The OT/IT Convergence Problem in Artisanal Food Production

The modern artisanal cheese cave is, whether its operators recognise it or not, an industrial control environment. It is also, increasingly, a target.

Over the past decade, a quiet transformation has taken place in maturation facilities across Australia, Europe, and North America. Caves that once relied on a cheesemaker's intuition and a mechanical hygrometer now run networked programmable logic controllers (PLCs), MQTT-connected humidity sensors, and cloud-hosted maturation databases. The affineur still turns the wheels by hand, but the environmental envelope in which those wheels age is maintained by software.

This convergence of operational technology (OT) and information technology (IT) creates a compliance landscape that neither traditional food safety frameworks nor conventional information security standards were designed to address in isolation. HACCP concerns itself with biological, chemical, and physical hazards — it has nothing to say about lateral movement from a compromised workstation to an HVAC controller. ISO 27001 provides a comprehensive information security management system (ISMS), but its guidance assumes your information processing facility has walls, a server room, and a reception desk — not limestone geology, seasonal flooding risk, and a resident population of Penicillium roqueforti.

This paper examines the specific challenges of implementing ISO 27001 in artisanal cheese cave operations. It is not a general introduction to the standard; we assume the reader has a working familiarity with ISO/IEC 27001:2022 and its Annex A controls. Rather, we address the practical decisions that arise when you attempt to draw an ISMS boundary around an environment where a temperature excursion is simultaneously a food safety incident, a business continuity event, and a potential indicator of compromise.

The guidance presented here is drawn from our consultancy work with cave operations ranging from single-room farmstead facilities to multi-cave commercial affineurs. The problems are consistent; the solutions, as always, depend on context.


Defining the ISMS Boundary When Your Processing Facility Is a Cave

ISO 27001 Clause 4.3 requires organisations to determine the boundaries and applicability of their ISMS. For a conventional office environment, this is straightforward: the scope typically follows the lease boundary. For a cheese cave operation, the question of where the ISMS begins and ends is considerably more nuanced.

The scope must encompass all information assets that support the maturation process. This includes, at minimum: environmental control systems (HVAC PLCs, humidity controllers, air circulation fans with variable frequency drives), sensor networks and their associated telemetry infrastructure, maturation databases recording batch provenance and environmental history, recipe management systems containing proprietary culture formulations, and the network infrastructure connecting these components.

The Statement of Applicability (SoA) will typically include the full set of Annex A controls, with justifications for exclusion where controls are not applicable. In our experience, very few controls can be legitimately excluded from a cave operation's SoA. Even controls that appear irrelevant at first glance — such as A.14.2 (Security in Development and Maintenance Processes) — become applicable when you consider that many operators run custom Python or Node.js scripts for data aggregation and alerting.

A common scoping error is to exclude the cave environment itself from the ISMS boundary, treating it as a purely physical facility. This is a mistake. The cave's environmental conditions are both an input to and an output of information processing. A limestone cave's natural thermal mass and humidity characteristics are variables in the control algorithm; if those characteristics change (through geological shift, water table variation, or unauthorised structural modification), the integrity of the information system is affected.

Organisations should also consider the interface points between the ISMS and external entities: milk suppliers with electronic delivery documentation, culture suppliers with remote access to fermentation systems, distribution partners receiving batch traceability data, and regulatory bodies requiring periodic food safety reporting. Each of these interfaces represents a scope boundary that must be explicitly defined and controlled.


Trade Secrets, Telemetry, and the Wheel Itself

Annex A.8 (Asset Management) requires organisations to identify information assets and define appropriate classification levels. In a cheese cave operation, the asset inventory spans a broader range than most organisations anticipate, and several asset categories present classification challenges that do not arise in conventional IT environments.

Proprietary culture starter recipes represent the most obviously sensitive information assets. A culture library developed over decades of selective propagation constitutes genuine trade secret material. These formulations — often documented only in handwritten notebooks or legacy spreadsheets — should be classified at the highest level in the organisation's scheme (typically "Confidential" or "Restricted"). The loss or disclosure of a proprietary starter culture recipe can represent an existential threat to a small producer's competitive position.

Maturation profiles — the precise temperature, humidity, and airflow parameters applied at each stage of the ageing process — are equally sensitive. These profiles represent years of empirical refinement and are as commercially valuable as the cultures themselves. Classification should reflect their trade-secret status, and access should be restricted to named individuals under A.9.1 (Business Requirements of Access Control).

Sensor telemetry data presents a more complex classification problem. Individual temperature and humidity readings may appear innocuous, but in aggregate, they reveal the maturation profile. A continuous stream of environmental data from a competitor's cave would allow a sufficiently knowledgeable analyst to reverse-engineer their process. Telemetry should therefore be classified as "Internal" at minimum, with aggregate historical datasets elevated to "Confidential."

The cheese itself occupies a unique position as an information-adjacent physical asset. A wheel of Comté ageing in a cave is not an information asset per se, but its commercial value is directly dependent on the integrity of the data systems that monitor and control its environment. A failure of data integrity — undetected sensor drift, corrupted maturation logs, or tampered environmental setpoints — can render the physical product unsaleable. The asset register should acknowledge this dependency, even if the wheel itself is not classified as an information asset under the ISMS.

[Figure: rows of ageing cheese wheels on wooden shelves in a maturation facility]
Environmental conditions across maturation shelving must be monitored continuously — each row may represent distinct temperature and humidity micro-zones requiring independent sensor coverage.

Segmentation, DMZs, and the Refrigeration Contractor Problem

Annex A.13 (Network Security Management) is where many cave operations encounter their most significant compliance gap. The root cause is almost always the same: the facility's network infrastructure was designed and installed by refrigeration or HVAC contractors, not network engineers. The result is a flat Layer 2 network where Schneider Electric Modicon PLCs, Tridium Niagara building management controllers, and the office Wi-Fi all share a single broadcast domain.

The target architecture should implement a minimum of three network segments: a corporate IT zone for business systems, an OT zone for environmental control and monitoring, and a demilitarised zone (DMZ) for systems that must communicate between the two — typically the MQTT broker, the historian database, and any HMI (human-machine interface) dashboards. Where budget permits, a fourth segment for IoT sensor endpoints provides additional defence in depth.

VLAN segmentation using managed switches (we commonly see Cisco Catalyst or HPE Aruba deployed in cave environments) provides the logical separation, but the firewall rules between zones are where the real security value lies. Traffic from the OT zone to the IT zone should be denied by default, with explicit allow rules only for the specific protocols and ports required: MQTT (TCP 8883 for TLS-encrypted traffic), Modbus/TCP (port 502, though this should ideally be confined to the OT zone), and BACnet/IP (UDP 47808) for building automation integration.

The practical challenge is retrofit. Rewiring a facility that has been in operation for years — often with cable runs through stone walls, waterproof conduit in humid tunnels, and junction boxes in locations that require confined-space entry procedures — is expensive and disruptive. A phased approach is usually necessary: begin with logical segmentation (VLANs and ACLs on existing switches), then progress to physical separation as hardware refresh cycles allow. The critical first step is to get the PLCs off the same network as the office printers.

Remote access is a particular concern. Many equipment vendors — particularly those supplying Siemens S7-series or Allen-Bradley CompactLogix controllers — require VPN access for maintenance and firmware updates. This access must terminate in the DMZ, never directly in the OT zone, and should be controlled through a privileged access management (PAM) solution with session recording enabled per A.9.2.3 (Management of Privileged Access Rights).


Where Annex A.11 Meets Food Safety

Physical and environmental security (Annex A.11) is one area where cheese cave operations can achieve genuine efficiencies, because the physical access controls required for food safety substantially overlap with those required for information security. A maturation room must be access-controlled to prevent contamination (a HACCP requirement), to maintain environmental stability (an operational requirement), and to protect information processing equipment and the data it handles (an ISO 27001 requirement). One door, one lock, three compliance objectives.

Access control technology selection is heavily influenced by the cave environment. Biometric readers — particularly fingerprint scanners — perform poorly in environments with sustained relative humidity above 85%, which is typical of many maturation caves. Capacitive sensors struggle with moisture on fingertips, and optical sensors are susceptible to condensation on the reading surface. RFID proximity cards (MIFARE DESFire EV3 or similar) are the more reliable choice, though operators must account for the corrosive effects of ammonia off-gassing (common during washed-rind ageing) on card reader electronics. Sealed IP67-rated readers are recommended for installation within cave environments.

The seasonal affinage worker problem is a recurring challenge for A.11.1.2 (Physical Entry Controls). Many artisanal operations employ additional staff during peak production and maturation periods — often for contracts of 8 to 16 weeks. These temporary workers require physical access to maturation rooms and, frequently, read access to environmental monitoring dashboards. The ISMS must define a joiner/mover/leaver process that can accommodate this seasonal cycle without creating access management debt. Proximity cards should be issued with expiry dates aligned to contract end dates, and logical access should be provisioned through time-limited role-based groups.

A.11.2.1 (Equipment Siting and Protection) requires particular attention in cave environments. Network switches, PLCs, and sensor hubs installed in humid, temperature-variable locations must be housed in appropriate NEMA 4X or IP66 enclosures. We have observed significant hardware failure rates in facilities where industrial control equipment was installed without environmental protection — condensation-related failures on unprotected circuit boards are the single most common cause of unplanned OT outages in cave operations.

[Figure: cheese wheels ageing on wooden shelves in a climate-controlled maturation room]
Physical access controls in maturation rooms must serve dual purposes: preventing biological contamination while restricting unauthorised access to environmental monitoring equipment.

Securing MQTT, Modbus, and BACnet in Constrained Environments

The sensor infrastructure in a typical cheese cave relies on a mix of industrial protocols that were designed for reliability and simplicity, not security. Understanding the specific vulnerabilities of each protocol is essential for implementing appropriate controls under A.13 (Communications Security) and A.14 (System Acquisition, Development and Maintenance).

MQTT (Message Queuing Telemetry Transport) is the dominant protocol for sensor telemetry in modern cave deployments, typically running on a Mosquitto or HiveMQ broker. By default, MQTT transmits in cleartext on port 1883. All production deployments must enforce TLS on port 8883, with mutual certificate authentication (mTLS) where device capabilities permit. The broker's access control list (ACL) must restrict topic subscriptions per device — a humidity sensor in Cave A should not be able to subscribe to telemetry topics from Cave B.
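The per-device subscription restriction described above can be checked offline before the ACL is loaded on the broker. The following is an added example written for this paper, not the paper's or Mosquitto's own code: the usernames, the caves/<cave>/<device>/<kind> topic layout and the ACL text are assumed, and the script models only the subset of Mosquitto's acl_file syntax it uses (user sections, topic and pattern rules, deny precedence).

```python
"""Offline check of a Mosquitto-style ACL file for per-device topic isolation.
Constructed example written for this paper, not the paper's or Mosquitto's code:
usernames, the caves/<cave>/<device>/<kind> topic layout and the ACL text are
assumptions. Models 'user' sections, 'topic <access> <filter>', 'pattern ...'
with %u/%c substitution, and 'deny' beating allow; anything else is denied."""

ACCESS = {"read", "write", "readwrite", "deny"}

# Constructed ACL. Each sensor publishes only its own telemetry and reads only its
# own cave's setpoints; the DMZ historian reads all telemetry but not setpoints.
ACL_TEXT = """
user cave-a-hum-01
topic write caves/cave-a/hum-01/telemetry
topic read caves/cave-a/+/setpoint
user cave-b-hum-07
topic write caves/cave-b/hum-07/telemetry
topic read caves/cave-b/+/setpoint
user historian
topic read caves/#
topic deny caves/+/+/setpoint
# any authenticated client may publish its own status (%u = username)
pattern write caves/%u/status
"""


def topic_matches(filt: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches one level, '#' (last level only) the rest."""
    f_levels, t_levels = filt.split("/"), topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return i == len(f_levels) - 1
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)


def parse_acl(text: str):
    """Return ({username: [(access, filter), ...]}, [(access, pattern), ...])."""
    users, patterns, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # '#' is a comment only at line start
            continue
        parts = line.split()
        if parts[0] == "user" and len(parts) == 2:
            current = parts[1]
            users.setdefault(current, [])
        elif parts[0] in ("topic", "pattern") and len(parts) == 3 and parts[1] in ACCESS:
            if parts[0] == "pattern":
                patterns.append((parts[1], parts[2]))
            elif current is None:  # would apply to anonymous clients: refuse it
                raise ValueError("topic rule before any 'user' line: " + line)
            else:
                users[current].append((parts[1], parts[2]))
        else:
            raise ValueError("unsupported ACL line: " + line)
    return users, patterns


def authorised(acl, username: str, client_id: str, op: str, topic: str) -> bool:
    """op is 'read' (subscribe/deliver) or 'write' (publish). Unknown users get nothing."""
    users, patterns = acl
    rules = list(users.get(username, []))
    rules += [(a, p.replace("%u", username).replace("%c", client_id)) for a, p in patterns]
    allowed = False
    for access, filt in rules:
        if not topic_matches(filt, topic):
            continue
        if access == "deny":
            return False  # a matching deny wins over any matching allow
        if access in ("readwrite", op):
            allowed = True
    return allowed


def isolation_violations(acl, devices: dict) -> list:
    """devices maps username -> (cave, device_id). Returns (reader, topic) pairs
    where a sensor in one cave may read telemetry published from another cave."""
    found = []
    for reader, (cave, _) in devices.items():
        for _, (other_cave, other_dev) in devices.items():
            topic = f"caves/{other_cave}/{other_dev}/telemetry"
            if other_cave != cave and authorised(acl, reader, reader, "read", topic):
                found.append((reader, topic))
    return found


ACL = parse_acl(ACL_TEXT)
DEVICES = {"cave-a-hum-01": ("cave-a", "hum-01"), "cave-b-hum-07": ("cave-b", "hum-07")}
```

Run `isolation_violations(ACL, DEVICES)` against a draft ACL; an empty list means no sensor can read telemetry from a cave other than its own.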

Modbus/TCP remains widely used for communication between PLCs and supervisory systems, particularly in facilities using Schneider Electric or ABB controllers. Modbus has no native authentication or encryption. The protocol was designed in 1979 for serial communication within a single control cabinet; its extension to TCP/IP was never intended for deployment across routable networks. The primary mitigation is network segmentation — confine Modbus traffic to the OT VLAN and never route it across zone boundaries. Where cross-zone communication is necessary, use an OPC-UA gateway as the translation layer, as OPC-UA supports certificate-based authentication and encrypted sessions natively.

BACnet/IP (Building Automation and Control Networks) is common in facilities where the cave's climate control is integrated with a broader building management system (BMS). BACnet's security extensions (defined in Addendum 135-2008g) are rarely implemented in practice. As with Modbus, segmentation is the primary defence.

Certificate lifecycle management is a particularly acute problem for battery-powered sensors with designed lifespans of 5 to 10 years. A Sensirion SHT45 humidity sensor node running on a CR2477 lithium cell cannot perform computationally expensive certificate renewal operations without significant battery impact. Operators must plan for certificate lifetimes that align with device replacement cycles, or implement a lightweight certificate rotation protocol. The alternative — deploying sensors with certificates that expire before the device's expected end of life — creates a ticking compliance problem that will surface at the least convenient moment.


Data Retention and Business Continuity Across Multi-Year Ageing Cycles

ISO 27001 A.8.2.3 and Clause 7.5 require organisations to define retention periods for documented information. In most industries, this is a matter of policy: retain records for the regulatory minimum, then dispose of them securely. In artisanal cheese production, the problem is fundamentally different, because the product lifecycle can span years.

A wheel of Comté ages for a minimum of 4 months, with premium selections maturing for 18 to 36 months. Parmigiano-Reggiano requires a minimum of 12 months, with stravecchio classifications demanding 36 months or more. Some English territorial cheeses and Australian cave-aged hard cheeses are matured for 4 to 5 years. Throughout this entire period, the environmental history of the cheese is an active, operational record. You cannot apply a standard retention-and-disposal policy to a dataset that is still in use.

The ISMS must define retention periods that are linked to the product lifecycle, not to arbitrary calendar periods. Environmental telemetry data for a batch must be retained for the full maturation period plus any post-sale traceability requirement (typically 2 years for food products under Australian consumer law, and up to 5 years under EU product liability frameworks). For a 3-year cheese, this means a minimum data retention period of 5 to 8 years for a single batch.
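One way to make retention follow the batch rather than the calendar, as an added example written for this paper rather than the paper's own procedure: the batch register, cave names and the one-partition-per-cave-per-month storage layout are assumptions, and the 2-year (AU) and 5-year (EU) periods are taken to run from the date of sale. Because several batches share a cave, a month of telemetry can only go once every batch that occupied that cave in that month has cleared retention.

```python
"""Retention schedule for maturation telemetry driven by the product lifecycle.
Constructed example written for this paper, not the paper's own code: the batch
register, cave names and the partition layout (one telemetry partition per cave
per calendar month) are assumptions; the traceability periods are the ones the
paper quotes (2 years AU, 5 years EU), assumed to run from the date of sale."""
from datetime import date

TRACEABILITY_YEARS = {"AU": 2, "EU": 5}

# Constructed batch register. 'sold' is None while a batch is still ageing.
BATCHES = [
    {"id": "CMT-2019-07", "cave": "cave-a", "entered": date(2019, 7, 1),
     "sold": date(2022, 7, 15), "markets": ["AU"]},
    {"id": "CMT-2020-03", "cave": "cave-a", "entered": date(2020, 3, 10),
     "sold": date(2023, 3, 20), "markets": ["AU", "EU"]},
    {"id": "CHD-2021-09", "cave": "cave-b", "entered": date(2021, 9, 5),
     "sold": None, "markets": ["AU"]},  # still maturing: record is in active use
]


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retain_until(batch: dict):
    """Earliest date the batch's environmental history may be disposed of, or
    None while the batch is unsold (its history is still an operational record)."""
    if batch["sold"] is None:
        return None
    years = max(TRACEABILITY_YEARS[m] for m in batch["markets"])
    return add_years(batch["sold"], years)


def occupied(batch: dict, month: tuple, today: date) -> bool:
    """Was the batch in its cave at any point during (year, month)?"""
    y, m = month
    first = date(y, m, 1)
    nxt = date(y + (m == 12), m % 12 + 1, 1)  # first day of the following month
    left = batch["sold"] or today
    return batch["entered"] < nxt and left >= first


def purgeable(batches: list, partitions: list, today: date) -> dict:
    """For each (cave, (year, month)) telemetry partition decide whether every
    batch that shared that cave-month has cleared retention. Returns
    {partition: 'purge' | 'retain:<comma-separated batch ids holding it>'}."""
    out = {}
    for cave, month in partitions:
        holders = []
        for b in batches:
            if b["cave"] != cave or not occupied(b, month, today):
                continue
            until = retain_until(b)
            if until is None or until > today:
                holders.append(b["id"])
        out[(cave, month)] = "purge" if not holders else "retain:" + ",".join(holders)
    return out
```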

This creates significant business continuity challenges under A.17 (Information Security Aspects of Business Continuity Management). The loss of environmental history for a wheel that is mid-maturation is not merely an inconvenience — it can render the product non-compliant with food safety traceability requirements, effectively destroying its commercial value. A NAS failure that wipes 3 years of maturation data could represent a loss in the hundreds of thousands of dollars for a mid-sized operation.

Backup strategy must account for this extended lifecycle. The 3-2-1 rule (three copies, two media types, one offsite) is the minimum. We recommend immutable backups — write-once storage that cannot be overwritten or deleted by ransomware — for all maturation data. Test restoration quarterly, and ensure that the restoration process is documented at a level of detail that allows a non-specialist to execute it. Your cheesemaker should not need to understand ZFS snapshots, but they do need to know who to call at 2am when the historian database goes offline with 200 wheels of 24-month cheddar depending on it.


[Figure: stacked wheels of aged cheese against a stone cave wall]
Multi-year ageing cycles — some hard cheeses mature for 24 months or longer — create data retention obligations that outlast most organisations' standard backup schedules.

Integrating ISO 27001 with Food Safety Frameworks

No cheese cave operates under ISO 27001 alone. The regulatory environment is a matrix of overlapping requirements: HACCP (Hazard Analysis and Critical Control Points), ISO 22000 (Food Safety Management Systems), and — for operations exporting to or operating within the European Union — EU Regulation 852/2004 on the hygiene of foodstuffs. In Australia, the Food Standards Code administered by FSANZ adds a further layer. The opportunity, and the challenge, is integration.

An integrated management system (IMS) approach, as contemplated by ISO's Annex SL high-level structure, allows organisations to maintain a single set of documented processes that satisfy multiple standards simultaneously. The risk assessment required by ISO 27001 Clause 6.1 can be extended to incorporate food safety hazards, creating a unified risk register. Internal audit programmes (Clause 9.2) can be designed to assess both information security and food safety controls in a single pass, reducing audit fatigue and improving efficiency.

The most productive area of integration is incident management. A temperature excursion event in a maturation cave is, under HACCP, a critical control point deviation requiring immediate corrective action and root cause analysis. Under ISO 27001 A.16 (Information Security Incident Management), the same event may be an indicator of compromised environmental controls. If a temperature sensor reports a 4°C spike that the physical environment does not corroborate, this is simultaneously a food safety false alarm and a cybersecurity event indicating sensor tampering or data injection.

EU Regulation 852/2004, Annex II, Chapter IX requires that food business operators maintain adequate procedures to ensure food safety, including appropriate temperature control. While this regulation does not explicitly address cybersecurity, the implication is clear: if your temperature monitoring system can be compromised, your food safety system can be compromised. Certification bodies are increasingly recognising this link, and we anticipate that future revisions of food safety standards will incorporate explicit cybersecurity requirements. Organisations that integrate now will be ahead of the regulatory curve.


Managing the Artisanal Supply Chain Under A.15

Annex A.15 (Supplier Relationships) requires organisations to manage information security risks arising from third-party relationships. In artisanal cheese production, the supply chain includes several categories of supplier with elevated risk profiles that demand specific attention.

Culture suppliers increasingly provide digital interfaces: online ordering portals, fermentation management APIs, and in some cases, direct access to the operator's fermentation database to provide technical support. A culture supplier with read access to your fermentation logs can, over time, reconstruct your proprietary process. Supplier agreements must define data access boundaries explicitly, and access should be limited to the minimum required for the contracted service. Log all supplier access per A.12.4, and review access logs quarterly.

Equipment vendors represent the highest-risk third-party category. PLC and controller vendors routinely require VPN access for remote diagnostics, firmware updates, and warranty support. A Siemens service technician connecting remotely to troubleshoot an S7-1500 PLC has, if access is not properly scoped, the ability to modify environmental setpoints across the entire facility. All remote vendor access must be provisioned through a jump host in the DMZ, with session recording, multi-factor authentication, and time-limited access windows. The vendor should never hold persistent credentials.

Starter culture genetic databases present an emerging risk. As the artisanal sector adopts genomic characterisation of microbial cultures, operators are increasingly sharing culture data with external sequencing services and collaborative databases. While the open sharing of microbial diversity data has scientific value, operators must understand that genomic data for a proprietary culture blend could enable its replication. Classification and handling rules for genetic data should be defined in the ISMS, and any sharing arrangements should be covered by non-disclosure agreements with appropriate intellectual property protections.

Supplier risk assessments should be conducted annually at minimum, using a methodology that considers both the supplier's access to information assets and their own security posture. For critical suppliers (culture suppliers and PLC vendors), we recommend requiring evidence of the supplier's own ISO 27001 certification or, at minimum, completion of a security questionnaire based on the NIST Cybersecurity Framework.


Dual Scenarios: When Cyber Meets Fromage

Incident response in a cheese cave operation must account for scenarios that have no parallel in conventional IT environments. The incident response plan required by A.16.1 must define procedures for events where information security and food safety risks are inextricably linked, and where the correct response to one may conflict with the correct response to the other.

Scenario: Ransomware on HVAC controllers. An attacker encrypts the control logic on the PLCs managing environmental conditions in your primary maturation cave. The cave contains 18 months' worth of aged Comté valued at approximately $380,000. Without functioning environmental controls, temperature and humidity will drift outside specification within hours. The attacker demands 4 BTC. The incident response plan must address: manual override procedures for environmental systems, backup PLC configurations stored offline, communication protocols with food safety authorities, and the economic analysis of ransom payment versus product loss. This is not a theoretical scenario — ransomware targeting industrial control systems has been documented in food production environments since 2020.

Scenario: Compromised humidity sensors. An attacker modifies the calibration offset on networked humidity sensors, causing them to report readings 8% lower than actual. The control system responds by reducing dehumidification, and actual humidity in the cave rises to 98%. Over several weeks, surface mould growth accelerates beyond normal parameters. By the time the discrepancy is detected through manual spot-checks, surface contamination has affected product quality across multiple batches. Forensic analysis reveals the compromise occurred through an unsecured Modbus/TCP interface.
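The triage implied by the A.16 discussion above (a spike the rest of the zone does not corroborate) and by this scenario (a constant offset against manual spot-checks) can be expressed as a small script. It is an added example written for this paper, not the paper's own code; the sensor names, the single-zone layout, the thresholds and every reading are constructed.

```python
"""Triage of a temperature excursion as a HACCP deviation versus a suspected
data-integrity event, plus a humidity calibration check against manual readings.
Constructed example written for this paper, not the paper's own code: sensor
ids, the one-zone layout, thresholds and all readings below are assumptions."""
from statistics import median

# Constructed readings: temperature (°C) for three sensors in one maturation
# zone at one-minute ticks. temp-01 reports a ~4 °C jump at tick 3 that the
# other sensors in the same air volume do not see.
ZONE = {
    "temp-01": [12.1, 12.1, 12.2, 16.3, 16.4, 16.2],
    "temp-02": [12.0, 12.1, 12.1, 12.1, 12.2, 12.1],
    "temp-03": [12.2, 12.2, 12.1, 12.2, 12.2, 12.3],
}
SPIKE_C = 3.0        # jump between consecutive readings treated as an excursion
CORROBORATE_C = 1.5  # neighbours must move at least this far, same direction

# Constructed humidity check: value reported by each sensor (% RH) beside a
# manual reading from a reference hygrometer at the same shelf, same time.
HUM_REPORTED = {"hum-01": 90.0, "hum-02": 89.5, "hum-03": 91.0}
HUM_SPOT = {"hum-01": 98.0, "hum-02": 97.5, "hum-03": 98.5}


def triage_zone(zone: dict, spike_c: float = SPIKE_C,
                corroborate_c: float = CORROBORATE_C) -> list:
    """One event per (sensor, tick) whose reading jumps by at least spike_c.
    kind is 'environmental_excursion' when the median change of the other
    sensors at that tick moves the same way by at least corroborate_c (act on
    the cheese: CCP deviation), 'suspected_data_integrity_event' when the
    rest of the zone stays put (verify physically, open an A.16 incident), or
    'excursion_unverifiable' when the zone has no second sensor."""
    events = []
    ticks = len(next(iter(zone.values())))
    for t in range(1, ticks):
        for sensor, series in zone.items():
            delta = series[t] - series[t - 1]
            if abs(delta) < spike_c:
                continue
            others = [s[t] - s[t - 1] for name, s in zone.items() if name != sensor]
            if not others:
                kind = "excursion_unverifiable"
            elif abs(median(others)) >= corroborate_c and (median(others) > 0) == (delta > 0):
                kind = "environmental_excursion"
            else:
                kind = "suspected_data_integrity_event"
            events.append({"sensor": sensor, "tick": t,
                           "delta_c": round(delta, 2), "kind": kind})
    return events


def calibration_drift(reported: dict, spot_checks: dict, tolerance: float = 3.0) -> dict:
    """Flag sensors whose reported humidity differs from the manual reading by
    more than tolerance. 'systematic' is True when two or more flagged sensors
    share the same offset (within tolerance): that pattern points at a changed
    calibration constant or injected values rather than one failed sensor."""
    flagged = [(s, round(reported[s] - spot_checks[s], 1)) for s in spot_checks
               if abs(reported[s] - spot_checks[s]) > tolerance]
    offsets = [o for _, o in flagged]
    systematic = len(flagged) >= 2 and max(offsets) - min(offsets) <= tolerance
    return {"flagged": flagged, "systematic": systematic}
```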

Scenario: Recipe exfiltration. Network monitoring detects unusual outbound data transfer from the recipe management server. Analysis reveals that proprietary culture formulations have been exfiltrated to an external server. This is a confidentiality breach with potentially existential commercial consequences, but it has no immediate food safety impact — the challenge is that the response must be proportionate to the business impact while following the forensic preservation requirements of A.16.1.7 (Collection of Evidence).

Annual tabletop exercises should rehearse at least one dual food-safety/cyber scenario. Include your cheesemakers in these exercises. They are not your CISO, but they are the first line of observation — an experienced affineur who notices that the cave "doesn't feel right" may detect a sensor compromise faster than any monitoring dashboard.

[Figure: sliced artisanal cheese on a wooden board]
The end product represents the culmination of a data-dependent process chain — from culture selection through environmental control to final maturation — where information integrity failures can result in both safety recalls and commercial loss.

Achieving and Maintaining Certification in a Seasonal Industry

The path to ISO 27001 certification for a cheese cave operation follows the same structural process as any other organisation: gap analysis, risk assessment, control implementation, internal audit, management review, and Stage 1/Stage 2 external audit. The differences lie in the details.

Certification body selection matters more than in most industries. Not all auditors have experience with OT environments, and fewer still have worked in food production settings. An auditor who does not understand that a PLC is an information processing asset, or who does not recognise that Modbus/TCP traffic represents an unencrypted communication channel, will not provide a meaningful assessment. We recommend selecting a certification body with demonstrable experience in industrial control systems, and requesting that the audit team include at least one auditor with OT assessment experience.

Common findings from initial certification audits of cave operations consistently cluster in several areas: inadequate network segmentation between IT and OT (A.13.1.3), default credentials on PLCs and building management controllers (A.9.4.3), absence of formal change management for PLC programming (A.12.1.2), incomplete asset inventories that omit sensor endpoints (A.8.1.1), and lack of documented backup and restoration procedures for maturation databases (A.12.3.1). Addressing these findings before the Stage 2 audit can save months.

Seasonality creates a unique challenge for continuous improvement. Many artisanal operations have distinct production seasons, with milk supply (and therefore cheesemaking activity) concentrated in spring and summer. Maturation continues year-round, but staffing, production volumes, and operational intensity vary significantly. The ISMS must demonstrate that controls operate effectively across the full annual cycle, not just during peak production. Surveillance audits should ideally be timed to observe both peak and off-peak operations over the three-year certification cycle.

The management review required by Clause 9.3 should align with the production calendar. We recommend scheduling the primary management review in late autumn, after the production season and before the quieter winter period when corrective actions can be implemented without competing with production demands. Metrics presented at management review should include OT-specific indicators: sensor uptime percentage, environmental excursion events, PLC firmware currency, and mean time to detect and respond to environmental anomalies.


About Cave Aged Compliance

Cave Aged Compliance Pty Ltd is a specialist consultancy providing information security and food safety compliance services to artisanal food producers. We focus exclusively on the intersection of operational technology, information technology, and food safety management systems.

Founded in 2021 by former food safety auditors and cybersecurity professionals who recognised a critical gap in compliance advisory services, we work with cheesemakers, affineurs, charcutiers, and fermented-food producers across Australia and New Zealand. Our team holds ISO 27001 Lead Auditor, CISSP, and HACCP certifications, and several of our consultants hold formal affineur qualifications.

We are based in regional Victoria, Australia — close to the producers we serve. Our advisory work covers ISO 27001 certification, OT/IT network architecture review, integrated management system design (ISO 27001 + ISO 22000 + HACCP), incident response planning for food production environments, and supplier risk assessment.

We do not sell software. We do not resell hardware. We provide independent, vendor-neutral advice grounded in practical experience with the specific compliance challenges of artisanal food production.
