JBS Attack Puts Food and Beverage Cybersecurity to the Test
By Grant Geyer | June 2, 2021
Consider the cyberattack against JBS Foods your regular reminder that threat actors are targeting, with impunity, large companies that have the capacity to pay exorbitant extortion demands.
The Brazilian food company and world’s largest meat distributor acknowledged on Sunday that its North American and Australian IT systems had been compromised by an “organized cyberattack” that forced the shutdown of some of its plants and meat distribution. While the company has confirmed neither a ransomware attack nor a ransom demand, it did note on Sunday that its backup servers were not affected, and that it was working with an incident response firm to restore systems.
The company then said yesterday that its systems were coming back online and that the majority of its beef, pork, poultry, and prepared food plants would be operational some time today. JBS USA and its Pilgrim’s Pride Corp. chicken-producing subsidiary were already shipping products from their facilities yesterday.
Ransomware as a Service (RaaS) Reportedly to Blame
There are several similarities between this attack and the ransomware incident that forced Colonial Pipeline to take its industrial networks offline less than a month ago, impacting fuel delivery up and down the East Coast. In both cases, IT systems were compromised, forcing the companies to shut down industrial networks in order to contain the attacks. Critical service delivery (fuel and meat) was temporarily impacted, causing immediate anxiety on Wall Street and with consumers. And in both attacks, Russian-speaking threat actors are being singled out by the White House as the perpetrators.
Bloomberg today said four people familiar with the attack attributed it to the REvil group, also known as Sodinokibi. REvil, like the DarkSide group blamed for the Colonial Pipeline attack, is a ransomware-as-a-service operation known for demanding large payments from victims, and threatening to leak stolen data to the public if ransom demands are not met.
White House Press Secretary Jen Psaki said the Biden administration is not taking any options off the table in terms of response from the U.S., and that Russia’s alleged harboring of ransomware operators will be a topic of discussion between President Biden and Russian President Vladimir Putin June 16 at a scheduled face-to-face meeting between the two leaders.
In the meantime, the food and beverage industry is the latest to feel the pain of a cyberattack, putting further emphasis on managing cyber-related risks in manufacturing environments and critical infrastructure where vulnerable legacy technology rules the day, and downtime is unacceptable. Production environments such as those of JBS Foods, which controls 20% of the country’s slaughtering capacity for beef and pork production and one-fifth of its daily cattle harvest, are 24/7 operations. Taking down servers or network equipment for patch testing and deployment is a major task, and any downtime or compatibility issues could cost millions.
A Legacy Problem in Food and Beverage
Threat actors who long ago moved away from spray-and-pray types of ransomware attacks clearly understand this dynamic and are adept at targeting organizations intolerant of interruptions. The food and beverage industry is the latest high-profile sector to fall victim, and it remains to be seen whether it has given in to the attackers’ ransom demands in order to restore facilities to operation. Colonial Pipeline, for example, reportedly paid close to $5 million in Bitcoin for a decryption key to restore its systems. Some media reports, however, said the process was so slow that Colonial restored many of its systems from backup.
Many food and beverage production sites run on legacy operational technology (OT) that was never designed to be connected to the internet. OT networks predate the internet, and with digital transformation leading many food and beverage companies to automate parts of the manufacturing processes, OT is suddenly being exposed to a whole host of new cyber threats lurking on the web.
Claroty’s most recent Biannual ICS Risk & Vulnerability Report points out that more researchers and threat actors are looking at vulnerabilities in IT and OT systems running in food and beverage plants. The report said there was a 56% increase in industrial control system vulnerabilities from 2019 to 2020 after relatively few reports prior to 2019.
Within the food and beverage industry, this problem is particularly acute among meat processing plants, which typically have a very low level of maturity when it comes to their cybersecurity programs. Despite the livestock industry being one of the biggest contributors to Australia’s economy ($32 billion in 2019-20 according to the ABS), many companies are blind to cyber risk, a factor which makes meat processing plants a target for cyber attackers seeking financial gain.
To protect themselves, producers, manufacturers and anyone involved in the food and beverage industry and its supply chain should ensure that they have complete visibility into all of their systems and processes, and should continuously monitor for any threats that could result from a targeted or opportunistic attack. An accurate asset inventory is the first step toward proper vulnerability management to ensure critical systems are up to current patching levels and compensating controls are in place when appropriate.
Network segmentation is also a critical strategy to impede attackers’ lateral network movement. OT networks are no longer air-gapped, and network segmentation compensates for this by preventing attackers from using stolen credentials or compromising Active Directory and other identity infrastructure in order to move from system to system, stealing data and/or dropping malware or exploits.
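The asset inventory and segmentation checks described in the two paragraphs above can be combined into one audit, shown here as an added example that is not from the original article or from Claroty. It compares observed network flows against an inventory and an allowlist of cross-zone conduits; the zone names, addresses, ports and the `audit_flows` helper are constructed assumptions.

```python
# All hosts, addresses, zones and ports below are constructed sample data.
import csv
import io

# Asset inventory: address -> (asset name, zone). Zone labels are assumptions.
INVENTORY = {
    "10.10.1.20": ("hr-laptop-07", "IT"),
    "10.10.1.5": ("dc01", "IT"),
    "10.20.0.10": ("historian", "DMZ"),
    "10.30.0.15": ("hmi-line2", "OT"),
    "10.30.0.40": ("plc-chiller", "OT"),
}

# Conduits: the only cross-zone (src_zone, dst_zone, dst_port) tuples permitted.
CONDUITS = {
    ("OT", "DMZ", 443),  # OT pushes process data to the DMZ historian
    ("IT", "DMZ", 443),  # IT reads reports from the historian
}

# Constructed flow log, in the shape a firewall or sensor export might take.
FLOW_LOG = """src,dst,dport
10.30.0.15,10.20.0.10,443
10.10.1.20,10.20.0.10,443
10.10.1.20,10.30.0.15,3389
10.10.1.5,10.30.0.40,445
10.30.0.15,10.30.0.40,502
10.30.0.99,10.30.0.40,502
"""

def audit_flows(flow_csv, inventory=INVENTORY, conduits=CONDUITS):
    """Return (reason, src, dst, port) findings for flows needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src, dst, port = row["src"], row["dst"], int(row["dport"])
        if src not in inventory or dst not in inventory:
            # Visibility gap: traffic from or to an asset nobody has inventoried.
            findings.append(("unknown-asset", src, dst, port))
            continue
        src_zone, dst_zone = inventory[src][1], inventory[dst][1]
        if src_zone != dst_zone and (src_zone, dst_zone, port) not in conduits:
            # Cross-zone traffic outside an approved conduit: segmentation gap.
            findings.append((f"{src_zone}->{dst_zone}", src, dst, port))
    return findings

if __name__ == "__main__":
    for finding in audit_flows(FLOW_LOG):
        print(finding)
```

On the sample data, the two direct IT-to-OT sessions and the flow from the uninventoried address are reported, while the approved historian conduits and the intra-OT traffic pass.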
Strategically, organizations should regularly test incident response plans, and conduct tabletop exercises to put those plans into motion without impacting production environments. Training and testing improve response and ensure business continuity.