Food Safety Humor

FSPCA - Food Safety Preventive Controls Alliance

Tuesday, June 8, 2021

Determining the Impact of Cyber Attacks on Food Safety in Light of the JBS Event

An article in Huffington Post (below) discusses the recent cyber attack on JBS, the world's largest meat supplier.  While this resulted in a momentary hold up of the meat supply and not a food safety risk, it does show the vulnerability of a company's digit control system to an attack.

But what if this was impacted the controls for formulation or temperature control, there could be a food safety issue, and certainly a food quality issue.

A white paper titled "Adulterating More Than Food The Cyber Risk to Food Processing and Manufacturing" developed by the Food Protection and Defense Institute (link below) outlines cyber risk and some actions that food companies can take.  One of those actions is to extend your Food Defense and Food Safety programs to address cybersecurity.  

This begins with a risk analysis of the operations involving maintenance and IT staff to understand the involvement of digital control systems within the work flow and then developing practices that would mitigate potential issues.

Huffington Post
What The JBS Meat Hack Means For Consumers, Pricing And Food Safety | HuffPost Life
What The JBS Meat Hack Means For Consumers, Pricing And Food Safety
Will prices go up? Will the meat make us sick? Here's what to know for both the present and the future.
By Heide Brandes
06/04/2021 05:45am EDT

The meat production industry in the U.S. was rocked this week when a massive cyber attack shut down the operation of JBS, the world’s largest meat supplier.

Although some of JBS’s systems were back online Tuesday and Wednesday, the cyber attack (thought to have originated from a criminal organization likely based in Russia) forced the company ― which operates pork, poultry and beef plants worldwide ― to suspend operations at nine beef processing plants across the U.S. due to ransomware.

Going into what is traditionally a grilling season when consumers are buying up beef, chicken and pork for backyard cookouts, this latest industrial cyber attack will ultimately have little effect on the prices of meat, experts say. What it has done, however, is bring to light just how fragile the world’s food industry is to future cyber hackers.

Although you may not see a shortage of meat or a drastic increase in prices at the store, the ransomware attack on the livestock industry will have a long-lasting ripple effect on how we process and buy our meat.

What Happened?

On Sunday, May 30, JBS USA announced that it was the target of an organized cybersecurity attack that affected its servers in North America and Australia.

According to a media statement, JBS immediately shut down the affected systems and began working with an incident response firm to restore its systems as quickly as possible.

By Wednesday, the company announced that it was on schedule to resume production at all of its facilities on Thursday.

“JBS USA and Pilgrim’s continue to make significant progress in restoring our IT systems and returning to business as usual,” Andre Nogueira, JBS USA CEO, said in a statement Wednesday. “Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the U.S. and Australia.”

It appears that the shutdown didn’t affect the food safety of the products that left JBS during that time, as neither JBS nor the Department of Agriculture’s Food Safety and Inspection Service (FSIS) have issued any recalls or statements that the food is unsafe to eat. HuffPost reached out to JBS but hadn’t heard back by the time this story was published.

For the average shopper, the massive disruption barely had an impact on beef prices or consumer’s day-to-day needs.

“It wasn’t an incredibly long-lasting attack, but if the damage was greater or persisted longer, you would probably see a more market change and price change,” said Trent Milacek, an area agricultural economics specialist with Oklahoma State University Extension.

“We saw incredible price movements on Tuesday, but then the market recovered to pretty much where we were a week ago in terms of live cattle prices,” he said. “On the retail side of that, if you’re going out to buy stuff, I’m sure you will still find plenty of products available in the grocery stores, so that won’t be a huge concern.”

However, Milacek said, the U.S. is now aware of how fragile the food supply actually is. Additional attacks or disruptions, like what the industry experienced in 2020 during the COVID-19 pandemic, could definitely make waves in the market, increase volatility and affect supply and prices. That being said, Milacek said the public shouldn’t worry about running out of food anytime soon.

“The great thing about the U.S. is we are incredibly diverse. We have a lot of different sources of food, and that has always helped maintain our robust food supply,” Milacek said.

“As a consumer, I wouldn’t be incredibly concerned about this single incident, but in the future, it opens up our eyes to what can happen.”

How Future Threats Affect Our Food

The risk of cybersecurity to America’s food supply isn’t a new concern. In September 2019, The University of Minnesota’s Food Protection and Defense Institute released its “Adulterating More Than Food: The Cyber Risk to Food Processing and Manufacturing” report on risks to the U.S. food supply chain, stating that the food industry is already a frequent target of criminals.

