure (Federal Office for Information Security, 2021). High-revenue organizations tend to face higher ransom demands, ranging from hundreds of thousands to millions of dollars. Additionally, companies must grapple with the aftermath of recovery costs, which averaged $1.82 million in 2023 (Sophos, 2023). Furthermore, the ransomware business model has evolved into a Ransomware-as-a-Service (RaaS) model. Here, malicious software and services such as data exfiltration are provided to other groups or individuals for a fee, who then conduct the attacks. This expands the pool of entities capable of such malicious activities (Microsoft, 2022). Ransoms are primarily demanded via hard-to-trace payment methods, like cryptocurrencies, with no guarantee of data/system release upon payment (Dreißigacker et al., 2020). Notable ransomware strains include Wannacry and Petya, which were particularly rampant in 2016 and 2017 (Bundesamt für Sicherheit in der Informationstechnik, 2021).

Recent studies have enhanced our understanding of ransomware’s complexity and impact. Oz et al. (2022) provide a detailed examination of the evolution and categorization of ransomware, illustrating its transformation into a sophisticated threat that now targets diverse platforms, including personal computers, mobile devices, and IoT/CPS environments. They underscore the necessity for tailored defense strategies to effectively combat ransomware on these varied platforms, emphasizing the importance of understanding the specific characteristics and vulnerabilities associated with each. In addition, Beaman et al. (2021) highlight advancements in ransomware detection and prevention, emphasizing the importance of leveraging machine learning and artificial intelligence to develop more robust detection techniques. Their research also points out the critical role of socio-technical factors, advocating for a comprehensive defense approach that includes both technological and human-centric strategies, such as employee training and organizational preparedness.

Building on these insights, there is a need for research focused on developing industry-specific countermeasures that account for the operational realities and data management practices unique to each sector (Beaman et al., 2021; MacColl et al., 2024; Reshmi, 2021). Additionally, increasing awareness among industry stakeholders about the specific risks and potential impacts of ransomware is essential for mitigating vulnerabilities. Educational initiatives and training programs tailored to the needs of various sectors could enhance preparedness against ransomware attacks (Beaman et al., 2021; Reshmi, 2021). This study aims to contribute to these areas by examining the dairy industry’s specific context and the associated risks, ultimately providing insights for developing tailored mitigation strategies and enhancing sector-specific awareness and preparedness.

2.2 Cyber vulnerabilities in the German dairy industry

The German dairy sector epitomizes a lucrative target, given its economic significance. As the EU’s foremost milk producer, Germany yields approximately 32 million tonnes of milk annually (as of 2021 data, Eurostat, 2022a, b). In 2021, the dairy industry’s production value reached €11.25 billion, accounting for 43.26% of animal production and 18.95% of the agricultural sector. Dairy stands as the largest contributor to Germany’s agricultural production value, followed by pork in the animal sector and grains in the plant sector (Federal Ministry of Food and Agriculture, 2023). Contributed by over 54,000 milk producers in Germany, this sector holds significant employment importance (Federal Statistical Office of Germany, 2023). In 2021, the dairy processing industry (excluding ice cream) achieved a turnover of €29.99 billion, making up 16.1% of the total turnover of the food industry. Thus, following meat and meat products, dairy holds the second-largest revenue stream in the food industry (Minhoff, 2022). Further, the German dairy industry’s cooperative structure is robust, encompassing various sizes, with an impressive 70% of dairies functioning as cooperatives (Association of the German Dairy Industry, 2023). Such a deep-rooted cooperative system may be exploited by cybercriminals, capitalizing on legal interdependencies for leverage.

Compounding the issue is the dairy sector’s makeup of small and medium-sized enterprises (SMEs), representing about 90% of entities (Federation of German Food and Drink Industries, 2022). These SMEs, often bereft of the necessary resources and expertise for robust IT security, can become softer targets (Sukumar et al., 2023). Corroborating this, extortion studies related to mafia activities reveal that smaller enterprises are more susceptible to extortion tactics (Balletta and Lavezzi, 2023).

Drawing upon the RAT from criminology, cybercriminals—including ransomware syndicates—evaluate potential targets based on value, inertia, visibility, and accessibility. “Value” signifies the perceived reward of a successful breach. Industries that contribute significantly to the economy or hold confidential data are prime targets. “Inertia” is the inherent defense mechanisms a target has against cyber threats, while “visibility” and “accessibility” represent how easy it is for criminals to spot and access potential targets (Holt et al., 2020). Consequently, entities with high value, visibility, and accessibility but weak inertia become lucrative targets. According to a study conducted by Sophos (2023), exploited vulnerabilities serve as the primary entry vector for ransomware attacks. Within the food processing sector, vulnerabilities—whether of a technical or organizational nature—pose grave risks. Tampering with machinery can result in contamination, misprocessing, or a decline in product quality. Furthermore, these vulnerabilities may lead to critical operational disruptions or even total shutdowns. Operational consistency is especially crucial for perishable goods like milk, given the “first in, first out” principle governing their processing. Prolonged outages might lead to spoilage, delivery setbacks, or market shortages, with the impacts varying based on the outage’s duration and possible contingencies. Such disruptions can have a domino effect, hindering farmers from supplying milk to their cooperatives and affecting the broader value chain. Notably, some regulations, as delineated by cooperative dairies, exempt dairies from the responsibility of milk acceptance or compensation during disruptions outside their control, such as force majeure events or strikes. It remains ambiguous, however, if cyberattacks fall under this exemption (Meierei-Genossenschaft Gudow-Schwarzenbek eG, 2023). This lack of clarity poses added financial and logistical dilemmas for dairy farmers.

Amid rapid digital transformation and an increasing prevalence of cyberattacks on pivotal infrastructures (Berg, 2022), the threat of sweeping disruptions is palpable. In response, Germany’s BSI-KRITIS Regulation prescribes stringent security measures for food sector facilities deemed as Critical Infrastructure. This includes sites, machinery, and key IT services pivotal to the food production-to-marketing spectrum (depending on the volume associated with the production, treatment, distribution, control, monitoring, ordering, and sale of milk and dairy products) [2]. Systems vital for product planning, control, distribution—such as fleet management systems—and enterprise resource planning (ERP) systems ensuring seamless operations fall under this regulatory umbrella. Additionally, systems like electronic data interchange (EDI) dispatch and master data platforms, indispensable for dairy product orders, are also emphasized.

The global surge in cyberattacks on Critical Infrastructures highlights the vulnerabilities within these crucial systems (Plachkinova and Vо, 2023). These infrastructures increasingly attract adversaries, from state-sponsored actors to profit-driven cybercriminals, especially intense political climates. However, in Germany, the food sector, largely driven by SMEs, often functions below the prescribed thresholds (Federation of German Food and Drink Industries, 2022). As such, they remain outside the ambit of stringent security protocols mandated for more substantial entities. Alarmingly, a 2020 survey underscored that 23% of the surveyed SME food producers had been targeted by cyberattacks (German Insurance Association, 2020), emphasizing the pressing need for fortified cybersecurity measures. The imminent adoption of the European NIS2 Directive into German law will expand cybersecurity requirements, covering many previously exempted food sector organizations. This shift means these entities will soon be under tighter risk management and reporting requirements (OpenKRITIS, 2023). However, SMEs often grapple with inadequate guidance and exposure to cyber vulnerabilities (Fernandez De Arroyabe and Fernandez de Arroyabe, 2023).

Given this landscape, the German dairy industry remains vulnerable to ransomware threats and a valuable target for cybercriminals. Our study serves as an instrument in this context, by shedding light on these critical areas, we aim to guide stakeholders towards fortifying their defenses and enhancing the sector’s overall resilience.

3. Research methodology

3.1 Expert interviews

To uncover the vulnerabilities predisposing the German dairy industry to ransomware threats, we conducted 15 expert interviews. These sessions spanned a varied cohort: from dairy farmers to IT security experts, industry consultants, and executives across the food processing spectrum, including those in dairy, sugar, meat, breweries, and catering services. This ensured a holistic perspective not only of the dairy sector but also of the overarching food industry. Conducted between December 2022 and May 2023, each interview had an average duration of approximately 42 min and followed the structure outlined in the Appendix A. The selection of 15 interviews was guided by the principle of theoretical saturation, which was reached when additional interviews no longer yielded new themes or significant insights, suggesting that the data collected was sufficiently robust. While some were face-to-face at interviewee locations, most were convened via video conferencing. A detailed list of experts can be found in Table 1.

