Breweries – Can they be Hacked?

100 bottles of beer on the wall, 100 bottles of beer! Has anyone thought about what goes into making beer? I recently received my “Professional Craft Brewing” certification from Johnson & Wales. Throughout the program we went out and worked in commercial breweries. With my additional career as an IT Security Specialist, I was interested in all the electronic equipment that these breweries are using, how an attacker could hack these systems, and what they’d be able to do once inside.

Many breweries are beginning to implement PLC (programmable logical controller) devices. These devices are being implemented into the brewing cycle to simplify and automate processes and lower the cost of production. These processes may include grain milling, mash tun, hop additions, fermentation temperature, canning line, etc. PLCs are the final actuators used but if we take one step back, SCADAs (supervisory control and data acquisition) and RTUs (remote terminal units) are the devices that interact with the PLCs. SCADAs transmit the telemetry data (heat, weight, flow, pressure) back to the RTUs that communicate with PLCs and tell them what to do.

Local craft breweries range in size from 7-barrel (bbl) fermenters all the way up to 300 bbl. Milling of the grain should just crack the husk to allow for the most sugar to be gathered as part of the mashing. If the husks aren’t cracked just right, there won’t have enough sugar produced and there will be a weak beer with a low ABV (alcohol by volume). Hops are added for flavor, aroma, and bitterness and they are added at specific times during the boil. Adding them at the wrong time will alter the flavor, aroma, and bitterness of the beer and it will be an off flavor of beer. Fermentation temperature is crucial in a brewery. Temperature of the fermenter is closely monitored and adjusted by a PLC device. It notices when the temperature is getting too high and adds more glycol to the jacket to lower the temperature. If it’s getting too cool, it reduces the glycol. The breweries that I’ve visited have small networks, and I’ve seen the corporate network on the same segment as the RTUs, PLC, and SDSL (symmetric digital subscriber line) environment. The corporate network usually has access out to the internet.

So, where does cybersecurity come in? We know what it takes to make beer and we know the process and the money and time expended on keeping your brand safe and secure. To increase profits and volume while reducing effort, most breweries have decided to automate systems as we previously mentioned and add remote-control abilities for other systems. If their corporate network was to be breached, say by an employee falling for a phishing email, and that corporate network was also on the same segment as those devices, a hacker could potentially disrupt your production and ruin your current batch of beer. All of the brewery’s functions, such as marketing, invoicing, scheduling, etc., could be affected. Furthermore, a breach could result in confidential formulas being revealed. Anheuser-Busch InBev, a multinational drink and brewing company based in Belgium has been collaborating with five different Israeli cybersecurity companies to ensure that their beer and revenues continue flowing.

Nile Breweries Limited, a Ugandan brewery announced this past November that their website had been hacked. The hacker removed and altered sections of the brewer’s website and discovered what appeared to be a secret beer recipe yet to be produced in the company’s files. The hacker then uploaded a video to Nile Breweries’ website stating “here is my demand - Produce this beer immediately, or the formula goes public. You have 24 hours”. Some have speculated that the whole incident is a marketing stunt staged by Nile Breweries Limited, but the company denies this claim.

Within the same month, Waterloo Brewing of Kitchener, Ontario announced that they had lost $2.1 million in a social engineering scam. The attackers impersonated a creditor employee and raised a fraudulent transfer request. By the time the brewery had realized the mistake it was too late, though no systems were breached or customer information exposed.

No industry is immune from the soaring increase in data security breaches – not even craft breweries. Too many small business owners believe they are too small to attract a hacker or fall victim to a breach. Kaspersky Lab has come out to say, “Cyber threats to industrial environments are fundamentally different to traditional threats that businesses or individuals may face both and in terms of complexity and the scale of potential damage, which can be disastrous”.

A lot of effort, time, resources, and money go into brewing good beer. Breweries, along with all organizations should work to protect their property and brand. Nothing travels faster than bad news, and nothing creates bad news faster than bad beer!