On May 30, 2021, meat processor giant JBS USA determined that it was the target of an organized cybersecurity attack, which impacted some of the servers supporting its North American and Australian IT systems. The company says it took immediate action, suspending all affected systems, notifying authorities, and activating the company's global network of IT professionals and third-party experts.
Resolving the situation, however, turned out to be very costly. The company says it opted to pay approximately $11 million in ransom to the attackers to prevent any risk to its customers.
Recognize the threats
No industry, including the dairy processing segment, is immune from such an attack.
“The dairy industry is susceptible to the same cybersecurity threats as other industries — data breaches, theft of assets, compromise of proprietary information, and more,” says Collin Varner, a manager for Tampa, Fla.-based Schellman, an IT compliance specialist.
In fact, the manufacturing industry ranks second, behind the technology industry, when it comes to attacks over encrypted channels, says Deepen Desai, chief information security officer and vice president, security research and operations for San Jose, Calif.-headquartered cloud security specialist Zscaler. (He cites data from Zscaler’s 2021 “The State of Encrypted Attacks” report.)
A ransomware attack — whereby the attacker inundates its target with “misleading and fraudulent emails containing malicious software” — is the most prevalent type of cyberattack, notes Al Leiva, counsel in the Fort Lauderdale office of the Memphis, Tenn.-based law firm Baker Donelson, and a member of the firm’s Data Protection, Privacy and Cybersecurity Team. Opening the emailed files can result in encryption of the victim’s files.
“Once encrypted, the attacker demands payment for a decryption tool and key,” Leiva explains. “In addition to locking up files, such attackers may also exfiltrate sensitive data files.”
And those threats could impact the dairy industry at the plant level. Although one of the largest cybersecurity attacks in recent history — the Colonial Pipeline ransomware attack — did not directly impact the company’s industrial control systems such as pumps and valves, the possibility of attacks on industrial control systems and water treatment facilities certainly warrants consideration, notes Jacob Ansari, security advocate for Schellman.
“The dairy industry does have some potentially unique elements, particularly if it uses internet-enabled technology for any of its manufacturing or transit of perishable goods,” Ansari says. “These systems are often not designed with appropriate security controls and may not get regular operating system software updates or other security practices.”
Leiva agrees — and points to additional potential chaos.
“Attackers may expand their attacks beyond just information technology systems [and] also target operational technology assets that control key industry processes,” he says. “Such an attack may, therefore, potentially impact pressure, temperature and safety settings, which can potentially spoil food or shut down production completely.”
Eyal Benishti, founder and CEO of Ironscales, an Atlanta-based AI- and machine learning-powered email phishing security platform, notes that dairy processors and dairy farmers potentially represent a significant target for ransomware attacks, which commonly are accomplished via email phishing.
“Cybercriminals can use email phishing and ransomware against these producers to disrupt food production or interfere with a time-sensitive distribution supply chain, with the goal of large payouts from key players in the agriculture industry.”
To protect their plants and overall operations, dairy processors would be wise to avoid mistakes that make them more vulnerable to cyberattacks. For one thing, bringing traditionally offline systems online to the internet might not be wise, says Andy Rogers, senior associate for Schellman.
“I understand that it can make it easier to track production and reduce downtime, but it can open up a system that is fraught with vulnerabilities to a much larger and malicious audience,” he says. “Easily guessed passwords and a lack of multifactor authentication in the environment [also are a risk]. Hackers know that the simplest attacks are the ones they must give very little to exploit.”
Ransomware attacks have recently impacted some large companies. Aldo (Al) Leiva, an attorney with the law firm Baker Donelson, joins us for Episode 5 of the Let’s Talk Dairy podcast. Al Leiva talks about how dairy processors could better prepare for ransomware and other cybersecurity attacks.
In addition, relying on outdated security systems such as secure email gateways — proven unsuccessful for preventing modern, more sophisticated attacks — increases dairy processors’ vulnerability to an attack, notes Benishti. Failure to adequately train employees on how to identify and handle potentially dangerous emails, links, and/or pop-ups also ups the risk.
Dairy processors could — and should — take a number of steps to reduce the likelihood of a cybersecurity attack. As a starting point, they not only should be aware of such threats but also have a written information security plan in place, Leiva says. And they should proactively perform risk assessments tied to their computer networks and infrastructure so they are able to assess and address any vulnerabilities before they are targeted.
“Such proactive measures include training employees on email phishing campaigns and remote and desktop and software vulnerabilities,” he says.
Benishti also underscores the importance of regular employee training, noting that it’s one of the most important things companies can do to enhance cybersecurity.
“There are many different forms of cybersecurity training, but conducting training in a gamified or simulated format will likely increase engagement and retention among teams,” he adds.
The right procedures and tools can help, too. Dairy processors should be sure to back up data, install critical software updates, adopt multifactor authentication and strong passwords, and install antivirus and anti-malware software, Leiva notes.
Benishti also points to the use of anti-phishing tools such as advanced self-learning email filters that flag, block or quarantine suspicious emails before they reach targeted employees. Artificial intelligence such as email filters that leverage machine learning can be used to protect end-users, too.
And Varner advises dairy processors to use a reputable security framework when expanding their information security and cybersecurity efforts.
“These provide foundation and opportunities for security enhancement based on the latest trends to remain steadfast and alert to threat actors,” he says. “You may also utilize other frameworks such as SOC for Cybersecurity, NIST CSF, etc., to assess the true representation of your cybersecurity risk management program.”
Ultimately, protection against attacks should be rooted in a “zero-trust architecture,” Desai points out. This architecture encompasses attack surface reduction, compromise prevention, lateral movement deterrence, and data exfiltration prevention.
“With a distributed workforce, it is important for organizations to implement new tools to secure access to the web, cloud services, and business-critical applications,” he says. “A security service edge approach can help enforce consistent security policy no matter where the users are working.”
Segmenting applications can help reduce “the blast radius” of any attack, Desai notes.
“In a true zero-trust state, you should connect approved, authenticated users (and applications) directly to an application, never to a network,” he says.
Adoption of a zero-trust strategy can be a big undertaking, Desai admits, but it starts with just a single step.
“A logical starting point is moving your crown jewel applications behind a proxy architecture to enforce micro-segmentation and eliminate exposure risk,” he says. “And remember that you’re not alone — security vendors and other trusted consultants can help you make the business case for zero trust and ensure that your deployment goes smoothly.”
For additional help, dairy processors could also consult resources from the U.S. Cybersecurity and Infrastructure Security Agency (www.cisa.gov) and the Information Technology-Information Sharing and Analysis Center (www.it-isac.org/food-and-ag-sig), Leiva says.