Our analysis adhered to a structured approach. Utilizing the transcription guidelines of Dresing and Pehl (2013), we ensured accurate verbatim transcriptions. Subsequently, we leveraged the MaxQDA software to facilitate a systematic and organized coding process. The data coding process was carried out in multiple stages. We organized the transcriptions by focus areas—production, processing, and IT security—and by the implications and potential threats of cyberattacks, especially ransomware. Initially, we applied open coding to inductively identify distinct concepts within the data, followed by axial coding to relate these concepts into broader categories that align with our research objectives. These themes were grounded in the structure of our interview guide, which included key areas such as expert background, potential cyber threats, consequences of cyberattacks, and recommendations for enhancing cybersecurity (see Appendix A for the full interview guide). As our analysis progressed, we continued to apply inductive reasoning, allowing us to identify emergent themes and patterns that were not initially anticipated, ensuring a comprehensive exploration of the data. This deep dive unraveled a wealth of insights, spotlighting the cybersecurity landscape, key vulnerabilities in the German dairy industry’s upstream supply chain, and its potential for ransomware-induced extortion.

3.2 Network analysis

To address RQ2, our objective is to elucidate how the pinpointed vulnerabilities shape the intrinsic extortion potential of ransomware. We utilize network analysis to fulfill this objective, as this method aptly models the interconnected facets of supply chains, offering the added advantage of unique network-specific metrics that enrich our ability to address the research question (Basole and Bellamy, 2014).

To begin our data preparation process, we constructed a network that closely emulates the transportation flow of the upstream supply chain, bridging dairy farms and dairies. To streamline complexity and ensure data accuracy, our focus narrowed to the federal state of Bavaria, Germany’s most prolific milk-producing region, contributing roughly a quarter of the nation’s total milk output. Trailing Bavaria, Lower Saxony stands out as another significant contributor in milk production.

In Figure 1, we visualize this by demarcating milk production across various German counties using orange nodes, with node sizes proportionate to each county’s production volume. Additionally, the locations of the ten largest dairies in Germany and their affiliated company networks are presented (in some instances including multiple sites). Through connections and consistent color coding, it is evident that the dominant dairy hubs are clustered in southern Germany and the northwest, particularly in Bavaria and Lower Saxony.

We combined data from two distinct sources. Firstly, we utilized information from the Agricultural Census conducted by the Federal and State Statistical Offices of Germany in March 2020. [3] This dataset provided us with the number of dairy farms, which amounted to 26,609, and the count of dairy cows at the county level. While the count of dairy cows was not available for certain counties, the number of dairy farms was provided. In these cases, we assumed an average of 42 cows per dairy farm in Bavaria (Bavarian State Agency for Statistics and Data Processing, 2023), resulting in a total count of 1,117,983 cows. Additionally, for milk production, we assumed an average milk yield of 7,500 kg per Bavarian cow per year (Bavarian Milk Producers Association, 2022). Based on this data, we calculated the average milk yield per dairy farm per county. From this, we assumed that 96% of the milk produced would be directed towards the dairies, as approximately 4% in Germany is used for feeding, direct marketing, or self-consumption (Association of the German Dairy Industry, 2022). The calculated milk yield delivered to the dairies amounts to 8,049 million kg of milk. Our assumptions are based on solid foundations, as our resulting milk quantity aligns with official reports from 2022. The Bavarian Milk Producers Association reported a total milk quantity of 8,050 million kilograms for that year (Bavarian Milk Producers Association, 2022).

Regarding the dairy data, we referred to the list of establishments authorized under Regulation (EC) No. 852/2004 for the trade of non-animal origin food products. [4] As of June 2023, the list comprises 1,414 registered establishments in Germany for raw milk and dairy products. From this list, we focused on the 79 Bavarian companies and conducted a thorough search on their respective websites to collect information pertaining to reported volumes of raw milk processing, ownership structure (cooperative vs. private dairy), and membership in dairy alliances. We excluded dairy plants or locations for which no information could be found or which seemed to be small-scale dairies lacking informative websites. As a result, we identified 61 dairy plants or locations with a self-reported annual milk processing capacity of 16,400 million kg. Among these, 42.19% were cooperative dairies, while 57.81% were private dairies (corporations or partnerships).

Most dairies have the objective of sourcing milk from regional locations due to two primary reasons: a) reducing transportation costs and b) supporting regional milk production. For instance, companies like Alpenhain indicate that they collect milk from dairy farmers located within a 50 km radius (Alpenhain, 2023), while Uelzena specifies a radius of 150 km (Uelzena eG, 2023). In our subsequent analysis, we have incorporated this assumption of regional focus by utilizing the Haversine formula to calculate the distances between every potential farm-dairy pair. We formulated the dairy farm and dairy connection problem as a linear optimization problem, specifically a minimum cost flow problem. The objective is to minimize the total transportation cost (based on distance) while satisfying the supply and demand constraints. We store the corresponding distance, supply (total milk per farm), and coordinates. To accommodate for county-based coordinates, we incorporated random noise within a small radius in the region to disperse the dairy farms. This was necessary because the data collected from the Agricultural Census conducted by the Federal and State Statistical Offices of Germany in March 2020 only provides information at the county level rather than at the individual farm level.

The mathematical formulation of the problem is summarized in Table 2.

We implemented the solution to this linear optimization problem in Python using the linprog function from the scipy package. This allowed us to create the connections between the dairy farms and dairies in both the cooperative and the private network while optimizing the total transportation cost.

We tapped into the explanatory potential of network analysis, placing emphasis on various centrality measures. These include degree centrality, which gauges the number of edges adjacent to a node; closeness centrality, which denotes the relative proximity of one node to others; betweenness centrality, capturing the frequency with which a node lies on the shortest path between two other nodes; and eigenvector centrality, which evaluates a node’s significance based on its connections to other pivotal nodes (Bonacich, 1972; Burger et al., 2023; Koschützki et al., 2005).

4. Results

4.1 Ransomware threats in the dairy industry

Our surveyed farmers, E1-E4, do not assign high importance to cybersecurity. Their perspectives seem to be shaped by either an absence of direct encounters with cyber threats or a belief that such incidents would not majorly affect their family farms. As E2 candidly puts it:

While losing family photos on our computers would be unfortunate, it wouldn’t halt our milking routines. (E2).

In the context of Germany’s decentralized and cooperative milk production model, these farmers pinpoint a higher cyber vulnerability at the value-added processing stage within dairies. As E1 observes:

When you strike at a dairy, you’re indirectly hitting thousands of farmers. (E1).

This viewpoint found resonance in a significant cyberattack on Schreiber Foods, a Wisconsin-based dairy processing firm. In October 2021, the company had to shut down all its operations, leading to milk and fresh cheese shortages. The repercussions were tangible, with Schreiber Foods grappling with an amassed milk supply, leaving farmers to sell at deflated “crisis-milk” prices (Shepel, 2021). The aftermath saw a 6.9% dip in fresh cheese production YoY, translating to bare store shelves (McKay, 2021).

From a critical infrastructure lens, E12 emphasizes the gravity of simultaneous disruptions:

A single dairy farm hiccup is manageable, but a synchronized collapse of multiple businesses is a risk too great, especially from Germany’s supply security perspective. (E12).

Contrasting the farmers, our interviews with food processing companies revealed their frequent brushes with cyber threats. Predominantly ransomware attacks (E7, E6, E8 and E9) laced with phishing attempts were the dominant challenges. Notably, the collusion of phishing and ransomware was universally recognized as a principal disruptor of production. E8 recalls an incident:

Attackers infiltrated our network [through phishing], patiently surveilled it, and executed a calculated strike. They aimed to encrypt extensively and simultaneously target our systems and backups. Their endgame was clear: incapacitate the business, maximize the damage, and then capitalize on the chaos for a hefty ransom. (E8)

E6 shared his confrontations with ransomware:

Two ransomware incidents came our way: one had minor consequences, while the other led to a full cessation of a production unit. A fortnight’s disruption is a blow to the affected locality, but for our entire operation, it is not catastrophic. However, should a central system […] be jeopardized, it sounds alarm bells. The extent of the incident’s impact, whether localized or widespread, is dictated by regional demarcations. (E6)

Phishing was underscored as a predominant entry strategy. It ranges from broad-brush emails hoping for a vulnerability to pinpointed spear-phishing attacks. E9 elaborates:

In earlier years, adversaries were less astute. Their phishing tactics were more random. But now, the emphasis has shifted to methodical attacks, especially against top-tier executives. Such targeted incursions are far from random. We are now navigating these troubled waters almost weekly, with a majority of these threats tracing back to regions like Russia and China. (E9)

Despite a unanimous call for enhanced awareness and contemporary countermeasures, many voiced skepticism over completely immunizing systems against breaches. The focus, they believe, should transition to bolstering infrastructure resilience. Experts like E6, E8, and E9 accentuate this view:

We should not dwell on if an attack will happen, but on how prepared we are when it does. (E8)

Given our rigorous defense investments, a breach feels inevitable. It’s less about prevention and more about containment and swift response. (E9)

A system breach’s ripple effect must be curtailed, ensuring it does not cascade across our operations. (E6)

Critical Infrastructures, especially those vital for public sustenance, prioritize uninterrupted service. The primacy of security facets, be it confidentiality, integrity, or availability, oscillates based on context. For sectors like banking, data protection might eclipse operational continuity (Henderson, 2023). Reiterating this sentiment, E6 focuses on the essence of uninterrupted services:

While data confidentiality is crucial, our core focus is the continuous availability of our systems. (E6)

In summary, companies acting as primary distributors for products like milk in dairies face an elevated threat to supply security from operational disruptions. Their central position within the value chain can trigger widespread impacts both upstream and downstream. In severe instances, this might even result in brief periods of food unavailability. According to the experts we interviewed, ransomware attacks, especially those initiated through phishing, are a predominant threat in both the food and dairy industries.

