Digitisation and automation in food supply is too fragile for comfort
Cybersecurity and Resilience Bill is just the beginning of what’s needed
Food supplies are part of critical national infrastructure, but the digitisation and automation within international supply chains have left the UK in a vulnerable position, argues Blockmoor CISO Ian Hill
Last week saw the publication of the government's much-anticipated Cyber Security and Resilience policy statement. It sets out the government's intentions regarding the Cyber Security and Resilience Bill, which will be implemented as a series of updates to the Network and Information Systems (NIS) Regulations 2018 and goes some way towards being a UK version of the EU NIS 2 Directive.
The statement is an important piece of an overarching security framework of legislation intended to improve the security and resilience of the nation’s critical infrastructure and services.
One important aspect of the new bill is the plan to expand the scope within the regulations of what is defined as Critical National Infrastructure (CNI). Under the existing regulations, CNI is made up of Operators of Essential Services (OES) and Digital Service Providers (DSPs), and is primarily limited to Transport, Energy, Drinking Water, Health, and Digital Infrastructure.
However, there are actually 13 designated CNI sectors in the UK: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, and Water.
The new bill also recognises the importance of security and resilience within the supply chain, and singles out Managed Service Providers (MSPs) for their importance in our hyper-connected world.
Another interesting aspect of the Bill is that it gives extra powers to the regulator. One such power is the ability to ‘identify and designate specific high-impact suppliers as “designated critical suppliers (DCS)”’.
Whilst the security element of the Bill is intuitive, resilience is subject to a much wider and complex set of influences. It’s one thing to see CNI being brought down by a cyberattack, but another to see it brought down by accident through a supplier’s mistake, as we saw last year when CrowdStrike pushed out a faulty update to its endpoint software and caused an estimated $10 billion worth of damage.
Just in time
One CNI sector that hasn’t had as much attention as it deserves is food supply. Lenin’s musing that “no society is more than three meals away from chaos” remains true, as the panic buying and fights over dwindling supplies of essential items in the early days of Covid reminded us.
Of course, there was no shortage of goods, just unprecedented demand that the supermarkets’ IT-driven systems and logistics couldn’t keep up with. As the pandemic progressed, real shortages did develop, not least because of the UK’s heavy dependency on imported goods which was being severely impacted by internal and international lockdowns and restrictions.
The pandemic highlighted the food supply chain’s vulnerability to major incidents. The complex set of CNI interdependencies within the chain, and its dependency on interconnected IT systems, means that it is finely balanced and fragile.
Supermarket chains operate sophisticated Just-In-Time (JIT) stock control and logistics systems, which minimise inventory at stores by receiving goods only as they're needed. Good as they are at keeping costs down and spoilage to a minimum, JIT systems require precise co-ordination and are notoriously sensitive to supply chain disruption and demand surges.
In September 2000, protests over rising fuel prices saw the blockading of oil refineries and terminals across the UK. This quickly resulted in a nationwide fuel shortage followed in short order by food shortages. This happened because the supermarkets, in the early days of JIT replenishment, stopped getting regular deliveries. Panic buying started, exacerbating the problems and forcing supermarkets to ration some items.
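The sensitivity described above can be made concrete with a small model. The following is an added example, not code from the article or from any retailer's system: a toy order-up-to replenishment loop in which a shelf is restocked each morning to one day's demand plus a small safety buffer, a delivery outage of a given length interrupts that, and a demand surge (panic buying) multiplies sales from the first outage day onward. All figures (daily demand, safety-stock days, outage lengths, the 2x surge factor) are constructed, and the class and function names are hypothetical. The point it demonstrates beyond the prose is quantitative: a buffer of S days of normal demand survives an outage of at most floor(S / surge) whole days, so halving the buffer or doubling demand halves the tolerable disruption.

```python
"""Toy model of Just-In-Time (JIT) shelf replenishment under a delivery
outage and a panic-buying demand surge.

Added example, not from the article or any retailer's system.  Every figure
below (demand, safety-stock days, outage lengths, surge factor) is
constructed purely to illustrate why low-buffer JIT systems are sensitive to
disruption and demand surges."""

import math
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class JitPolicy:
    daily_demand: float   # units normally sold per day (constructed)
    safety_days: float    # buffer held on top of one day's demand; JIT keeps this small

    @property
    def order_up_to(self) -> float:
        """Stock level restored by each morning delivery: one day's demand plus buffer."""
        return self.daily_demand * (1.0 + self.safety_days)


def simulate(policy: JitPolicy, horizon_days: int, outage_start: int,
             outage_days: int, surge_factor: float = 1.0) -> Optional[int]:
    """Return the day on which demand first exceeds shelf stock, or None if it never does.

    Each day a delivery restores stock to the order-up-to level, unless the day
    falls inside the outage window [outage_start, outage_start + outage_days).
    From the first outage day onward demand is multiplied by surge_factor,
    modelling panic buying triggered by the visible disruption.
    """
    stock = policy.order_up_to
    for day in range(1, horizon_days + 1):
        in_outage = outage_start <= day < outage_start + outage_days
        if not in_outage:
            stock = policy.order_up_to                     # morning delivery arrives
        demand = policy.daily_demand * (surge_factor if day >= outage_start else 1.0)
        stock -= demand
        if stock < 0:
            return day                                     # shelf ran empty before close
    return None


def max_tolerable_outage(policy: JitPolicy, surge_factor: float = 1.0) -> int:
    """Closed form matching simulate(): the buffer covers safety_days of normal
    demand, and each outage day under surge consumes surge_factor days' worth."""
    return math.floor(policy.safety_days / surge_factor + 1e-9)


def resilience_table(policy: JitPolicy, surge_factor: float,
                     max_outage: int) -> Dict[int, Optional[int]]:
    """Stock-out day (or None) for each outage length 1..max_outage, outage starting day 10."""
    return {n: simulate(policy, 30, 10, n, surge_factor) for n in range(1, max_outage + 1)}


if __name__ == "__main__":
    lean = JitPolicy(daily_demand=100, safety_days=1.0)      # one day's buffer
    buffered = JitPolicy(daily_demand=100, safety_days=3.0)  # three days' buffer
    for name, policy in (("lean", lean), ("buffered", buffered)):
        print(name, "| tolerable outage, normal demand:", max_tolerable_outage(policy),
              "| under 2x surge:", max_tolerable_outage(policy, 2.0))
        print("   normal :", resilience_table(policy, 1.0, 4))
        print("   surge x2:", resilience_table(policy, 2.0, 4))
```

Running it shows the lean policy surviving a one-day outage but failing on the second day, and failing on the very first outage day once demand doubles; the buffered policy survives three days normally but only one under a 2x surge. The model ignores lead times, multiple stores competing for one depot and rationing, all of which make real systems less forgiving, not more.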
Today JIT technology is more sophisticated and supported by AI systems that are continuously analysing and predicting demand based on everything from shopping trends, weather and sporting events, right down to local events.
Supermarkets have evolved away from any manual alternative and are completely dependent on highly complex, connected, systems-driven end-to-end supply chains. Even farmers rely on sophisticated connected technology in their farm machinery to maximise efficiency and yields.
Impact of failure
The impact of failure was highlighted last March, when McDonald's branches around the world were brought to a standstill, which the company blamed on a third-party supplier and a configuration change.
By sheer coincidence the following day, both Sainsbury’s and Tesco suffered what were reported as completely unrelated IT outages affecting their online ordering systems, and in Sainsbury’s case instore payments as well.
With many supermarkets now moving to cashless payments only, the failure of third-party card payment systems can have a much wider impact, as it can affect multiple retailers simultaneously. In July 2024 Sainsbury's, M&S, Asda and others were all unable to take card payments for over an hour due to a ‘technical issue’ at French payment provider Worldline.
The increasing shift to cashless only, and eventually towards digital currencies, will further increase this risk. It’s not difficult to imagine a scenario where supermarket shelves are full, but people are going hungry because a prolonged IT failure means they are unable to buy anything.
The UK’s reliance on supermarkets is very real. According to 2024 data from Kantar and IGD, over 90% of all retail food purchases within the UK occur within a major supermarket chain.
However, even supermarket logistics and supply chains aren’t where the resilience challenge starts. Underlying it is the UK’s production capacity and availability of growers and livestock farmers.
Statistics from 2023 showed that only 58% of food consumed in the UK was sourced inside the country. Almost half of our fresh vegetables, for example, are imported, highlighting the risks that international supply chain dependencies pose to food supply.
A trade war with the US will test this resilience, considering that in 2021 the UK imported over $8 billion worth of fresh fruit and vegetables from the States. The imposition of tariffs, or even the threat of them, introduces uncertainty into supply chains, potentially causing delays and increased administrative burdens.
Importers may have to navigate more complex compliance requirements, leading to disruptions likely to knock the supermarkets’ JIT systems off balance.
The Cyber Security and Resilience Bill is an important step towards protecting our food supplies from the increasing risk of cyberattacks and other IT-related issues. Nonetheless, there are some fundamental and underlying resilience issues facing the UK's food supply that the Bill doesn't address, and which have the potential to constitute a greater risk.