Earlier this week, multiple sources, including CNBC, reported on a cyberattack that targeted JBS, a global meat processor. The attack resulted in the closure of several processing plants in the US and Australia.
According to the JBS website, they are the largest global producer of beef and poultry, and the second largest producer of pork. According to their Q1 2021 financial statement, JBS had net income of about $400M USD. That is plenty of cash to tempt hackers to make a ransomware demand!
In a press statement released on May 31st, JBS said that “On Sunday, May 30, JBS USA determined that it was the target of an organized cybersecurity attack, affecting some of the servers supporting its North American and Australian IT systems. The company took immediate action, suspending all affected systems, notifying authorities and activating the company's global network of IT professionals and third-party experts to resolve the situation.”
On June 1st, JBS’ CEO reported that “Our systems are coming back online and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans. Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow.”
The New York Times has reported that this was indeed yet another ransomware attack. Following the Colonial Pipeline incident last month, this will be the second incident of ransomware that has shut down the operations of US critical infrastructure in a month.
As we noted in our blog post on the new pipeline cybersecurity directive from DHS last week, just because you are not a major player in the electric utility industry does not mean you won’t be targeted by hackers. Every company that provides any type of critical goods and services to the public must be on high alert, no matter their size or industry vertical.
“If you think you are too small or too obscure to be vulnerable, you are mistaken. If someone is going to rob a bank, they’re going to choose the bank with no security guards. Much of a company’s staffing information is now in the public domain because of the big data industry that has emerged over the past decade, so for hackers, identifying small to mid-size critical infrastructure companies with limited security staff is very easy,” said Jim Crowley, CEO of Industrial Defender.
Food processors such as JBS aren’t generally considered in the same category of critical infrastructure such as electric utilities. However, disrupting a nation’s food supply can have ramifications that are just as serious as disrupting the electricity supply. As long as profitable companies that provide critical products and services are perceived to have inadequate cybersecurity (and continue to pay ransom demands), then hackers will believe that launching ransomware attacks will be a successful business model going forward. Although it’s unfortunate that this happened, we have to give some kudos to JBS for their transparency and quick action to mitigate this cyberattack and minimize supply chain disruptions.
For tips on how you can get started with applying cybersecurity for your critical systems, check out our 20 CIS Controls Implementation Guide.