4.2 The principal weakness: the convergence between operational technology and information technology

Discussions with food industry professionals emphasize the growing convergence of information technology (IT) and operational technology (OT). Particularly, the integral role of the ERP system in production became a recurring theme:

When the ERP software stumbles, production follows suit. (E7)

Absent the ERP system, our production machinery remains idle. (E9)

The central system steers our division’s operations. A glitch in the ERP, and we are looking at a production pause in about 30 minutes. (E6)

The cyber onslaught on JBS S.A., a dominant figure in US meat production, serves as a telling example. The five-day operational disruption in North America and Australia, caused by a ransomware assault from the Russian crime syndicate REvil, seemed rooted in a central server malfunction within their IT framework. This glitch rippled into their OT, stalling production activities. The blowback was felt across all JBS USA and Australia units, causing a meat market upheaval and surging prices, prompting the US Department of Agriculture to rally other meat producers to step up their game (Michael Hirtzer, 2021).

Recognizing these vulnerabilities, numerous surveyed companies are leaning toward partitioning their IT and OT networks. E6 and E9 detail their proactive strategies:

We are steering a project to bifurcate our IT and OT infrastructures, ensuring an attack on one does not cripple the other. While both scenarios are less than ideal, this offers a layer of insulation. (E9)

OT security is emerging as a pivotal aspect. Many companies are still navigating this domain, but we have flagged it as a keystone in our defense blueprint, both in organizational and technical terms. (E6)

Beyond the operational hurdles, the financial and reputational fallout from cyberattacks can be daunting. E9 sheds light on this dimension:

A week-long production or delivery hiccup is one thing; negative media spotlight, however, can erode our brand’s trust. (E9)

The cyber incident involving the Australian dairy entity, Lion Dairy and Drinks, which triggered a stock price dip for its parent firm, echoes this sentiment (Jarjoui et al., 2021).

The tremors of production glitches are not confined within company walls. Especially with fresh produce, the clock is ticking due to their fleeting shelf life. While industries like sugar processing or beer manufacturing might have a buffer, courtesy of stockpiles or alternate suppliers, perishables such as raw milk walk a tightrope, as E9 underscores:

In our sector, the FiFo (first in, first out) mantra is sacrosanct. Stockpiling is not feasible; we would just end up with wasted produce. (E9)

Hence, the results from the expert interviews highlight a paramount challenge in the food processing industry: ensuring the secure convergence of IT and OT. An IT failure, in the context of inadequate network security, can have widespread repercussions across multiple sites, particularly when central systems like the ERP system are compromised.

4.3 The escalating extortion threat from the convergence of OT and IT

Cyber threats have been a growing concern for the food industry over the past several years, particularly within small and medium-sized enterprises. A Forsa survey conducted a few years ago revealed that 23% of small and medium-sized food manufacturers in Germany had already experienced cyberattacks (Gesamtverband der Deutschen Versicherungswirtschaft e. V., 2020). This trend has only intensified, as reflected in the Global Cybersecurity Outlook from the World Economic Forum, which indicates that 93% of executives and 86% of business leaders now anticipate catastrophic cyberattacks within the next two years (Bueermann et al., 2023). Cyberattacks are pervasive across industries, with a 2023 Deloitte survey finding that 91% of companies reported at least one security breach, leading to various negative impacts (Deloitte Development LLC, 2023). The financial toll on the German economy is significant, with damages from cyberattacks amounting to an estimated €203 billion in 2022 alone (Berg, 2022). These statistics underscore the critical need for robust cybersecurity measures, particularly in Critical Infrastructure sectors like the dairy industry, where the average cost of a data breach is $4.82 million, significantly higher than in non-critical sectors (IBM Corporation, 2022).

These concerns were echoed in our expert interviews, which specifically highlighted the vulnerabilities introduced by the integration of IT and OT systems within the dairy industry. This integration creates risks due to the complex and layered architecture of Industrial Control Systems (ICS). Core components responsible for monitoring and controlling physical processes, such as milk pasteurization and storage, are increasingly interconnected with enterprise IT systems like ERP (Kantale et al., 2022). This convergence means that a cyber-attack on a seemingly isolated component can have cascading effects, disrupting digital workflows and also critical physical operations across multiple locations. The case of the food processing company JBS S.A. illustrates how such vulnerabilities can lead to widespread operational outages. A ransomware attack on JBS led to operational outages across multiple locations globally, disrupting not only production but also the supply chain on a massive scale. This incident highlights the cascading effects of a cyber-attack that exploits IT/OT integration, where the failure of systems in one location can ripple across the network, affecting operations in several others (Michael Hirtzer, 2021). Similarly, the attacks on SalzburgMilch in Austria and Schreiber Foods in the USA further demonstrate the critical impact of ransomware on dairy operations, where attackers targeted interconnected systems, forcing shutdowns that resulted in production delays and financial losses. These cases underscore the vulnerabilities introduced by IT/OT convergence making both physical and digital infrastructures vulnerable in the dairy supply chain and broader food supply.

To illustrate the intricate ties between these elements, we superimposed a (data) communication layer, denoted by the yellow communication edges in Figure 2 (lower illustration), onto our simulated physical milk transportation network, represented by the grey edges in Figure 2 (upper illustration). This overlay captures the structure of dairy companies with multiple branches or those under expansive conglomerates. Together, the tangible transportation pathways and the digital infrastructure constitute what we term the “extortion potential network”.

For confidentiality and security considerations, we have chosen not to specify particular dairies or counties nor provide exact geographical coordinates. This precaution aims to prevent potential misuse of this information by cybercriminals. Instead, the size of each node portrays the processing capacity of the dairies and the count of associated dairy farms within a county. The nodes’ color scheme differentiates between cooperative dairies (green), private ones (blue), and counties (red).

The dairy supply chain network comprises 61 dairies (cooperative or private), 94 counties (encompassing 26,609 dairy farms), and totals 158 nodes. Without the inclusion of (data) communication edges, nodes in this network have, on average, 1.99 connections. This value increases to 2.19 with the incorporation of (data) communication edges. Such data implies that each dairy is typically linked to approximately two counties. When (data) communication edges are considered, this average connection increases to nearly three dairies. Though our network is extensive, it demonstrates sparse connectivity, with a density of 0.0045 without (data) communication edges and 0.0055 with them. In a scenario of maximum connectivity, the network would possess a density of 1. Furthermore, the network’s structure is such that it lacks pronounced clustering. This suggests that the neighbors of any given node are unlikely to be interconnected. However, the introduction of (data) communication edges slightly alters this characteristic with a value of 0.0261.

Through the lens of potential disruptions in IT—such as central ERP system outages in expansive corporations—it is discernible that the average centrality within the network’s extortion potential undergoes modification. Without the (data) communication edges, the centrality metrics are as follows:

(1)
Degree Centrality: 0.0078
(2)
Closeness Centrality: 0.0039
(3)
Eigenvector Centrality: 0.0293

In contrast, with the inclusion of (data) communication links, the centrality averages shift to:

(4)
Degree Centrality: 0.0111
(5)
Closeness Centrality: 0.0046
(6)
Eigenvector Centrality: 0.0095

The change in these values highlights that the addition of (data) communication edges not only bolsters the network’s connectivity and cohesion but also nudges it towards a more centralized structure. Such centralization can potentially introduce vulnerabilities: the network becomes more susceptible to disruptions, emphasizing the need to protect these pivotal nodes and their associated security mechanisms. Nevertheless, delving deeper into the dairy and county network structure, the notably low average betweenness centrality (almost 0) indicates that there is not a pronounced reliance on any specific node (or a handful of nodes) for milk transportation. This is encouraging from a resilience standpoint.

