Cybersecurity is a topic that often fails to get the attention of the public until a headline hits about a company that has their personal information, including credit card and Social Security numbers, being the victim of a hack. But over the past month, a different threat has taken precedence that goes much deeper into the psyche, and everyday lives, of Americans: ransomware attacks that take down major energy and food supply infrastructure and raise fears about being able to buy key consumer commodities like gas and meat at affordable prices.
A month ago, the hack of the Colonial Pipeline, which controls 45% of fuel in the Eastern U.S., led to panic buying of gas. This week’s ransomware attack on the world’s biggest meat processing company, JBS, escalated concerns about the potential for a spike in meat prices and food supply as a national security threat.
These cyberattacks have evolved beyond theft of data to physical assets with consumer impacts. Hackers often encrypt data on systems and demand ransom to decrypt it, but in these cases, the primary targets have shifted from the data alone to consumer-facing services. On Wednesday, the ferry service to popular New England vacation destination Martha’s Vineyard was a minor example of the infrastructure added to the list of ransomware attack targets. It’s not a new idea — it can be seen in already common cyber incidents like taking down consumer websites in denial of service attacks — but in the Colonial and JBS hacks, the criminals are digging deeper into critical national infrastructure controlled by business interests.
Hacking a nation’s protein supply
“There is a growing trend of cyber criminals going after bigger fish now and ripple effects in the supply chain,” said Derek Manky, chief of security insights and global threat alliances at Fortinet‘s FortiGuard Labs. “It’s getting down to the producer level and if they can hit that target effectively it will have an impact on the consumer, not targeting the consumer directly, but it does have that consequence.”
JBS has a global supply chain that relies on connections as far apart as Australia (one of the largest sources of imported beef to the U.S. after Canada) to North America. The cyberattack led to temporary shutdowns of several plants in the U.S., though the company said many operations were coming back online Wednesday and facilities shipping product again, easing concerns about pricing.
The underlying cyber issues for the food sector, however, will remain.
Employees in the parking lot of the JBS Beef Production Facility in Greeley, Colorado, U.S., on Tuesday, June 1, 2021. A cyberattack on JBS SA, the world’s largest meat producer, has forced the shutdown of some of the largest slaughterhouses globally, and there are signs that the closures are spreading.
Michael Ciaglo | Bloomberg | Getty Images
The meat processing industry has become highly concentrated among a handful of players including JBS, which controls over 20% of the cattle harvesting industry in the U.S. And it is an industry which has been behind on building its cyber defenses, according to experts.
“This attack demonstrates the reach of these events, shutting down meat plants in Australia and impacting meat processing in North America,” said John Hoffman, senior research fellow at the University of Minnesota’s Food Protection and Defense Institute and a retired U.S. Army Colonel.
JBS has grown from a Brazilian cattle company to a global giant operating in over six countries and that through ownership of the Swift brand became the world’s largest beef processor. In the U.S., it sells beef and pork through major retailers including Costco.
“It brings home these attacks, when they occur now, are no longer local,” Hoffman said. “This is a primary protein supplier and major supplier, and simultaneous effects in North America and Australia.”
A complex, consolidated meat processing chain
The complexity built into the current global food supply chain can benefit consumers in keeping costs down and providing yearlong access to items grown around the world depending on seasonality. But that complexity also results in risks that rise to the level of critical infrastructure.
For a hacker whose objective in a ransomware attack is to force payment, a food manufacturing and processing company like JBS, a centralized node in a consolidated industry, makes for a good target. If successfully attacked, the hack can result in widespread problems from the cattle on the pasture to the feedlots and into the grocery store. JBS USA says it has the capacity to process more than 200,000 cattle, 500,000 hogs, 45 million chickens and 80,000 small stock (lambs, sheep, goats and veal calves) per week.
Covid exposed how the concentration in the meat processing sector could quickly create unexpected issues related to food security and pricing. The ability to delivery livestock to plants was cut off amid shutdowns for health safety reasons, and those supply chains were thrown out of alignment for weeks, hitting both the farms and the consumers.
A 2019 fire at a single Tyson Foods processing plant in Kansas caused cattle prices to fall and retail beef prices to jump. A hint of those market dislocations was seen again on Tuesday. Cattle futures fell on fears that meat processing shutdowns would suspend the ability to move cows from the pasture and feedlot to the slaughterhouse, while at the same time fears rose about potential price hikes in stores and restaurants.
