The main lesson from the JBS food attack applies to all industrial organisations: digital transformation expands an organisation’s attack surface, making it easier for threat actors to enter the network and gain control of OT assets. By Vijay Vaidyanathan, Regional Vice President—Solutions Engineering, APJ at Claroty.

When it comes to food security, or access to sufficient, safe and nutritious food, sustainable food production, diversified food sources, and technology adoption are top priorities for food manufacturers and suppliers. However, with the rise of cyber criminals targeting critical infrastructure, it is high time that the industry prioritises cyber security as well. 

In late May 2021, JBS Foods, the world’s largest meat supplier, revealed that its North American and Australian IT systems had been compromised by an “organised cyberattack” that forced the shutdown of some of its plants and meat distribution. This led to the company paying US$11 million in ransom to hackers to prevent future attacks, even though the company was able to restore most of its systems from its backup servers. 

The attack against JBS Foods occurred less than a month after the high-profile cyberattack against the Colonial pipeline, which resulted in the payment of US$4.5 million in ransom. These incidents highlight the need to manage cyber-related risks in manufacturing environments and critical infrastructure wher vulnerable legacy technology rules the day, and downtime is unacceptable. 

Production environments such as JBS Foods’, which controls 20 percent of US’s slaughtering capacity for beef and pork production and one-fifth of its daily cattle harvest, have 24/7 operations. Taking down servers or network equipment for patch testing and deployment is a major task, and any downtime or compatibility issues could cost millions.

Evidently, threat actors today understand this dynamic are more insidious in using ransomware to target large companies who are intolerant of interruptions and have the capacity to pay exorbitant extortion demands. 

These recent breaches highlighted to governments that operational technology (OT) network protection of critical national infrastructure was a national security issue. The U.S. immediately moved to mandate incident-reporting procedures and to ensure that hardened cybersecurity practices be installed and required of private companies that operate in some sectors, such as energy, oil and gas, transportation, finance, healthcare, and food and beverage. 

Some governments in Asia were already broaching the issue. In October 2019, the Singapore government’s Cybersecurity Agency, CSA, outlined an OT Master Plan, which includes adopting technologies for cyber resilience through public-private partnerships to protect Singapore from cyber-attacks on critical sectors like transport and water supply. In May 2021, the CSA announced the formation of the OT Cybersecurity Expert Panel. The panel complements CSA’s OT Master Plan and members will meet in October 2021, to discuss ways to strengthen local cybersecurity capabilities and competencies in the operational technology sector. 

The Legacy Problem In Food & Beverage

While there have been no reported cases of similar attacks in Asia’s food and beverage industry, an attack is highly plausible in the region as many production sites run on legacy OT that was never designed to be connected to the internet. 

OT networks predate the internet, and with digital transformation leading many food and beverage companies to automate parts of the manufacturing processes, OT is suddenly being exposed to a whole host of new cyber threats lurking the web.

In many instances, OT networks run on proprietary protocols wher legacy equipment is incompatible with traditional IT security tools such as virtual private networks (VPNs) used in enterprise IT environments, meaning the same security tools that work well in IT are not adequate for OT. When a company connects its OT assets to their corporate IT network without the appropriate additional security measures, they leave themselves exposed, potentially with an expanded attack surface. Threat actors are given numerous direct or indirect pathways into the OT network, and to the critical systems and physical processes it controls.

Decisions Should Be Grounded In Data

Effective industrial cybersecurity must start with knowing what needs to be secured. You always need a current inventory of all OT, Internet of Things (IoT), and Industrial IoT (IIoT) assets, processes, and connectivity paths into the OT environment. 

With an accurate picture, you can tackle inherent critical risk factors—from vulnerabilities and misconfigurations to poor security hygiene and untrustworthy remote-access mechanisms. Visibility into process values—such as temperatures, chemical composition, and product formulas—can help ensure the quality and consistency of outputs. You can establish a behavioural baseline against which to monitor the network and understand the vulnerabilities, threats, and risks that may be present—including anomalies that may indicate an early-stage attack—in order to take pre-emptive actions.

Build Resilience To Regain Control

In addition to strengthening your industrial network defences, you also need to build resilience. When executed effectively, network segmentation is an effective strategy for impeding attackers’ lateral network movement.

In today’s hyper-connected world, OT networks are no longer air-gapped and network segmentation compensates for this. Since these environments are often geographically dispersed, deploy virtual segmentation to zones within the industrial control system (ICS) network to regain control over isolated sites. This will alert you to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment. 

Virtual segmentation can also improve network monitoring and access control, and greatly accelerate response time. In the event an attacker does establish a foothold, you can shut down only portions of the network, regain control, and drive intruders out, saving cost and reducing downtime. 

Additionally, encryption of data at rest and in motion is important for good cyber defence and resilience with respect to ransomware. Secure, available offline backups are crucial to rapid recovery from such attacks. Make sure you know wher backups are, how to access them and that they are regularly tested.

The main lesson from the JBS food attack applies to all industrial organisations: digital transformation expands an organisation’s attack surface, making it easier for threat actors to enter the network and gain control of OT assets. Without the correct security tools in place organisations can’t identify vulnerabilities or detect malicious activity, giving way for cyber criminals to exploit organisations.