However, Figure 3 elucidates the combined extortion implications of these intertwined dairies and the possible repercussions on operations. When dairies are interconnected, the maximum disruption can reach up to 3,519,537.53 kilograms daily, affecting as many as 4,141 farms. On the other end of the spectrum, the minimum disruption touches 346 farms with a daily halt of 353,017 kilograms in milk transport. Even in the absence of these interconnections, the ramifications are substantial. A single dairy could grapple with a local impact of 2,287,201 kilograms per day, impacting up to 2,627 farms. The least severe scenario would witness a disruption of roughly 67,235 kilograms daily, influencing 100 farms (supposedly, the disruption affects OT).

Examining the differences between private and cooperative dairies, we find that private dairies, on average, connect to 2.11 other dairies and have a degree centrality of 0.0106. In contrast, cooperative dairies typically have 3.17 connections with a degree centrality of 0.0160. This degree centrality data suggests that cooperative dairies hold a marginally more central or interconnected position within the network compared to private dairies. Although this interconnectedness can boost operational efficiency and facilitate seamless information sharing, it also increases the vulnerability of cooperative dairies to ransomware attacks. Ransomware actors can target these more central nodes to cause widespread disruptions throughout the network. Therefore, a higher degree centrality increases the need for implementing robust prevention and detection measures to mitigate the cascading risks posed by ransomware.

5. Discussion

5.1 Implications for theory and practice

In our research, we delved into the complexities of the German dairy industry’s vulnerabilities to ransomware threats, placing a concentrated lens on its upstream supply chain. To answer RQ1, we conducted 15 expert interviews with dairy farmers, industry leaders, and cybersecurity specialists, which provided critical insights into the sector’s challenges. Our findings indicate that the vulnerability of the dairy industry to ransomware attacks is heightened by three main factors: the high degree of IT and OT system interconnectivity, the significant presence of small and medium-sized enterprises (SMEs) with limited cybersecurity resources, and the critical role of the dairy supply chain in maintaining food security.

To address RQ2, we complemented these insights with a network analysis of the Bavarian dairy sector in Germany. The network analysis further demonstrates that these vulnerabilities directly shape the extortion risks posed by ransomware. The integration of IT and OT systems creates a complex network where disruptions can cascade across multiple locations, significantly amplifying the impact of an attack. This interconnectedness, particularly within cooperative dairies, increases the potential for widespread operational outages. Consequently, the risk of severe disruptions heightens the likelihood that affected entities may consider paying ransoms to avoid catastrophic consequences.

Our research augments the foundational understanding of the RAT by highlighting the distinct vulnerabilities of the dairy industry to ransomware. We observed that traditional roles defined by RAT — motivated offenders, suitable targets, and guardianship (Holt et al., 2020) — evolve in contexts where the digital and physical worlds converge. Through our discussions with food processing experts, the critical importance of ERP systems, often integrated with OT, became evident. There was a consensus on the profound implications of disruptions in an ERP system, especially when IT and OT systems are interlinked, affecting multi-site operations. As digitalization accelerates, IT components increasingly intersect with OT control systems and networks. Given the uptick in OT environment breaches via IT channels, adopting exhaustive security protocols is essential (Dragos, 2023; Ofner et al., 2023). Traditionally, OT security was somewhat sidelined during its inception. More often than not, OT was “air-gapped,” denoting a physical detachment and no internet connectivity. However, with external connections to OT systems, they become susceptible to newfound threats (Fortinet Inc, 2021). The adaptability of these roles in sectors like food processing is indicative of their shaping by systemic interdependencies. Our deep dive into the vulnerabilities of the dairy sector, particularly its supply chain nuances, offers an enriched understanding of RAT’s “suitable targets.” The evident vulnerabilities in these interconnected systems are multifaceted, arising from both digital pathways and the inherent risks associated with perishable goods. This layered complexity adds depth to RAT’s conventional understanding of “targets”.

Our study illuminates the intricate web of contemporary cybercrime. In sectors characterized by complex supply chain architectures, a singular act by a cybercriminal can induce cascading consequences, impacting even elements far removed from the initial breach point. This understanding broadens our perspective on the scope and scale of cybercrime. The intersection of IT and OT, as underscored by our findings, recalibrates the boundaries of RAT’s guardianship concept. This suggests that protective measures should not be limited to just digital defenses, as emphasized by previous works (Bagheri and Ridley, 2017), but should also ensure the persistence of physical operations. In this context, it is crucial to consider industrial control systems (ICS) as the linchpin of OT. These systems, especially in the manufacturing domain like food processing, play a pivotal role (Federal Office for Information Security, 2013), including in milk processing (Kantale et al., 2022; Yaseen et al., 2022). For instance, the German private dairy company Bechtel has implemented an ICS to facilitate seamless data transfer between machinery, processes, and the manufacturing execution and ERP systems. This integration ensures that all pertinent information, such as process and facility data, batch and consumption data, inventory levels, and maintenance measures, are captured in the MES and relayed to the ERP system. This ensures comprehensive production traceability. With rapid and location-independent access to managerial data, production errors can be swiftly pinpointed and rectified, aiming for enhanced productivity and product quality (planemos GmbH, 2022). Yet, this underscores the imperative for immediate focus, emphasizing both network segregation and fortifying IT security measures. While the prevailing standards for ICS protection predominantly hinge on a network-centric security paradigm, mirroring the Purdue Model for ICS security (specifically, ISA/IEC62443), the evolving intricacy and multifaceted nature of interconnected systems present challenges (Bordoloi et al., 2022; Boyes et al., 2018; Lezoche et al., 2020). In such a landscape, where OT represents just one aspect of the broader cyber-physical network, there emerges a critical demand for innovative, resource-oriented security approaches to safeguard the integrity and ensure the availability of these systems (Thielemann et al., 2022). Our study underscores the pressing need for heightened attention and enhancement on this aspect within the food industry, with a particular spotlight on the vulnerabilities in the dairy sector.

Additionally, our network analysis underscores vulnerabilities arising from the convergence of IT and OT, suggesting a heightened extortion risk for cybercriminals. Such vulnerabilities enable these adversaries to potentially expand their malevolent reach across thousands of dairy farms. In light of this, dairy entities bear a dual responsibility: safeguarding their suppliers and ensuring the continuity of the supply chain. This can be achieved by implementing advanced security measures, such as zero-trust architectures and network segmentation, to prevent lateral movement within systems and limit the damage of potential breaches. Furthermore, employing AI-driven intrusion detection systems can enhance the ability to identify and respond to ransomware threats early, thereby protecting both digital and physical assets. In the context of RAT, cybercriminals often target less fortified entities that present opportunities for considerable impact. Echoing Cremonini and Nizovtsev (2009), an astute deterrence strategy would involve transparently showcasing IT security robustness. For the dairy sector, this means emphasizing that, even in the face of IT adversities, operations and milk supply remain unhampered. The goal is to shift the multitude of dairy processes out of the potential crosshairs of attackers.

Moreover, our analysis underscores that cooperatives hold a central position in the upstream supply chain. Dairy farms associated with cooperatives have a commitment to exclusively provide their milk to their designated cooperatives. Conversely, these cooperatives have a responsibility to accept and process the supplied milk. When faced with disruptions, like ransomware attacks, such arrangements can hinder the ability of dairy farms to reallocate their milk supply to other processors or dairies. Consequently, we advocate that cooperative dairies, together with their member farms, urgently reevaluate and integrate provisions related to potential cyberattacks in their milk delivery contracts. These provisions should address not only the immediate response to ransomware attacks but also strategies for maintaining supply chain resilience, such as diversifying processing options and ensuring that all parties are aware of the current cybersecurity landscape. Implementing these measures will help safeguard the continuity of milk supply, even in the face of potential cyber disruptions. At present, many cooperative agreements seem to overlook or inadequately address the possibilities of such cyber threats (e.g. Meierei-Genossenschaft Gudow-Schwarzenbek eG, 2023; OMIRA, 2016).

5.2 Limitations

As with all scientific endeavors, we have to emphasize that our findings need to be interpreted against the backdrop of their limitations. One limitation stems from the geographic specificity of the expert interviews, which were exclusively conducted with practitioners based in Germany. While this provides in-depth insights into the German context, it poses challenges in extrapolating the findings to a global audience. Different nations and regions often come with their unique set of cybersecurity regulations, as well as specific structural, cultural, and operational nuances that distinctly shape the dairy industry’s supply chain. As such, the generalizability of our results to other regions may be constrained. To ensure a broader and more universally applicable understanding, future research endeavors could prioritize engagement with practitioners from varied geographical backgrounds. This approach would bolster the external validity of the conclusions drawn and also shed light on regional disparities in viewpoints and methodologies concerning cybersecurity vulnerabilities and mitigation strategies, emphasizing the pervasive nature of these risks across the sector.

