Situation Report: Cyberattack on world’s largest meat processor highlights food system vulnerabilities

A cyberattack against the world’s largest meat producer has severely limited meat production around the globe.

Headquartered in San São Paulo, Brazil, JBS S.A. is the world’s largest meat producer. On May 30^th, it suffered a cyberattack that initially halted plant operations in Australia, with outages spreading to Canada and the United States.

“The prospect of more extensive shutdowns around the world is already upending agricultural markets and raising concerns about food security as hackers increasingly target critical infrastructure,” reported Bloomberg, who noted that “JBS accounts for almost a quarter of all beef capacity” in the United States.

Plant operations had to be halted because the company’s computer networks, specifically servers in those regions, had come under an organized cyberattack. Initially it was unclear whether the attack was in the form of ransomware – such as what was recently used to attack the Colonial Pipeline company – since there were few details of IT structures affected.  It was also not immediately clear whether the attack was carried out by for-profit criminals or by a state actor.

State-backed hackers certainly possess the capability for such an attack, and some might have a motive.

The fact that the cyberhack originated in Australia raised some red flags, as Chinese pressure on Australia has been continuing to intensify over the past several months. For example, The Guardian warned in April that China threatened to “retaliate” after Australia’s Minister of Foreign Affairs, Marise Payne, canceled two “Belt and Road” agreements. Chinese hacker groups have been accused in the past of using ransomware as “smokescreens” to cover for cyberattacks intended as “political deterrence.”

However, White House Deputy Press Secretary Karine Jean-Pierre stated that information supplied by the company suggests criminal hackers operating from Russia may have been behind the attack.

“JBS notified the administration that the ransom demand came from a criminal organization likely based in Russia. The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” she told reporters at a press briefing.Russia, unlike China, is more willing to tolerate hacker groups “freelancing” ransomware attacks for financial, rather than political motives.

Ransomware is only one form of cyberattack that threatens the food industry.  A well-researched 2019 white paper by Food Protection Defense Institute (FPDI) documented numerous other types of attack, ranging from industrial espionage, to network denial of service attacks, to malware, to manipulation of industrial control systems (ICS).  ICS manipulation could cause a wide array of consequences, ranging from manipulated co-bots (robots working alongside humans which could be programmed to malfunction and cause injury/death to those humans) to erroneous field data collection, to physical infrastructure damage.

Unfortunately it remains the case that, “the US food supply is neither cybersecure nor safe from control system cyber threats,” writes ICS cybersecurity expert Joseph Weiss.

This also means that JBS will need to take great care in ensuring that hackers did not use the ransomware as cover for a more complex or more dangerous attack since the safety of the food supply is of paramount importance.

As FDPI notes, “the worst-case scenario is if an attack on an ICS intentionally or unintentionally causes a food product to become unsafe, and it isn’t noticed until the product reaches consumers,” said the report.  “The public health and business consequences of this scenario are potentially dire.”

While the FDA is responsible for ensuring food safety, it does not mandate cybersecurity protections for the food industry. The federal government is involved in supporting the industry however through the Department of Homeland Security’s Cyber Infrastructure Security Agency (CISA), since the “Food and Agriculture Sector” is one of the Nation’s 16 critical infrastructures.

DHS CISA’s Critical Infrastructure Partnership Advisory Council (CIPAC) held a meeting of Food and Agriculture Sector Joint Government and Sector Coordinating Councils on April 20^th of this year.  While the agenda listed “Food Supply Chain Vulnerabilities” and “Emerging Threats to Food and Agriculture (FA) Sector/Threats from Domestic Violent Extremists” as discussion topics, it appears that the cybersecurity discussion focused most heavily on the SolarWinds hack, which is reasonable given the scope and severity of that attack.

Ultimately, no matter how much government assistance and coordination is available, the food industry will have to be the ones to address its cyber vulnerabilities, since they are the owners of the infrastructure.

Regardless of what group is ultimately assessed to have been behind the attack, the solution remains the same. As the Food Protection and Defense Institute noted in its white paper, “The overarching, most important step is for companies to extend their food safety and food defense culture to cybersecurity, always remembering that insecure = unsafe.”