Qilin's claimed attack on Sysco is the latest in a pattern that the food and agriculture sector has been unable to break for several years. JBS USA paid a USD 11 million ransom to REvil in 2021. Dole Food Company suffered a ransomware-induced IT shutdown affecting North American operations in 2023. Fresh Del Monte, US Foods, and multiple regional distributors have reported incidents in the intervening years. The attacks keep coming, and the sector's security posture has not materially improved.
The food and agriculture sector has been designated US critical infrastructure since the original Presidential Policy Directive 21 framework. That designation has not prevented a single one of these incidents, nor has it driven the security investment levels seen in financial services or utilities. Understanding why exposes a structural problem in how critical infrastructure security policy actually works.
Why Critical Infrastructure Designation Does Not Translate to Security Investment
Critical infrastructure designation creates advisory bodies, information-sharing mechanisms, and voluntary security frameworks. The Food and Agriculture Information Sharing and Analysis Center (Food and Ag-ISAC) exists. CISA produces sector-specific guidance. But for most companies in this sector, none of this translates into mandatory security controls or audit-backed compliance requirements.
Compare this to financial services: banks subject to FDIC oversight have mandatory cybersecurity examination, mandatory incident reporting, and supervisory consequences for non-compliance. Healthcare covered entities have HIPAA with enforceable breach notification and security rule requirements. The food and agriculture sector has voluntary best practices and no comparable enforcement mechanism.
The result is predictable. In a sector characterised by thin margins, high capital intensity in physical infrastructure, and intense price competition, cybersecurity investment competes directly against cold storage upgrades, fleet modernisation, and logistics automation. Without a regulatory floor, the risk is chronically underpriced.
The OT Problem
Most food distribution and processing operations run operational technology that was never designed with cybersecurity in mind: warehouse management systems on Windows 7 Embedded, refrigeration controllers reachable over Modbus (a protocol with no authentication or integrity protection) on unsecured Wi-Fi, and logistics platforms with legacy VPN credentials that have not been rotated in years.
The standard enterprise IT security toolkit (endpoint detection and response, patch management, identity governance) does not map neatly onto these environments. OT systems often cannot be patched without production downtime. EDR agents cannot run on embedded PLCs. The IT/OT boundary that exists on paper is porous in practice, because the business processes that run across it (warehouse management, refrigeration monitoring, logistics) were designed for operational efficiency rather than network segmentation.
When ransomware enters through a corporate IT network and reaches OT systems, as it did with JBS, which had to halt cattle processing operations, the impact is measured in physical terms: trucks not moving, the cold chain not maintained, orders not fulfilled.
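One concrete way to see both points above (Modbus carries no authentication, and the IT/OT boundary is only as real as the traffic crossing it) is to parse Modbus/TCP requests and flag writes that originate from corporate IT address space. The following is an added example written for this article, not code from Sysco, JBS or any vendor named here; the subnet ranges, the flow records and the raw frames are constructed for illustration.

```python
"""Flag Modbus/TCP writes that cross from corporate IT into an OT cell.

Added example. The address plan, flow records and frames below are
constructed for illustration; nothing here is real traffic.
"""
import ipaddress
import struct

# Hypothetical address plan (an assumption, not from the article).
IT_NETS = [ipaddress.ip_network("10.10.0.0/16")]
OT_NETS = [ipaddress.ip_network("192.168.50.0/24")]

# Modbus function codes that change controller state vs. only read it.
WRITE_FUNCTIONS = {5: "write single coil", 6: "write single register",
                   15: "write multiple coils", 16: "write multiple registers"}
READ_FUNCTIONS = {1: "read coils", 2: "read discrete inputs",
                  3: "read holding registers", 4: "read input registers"}


def build_modbus_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Encode a Modbus/TCP request: 7-byte MBAP header, then the PDU.
    The header holds a transaction id, protocol id (0), length and unit id;
    there is no credential or integrity field anywhere in the frame."""
    pdu = bytes([function]) + data
    return struct.pack("!HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def parse_modbus_frame(frame: bytes) -> dict:
    """Decode the MBAP header and function code, validating the length field."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size" % length)
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def classify_flow(flow: dict):
    """Return an alert dict for a Modbus flow worth looking at, else None.

    flow keys: src, dst, dport, payload (bytes of the first request)."""
    if flow["dport"] != 502:
        return None
    ends = {"src": flow["src"], "dst": flow["dst"]}
    try:
        req = parse_modbus_frame(flow["payload"])
    except ValueError as exc:
        return {"severity": "medium", "reason": "malformed Modbus: %s" % exc, **ends}
    if not (_in_any(flow["src"], IT_NETS) and _in_any(flow["dst"], OT_NETS)):
        return None  # traffic that stays inside the OT cell is expected
    fc = req["function"]
    if fc in WRITE_FUNCTIONS:
        reason = "IT host issued %s to unit %d" % (WRITE_FUNCTIONS[fc], req["unit"])
        return {"severity": "high", "reason": reason, **ends}
    reason = "IT host issued %s" % READ_FUNCTIONS.get(fc, "function %d" % fc)
    return {"severity": "low", "reason": reason, **ends}


def scan(flows) -> list:
    """Run classify_flow over a batch of flow records and keep the alerts."""
    return [a for a in (classify_flow(f) for f in flows) if a is not None]


# Constructed sample flows: an HMI inside the OT cell reads ten holding
# registers, then a corporate laptop writes a setpoint to the same controller.
SAMPLE_FLOWS = [
    {"src": "192.168.50.10", "dst": "192.168.50.20", "dport": 502,
     "payload": build_modbus_frame(1, 1, 3, struct.pack("!HH", 0, 10))},
    {"src": "10.10.7.42", "dst": "192.168.50.20", "dport": 502,
     "payload": build_modbus_frame(2, 1, 6, struct.pack("!HH", 0x0040, 0x0005))},
    {"src": "10.10.7.42", "dst": "192.168.50.20", "dport": 443,
     "payload": b"\x16\x03\x01"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The write from the IT subnet is accepted by the controller exactly as the read from the HMI is, because the protocol gives the device no way to tell them apart; the only place to make that distinction is on the network path, which is why the check keys on source address rather than on anything inside the frame. A zone firewall that drops TCP/502 from IT into the OT cell removes the condition the rule detects.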
What Would Actually Move the Needle
The sector's security improvement will not come from voluntary frameworks. Companies in this sector respond to regulatory requirements, insurance conditions, and contractual obligations. The levers that work:
Insurance: Cyber insurance underwriters have begun conditioning or declining coverage for critical infrastructure operators that cannot demonstrate baseline controls. For a distributor operating on 3 to 5 per cent margins, losing cyber insurance coverage is an existential risk to financing and contracts. This is beginning to drive behaviour in a way that CISA guidance has not.
Customer contractual requirements: Large customers (supermarket chains, healthcare systems, government agencies) increasingly require cybersecurity attestation from suppliers. When Sysco's largest customers demand SOC 2 Type II reports and right-to-audit clauses, the investment decisions change.
Mandatory incident reporting: CIRCIA's mandatory reporting requirements for critical infrastructure sectors, once fully implemented, will at minimum give CISA a systematic record of incident frequency across the sector. Even in aggregated form, that visibility changes the risk calculus for boards and investors.
The Sysco incident, if confirmed, will have financial, operational, and reputational consequences that no CISA advisory would have created. The sector will learn from the outcome, but only if the industry treats each incident as an investment signal rather than an isolated event.