Furthermore, our network analysis hinges on a simulated model of transportation and communication designed to closely mirror real-world scenarios without perfectly replicating them. As such, the outcomes of this simulation should be interpreted as indicative demonstrations, illustrating the potential ramifications should these identified vulnerabilities be exploited in a worst-case scenario. It is essential to acknowledge that while simulations offer valuable insights, real-world factors can introduce complexities not accounted for in our model. Thus, while our findings serve as a valuable guide, direct real-world applications should be cautiously approached with an understanding of this limitation.

While this study is focused on the German dairy industry, the identified vulnerabilities, such as the convergence of IT and OT systems, and the recommended cybersecurity strategies, including network segmentation, robust incident response planning, enhanced employee training, and addressing the extortion potential of ransomware, may offer valuable insights for other industries that rely heavily on complex supply chains, such as agriculture, pharmaceuticals, or energy sectors. The extortion potential highlighted in this research is particularly relevant to other critical infrastructure sectors. For example, the ransomware attack on JBS S.A., the world’s largest meat processing company, in May 2021, underscores the widespread impact such vulnerabilities can have. The attack led to a five-day shutdown of operations in North America and Australia, causing significant disruptions in meat production and supply chains. This incident exemplifies how ransomware can exploit IT and OT convergence, not only halting production but also creating market-wide shortages and price spikes, as seen when the U.S. Department of Agriculture called on other meat producers to increase output in response to anticipated shortages (Michael Hirtzer, 2021). These parallels suggest that industries beyond dairy must be vigilant in assessing and mitigating similar risks. Proactive measures, such as those recommended in our study, can help mitigate the threats posed by ransomware, particularly in sectors where supply chain continuity is critical to public safety and economic stability. However, it is essential to consider industry-specific factors and regional regulatory frameworks when applying these insights to ensure their effectiveness.

6. Conclusions

Our investigation into the vulnerabilities of the dairy industry, particularly within the realm of ransomware threats, offers insights into the present challenges faced by sectors deemed as Critical Infrastructure. The interplay between digital and physical domains, combined with the intricate web of supply chain interdependencies, magnifies the ripple effects of cyber disruptions. This is especially pertinent in sectors like food processing, where supply continuity is not just a business prerogative but a societal imperative.

The emerging threat landscape, characterized by the convergence of IT and OT systems, necessitates a reimagining of traditional defense mechanisms. The findings underscore that ransomware’s extortion potential is not limited to mere data and system access but extends to disrupting physical operations and potentially jeopardizing food security. Cooperatives, integral players in the dairy sector’s upstream supply chain, find themselves at the crossroads of this digital threat and the physical supply continuity. Their unique position emphasizes the pressing need for contract reforms that proactively account for potential cyber threats.

Applying the tenets of the RAT, our research bridges a significant knowledge gap, illustrating how traditional roles evolve in a landscape where motivated offenders exploit intricate supply chain vulnerabilities. The collective focus must shift from a purely reactive stance to a proactive, resilience-based approach. As the lines between the digital and physical blur, sectors like the dairy industry must recalibrate their defenses, considering not just the digital integrity but also the continuity of physical operations.

In the face of mounting digital threats, industries, governments, and academia must collaborate, share knowledge, and innovate. Our research is a step in this direction, emphasizing the pressing need for holistic cyber-resilience in sectors intrinsic to societal well-being. As digital adversaries grow more sophisticated, so must our defenses, safeguarding not just data but the very fabric of our interconnected supply chains.

Figures

Figure 1

Geographical visualization of milk production in German counties (right) with major dairies and their networks (left)

Figure 2

Dairy supply chain network: physical milk pathways (upper, grey edges) and (data) communication layer (lower, yellow edges)

Figure 3

Impact of dairy network disruptions (IT and OT): comparing effects of interconnected and isolated scenarios on milk supply and farm impact

Table 1

Overview of conducted interviews

Expert	Position and affiliation	Interview focus
E1	Dairy farmer with 160 cows, member of European dairy farmers (EDF) and German agricultural society	Milk production
E2	Dairy farmer from North Rhine-Westphalia with 120 cows	Milk production
E3	Dairy farmer from Bavaria with 100 cows	Milk production
E4	Dairy farmer from lower saxony with 42 cows	Milk production
E5	In-house consultant at a German dairy company	Food processing
E6	Head of information and security in a company processing sugar and other foods	Food processing
E7	IT security officer at a German meat processing company	Food processing
E8	Manager at a German catering concept producer	Food processing
E9	IT infrastructure manager at a chocolate manufacturer	Food processing
E10	Manager of an international beverage and brewery corporation	Food processing
E11	Critical infrastructure and cybersecurity expert at a major consulting firm	Critical infrastructure
E12	Critical infrastructure and cybersecurity expert at a major consulting firm	Critical infrastructure
E13	Network security expert	IT security
E14	Awareness officer in the critical infrastructure sector	Critical infrastructure
E15	Head of compliance department in a software company	IT security

Source(s): Table created by the authors

Table 2

Mathematical formulation of the linear optimization problem

Decision variable	Let $x_{i j}$ be the flow of milk from dairy farm i to dairy j
Objective function	Minimize: $\sum_{i = 1}^{n} \sum_{j = 1}^{n} c_{i j} * x_{i j}$ , where c_ij represents the transportation cost from dairy farm i to j
Supply constraint	The total milk supplied by each dairy farm should not exceed its capacity: $\sum_{j = 1}^{n} x_{i j} \leq {s u p p l y}_{i}$ , for all i
Demand constraint	The total milk demanded by each dairy should be met: $\sum_{i = 1}^{n} x_{i j} = {d e m a n d}_{j}$ , for all j

Source(s): Table created by the authors

Notes

1.

BSI-KritisV, § 4: A regulation under German law addressing the identification of critical infrastructures.

2.

The threshold is set at 434,500 tons of food or 350 million liters of beverages according to the BSI Act (BSI Critical Infrastructure Regulation - BSI-KritisV) Appendix 3 (to § 1 Numbers 4 and 5, § 4 Paragraph 3 Numbers 1 and 2) Facility Categories and Threshold Values in the Food Sector.

3.

https://www.regionalstatistik.de/genesis//online?operation=table&code=41141-03-02-4&bypass=true&levelindex=0&levelid=1696412877556#abreadcrumb

4.

https://apps2.bvl.bund.de/bltu/app/process/bvl-btl_p_veroeffentlichung?execution=e1s4

Appendix A Interview guide

(1)
Introduction
- •
  Greeting and introduction of the interviewer and the purpose of the interview.
- •
  Confirmation of the expert’s consent to record the interview.
(2)
Expert Information
- •
  Expert’s experience and background in the field of cybersecurity and/or the specific areas along the value chain.
- •
  Expert’s perspective on the current state of cybersecurity in the industry of focus.
- •
  Insights from the expert regarding current trends and developments in terms of technologies and cyber threats within the industry.
(3)
Threats
- •
  Identification of potential cyber threats.
- •
  Explanation of how these threats could impact the value chain.
- •
  Discussion of how companies in the food industry are preparing for these threats and the measures they are already taking.
(4)
Consequences
- •
  Discussion of potential consequences in the event of a successful cyberattack on their company.
- •
  Consideration of the possible effects on supply chain security.
- •
  Evaluation of the ability of companies in the food industry to respond to and recover from such incidents.
(5)
Recommendations
- •
  Identification of recommendations to enhance cybersecurity in food processing.
- •
  Discussion of how companies along the value chain can strengthen their resilience against cyberattacks.
(6)
Conclusion

References

Agarwal, S., Rashid, A. and Gardiner, J. (2022), “Old MacDonald had a smart farm: building a testbed to study cybersecurity in smart dairy farming”, Cyber Security Experimentation and Test Workshop, New York, NY, ACM, pp. 1-9.

Alpenhain (2023), “Unsere milchlieferanten”, available at: https://www.alpenhain.de/milchlieferanten/ (accessed 15 June 2023).

Association of the German Dairy Industry (2022), “Beilage zum geschäftsbericht 2021/2022”, available at: https://milchindustrie.de/wp-content/uploads/2022/09/ZahlenDatenFakten_2022.pdf

Association of the German Dairy Industry (2023), “Genossenschaftliche molkerei”, available at: https://milchindustrie.de/milkipedia/genossenschaftliche-molkerei/ (accessed 27 December 2022).

