With meat giant JBS becoming the latest major food and beverage company to be hit by a cyber attack, there can be no doubt now that security is a major business issue.
Ten days ago, JBS’ operations in North America and Australia were hit by what the company called “an organised cybersecurity attack”. The meatpacker’s business in Australia temporarily saw its operations shut down, while production was affected at sites across the US.
Last Thursday, the Brazil-based group announced a “resolution” to the breach, stating its factories were “fully operational”.
Yesterday, the company, which describes itself as “the largest protein producer in the world”, revealed what it had paid to bring an end to the attack. JBS paid “the equivalent” of US$11m to the hackers – said by the FBI to be REvil, a Russian cyber-criminal group also known as Sodinokibi – after consulting with “internal IT professionals and third-party cybersecurity experts”.
JBS said it had decided to pay the ransom “to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated”.
It was, Andre Nogueira, the head of JBS’ US arm, insisted, “a very difficult decision to make for our company and for me personally”.
He added: “However, we felt this decision had to be made to prevent any potential risk for our customers.”
Should the subjects of cyber attacks pay up?
“Organisations on the receiving end of ransomware attacks are in an impossible position,” David Bicknell, principal analyst for thematic research at UK-based data and analysis group GlobalData, says.
“If they pay, they could be accused of perpetuating attacks, because every successful ransomware attack where a ransom is paid simply proves the attack model works. On the other hand, companies have to keep their operations running, and some, like JBS, will choose to pay up. But that, in turn, drives ever bigger ransoms and more and more potential disruption. For an $11m ransom now, read north of $15m next year.”
The affair, following similar incidents in recent years at US brewer Molson Coors Beverage Co., snacks group Mondelez International and fast-food chain Wendy’s, only underlines the importance boardrooms should place on the issue.
“All senior executive teams should request a formal review of the threat of ransomware from their IT leaders, including a simple preparedness assessment,” Neil Jones, a “cybersecurity evangelist” at data-governance business Egnyte, tells Just Food.
“Senior executives should be reminded that a ‘ransomware payoff’ might appear to be a ‘quick fix’ answer to the problem. However, executives need to be reminded that negotiating with cyber-criminals isn’t the same as negotiating with typical business colleagues. Attacks could reveal other infrastructure vulnerabilities that could be exploited later, and the negative impact on the company’s brand identity is likely to long outlive the ransomware attack.”
Ray Walsh, digital privacy expert at cybersecurity firm ProPrivacy, says specialist advice is critical.
“It is vital that food manufacturers engage with a managed security service provider to map their networks, engage in penetration testing, and implement strong endpoint security using a reliable antivirus equipped for ransomware and a firewall capable of detecting unwanted incoming and outgoing traffic to prevent exploits like trojans from communicating with C&C [command and control] servers to download a secondary ransomware payload,” Walsh explains.
No company can make its systems impregnable. The focus should instead be on building capabilities that enable a company to restrict any damage to its business and, indirectly, to the wider industry.
“I always remind my colleagues that no security solution is 100% effective. Therefore, it is impractical to think that attacks can be 100% avoided,” Jones says. “All security solutions rely on responsible user behaviour and effective governance guidelines, in order to succeed.
“However, companies should weigh the affordable monthly cost of a reliable ransomware detection solution against the millions of pounds sterling they would need to pay to a potential attacker, who may or may not negotiate with them in good faith.”
Jones suggests “two practical and inexpensive ways” for companies to help prevent potential attacks. First, he says businesses should encourage staff not to click on potential phishing links in emails they receive. Secondly, businesses should mandate two-factor authentication, “particularly if you have work-from-home employees”.
That latter consideration will be particularly pertinent right now, with white-collar workforces the world over still working remotely against the backdrop of the Covid-19 pandemic. Training for employees is vital, Walsh says.
“It is important to engage in additional training for staff to ensure that they are not vulnerable to phishing attacks, and to set up rules within company systems to ensure that employees only have access to the parts of the network they require – to prevent exploits moving laterally should they penetrate.
“Strong email security with URL defenses and attachment sandboxing is also important to prevent exploits from being delivered to employees in the first place. Web filtering should also be implemented to prevent users from visiting dangerous websites that are known to contain exploits, and isolation techniques can be used to ensure that access to the web is segregated on secure servers that cannot affect primary company systems.”
Contrast Security is a US-based company specialising in cyber security. Jeff Williams, the group’s CTO, believes automation is a vital component of a company’s strategy in this area.
“The days of manual cyber security are over,” he says. “Everything must be automated and continuous to support our critical infrastructure and keep the world moving.
“Attackers are increasingly going after organisations that aren’t technology-focused companies and crippling their ability to provide service, creating pressure to pay the ransom quickly. It’s important to remember that while today’s attacks are ransomware, attackers could just as easily launch other types of attack to cripple businesses.”
Williams points to the “cybersecurity framework” (CSF) drawn up by the National Institute of Standards and Technology, part of the US Department of Commerce. “It’s important to use a framework like the NIST CSF and get organised about your security efforts. Don’t simply do a knee-jerk reaction to the latest attack or you’ll chase your tail.”
How exposed are food companies to a cyber attack?
The recent cyber attack on Colonial Pipeline, a US oil pipeline system, highlighted again how national infrastructure is a target for hackers. Four years ago, in the UK, the country’s National Health Service was also subject to a ransomware attack. The breach at JBS underlines that food is also in the hackers’ crosshairs.
“Hacking collectives like REvil are primarily interested in targets they believe will pay a ransom quickly to regain access to encrypted systems,” Walsh says.
“Food manufacturers and processors are under pressure to ensure that food supply chains remain up and running, because the effect that food shortages can have on wholesale prices and the negative repercussions it can have on company share prices are critical. This makes food companies a lucrative target that cybercriminals believe are more likely to pay a ransom to regain access to their networks swiftly.”
Jones agrees. “Cyber-attackers are looking for weak links in global supply chains, and it is hard to conceive of a more comprehensive and complex supply chain than the food supply chain,” he says. “A practical example is that last night I purchased groceries that originated from Peru, Mexico and Ecuador at my local grocery store in New England, USA. Many coordinated, just-in-time supply chain activities resulted in those groceries being harvested from their farms, transported to the USA and shipped by lorry to my local grocery store, without spoilage. The Covid-19 pandemic demonstrated that even moderate stress on global supply chains can result in major product shortages and disruptions.”
Last Thursday, announcing the cyber attack had been “resolved”, JBS said its JBS USA and Pilgrim’s divisions had limited “the loss of food produced during the attack to less than one day’s worth of production”.
The company said its encrypted backup servers were not infected during the breach and “allowed for a return to operations sooner than expected”. It added: “Any lost production across the company’s global business will be fully recovered by the end of next week.”
JBS has maintained since the onset of the attack that it had no evidence that company, customer or employee data had been “compromised”, a position the company repeated in yesterday’s (9 June) statement.
“Third-party forensic investigations are still ongoing, and no final determinations have been made. Preliminary investigation results confirm that no company, customer, nor employee data was compromised,” it said.
The hope will be that further examination bears that out. Any impact on these kinds of data would dent JBS’ reputation at best, or potentially open up the company to legal action at worst.
In all, the affair is further evidence, if any is needed, of the importance food industry boardrooms must place on the threat of cyber attacks and the systems companies need to have in place.