“This is another demonstration of how vulnerable the beef supply chain is,” said Bill Bullard, the CEO of R-Calf USA, a group representing cattle ranching interests which has been pressing the government for years to do more about consolidation in the beef industry. JBS and its peers are under existing antitrust scrutiny from the federal government.
JBS, Tyson, Cargill and National Beef are the four dominant players in the meatpacking industry.
“Centralized systems are vulnerable to all kinds of shocks,” Bullard said. “Cattle is the single-largest sector of agriculture and a major protein source for Americans.”
Food and agriculture as critical infrastructure
The food and agriculture sector has not received the attention from the government when it comes to national security threats that other sectors have historically. It was not deemed a critical infrastructure sector by the federal government until 2003, and many industry players are still playing catch-up on technology. The Food Safety Modernization Act of 2010, meanwhile, placed limited emphasis on cybersecurity.
“I think this sends a strong message to both government and industry that they need to work on hardening these systems” Hoffman said. “The food industry will really have to step up their cyber game, take a critical look at each major component of infrastructure and supply chain segments.”
Meat processing companies have legacy operating technology systems that may have been installed decades ago and are not replaced every few years like IT systems. These OT systems running plant floors are now being connected to each other and with IT systems through new Internet of Things architecture, creating vulnerabilities for hackers to exploit. In a meat processing plant this setup can include devices like multiple digital sensors monitoring temperature and pressure and ingredients, all connected to a global network for packaging and distribution — and executive management and managers in plants using the real-time data dashboards globally — creating multiple attack points.
“There is a path of least resistance to go after IT and OT systems on the plant floor that have critical dependencies on those IT systems,” Manky said.
For financial reasons, as well as data consistency, it can make sense to have a centralized network rather a highly distributed architecture across an organization. “There is a lot of shared infrastructure on all systems tied tightly together,” said John Sheehy, director of strategic security services at IOActive, which has been studying the threat of food supply chain hacking for years.
JBS has not offered much information about the nature of the hack, but did indicate it had backups available, which is considered a fundamental part of competent cyber strategy. But experts said there were questions about its “segmentation” of technology that will need to be answered in an attack that took down operations in both the U.S. and Australia. It is possible the company took down some operations as a preventative measure.
JBS did not respond to a request for comment.
Nation-state actors and criminal hackers
Concerns exist that nation-state actors will test the pressure points of critical infrastructure through hacks so that during future periods of geopolitical conflict they can sow more chaos by disrupting supply chains. Food supply of an adversary is an example. The JBS attack, based on all the available information, does not rise to that level. It was criminal, if strategic in nature, but according to the U.S. government, it is one more example of Russia providing safe haven to hackers hitting key supply chains.
“This is the second major ransomware attack where the government has identified the attackers are geographically based in Russia and this is a significant political issue,” Sheehy said. “It is not clear there is any Russian government support for these criminal organizations, but there is concern they are allowing them to operate fully.”
The idea that a ransomware attack could ripple through the supply chain and end up hitting consumers is not unprecedented. The 2019 ransomware attack on metals giant Norsk Hydro is in some respects similar as far as a broad supply chain threat stretching from the commodities market to the consumer. But the JBS hack could be a turning point for the food sector.
The mind of a cybercriminal is less focused on strategic national security implications than dollar signs, but the potential payout is larger if they can take down a supply chain and demand higher ransom as a result of the attack’s scope. That implies a sector like food with a consolidated global supply chain and distribution will remain under threat.
“It was aluminum yesterday and beef today, and pork tomorrow. Expect more of these attacks to be happening,” Manky said.
Meat processing is a low-margin business subject to greater budget limitations than early adopters of new technology, such as cloud companies and financials, and lower spending on cyber will continue to make it a likely target of more frequent attacks.
“That is an issue food supply companies will have to face,” Sheehy said. “Food security will be more front and center just like the pipeline issue.”
With JBS saying most operations are coming back online, the worst-case scenario of extended plant shutdowns and price shocks through the food system may be avoided. But experts say even a few days of a distribution outage in the food sector can have major consequences and much of the meat processing industry remains vulnerable to attacks, is more likely to be targeted after JBS, and even if companies in the sector take this opportunity to increase cyber budgets, it is a multi-year effort during which present vulnerabilities will persist.
“The more this happens, the more they [criminal hackers] learn from their own successes and that unfortunately has the classic dollar signs flashing in their eyes. They know they can hit where it hurts,” Manky said.