Bagheri, S. and Ridley, G. (2017), “Organisational cyber resilience: research opportunities”, Australasian Conference on Information Systems, Hobart, Australia, p. 2017.

Balletta, L. and Lavezzi, A.M. (2023), “The economics of extortion: theory and the case of the Sicilian Mafia”, Journal of Comparative Economics, Vol. 51, pp. 1-47, doi: 10.1016/j.jce.2023.05.003.

Basole, R.C. and Bellamy, M.A. (2014), “Supply network structure, visibility, and risk diffusion: a computational approach”, Decision Sciences, Vol. 45 No. 4, pp. 753-789, doi: 10.1111/deci.12099.

Bavarian Milk Producers Association (2022), “Milchmarkt”, available at: https://www.milcherzeugerverband-bayern.de/milcherzeugung (accessed 15 June 2023).

Bavarian State Agency for Statistics and Data Processing (2023), “Landwirtschaftszählung 2020: Endgültige Ergebnisse zur Viehhaltung in Bayern liegen vor”, available at: https://www.statistik.bayern.de/presse/mitteilungen/2021/pm179/index.html#:∼:text=InsbesonderebeiderMilchkuhhaltungbestätigte,imJahr2020auf42 (accessed 15 June 2023).

Beaman, C., Barkworth, A., Akande, T.D., Hakak, S. and Khan, M.K. (2021), “Ransomware: recent advances, analysis, challenges and future research directions”, Computers and Security, Vol. 111, 102490, doi: 10.1016/j.cose.2021.102490.

Bekkers, L., van ’t Hoff-de Goede, S., Misana-ter Huurne, E., van Houten, Y., Spithoven, R. and Leukfeldt, E.R. (2023), “Protecting your business against ransomware attacks? Explaining the motivations of entrepreneurs to take future protective measures against cybercrimes using an extended protection motivation theory model”, Computers and Security, Vol. 127, 103099, doi: 10.1016/j.cose.2023.103099.

Béné, C. (2020), “Resilience of local food systems and links to food security – a review of some important concepts in the context of COVID-19 and other shocks”, Food Security, Vol. 12 No. 4, pp. 805-822, doi: 10.1007/s12571-020-01076-1.

Berg, A. (2022), “Wirtschaftsschutz 2022”, Bitkom e.V., Berlin, available at: https://www.bitkom.org/sites/main/files/2022-08/Bitkom-Charts_Wirtschaftsschutz_Cybercrime_31.08.2022.pdf

Bonacich, P. (1972), “Technique for analyzing overlapping memberships”, Sociological Methodology, Vol. 4, p. 176, doi: 10.2307/270732.

Bordoloi, T., Shapira, P. and Mativenga, P. (2022), “Policy interactions with research trajectories: the case of cyber-physical convergence in manufacturing and industrials”, Technological Forecasting and Social Change, Vol. 175, 121347, doi: 10.1016/j.techfore.2021.121347.

Boyes, H., Hallaq, B., Cunningham, J. and Watson, T. (2018), “The industrial internet of things (IIoT): an analysis framework”, Computers in Industry, Vol. 101, pp. 1-12, doi: 10.1016/j.compind.2018.04.015.

Bueermann, G., Doyle, S., Dobrygowski, D., Joshi, A., Rohland, L., Aguirre, C., Browder, T., Pruitt, J., Rohrs, M. and Stockton, L. (2023), “Global cybersecurity outlook 2023”, World Economic Forum, Cologny/Geneva, available at: https://www3.weforum.org/docs/WEF_Global_Security_Outlook_Report_2023.pdf

Burger, J., Isvoranu, A.-M., Lunansky, G., Haslbeck, J.M.B., Epskamp, S., Hoekstra, R.H.A., Fried, E.I., Borsboom, D. and Blanken, T.F. (2023), “Reporting standards for psychological network analyses in cross-sectional data”, Psychological Methods, Vol. 28 No. 4, pp. 806-824, doi: 10.1037/met0000471.

Colon, C. and Hochrainer-Stigler, S. (2023), “Systemic risks in supply chains: a need for system-level governance”, Supply Chain Management: International Journal, Vol. 28 No. 4, pp. 682-694, doi: 10.1108/scm-03-2022-0101.

Cremonini, M. and Nizovtsev, D. (2009), “Risks and benefits of signaling information system characteristics to strategic attackers”, Journal of Management Information Systems, Vol. 26 No. 3, pp. 241-274, doi: 10.2753/mis0742-1222260308.

Deloitte Development LLC (2023), “Global future of cyber survey”, available at: https://www2.deloitte.com/content/dam/Deloitte/de/Documents/risk/Deloitte_Global_Future_of_Cyber_2023.pdf

Dori, A.U., Au, C.H. and Thomas, M.A. (2023), “Seizing new possibilities for expanding the scope of cybersecurity research in information systems”, Pacific Asia Conference on Information Systems (PACIS).

Dragos (2023), “ICS/OT cybersecurity year in review 2022”, available at: https://www.dragos.com/year-in-review%0Ahttps://www.bing.com/images/search?q=ics+kill+chain&qpvt=ics+kill+chain&form=IGRE&first=1%0Ahttps://www.yokogawa.com/eu/blog/renewables/en/anatomy-cyber-attack-1/%0Ahttps://www.linkedin.com/pulse/you-aware-ics-kill-

Dreißigacker, A., von Skarczinski, B. and Wollinger, G.R. (2020), “Cyberangriffe gegen unternehmen in deutschland”, Kriminologisches Forschungsinstitut Niedersachsen e.V., Forschungsbericht Nr. 152, Hannover, available at: https://www.pwc.de/de/im-fokus/cyber-security-privacy/cyberangriffe-gegen-unternehmen-in-deutschland-folgebefragung.pdf

Dresing, T. and Pehl, T. (2013), “Praxisbuch interview, transkription & analyse”, Anleitungen Und Regelsysteme Für Qualitativ Forschende, available at: www.audiotranskription.de/praxisbuch

Duncan, S., Carneiro, R., Braley, J., Hersh, M., Ramsey, F. and Murch, R. (2021), “Beyond ransomware: securing the digital food chain”, Institute of Food Technologists, available at: https://www.ift.org/news-and-publications/food-technology-magazine/issues/2021/october/features/digital-food-chain (accessed 7 February 2023).

Dupont, B. (2019), “The cyber-resilience of financial institutions: significance and applicability”, Journal of Cybersecurity, Vol. 5 No. 1, pp. 1-17, doi: 10.1093/cybsec/tyz013.

European Milk Board (2012), “Co-operatives: between myth and reality, European milk board”, available at: https://www.europeanmilkboard.org/fileadmin/Dokumente/Positions_EMB/12-02_Positions/Cooperatives.pdf

Eurostat (2022a), “Milchaufnahme (alle Milcharten) und Gewinnung von Milcherzeugnissen - jährliche Daten”, Eurostat Datenbank, available at: https://ec.europa.eu/eurostat/databrowser/view/APRO_MK_POBTA__custom_501105/bookmark/table?lang=de&bookmarkId=a2b3dd0a-f415-4605-8299-984d8bca481d (accessed 3 December 2022).

Eurostat (2022b), “Rinderbestand - jährliche daten”, Eurostat Datenbank, available at: https://ec.europa.eu/eurostat/databrowser/view/APRO_MT_LSCATL__custom_1927724/bookmark/table?lang=de&bookmarkId=2d20d374-58ba-49ab-ace0-3f7d9032a87f (accessed 3 December 2022).

Federal Criminal Police Office (2022), Cybercrime: Bundeslagebild 2021, Bundeskriminalamt, Wiesbaden, available at: https://www.bka.de/SharedDocs/Downloads/DE/Publikationen/JahresberichteUndLagebilder/Cybercrime/cybercrimeBundeslagebild2021.pdf?__blob=publicationFile&v=6

Federal Ministry of Food and Agriculture (2023), “Landwirtschaftliche gesamtrechnung”, Produktionswert Des Bereichs Landwirtschaft, available at: https://www.bmel-statistik.de/landwirtschaft/landwirtschaftliche-gesamtrechnung/ (accessed 6 March 2023).

