JBS, one of the world’s largest beef and pork producers, was the victim of a major cyberattack over the Memorial Day weekend, leading to shut downs in company plants in North America and Australia.
On June 2, the FBI released a statement attributing the attack to REvil, a Russian-speaking group that has made some of the largest ransomware demands in recent months. The agency and the White House are working to find out more.
Immediately after being alerted to the problem, JBS suspended all affected systems, notified authorities, and activated the company’s global network of IT professionals and third-party experts to resolve the situation.
The disruptions appear to be relatively mild in the U.S., with the majority of beef, pork, poultry, and prepared food plants resuming work on June 2. “Our systems are coming back online and we are not sparing any resources to fight this threat,” says Andre Nogueira, JBS USA’s chief executive.
Industry experts say that even a one-day shutdown would mean the U.S. would lose nearly 25% of its beef-processing capacity, the equivalent of 20,000 beef cows. That would cause a spike in beef prices, especially after the busy Memorial Day weekend when many retailers sold the bulk of their supply.
Fortunately, JBS was already shipping product from almost all of its facilities; however, no details were released on exactly what percentage was being delivered and when all systems would be online. Once those answers are in, it will be easier to calculate the true cost of the temporary shutdown.
“The company is not aware of any evidence at this time that any customer, supplier, or employee data has been compromised or misused as a result of the situation,” JBS said in a statement after the attack. “Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.”
Preventing an Attack
Stephen Streng, a food defense analyst with the Food Protection and Defense Institute at the University of Minnesota in St. Paul, notes that there is, unfortunately, no magic bullet companies can implement when it comes to protecting themselves from a similar attack.
“Cybersecurity best practices and security controls for both OT [operational technology] and IT systems are well known and there are a ton of resources available,” he tells Food Quality & Safety. “The biggest issue is making the commitment to implement them, because that costs time and money. Hopefully, with the recent highly publicized wave of cyberattacks, companies will begin to see that it’s going to cost more not to give adequate attention and resources to cybersecurity.”
In Streng’s opinion, the biggest change that needs to happen is a change in culture. “Most food processors and manufacturers have a great food safety culture,” he says. “They need to incorporate cybersecurity into it because—particularly when it comes to OT—poor cybersecurity is a food safety issue.”
Among the actionable steps the Food Protection and Defense Institute recommends for food companies are fostering more communication between the OT and IT staff, conducting risk assessments that include inventorying both IT and industrial control systems, and involving the entire staff with cybersecurity expertise in the procurement and deployment process for industrial control system devices.
“You need a procurement team with the knowledge to negotiate with vendors for what your company really needs,” Streng says. “In addition, have a team able to effectively vet the equipment before placing it on the service line.”