Cybersecurity Is Like Food Safety: Digital HACCP

There are lots of calls to invest in improving cybersecurity.

But it struck me that it doesn’t work like that. Not getting hacked is not so much a question of buying the right stuff. It is a question of doing the right things and understanding what you are doing.

It is easy to demand that people ‘invest’ in something. You can even supply them with the money to do so. But that doesn’t mean that it will help. You can’t just apply more armor and be ‘cyber secure’.

A very useful analogy is food safety. We’re all aware how handling chicken badly can seriously imperil the health of the people you cook for.

In fact, we’re so aware that we created stringent rules for professional kitchens, including inspections and investigations after incidents.

Over the years, we’ve gotten a lot better at food safety, and it now extends down the entire supply chain, “from farm to fork”.

And while this does involve investing in equipment and stuff, it mostly involves continuously doing the right thing and measuring that you are in fact doing so:

  • Having cutting boards in four different colors is a great start, but it only works as long as people understand one of these is for vegetables only.

  • Having good refrigerators is nice, but they only work as long as you understand their limits - they won’t keep things fresh indefinitely, nor protect stuff not in them.

  • Quality hand hygiene solutions are necessary, but they only help if people actually use them.

You can’t just buy the required stuff and declare the food is now safe. It requires constant vigilance.

The analogies to cybersecurity are overwhelming. Food safety is the proper analogy for cybersecurity.

Compare:

  • The enemy is invisible (germs)
  • You can get infected via your supply chain, which is also your responsibility
  • A single employee not paying attention can sink you
  • Out of sight, bugs can fester for years before causing harm
  • Without the right infrastructure, you are doomed
  • But even if you buy the right stuff, there are no silver bullet solutions - only paths to improvement

So I looked into this a bit more, as related fields can often provide very good inspiration. And I was blown away by what I found.

Food safety has been around for a while now and they are light years ahead of us. A mainstay of providing safe food is HACCP.

Source: Wikipedia. Count how many safety features you see in this photo.

Hazard analysis and critical control points (HACCP)

The origins of the ideas behind HACCP are a bit misty but it appears that experiences with end-point quality control during World War II played a role. In the 1960s, NASA formally kicked off its design while testing the safety of food meant for space missions.

The essence of HACCP is recognizing hazards and finding “critical control points” where these can be continuously monitored.

This leads to rules like “Hot food must be held at a minimum temperature of 135°F (57°C) if it is not immediately consumed. The temperature must be checked every 4 hours or else labeled with a discard time”. Note that simply not measuring is enough to break compliance, unless you apply a label “good until 11:45”.

HACCP plans cannot be ‘certified’ in advance, and plans must include their own procedures for how compliance will be verified in production (!). In addition, the plans must contain corrective measures for when things go wrong.

From how I read it, HACCP compliance can be extremely onerous if your processes are inherently dangerous. From this, I assume that food production will typically be designed such that compliance is doable. You can’t escape these rules by saying things are too complex to be monitored. Unlike in cyber.

The concepts behind HACCP have since been adopted by the water treatment and pharmaceutical industries. The seven core principles are very well worth reading.

Summarising

Cybersecurity can very usefully be compared to food safety. From that world we learn that you do need the right equipment, but that actual safety ‘is what you do’, and not some process separate from the act of preparing food.

In the food safety world, no one is selling ‘food safety appliances’, nor does anyone create ‘food safety departments’. The whole factory is a food safety department.

And although in the food safety world, freezers, thermometers and multi-colored cutting boards are vital, no one mistakes the physical equipment for the actual processes required to produce food safely.

In cyber, we could very usefully learn from food safety practices. And the least we can do is stop thinking about cybersecurity as some kind of military fortress thing, and instead look towards the kitchen for inspiration.