Federal Ministry of the Interior and Community (2021), “Cybersicherheitsstrategie für deutschland 2021”, Berlin, available at: https://www.bmi.bund.de/SharedDocs/downloads/DE/veroeffentlichungen/2021/09/cybersicherheitsstrategie-2021.pdf;jsessionid=0A40ED8C42C18389737A99ED6FE6A0C8.1_cid332?__blob=publicationFile&v=2

Federal Office for Information Security (2013), “ICS-Security-Kompendium”, No. Version 1.23, available at: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/ICS/ICS-Security_kompendium_pdf.pdf?__blob=publicationFile

Federal Office for Information Security (2021), “Ransomware: bedrohungslage 2022”, available at: https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/Ransomware.html

Federal Statistical Office of Germany (2023), “Agrarstrukturerhebung/landwirtschaftszählung”, Landwirtschaftliche Betriebe Mit Viehhaltung Und Zahl Der Tiere - Stichtag - Regionale Tiefe: Kreise Und Krfr, Städte, available at: https://www.regionalstatistik.de/genesis/online?language=de&sequenz=statistikTabellen&selectionname=41141#abreadcrumb (accessed 6 March 2023).

Federation of German Food & Drink Industries (2022), “Ernährungsindustrie 2022”, available at: https://www.bve-online.de/presse/infothek/publikationen-jahresbericht/bve-statistikbroschuere2022

Fernandez De Arroyabe, I. and Fernandez de Arroyabe, J.C. (2023), “The severity and effects of cyber-breaches in SMEs: a machine learning approach”, Enterprise Information Systems, Vol. 17 No. 3, pp. 386-412, doi: 10.1080/17517575.2021.1942997.

Fertier, A., Martin, G., Barthe-Delanoë, A.M., Lesbegueries, J., Montarnal, A., Truptil, S., Bénaben, F. and Salatgé, N. (2021), “Managing events to improve situation awareness and resilience in a supply chain”, Computers in Industry, Vol. 132, 103488, doi: 10.1016/j.compind.2021.103488.

Fortinet Inc (2021), “Causes and consequences of IT and OT convergence”, available at: https://www.fortinet.com/resources-campaign/secure-ot/causes-and-consequences-of-it-and-ot-convergence-3

Fujimori, S., Hasegawa, T., Krey, V., Riahi, K., Bertram, C., Bodirsky, B.L., Bosetti, V., Callen, J., Després, J., Doelman, J., Drouet, L., Emmerling, J., Frank, S., Fricko, O., Havlik, P., Humpenöder, F., Koopman, J.F.L., van Meijl, H., Ochi, Y., Popp, A., Schmitz, A., Takahashi, K. and van Vuuren, D. (2019), “A multi-model assessment of food security implications of climate change mitigation”, Nature Sustainability, Vol. 2 No. 5, pp. 386-396, doi: 10.1038/s41893-019-0286-2.

Gaudenzi, B. and Siciliano, G. (2017), “Just do it: managing IT and cyber risks to protect the value creation”, Journal of Promotion Management, Vol. 23 No. 3, pp. 372-385, doi: 10.1080/10496491.2017.1294875.

Gerlach, J., Werth, O. and Breitner, M.H. (2022), “Artificial intelligence for cybersecurity: towards taxonomy-based archetypes and decision support”, Forty-Third International Conference on Information Systems, Kopenhagen, Dänemark, pp. 1-17.

German Insurance Association (2020), “Cyberrisiken in der lebensmittelindustrie”, available at: https://www.gdv.de/resource/blob/61226/7c6e2ffb3931f2a397699d932787c3bc/d-factsheet-lebensmittelindustrie-data.pdf

Gesamtverband der Deutschen Versicherungswirtschaft e. V (2020), “Cyberrisiken in der Lebensmittelindustrie”, available at: https://www.gdv.de/resource/blob/61226/7c6e2ffb3931f2a397699d932787c3bc/d-factsheet-lebensmittelindustrie-data.pdf

Grabosky, P.N. (2001), “Virtual criminality: old wine in new bottles?”, Social and Legal Studies, Vol. 10 No. 2, pp. 243-249, doi: 10.1177/a017405.

Henderson, A. (2023), The CIA Triad: Confidentiality, Integrity, Availability, Panmore Institute, available at: https://panmore.com/the-cia-triad-confidentiality-integrity-availability (accessed 2 July 2023).

Holt, T.J., Leukfeldt, R. and van de Weijer, S. (2020), “An examination of motivation and routine activity theory to account for cyberattacks against Dutch web sites”, Criminal Justice and Behavior, Vol. 47 No. 4, pp. 487-505, doi: 10.1177/0093854819900322.

Hua, J., Chen, Y. and Luo, X.R. (2018), “Are we ready for cyberterrorist attacks?—examining the role of individual resilience”, Information and Management, Vol. 55 No. 7, pp. 928-938, doi: 10.1016/j.im.2018.04.008.

Hui, K.L., Kim, S.H. and Wang, Q.H. (2017), “Cybercrime deterrence and international legislation: evidence from distributed denial of service attacks”, MIS Quarterly, Vol. 41 No. 2, pp. 497-523, doi: 10.25300/misq/2017/41.2.08.

IBM Corporation (2022), “Cost of a data breach report 2022”, available at: https://www.ibm.com/downloads/cas/3R8N1DZJ

Jarjoui, S., Murimi, R. and Murimi, R. (2021), “Hold my beer: a case study of how ransomware affected an Australian beverage company”, 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment, CyberSA 2021, pp. 1-6.

Kantale, R.A., Sharma, V.K., Nagaratna, P.B. and Lahamge, M. (2022), “SCADA-automation key concept of dairy industrial control system”, Vigyan Varta, Vol. 3 No. 12, pp. 45-50.

Koschützki, D., Lehmann, K.A., Peeters, L., Richter, S., Tenfelde-Podehl, D. and Zlotowski, O. (2005), “Centrality indices”, in Brandes, U. and Erlebach, T. (Eds), Network Analysis: Methodological Foundations, pp. 16-61.

Latino, M.E. and Menegoli, M. (2022), “Cybersecurity in the food and beverage industry: a reference framework”, Computers in Industry, Vol. 141, 103702, doi: 10.1016/j.compind.2022.103702.

Leukfeldt, E.R. and Yar, M. (2016), “Applying routine activity theory to cybercrime: a theoretical and empirical analysis”, Deviant Behavior, Vol. 37 No. 3, pp. 263-280, doi: 10.1080/01639625.2015.1012409.

Lezoche, M., Hernandez, J.E., Alemany Díaz, M., del, M.E., Panetto, H. and Kacprzyk, J. (2020), “Agri-food 4.0: a survey of the supply chains and technologies for the future agriculture”, Computers in Industry, Vol. 117, 103187, doi: 10.1016/j.compind.2020.103187.

MacColl, J., Hüsch, P., Mott, G., Sullivan, J., Nurse, J.R.C., Turner, S. and Pattnaik, N. (2024), “The scourge of ransomware: victim insights on harms to individuals, organisations and society”, Royal United Services Institute for Defence and Security Studies, available at: https://static.rusi.org/ransomware-harms-op-january-2024.pdf

Martens, M., De Wolf, R. and De Marez, L. (2019), “Investigating and comparing the predictors of the intention towards taking security measures against malware, scams and cybercrime in general”, Computers in Human Behavior, Vol. 92, pp. 139-150, doi: 10.1016/j.chb.2018.11.002.

Masuch, K., Hengstler, S., Schulze, L. and Trang, S. (2021), “The impact of threat and efficacy on information security behavior: applying an extended parallel process model to the fear of ransomware”, Proceedings of the 54th Hawaii International Conference on System Sciences.

Mayblum, J. (2022), “ConVal school district to be impacted by milk shortage due to cyber attack at dairy supplier”, John Guilfoil Public Relations, 16 March, available at: https://jgpr.net/2022/03/16/conval-school-district-to-be-impacted-by-milk-shortage-due-to-cyber-attack-at-dairy-supplier/ (accessed 5 February 2023).

McKay, T. (2021), Ransomware Jerks Helped Cause the Cream Cheese Shortage, GIZMODO, available at: https://gizmodo.com/ransomware-jerks-helped-cause-the-cream-cheese-shortage-1848195368 (accessed 15 January 2023).

Meierei-Genossenschaft Gudow-Schwarzenbek eG (2023), “Milchlieferungsordnung”, available at: https://www.meiereigudow.de/index.php/downloads.html?file=files/MeiereiGudow/Downloads/Milchlieferungsordnungaktuell.pdf (accessed 24 May 2023).

Menrad, K. (2004), “Innovations in the food industry in Germany”, Research Policy, Vol. 33 Nos 6-7, pp. 845-878, doi: 10.1016/j.respol.2004.01.012.

Michael Hirtzer (2021), Meat Markets Go without Key U.S. Prices after Cyberattack on JBS, Bloomberg, 1 June, available at: https://www.bloomberg.com/news/articles/2021-06-01/no-one-knows-how-much-u-s-meat-costs-as-cyberattack-jams-report?sref=CIpmV6x8 (accessed 14 January 2023).

