The Chertoff Group

JBS SA Ransomware Attack Security Bulletin

What Happened

On Sunday, May 30th, JBS SA determined that its information technology (IT) systems had been compromised by a ransomware attack. In response, JBS SA suspended its North American and Australian computer systems, shutting down its beef processing operations in the U.S., Australia, and Canada and severely disrupting operations at poultry and pork plants. This is not the first cyber attack on the food and beverage sector (discussed further below), and the meat processing industry has experienced previous interruptions for non-malicious causes, including COVID-19-related shutdowns. That said, the attack has already affected the price of meat products, depressed livestock futures, and raised concerns about further disruptions to food supply chains as the country recovers from the COVID pandemic.

JBS announced late on Tuesday, June 1, that it was beginning to bring its systems back online and that it expected that the vast majority of its systems would be operational on Wednesday, June 2. The company also confirmed that several of its pork, poultry, and prepared food plants as well as a beef plant in Canada were back online on June 2. The company has reported strong progress in restoring its systems by utilizing system backups that were not impacted by the attack. The U.S. Department of Agriculture has reached out to other meat processors to encourage them to accommodate additional capacity in order to help address any supply impacts.

The FBI has attributed the attack to the Russia-linked REvil ransomware operation. REvil, blamed for a number of severe ransomware attacks, has not confirmed its involvement on its dark web leak site.

Why It’s Important

  • The JBS SA attack is believed to be the first on a major meat processor, but ransomware attacks on industrial food and beverage producers are increasing. Over the past year, there has been an observed rise in ransomware attacks on food and beverage producers’ systems, impacting large firms such as Australia’s Lion Brewing, Molson Coors, and the U.S.-based beverage giant E&J Gallo. These attacks have generally led victims to suspend operations, often as a precautionary measure even if they did not directly impact operational networks.
  • Risks to critical infrastructure have been compounded by separate attacks on physical supply chains. Ransomware attacks have increasingly targeted logistics firms, which can have ripple effects on global supply chains and impact a wide variety of industries and countries regardless of where the logistics firm is based. Recent attacks on the French container transport company CMA CGM and the Australia-based Toll Group’s logistics network demonstrate how significant risks remain within the logistics sector, even if they are more limited in scale and scope than the 2017 attack on Maersk.
  • Defending against a disruptive ransomware attack is a “necessary but not sufficient” step in addressing extortionate cyber activity: companies will likely still be extorted to pay to prevent the release of stolen data. Increasingly, a company may face “double extortion,” where payment is demanded both to decrypt the victim’s ransomed data and to prevent the public release of stolen, sensitive documents. The Kentucky whiskey producer Brown-Forman successfully prevented REvil, the same suspected attacker as in the JBS case, from encrypting data on its network, but was unable to prevent the attackers from stealing employee and product data. REvil subsequently demanded payment in exchange for not releasing this information.
  • While President Biden’s recent Executive Order (E.O.) on cybersecurity will not have any immediate impact on this type of attack, it could indirectly address ransomware attack risks in the future. President Biden’s May 12 E.O. includes provisions that could indirectly mitigate some ransomware attack risks when fully implemented. These include expanded breach notification requirements, a heightened focus on “zero trust” architecture, and more rigorous operational technology/IoT hygiene standards. While the standards and best practices will technically apply only to federal departments and agencies and their technology suppliers, it is likely that “where practicable” they will also be adopted by broader categories of buyers and suppliers across critical infrastructure as a north star for security expectations.

Risk-based Actions to Mitigate Ransomware Attacks

While the specific adversary tactics have not been released, defenders can apply the following guidelines and best practices to address risks from ransomware and other disruptive cyber threats:

  • Technical guidance resources. Our industrial cybersecurity partner Dragos has released operational technology (OT) recommendations in response to the Colonial Pipeline attack. These recommendations are largely applicable in the case of JBS SA as well.
  • Threat modeling, ATT&CK and zero-trust. More generally, The Chertoff Group recommends that security practitioners apply security controls based on anticipated adversary behavior and on the assumption that a breach is inevitable or has likely already occurred. By understanding the anatomy of recent ransomware attacks and the associated tactics, techniques, and procedures (TTPs), defenders can ensure risk-based countermeasures are in place. The MITRE Corporation’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help through its library of mappings between TTPs and defensive countermeasure coverage.

Security planning should also reflect zero trust principles that eliminate implicit trust in any network node or access point and consistently limit access to only what is required. This model is particularly relevant to critical infrastructure providers where threat actors may seek to achieve initial entry to the enterprise environment in order to compromise the operational network.

  • Validating control effectiveness. Critical infrastructure owners and operators must validate that defensive countermeasures are operating as intended. As more details emerge from the JBS SA attack, defenders should confirm that existing security controls are effective against the identified TTPs. Likewise, security teams can use testing tools based on the ATT&CK framework to measure control performance with added precision, instilling greater confidence that controls are operating effectively. A control that exists on paper but has never been exercised, or whose last test failed, should not be counted as coverage.

Multiple public and commercial sector sources, including CISA, the U.S. Department of Justice, the FBI, and MITRE, track and analyze ransomware attacks. These resources provide valuable context, tactical mitigations, and detection analytics that organizations can employ to thwart ransomware campaigns.
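The two recommendations above (map anticipated TTPs to controls, then count only validated controls as coverage) can be put into a small, repeatable check. The following Python is an added example for this bulletin, not code from The Chertoff Group, Dragos, or MITRE. Its threat model is a constructed set of real ATT&CK technique IDs commonly associated with ransomware intrusions, chosen for illustration; it is not the JBS attacker's TTP list, which has not been published. The control inventory, its names, and its test dates are likewise hypothetical.

```python
"""Added example: ATT&CK-based control coverage and validation check.

All inputs are constructed for illustration. The technique IDs are real
ATT&CK identifiers, but the set is a generic ransomware-style kill chain,
not any specific incident's TTPs; the control inventory is hypothetical.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed threat model: ATT&CK technique ID -> (name, tactic).
TTPS = {
    "T1566":     ("Phishing", "Initial Access"),
    "T1078":     ("Valid Accounts", "Initial Access"),
    "T1021.001": ("Remote Desktop Protocol", "Lateral Movement"),
    "T1567.002": ("Exfiltration to Cloud Storage", "Exfiltration"),
    "T1490":     ("Inhibit System Recovery", "Impact"),
    "T1486":     ("Data Encrypted for Impact", "Impact"),
}

# Kill-chain order used to rank gaps (earliest stage first).
TACTIC_ORDER = ["Initial Access", "Lateral Movement", "Exfiltration", "Impact"]


@dataclass
class Control:
    name: str
    techniques: frozenset[str]     # technique IDs this control mitigates or detects
    last_validated: date | None    # date of the last ATT&CK-style test, if any
    passed: bool = False           # whether that test showed the control working


def coverage_report(ttps: dict, controls: list[Control], today: date,
                    max_age_days: int = 90) -> dict[str, str]:
    """Classify each technique as 'validated', 'unvalidated' or 'uncovered'.

    'validated' requires at least one covering control whose most recent test
    passed within max_age_days. A control that was never exercised, failed its
    test, or was tested too long ago leaves the technique 'unvalidated'.
    """
    report = {}
    for tid in ttps:
        covering = [c for c in controls if tid in c.techniques]
        if not covering:
            report[tid] = "uncovered"
            continue
        fresh = [c for c in covering
                 if c.last_validated is not None and c.passed
                 and (today - c.last_validated).days <= max_age_days]
        report[tid] = "validated" if fresh else "unvalidated"
    return report


def prioritized_gaps(ttps: dict, report: dict[str, str]) -> list[tuple[str, str]]:
    """Return non-validated techniques: uncovered first, then by kill-chain stage."""
    status_rank = {"uncovered": 0, "unvalidated": 1}
    gaps = [(tid, s) for tid, s in report.items() if s != "validated"]
    return sorted(gaps, key=lambda g: (status_rank[g[1]],
                                        TACTIC_ORDER.index(ttps[g[0]][1])))


def example_inventory(today: date) -> list[Control]:
    """Constructed control inventory with hypothetical names and test dates."""
    def ago(days: int) -> date:
        return today - timedelta(days=days)
    return [
        Control("Mail gateway with attachment detonation",
                frozenset({"T1566"}), ago(20), passed=True),
        # Tested, but too long ago to count as current coverage.
        Control("MFA on VPN and RDP",
                frozenset({"T1078", "T1021.001"}), ago(200), passed=True),
        # Rule exists, but the last test failed to alert.
        Control("EDR rule: shadow copy deletion",
                frozenset({"T1490"}), ago(10), passed=False),
        # Nothing in this inventory maps to T1567.002 or T1486.
    ]


def run_example() -> tuple[dict[str, str], list[tuple[str, str]]]:
    """Run the check against the constructed inventory on a fixed date."""
    today = date(2021, 6, 3)
    report = coverage_report(TTPS, example_inventory(today), today)
    return report, prioritized_gaps(TTPS, report)


if __name__ == "__main__":
    report, gaps = run_example()
    for tid, status in report.items():
        print(f"{tid:10} {TTPS[tid][0]:32} {status}")
    print("Remediation order:", [tid for tid, _ in gaps])
```

Running the block lists each technique with its status and then the remediation order. The design choice worth noting is that a control's presence alone never yields "validated": only a recent, passing test does, which is the distinction the "validating control effectiveness" point above draws. Swapping the constructed inventory for an export from your own control catalog and the test dates from your purple-team or breach-and-attack-simulation results turns this into a recurring report.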

Policy Implications Following the JBS Attack

  • Building Cybersecurity Provisions into Infrastructure Bill. On March 31st, the White House released the American Jobs Plan, a sweeping $2 trillion spending proposal designed to revitalize the country’s aging infrastructure and manufacturing sector. Despite the White House’s assurances that cybersecurity would be a priority for any projects receiving funding, the plan does not explicitly reference cyber initiatives or forecast cybersecurity requirements. The JBS SA compromise puts the absence of cybersecurity provisions into sharper relief as critical infrastructure owners and operators struggle to defend against disruptive cyber attacks. While many of the plan’s modernization initiatives will likely carry safety and security benefits, proposed projects such as internet-connected machinery and autonomous vehicles can create additional cybersecurity risk exposure. Policymakers and critical infrastructure industries should include additional provisions for hardening vulnerable assets, building security into new projects, and enhancing response and resilience capabilities. The U.S. government and industry need to work together to address this threat.
  • Civilian-military cooperation. As the JBS SA and Colonial Pipeline attacks demonstrate, ransomware campaigns can result in disruptive impacts to national critical infrastructure and public safety. In these circumstances, policymakers can look beyond traditional response options and consider invoking authorities and capabilities that can more meaningfully support ransomware deterrence and response. U.S. Department of Defense (DoD) joint doctrine is in place to address such contingencies. In close coordination with DHS and other relevant agencies, the doctrine contemplates the use of Defensive Cyberspace Operations-Response Actions (DCO-RA) to leverage DoD cyber forces to defend non-DoD cyberspace segments, such as national critical infrastructure.

While this authority provides supporting doctrine for U.S. Cyber Mission Force (CMF) support, to our knowledge this capability has never been exercised. With the appropriate relationships in place with critical infrastructure owners and operators, National Mission Teams (NMTs) could be in a position to execute their DCO-RA missions and provide an effective deterrent as well as response and remediation support to victims.


The Chertoff Group has deep experience helping organizations of all sizes rapidly implement threat and risk-informed cyber defenses. Contact info@chertoffgroup.com for more information.

Let's Talk.

Let's explore ways we can help you manage risk or position for strategic growth.

202.552.5280 | Mon. – Fri. 8:00 AM – 5:00 PM EDT