Will the Cyber Security & Resilience Bill help protect UK food supplies?
- Ian Hill
- Apr 7
Last week saw the publication of the government’s much-anticipated Cyber security and resilience policy statement on GOV.UK. It sets out the government’s intentions for the Cyber Security and Resilience Bill, which will be implemented as a series of updates to the Network and Information Systems (NIS) Regulations 2018, and in essence goes some way towards our own version of the EU NIS 2 Directive. It is another important piece of an overarching framework of security legislation intended to improve the security and resilience of the nation’s critical infrastructure and services.
One important aspect of this new bill is the plan to expand the scope of what the regulations define as Critical National Infrastructure (CNI). Under existing regulations, CNI is made up of Operators of Essential Services (OES) and Digital Service Providers (DSPs) and is primarily limited to Transport, Energy, Drinking water, Health and Digital Infrastructure, whereas there are actually 13 currently designated CNI sectors in the UK: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport, and Water.

The new bill also recognises the importance of security and resilience within the supply chain, and singles out Managed Service Providers (MSPs) in particular, which isn’t a surprise considering the dependency on them in our hyper-connected world. Another interesting aspect of the Bill is that it gives extra powers to the regulator, in particular the ability to ‘identify and designate specific high-impact suppliers as “designated critical suppliers (DCS)”’. So, if you look at the current official list of CNI sectors, all the companies that operate in those sectors, and their critical supply chain, the revised regulations will cast a wide net when they become law. While the security element is probably easier to understand, resilience is subject to a much wider and more complex set of influences. It’s one thing for CNI to be brought down by a cyber-attack, but it’s something else when it’s brought down by accident through a supplier’s mistake, as we saw on the 19th July 2024 when CrowdStrike pushed out a faulty update to its endpoint software and caused disruption on a global scale, estimated to have caused US$10 billion worth of financial damage.
One CNI sector of particular interest to me, and probably most people, that until recently didn’t get as much attention as it deserved is food supply. The old saying ‘no society is more than three meals away from chaos’ (often attributed to Vladimir Lenin), and variations of it, is still valid today. We had a taster of this during the COVID pandemic, when fighting broke out in supermarkets as the shelves emptied, one incident being over toilet rolls of all things. To start with, there wasn’t actually a shortage of goods at all, just an unprecedented demand that the supermarkets’ IT-driven systems and logistics couldn’t keep up with. However, as the pandemic progressed, real shortages started to take effect, not least because of the UK’s heavy dependency on imported goods, which were being severely impacted by both internal and international lockdowns and restrictions.
The COVID pandemic was unprecedented but did highlight the fragility of the food supply chain in the face of major incidents. The complex set of CNI interdependencies within the food supply chain, and the heavy dependency on interconnected IT systems, mean that it is continually balanced on a knife edge. This is mainly because supermarket chains operate sophisticated Just-In-Time (JIT) stock control and logistics systems, which are all about minimising inventory at stores by receiving goods only as they’re needed, thus lowering costs and reducing the risk of spoilage. However, JIT systems require precise co-ordination and are notoriously sensitive to supply chain disruption, demand surges and sometimes even the weather.
In simple form, the local electronic point-of-sale (ePOS) systems feed live data to centralised database processes, triggering automatic restocking requests to centralised distribution centres (DCs) based on real-time demand, with deliveries timed precisely through advanced optimised route planning, sometimes multiple times per day. At the same time, the DCs’ processes place automated requests to food suppliers and processors against strict contractual fulfilment timelines.
In September 2000, protests over rising fuel prices saw the blockading of oil refineries and terminals across the UK. This quickly resulted in a nationwide fuel shortage, which had a knock-on effect on food supplies because the supermarkets, who back then had started to adopt JIT stock replenishment, were not getting regular deliveries. This then led to panic buying, which exacerbated the problem and forced the supermarkets to ration some items.
Today JIT technology is much more sophisticated and supported by AI systems that continuously analyse and predict demand based on shopping trends, weather, sporting events etc., even down to events at a local level. The last time I was at the Isle of Man TT, the Douglas branch of Tesco was piled high with camping equipment, disposable barbecues and mountains of bottled water to meet a predictable localised demand. Supermarkets have evolved, no longer have any manual alternative, and are completely dependent on end-to-end supply chains driven by highly complex and connected IT systems, from the farmers all the way to the in-store payment systems. Yes, even the farmers these days rely on sophisticated connected technology in their farm machinery in order to maximise efficiency and yields.
The impact of things failing was highlighted recently when, on the 15th March 2024, McDonald’s was brought to a complete standstill as its global IT systems decided to take the day off, which the company blamed on a third-party supplier. And by some bizarre coincidence, the day after, both Sainsbury’s and Tesco suffered what were reported as completely unrelated IT outages affecting their online ordering systems, and in Sainsbury’s case in-store payments as well.
With many supermarkets now moving to cashless payments only, the failure of third-party card payment systems can have a much wider impact, as it can affect multiple retailers simultaneously. On the morning of the 11th July 2024, Sainsbury’s, M&S, Asda and others were all unable to take card payments for over an hour due to a ‘technical issue’ at French payment provider Worldline. The increasing shift to cashless only, and eventually towards digital currencies, will only increase this risk. I can imagine a future ‘Black Mirror’ type scenario, where supermarket shelves are all full, and yet people are going hungry because a prolonged IT failure means they are unable to actually buy the food.
If we put this into context, according to 2024 data from Kantar and IGD, over 90% of all retail food purchases within the UK are through the major supermarket chains. The problem of food supply resilience isn’t just confined to the supply chain and logistics IT systems of the big supermarket chains; it drills down to a much more fundamental level, and one on which the Cyber Security & Resilience Bill will have no impact whatsoever: the UK’s production capacity and the availability of the growers and livestock farmers themselves.
I know we’re drifting off topic slightly, but bear with me, we are still talking about resilience of the food supply chain. 2023 statistics showed that only 58% of food consumed in the UK was sourced within the UK (down from 80% in the early 1980s), and within this, 45% of our fresh vegetables are imported, just highlighting the risk of international supply chain dependencies on the availability of a sufficient food supply to feed the UK’s near 70 million population. The trade war recently instigated by President Trump is likely to severely test this resilience, when you consider figures from 2021 show that the UK imported over $8 billion worth of fresh fruit and vegetables from the USA. The imposition of tariffs introduces uncertainty into supply chains, potentially causing delays and increased administrative burdens. Importers might need to navigate complex compliance requirements, leading to disruptions which will undoubtedly unbalance the supermarkets’ JIT systems. This also highlights that one of the biggest risks to the resilience of our food supplies is the uncertainty and fickle whims of global and national politics, not least the fanatical obsession with Net-Zero. I live in the Cambridgeshire Fens and have seen for myself thousands of acres of the most fertile arable land in the country being covered in solar panels.
So, back on topic: the Cyber Security and Resilience Bill is, amongst other things, an important step towards protecting our food supplies from the increasing risk of cyber-attacks and other IT-related issues, yet there are some fundamental and underlying resilience issues facing the UK’s food supply chain which it doesn’t address, and which in such uncertain times have the potential to be the greater risk.