Microsoft (2022), “Microsoft digital defense report 2022: illuminating the threat landscape and empowering a digital defense”, available at: https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022

Minhoff, C. (2022), “BVE-Jahresbericht 2022, Bundesvereinigung der Deutschen Ernährungsindustrie e.V”, available at: https://www.bve-online.de/presse/infothek/publikationen-jahresbericht/bve-jahresbericht-ernaehrungsindustrie-2022

Nganje, W., Bier, V., Han, H. and Zack, L. (2008), “Models of interdependent security along the milk supply chain”, American Journal of Agricultural Economics, Vol. 90 No. 5, pp. 1265-1271, doi: 10.1111/j.1467-8276.2008.01215.x.

Ofner, B., Mesika, R., Erez, N., Brizinov, S., Preminger, A., Fradkin, C., Zaks, M. and Halaban, Y. (2023), State of XIoT Security Report: 2H 2022, Claroty, New York.

OMIRA (2016), “Milchlieferordnung der omira oberland-milchverwertung GmbH”, available at: https://milcherzeuger.omira.de/fileadmin/redakteur/milchlieferordnung/milchlieferordnung-allgemein/milchlieferordnung-omira-2016.pdf

OpenKRITIS (2023), “Das NIS2 umsetzungsgesetz”, available at: https://www.openkritis.de/it-sicherheitsgesetz/nis2-umsetzung-gesetz-cybersicherheit.html (accessed 21 June 2023).

Oz, H., Aris, A., Levi, A. and Uluagac, A.S. (2022), “A survey on ransomware: evolution, taxonomy, and defense solutions”, ACM Computing Surveys, Vol. 54 No. 11, pp. 1-37, doi: 10.1145/3514229.

Plachkinova, M. and Vо, A. (2023), “A taxonomy for risk assessment of cyberattacks on critical infrastructure (TRACI)”, Communications of the Association for Information Systems, Vol. 52 No. 1, pp. 26-50, doi: 10.17705/1cais.05202.

planemos GmbH (2022), “One system for all processes”, available at: https://www.planemos.de/en/one-system-for-all-processes/ (accessed 10 May 2023).

Presse, A., Häußner, L.P. and Köke, S. (2011), Klimaschutz Und Ernährungssicherheit, 2nd ed., KIT Scientific Publishing, Karlsruhe.

Reshmi, T.R. (2021), “Information security breaches due to ransomware attacks - a systematic literature review”, International Journal of Information Management Data Insights, Vol. 1 No. 2, 100013, doi: 10.1016/j.jjimei.2021.100013.

Reynald, D.M. (2018), “Guardienship in the digital age”, Criminal Justice Review, Vol. 44 No. 1, pp. 1-14.

Schrode, A., Mueller, L.M., Wilke, A., Fesenfeld, L.P., Ernst, J., Jacob, K., Graaf, L., Mahlkow, N., Späth, P. and Peters, D. (2019), “Transformation des ernährungssystems: grundlagen und perspektiven”, Umweltbundesamt, Dessau-Roßlau, available at: https://www.umweltbundesamt.de/sites/default/files/medien/1410/publikationen/2019-08-15_texte_84-2019_transfern-ap1_0.pdf

Shepel, J. (2021), “Schreiber Foods hit with cyberattack; plants closed”, Wisconsin State Farmer, available at: https://eu.wisfarmer.com/story/news/2021/10/26/schreiber-foods-hit-cyberattack-plants-closed/8558252002/ (accessed 2 February 2023).

Simon, J. and Omar, A. (2020), “Cybersecurity investments in the supply chain: coordination and a strategic attacker”, European Journal of Operational Research, Vol. 282 No. 1, pp. 161-171, doi: 10.1016/j.ejor.2019.09.017.

Siregar, S. and Chang, K.C. (2022), “External social capital, cybersecurity incident flexibility, and cybersecurity incident management effectiveness”, Pacific Asia Conference on Information Systems.

Sophos (2023), “The state of ransomware 2023”, available at: https://assets.sophos.com/X24WTUEQ/at/c949g7693gsnjh9rb9gr8/sophos-state-of-ransomware-2023-wp.pdf

Straubert, C., Sucky, E. and Mattke, J. (2021), “Blockchain technology for tracking and tracing in supply chains: a critical viewpoint”, Proceedings of the 54th Hawaii International Conference on System Sciences, available at: https://hdl.handle.net/10125/71298

Sukumar, A., Mahdiraji, H.A. and Jafari-Sadeghi, V. (2023), “Cyber risk assessment in small and medium-sized enterprises: a multilevel decision-making approach for small e-tailors”, Risk Analysis, Vol. 43 No. 10, pp. 2082-2098, doi: 10.1111/risa.14092.

Swinnen, J. and McDermott, J. (2020), “Covid-19 and global food security”, EuroChoices, Vol. 19 No. 3, pp. 26-33, doi: 10.1111/1746-692x.12288.

Syrmakesis, A.D., Alcaraz, C. and Hatziargyriou, N.D. (2022), “Classifying resilience approaches for protecting smart grids against cyber threats”, International Journal of Information Security, Vol. 21 No. 5, pp. 1189-1210, doi: 10.1007/s10207-022-00594-7.

Thielemann, K., Voster, W., Pace, B. and Contu, R. (2022), Market Guide for Operational Technology Security, Gartner, available at: https://www.gartner.com/doc/reprints?id=1-2AUFVHK7&ct=220816&st=sb (accessed 25 May 2023).

Uelzena eG (2023), “Die uelzena-lieferkette”, available at: https://www.uelzena.de/unternehmen/uelzenas-lieferkette/ (accessed 15 June 2023).

van der Linden, D., Michalec, O.A. and Zamansky, A. (2020), “Cybersecurity for smart farming: socio-cultural context matters”, IEEE Technology and Society Magazine, Vol. 39 No. 4, pp. 28-35, doi: 10.1109/mts.2020.3031844.

Vishwanath, A., Neo, L.S., Goh, P., Lee, S., Khader, M., Ong, G. and Chin, J. (2020), “Cyber hygiene: the concept, its measure, and its initial tests”, Decision Support Systems, Vol. 128, 113160, doi: 10.1016/j.dss.2019.113160.

Wang, J., Gupta, M. and Rao, H.R. (2015), “Insider threats in a financial institution: analysis of attack-proneness of information systems applications”, MIS Quarterly, Vol. 39 No. 1, pp. 91-112, doi: 10.25300/misq/2015/39.1.05.

Wolden, M., Valverde, R. and Talla, M. (2015), “The effectiveness of COBIT 5 information security framework for reducing cyber attacks on supply chain management system”, IFAC-PapersOnLine, Vol. 48 No. 3, pp. 1846-1852, doi: 10.1016/j.ifacol.2015.06.355.

Yaseen, A., Channi, H.K. and Sharma, A. (2022), “PLC/SCADA based automation of milk processing (pasteurization) plants”, Conference: 6th National Conference on Recent Trends in Instrumentation and Control - RTIC 2022, Chennai.

Zscaler, I. (2023), “What is double extortion ransomware?”, available at: https://www.zscaler.com/resources/security-terms-glossary/what-is-double-extortion-ransomware#:∼:text=Doubleextortionransomwareisa,onlyencryptavictim’sdata (accessed 8 February 2023).

Corresponding author

Eduard Anton is the corresponding author and can be contacted at: eduard.anton@uni-osnabrueck.de

About the authors

Eduard Anton is a postdoctoral researcher at the Department of Accounting and Information Systems at the University of Osnabrück. He received his master’s degree in Information Systems in 2015 and worked as an IT project manager and IT consultant until 2019. He completed his PhD in 2022, with a focus on the business value of artificial intelligence and big data analytics. Eduard Anton has published papers on these topics in various journals and conferences, including the International Journal of Innovation and Technology Management, Information & Management, Electronic Markets, Information Systems and e-Business Management, Journal of Business Research, the International Conference on Information Systems and the European Conference on Information Systems.

Helena Aptyka has been a postdoctoral researcher at the University of Cologne since 2023. She possesses a wide array of methodological skills, particularly in the field of quantitative research. Her expertise in network analysis significantly enriches the research and contributes to the interdisciplinary approach of the project.

Frank Teuteberg is a full professor at the Osnabrück University in Germany. Since 2007 he has been Head of the Department of Accounting and Information Systems, which is part of the Institute of Information Management and Information Systems Engineering at the University of Osnabrück. He is the spokesman of the profile line Digital Society – Innovation – Regulation and the leader of several research projects. Furthermore, he is the author of more than 400 papers in numerous peer-reviewed journals and conferences in the field of cloud computing, industrial Internet of things, e-health, artificial intelligence, blockchain, and human–computer interaction.