The wave of ransomware attacks on high-profile industrial manufacturers continues apace, as the world’s largest meat processor, JBS, was forced to shut down several plants in the United States earlier this week. JBS USA released a statement on May 31 saying it was the target of an “organized cybersecurity attack” that affected servers supporting its information technology (IT) systems in the U.S., Canada and Australia.
JBS has 150,000 employees worldwide and more than 150 plants in 15 countries. In the U.S. alone, the food industry giant processes nearly one-quarter of the beef and one-fifth of the pork produced. The company said it is not aware at this time that any “customer, supplier or employee data has been compromised.”
The hack is believed to be the work of a Russian criminal group, marking the second high-profile hit on a key piece of U.S. critical infrastructure by Russian criminals in the last few weeks. In early May, Russian black hat group DarkSide launched a ransomware attack that briefly shut down the Colonial Pipeline, which supplies the majority of the fuel to the U.S.’s East Coast.
“JBS notified [the White House] that the ransom demand came from a criminal organization likely based in Russia,” White House spokesperson Karine Jean-Pierre said on Air Force One Tuesday. “The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals.”
On Wednesday, the FBI, which has been investigating the breach along with the Cybersecurity and Infrastructure Security Agency (CISA), released a brief statement pinning the JBS breach on REvil, a Russian ransomware-as-a-service (RaaS) operation that has extorted large amounts of money from organizations around the globe.
JBS, a global meat supplier based in Brazil, shut down all nine of its meatpacking plants in the U.S. on Tuesday, as the cyberattack compromised its IT systems. While many of its operations were back online by Wednesday, even a brief shutdown can cause huge problems for the supply chain.
“Any time you shut down production, it’s disruptive,” said Dino Busalachi, chief technology officer at Velta Technology, who previously spent 20 years working for beverage-maker Anheuser-Busch. “You have a lot of product that’s in the system, in a certain state of being made. When I worked for Anheuser-Busch, if we had to sewer one batch of beer, that was a million-dollar loss. One packaging line not running to put beer in a can or a bottle was $80,000 an hour. That’s just one packaging line, so the cash register starts really cranking out the costs and loss when you have these types of events.”
News of the shutdowns immediately stoked fears of meat shortages and price hikes, similar to the situation when fuel delivery was briefly compromised by the Colonial Pipeline attack. That incident prompted panic buying and long lines at gas stations throughout the Southeast. And the meat industry had already been struggling with production and experiencing surging prices thanks to the COVID-19 global health crisis. When the world’s largest meat supplier has to shut down production for any length of time, it can cause wide-ranging problems.
“You have a rippling effect because the whole supply chain, all of a sudden, comes to a stop,” Busalachi said. “So that’s trucks that are waiting in the yard and at the docks and on the scales, and people trying to move goods to and from a location. You’ve got raw materials that you’ve consumed. You’ve got materials that are wasted. You might have a lot of product in the pipeline you just have to get rid of and throw out. It can be millions of dollars in product that you’ve got to get rid of.
“We saw it with COVID. This whole thing happened with meat processing, and it got expensive fast because they shut those plants down. There was a lot of spoilage, even the animals that were still in the pens. … It was just a huge disruption. It’s like throwing a rock in the water and just watching it ripple out. And each one of those rings can cost several millions of dollars, if not tens of millions of dollars, depending on the size and scope of the organization and cost of materials.”
The JBS cyberattack is yet another in a recent series of escalating hits on major corporations, critical infrastructure targets and government institutions. While industrial espionage is still a significant threat, ransomware has been getting the headlines of late. Cyber extortion has become a big business for hacking groups and a low-effort way to turn a tidy profit. According to reports, Colonial ultimately paid DarkSide $4.4 million to restore its systems.
“I think those bad actors have realized that, ‘If I can shut your production down, I’m going to get paid,’” Busalachi said. “If I steal your data, nobody cares. You may build your backups up. If I get your employee data, that’s OK. With all that, nobody cares. But if I can shut your plant down and I’m holding the keys to that while you’re losing millions of dollars an hour, tens of millions of dollars a day, they’re going to get paid. [Companies] pay because they can’t handle the downtime.”
