A Memorial Day weekend cyberattack gave us more than a little food for thought.
We’re certainly not in the told-you-so business by any means, but we did write a report last year about the importance of having a plan to protect assets against cyberattacks.
Lo and behold, in May, a cyberattack targeted JBS Foods, a meat-processing company with locations in the United States, Canada and Australia. It affected a reported one-fifth of the U.S. beef capacity, and is a prime example of why Security & Vulnerability Assessment software is so important to help plan for potential facility and infrastructure breaches of the electronic kind.
“Retailers and beef processors are coming from a long weekend and need to catch up with orders and make sure to fill the meat case,” wrote Steiner Consulting Group in its Daily Livestock Report for June 1. “If they suddenly get a call saying that product may not deliver tomorrow or this week, it will create very significant challenges in keeping plants in operation and the retail case stocked up.”
It also raised concerns about food security—as if we didn’t already have enough to worry about with climate change.
In a written statement posted on JBS USA’s website on June 1, CEO Andre Nogueira said, “Our systems are coming back online, and we are not sparing any resources to fight this threat. We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans. Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow.”
This major breach is on the heels of a recent ransomware attack on a pipeline that led to some 5,500 miles of pipeline having to be temporarily shut down. An organization called DarkSide was said to be responsible for the incident.
Should we cue “The Imperial March” now?
Anyway, multiple news organizations have reported that the Eastern European hackers were paid nearly $5 million in ransom to restore services, and the pipeline was back up and running along the U.S. East Coast in about a week. The typical downtime after a ransomware attack is 21 days, according to the U.S. Chamber of Commerce, and full recovery from one takes 287 days on average. Update: On June 7 the U.S. Justice Department reported that investigators had recovered “millions of dollars” in cryptocurrency related to the cyberattack.
Still, none of this should be very surprising at this point. There were 304 million ransomware attacks in 2020, according to Statista, which was the second highest total recorded since 2014. And when attacks move from the informational technology (IT) side to the operational technology (OT) side, operational risk is inherent.
“According to open-source reporting, DarkSide actors have previously been observed gaining initial access through phishing and exploiting remotely accessible accounts and systems and Virtual Desktop Infrastructure,” the U.S. Cybersecurity & Infrastructure Security Agency (CISA) wrote.
Of course, the DarkSide is not alone. A cyberattack takes place every 11 seconds, according to Cybercrime magazine, and will cost businesses and consumers a combined $20 billion.
An ‘Elephant’ You’ll Never Forget
As we wrote in our 2020 report, “While concerns about physical destruction to property or even malice toward people are still top of mind as they should be, with the emergence of Industrial Internet of Things (IIoT) technology, the metaphorical room where the elephant can roam has expanded exponentially.”
To better prepare for a potential cyberattack, process safety data from Process Hazard Analyses, emergency response preparedness and training can be used as indicators to assess the integrity of existing controls and employee readiness in case of such an event. It can also help gauge the vulnerability of a plant to assess its security risks as well.
Facility security risk assessment standards and guidelines have been available for many years, such as the API 780 SRA (2013) from the American Petroleum Institute, CCPS SVA (2003) from the Center for Chemical Process Safety, and vulnerability assessment methodology (VAM) (2002) from Sandia National Laboratories, so there is good guidance available.
It’s not a matter of if another cyberattack of the scale we’ve seen in the past month will happen again but when. Regardless of whether the attack affects steaks, chops, pipeline or something else, the stakes couldn’t be any higher.