KANSAS CITY — Cybersecurity has rightly risen to an issue of critical importance for corporate and government leaders. The ransomware attacks on Colonial Pipeline and meat processor JBS bring to the fore the significant vulnerabilities that exist throughout industrial supply chains.
In stark testimony before House of Representatives and Senate committees investigating the ransomware attacks, Joseph Blount, chief executive officer of Colonial Pipeline, explained why he shut the pipeline.
“If you even think there is even a 1% chance that that criminal got into your system and could potentially take over control of a 5,500-mile pipeline moving 100 million gallons a day, then you shut that pipeline down,” he said.
On May 31, JBS SA, the São Paulo, Brazil-based meat processor, said servers supporting its North American and Australian IT systems were the target of a ransomware attack. Operations were halted at numerous production plants, but by June 3 all plants were back on line. JBS paid $11 million in ransom. While most of the company’s plants were back in operation when it made the payment, management still decided to pay to “mitigate any unforeseen issues related to the attack.”
“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO of JBS USA. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
These high-profile cyberattacks are a wakeup call for many, but they were not unforeseen. In comments filed May 18 in response to a request from USDA’s Agricultural Marketing Service about how to strengthen America’s food system, the Food Protection and Defense Institute at the University of Minnesota explicitly called out the cyber vulnerabilities that exist within the food industry.
“… We would like to call USDA’s attention to the significant cybersecurity-related risks to the agricultural and food product supply chain that threaten its resilience and companies and consumers nationwide…,” wrote Jennifer van de Ligt, director of the Institute.
Regarding ransomware, Ms. van de Ligt added, “Agricultural and food product supply chains are especially vulnerable to this threat because of the immediately costly consequences of even the slightest interruption in the availability of processing equipment, cold chain equipment, facility climate controls, or distribution and transportation information.”
Using the disruptions COVID-19 caused in the pork processing industry as an example, Ms. van de Ligt wrote that the impact of a cyberattack could be worse.
“Fast-spreading ransomware attacks could simultaneously block operations at many more plants than were affected by the pandemic and result in even more euthanizations, straining public health capabilities nationwide and creating cascading effects throughout the animal products supply chain,” she wrote.
Concern about the impact of cyberattacks on critical infrastructure, including the food supply, has reached the highest levels of the US government. It is all but assured that some sort of action to protect against future attacks will be required of businesses.
During 2011 and 2012, after a series of food fraud incidents, the Food and Drug Administration became concerned that the nation’s food supply could be tampered with. The result was a requirement that food manufacturers develop and implement food defense plans. Recent events suggest similar plans for cybersecurity are an additional necessity.