Global cybersecurity company Blackfog has been tracking ransomware attacks in their State of Ransomware in 2021 blog. Attacks have been up every month in 2021, compared with the same period in 2020. According to Blackfog, the industries that have been hit hardest are manufacturing (14 attacks), government (21), education (21) and services (22). A wide range of companies and institutions have found themselves in the crosshairs, from international law firm Jones Day to auto manufacturer Kia Motors to beer-maker Molson Coors to the Washington, D.C., police department.
If bad actors can get inside a company’s networks, often through phishing or by exploiting poor cyber hygiene, they can seize control of essential data, encrypt it and then demand a ransom for its restoration. That’s a lot easier than infiltrating a network, waiting patiently for weeks or months on end, and stealing industrial secrets. Yet even if the ransom is paid, and paid quickly, that doesn’t always mean files are returned intact.
“When you take a look at what’s going on activity-wise, you obviously see a huge increase,” said Rick Peters, chief information security officer (CISO) of operational technology (OT) North America at Fortinet. “At least, it seems to be making a lot more headlines. And the reality is the numbers bear out that way. We saw a 400% increase in attacks on OT just in the last year. That probably doesn’t surprise many because in these times of uncertainty, and certainly a global pandemic, it creates lots of confusion.”
Even though attacks like those on JBS and Colonial hit IT networks, the impact still bleeds over into OT systems, causing shutdowns. The divide that exists between IT and OT can be a big problem when trying to defend against cyberattacks. Because of digital transformation, most industrial control systems are now on networks, which makes them attractive targets for hackers. And the number of OT endpoints is far higher than the number in IT; Busalachi pegs the ratio at 20:1.
“[Companies that have been hit] can’t determine the difference between what’s been attacked or not attacked, where this ransomware has expanded into its footprint,” Busalachi said. “In so many organizations, digital transformation and Industry 4.0 have created this integration, if you will. We’re way past convergence. They’ve merged. IT and OT have merged. The problem is, there has not been an owner identified for that type of environment — someone to really own it.”
IT still maintains and protects its systems, but often doesn’t see OT as falling under its purview, Busalachi said. This has created an opening for OT to really take ownership of its cybersecurity landscape, but OT often doesn’t have the staffing levels or expertise necessary to do that job effectively.
The tools to help bring visibility into the space are out there, but they require significant interest and investment. In a crisis situation like what happened with JBS and Colonial, where companies are hemorrhaging millions of dollars a day in lost productivity, the goal isn’t to fix the network issues; it’s to get the plant back up and running as fast as possible.
“When you have a lot of OT assets that have been out there for a number of years, let’s say you remove the malware … well, you can’t patch this stuff, so the vulnerability is still there. You still have the risk. You didn’t get rid of it,” Busalachi said. “So now what are you doing? Are you going to try and put something in place to keep an eye on it, to get continuous real-time visibility into the environment? Are you going to change your network and separate IT and OT, which is not an easy thing to do? It’s very expensive and costly to redesign and re-appropriate your network to be able to reconfigure it if that’s what needs to happen.
“No, what they’re going to do is they’re just going to get back up and running as fast as they can and just say, ‘If we’re still vulnerable, we’re still vulnerable.’ They will not go out there and fix those machines that are still harvesting that weakness that allowed this thing to get in there and do what it did.”
One of the big, open questions for entities that get hit with ransomware attacks is whether or not to pay the ransom — and there’s far from a consensus on the matter. Many experts and government agencies counsel that companies should not pay to retrieve their data, but it all comes down to perspective. The U.S. government has a long-standing policy of not bargaining with terrorists, but companies and critical infrastructure organizations are often working with a different, less idealistic calculus.
“I guess it just depends on your checkbook and what kind of pain you’re willing to withstand from a risk standpoint,” Busalachi said. “If you’re losing several millions of dollars a day versus paying a $5 million ransom and being back up and running, why wouldn’t you do that? Otherwise, you might be looking at weeks or months’ worth of work to get back.”
According to CISA, food and agriculture is one of 16 critical infrastructure sectors “whose assets, systems and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”