Where's the Beef? Ransomware Hit Highlights Cyber ProblemsDisruption of Meat Processing Giant JBS Exposes Sector's Security Shortcomings
The ransomware attack that disrupted operations at meat processing giant JBS for nearly a week has exposed numerous cybersecurity shortcomings within the U.S. agricultural sector, as well as raising questions about what a large-scale security incident could mean for the nation's food supply chain.
With the latest attack still fresh in the public's mind, security analysts and industry experts say the U.S. agricultural sector now demands the same level of cybersecurity scrutiny the White House and the federal government has shown to the U.S. electrical grid and the oil and gas industry over the past several months.
"Should 'production and distribution of food' be mentioned in the same breath as 'power' and 'communications?' Of course it should, and at least on a planning level it was," says Phil Reitinger, a former director of the National Cyber Security Center within the U.S. Department of Homeland Security.
"But outside of financial services, defense, and in some cases, information and communications, the amount of action doesn't line up with the threat, especially with how it has evolved in the last few years," says Reitinger, who is now the president and CEO of the Global Cyber Alliance.
On Thursday, JBS, which is based in Sao Paulo, Brazil, and has facilities and meat processing plants in the U.S. and Australia, announced that the company's operations are back to normal following the May 30 cyber incident.
Meanwhile, the FBI continues to investigate the attack, which the bureau has attributed to REvil, aka Sodinokibi, a ransomware-as-a-service operation that appears to be based in Russia and is known for targeting large-scale organizations (see: FBI Attributes JBS Attack to REvil Ransomware Operation).
Much like the attack that shut down operations at Colonial Pipeline Co. last month, the security incident involving JBS elicited a response from the Biden administration and other parts of the U.S. government to crack down on ransomware and other cyberthreats that threaten critical infrastructure.
During a briefing with reporters Wednesday, White House press secretary Jen Psaki noted that President Joe Biden plans to bring up the issues of ransomware and cybercriminal operations during a summit with Russian President Vladimir Putin in Geneva, Switzerland, which is scheduled for June 16.
"Obviously, with ransomware attacks, we've seen them increase over a period of time. It's an increasing threat to the private sector and our critical infrastructure," Psaki said. "And there are other countries, many of whom we will see when the president is in Europe, who have similar concerns."
Spotlight on Agriculture
While more attention has been paid to the electrical and oil and gas industries over the past several months when it comes to disruptions caused by cyberthreats, the U.S. food and agriculture sector is also a prime target for attacks and is listed as one of 16 critical infrastructure areas designated by the Cybersecurity and Infrastructure Security Agency under Presidential Policy Directive 21.
And like other parts of the nation's critical infrastructure, the U.S. agricultural and food sector is mainly controlled by private companies, and reporting cybersecurity incidents and possible threats remains voluntary.
Allan Liska, a senior intelligence analyst at security firm Recorded Future, has tracked about 40 significant cyber incidents affecting agriculture firms and the food service industry over the years that were either publicly reported or appeared on darknet extortion sites. That number, however, likely does not reflect all the attacks on the industry since there's no law or directive requiring reporting of incidents.
I want to expand on the targeting point I made yesterday, but in non-meme format. This is a breakdown of known ransomware victims by industry in 2020 and 2021 that @ddd1ms and I have been working on. Notice, that with the exception of healthcare and possibly local government 1/4 pic.twitter.com/H04Slztj2i— Allan “Ransomware Sommelier” Liska (@uuallan) June 3, 2021
"There is little investment in cybersecurity and there is often outdated technology used on production lines," Liska says. "This same problem occurs with manufacturing and shipping companies. I think what is interesting is that while a lot of attention has been paid to cybersecurity in other critical infrastructure, little attention has been paid to cybersecurity in agriculture."
To date, JBS has not shared specific details about the attack and how it may have happened or what specific corporate systems were affected. The company has also not acknowledged whether it was contacted by the ransomware gang and if there were any negotiations over a ransom.
Andy Bennett, CISO at Apollo Information Systems and a former deputy CISO for the state of Texas, notes that the agriculture industry and companies that support the food supply chain use much of the same technology as the oil and gas industry, including standard IT systems for front-end business operations and older, operation technology systems for their manufacturing and industrial processes. He says the industry also relies of propriety systems that are old and could be vulnerable to various cyberthreats.
"These industries often have built proprietary business systems to handle critical functions like trading, supply chain or production, which can be difficult to upgrade because their technology is specific to them and not always easy to upgrade or integrate with today's systems," Bennett says, adding that many agriculture businesses don't believe that attackers will target them and those that have been attacked tend to keep the information to themselves.
"In the last few years, these new attack types, like ransomware, have created a cottage industry by preying on organizations who are busy trying to play catch-up. Finally, management understanding of how vulnerable they are varies wildly across the market and - like any risk we face - it is easy to say, and think, 'It won't happen to me,'" Bennett notes.
Scott Algeier, executive director of the Information Technology - Information Sharing and Analysis Center, which supports its own Food and Agriculture Special Interest Group, notes that agricultural and food service firms that are engaged with IT-ISAC regularly share data and information about the latest attacks and vulnerabilities.
When it comes to ransomware, Algeier says, agriculture is as susceptible as other sectors to these types of attacks.
"The risks of ransomware are widely understood in the critical infrastructure community. We're just seeing more ransomware attacks now overall since they are generally low-risk, high-reward for the attackers," Algeier says. "The chances of the attackers making money are pretty high. The risks of getting caught are pretty low. Ransomware attacks will not stop simply by building a bigger moat. The financial model favors the attackers. The digital currencies used to pay attackers make it very difficult, if not impossible, to track. If the actors are identified, they often are out of reach of U.S. law enforcement."
Security experts say the agriculture and food service industry can do more to shore up its security, and the federal government needs to step up its own services as well.
Reitinger wants to see more effort paid to CISA's National Risk Management Center to help various private sectors coordinate information about threats that are common to U.S. critical infrastructure.
"We clearly need several things, including a significant enhancement of the National Risk Management Center so we know what is critical and what is only really important, sufficient focus on ensuring - not hoping - that the critical is protected and deploying solutions that work at scale for all the rest, much of which is really important," Reitinger says.
Scott Shackelford, chair of Indiana University's cybersecurity program, says both the federal government and the agriculture business can benefit from the Cyber Safety Review Board, which is included in Biden's cybersecurity executive order and should provide a framework to learn lessons from the types of threats that targeted JBS over the last week (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
"The recently announced Cyber Safety Review Board will help in this regard, but in order to effectively grapple with the full range of cyberthreats facing these sectors - including agriculture - it is vital to engage with our friends and allies around the world to share information, cybersecurity best practices, and to present a united front in deterring Russia and other antagonists" Shackelford says.