A ransomware attack against the world’s largest meat processor is giving a taste of the chaos hackers could cook up with a concerted hack against the agricultural and food sector. It’s also prompting renewed calls for government to mandate stringent new cybersecurity protections in industries vital to U.S. economic security, such as agriculture, energy and transportation.
The attack against Brazil-based JBS has halted production at all the company’s U.S. meat processing facilities and slaughterhouses across Australia, shutting down about one-fifth of U.S. beef production, Hamza Shaban reports. JBS said it expects to have sufficiently recovered to have most plants operational today, but the shutdown is still threatening a temporary surge in beef and pork prices and roiling an industry already battered by the coronavirus pandemic. The breach is also stirring memories from just last month when U.S. oil production was severely impaired by a ransomware attack against Colonial Pipeline. In that case, Colonial paid a $4.4 million ransom to the Russia-based criminal group in an effort to unlock its systems and data.
The two hacks offer a dramatic warning about how quickly criminal hackers could send an entire economic sector into a tailspin.
“Everything is connected and everything is vulnerable and it leads us to this place where we can no longer be polite with critical infrastructure and say, ‘If you can get around to it, it would be good to do the basics,’ ” Kiersten Todt, president of Liberty Group Ventures, told me.
“We need to be taking a more assertive position of, ‘You have to do the basics and we’re going to check up on you,’ ” she said.
As with the Colonial breach, the group that targeted JBS is likely based in Russia, White House spokeswoman Karine Jean-Pierre said. “The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” she said. The FBI is investigating the attack and the Agriculture Department has reached out to other major meat processors, asking them to make up for any production shortfalls.
The government, however, has been slow to embrace cybersecurity mandates for companies.
The Department of Homeland Security is implementing a suite of new cybersecurity requirements for pipelines. But those regulations came only after the Colonial Pipeline hack.
Similar mandates aren’t yet on the table for other sectors — including many, such as agriculture and food production, where cybersecurity protections are mostly voluntary.
Todt led a White House cybersecurity commission that argued against government mandating cybersecurity protections for industry in its 2017 report. That report suggested waiting on mandates to see whether companies would improve their own cybersecurity in response to market pressures. Four years later, it’s clear the market-driven approach has failed, Todt told me.
“We said if market forces fail, then the government needs to step in. And the reality we have now is that the market is not incentivizing security,” she said. “They’re actually disincentivizing security … It’s kind of stunning.”