One of the biggest problems in large-scale food operations, the report showed, is that many control systems and software used by the food industry were developed before cybersecurity was a concern. Thus, these systems were never designed to be secure from cyber attacks.

“As the energy, financial and healthcare sectors harden their defenses in response to attacks, it’s safe to assume criminals and other threat actors will move on to lower hanging fruit. This could well be the food industry, which continues to use vulnerable (systems) that are discoverable on the internet,” the report warned.

The JBS meat plant is viewed in Plainwell, Michigan, on June 2, 2021. An American subsidiary of Brazilian meat processor JBS told the U.S. government that it has received a ransom demand in a cyberattack it believes originated in Russia, forcing some plants to cut production.

The JBS meat plant is viewed in Plainwell, Michigan, on June 2, 2021. An American subsidiary of Brazilian meat processor JBS told the U.S. government that it has received a ransom demand in a cyberattack it believes originated in Russia, forcing some plants to cut production.

Ravi Jadeja, food safety expert with OSU’s Robert M. Kerr Food and Agricultural Products Center, said the automated nature of industrial livestock production facilities and food processing centers could be its biggest weakness.

Many automatic machines are controlled by software, and if a hack occurs, those machines could be shut down or even used to harm plant workers if they are tampered with. It also disrupts the safety measures companies are required to use when processing food.

“Not only is the physical safety of the food products impacted by this, but the food industry needs to create tons and tons of documentation to prove that the food product is safe,” Jadeja said.

“If documents are not present, then the food industry may need to recall all of the food products that they produce. More and more industries are moving toward going online, so when there is an issue like this, it prevents them from creating those documents.”

Jadeja said the chemical antimicrobial agents the food industry uses to remove microorganisms from food could also be tampered with, making those foods unsafe to eat.

“For a multinational company with its system online, then it is likely that someone could even change the concentration of chemicals. It not only becomes a food safety issue, but it can even become a human health hazard.”

Although rare, future cyber attacks like that could happen without more safety protocols put into place.

“There are many different safeguards against this type of thing,” Jadeja said. “Cyber attacks are part of every company’s Food Defense Plans, which identifies your computer system and designs appropriate measures to mitigate the vulnerabilities. But again, this is very new to the food industry, which has seen small-scale issues, but not at the scale that we are seeing right now.”

The cyber attack on JBS was short-lived, but it still made an impact on the market. When JBS shut down its processing facilities this week, the USDA numbers for livestock saw 22% reduction in processing on Tuesday and a 15% drop on Wednesday.

“When you hit a 22% reduction in processing, that’s definitely going to affect what we see on the retail side for beef and also swine,” Milacek said. “It’s kind of similar to the pandemic, where we saw disruptions to processing facilities that were due to labor. On the retail side, we see prices go up. If this was a long-term attack, you might see reductions in supply, but we had just two days of disruption.”

Although you may not see much of a price increase on beef or pork in the grocery store, the attack is causing shoppers to rethink just how safe food production is from future attacks.


Food Protection and Defense Institute

Adulterating More Than Food The Cyber Risk to Food Processing and Manufacturing
fpdi-food-ics-cybersecurity-white-paper.pdf (umn.edu)
Pg. 12
"Recommended actions for food companies FPDI has identified several critical steps food companies can take  to protect themselves. If you’re not already doing all of them, start  here. 
First:  Foster more communication between your OT and IT  staff. This is critical for bridging the cultural gap and fully  understanding how ICSs and IT systems interact. For starters,  OT staff can help IT staff see how standard IT security solutions often won’t work for ICSs. IT staff can help their OT 
counterparts understand the risks to their systems and the company, and together they can develop 
processes and procedures to protect your systems that work for everyone.
Next, once your teams are beyond the introductions: Begin conducting risk assessments that include inventorying both ICSs and IT systems. You  know where all the physical doors and windows into your facility are and how they work, but do you  know this about all your hardware and software? If not, how will you lock them? As the former head  of the National Security Agency’s top hacking team has said, those wanting to attack a network put in the time “to know it better than the people who designed it and the people who are securing it”  [96]. Also, strongly consider using 3rd-party cybersecurity audits of your process controls.
Cybersecurity has to become part of your operating culture:
Involve staff with cybersecurity expertise in the procurement and deployment process for ICS 
devices. They can save you from “buying problems” by purchasing vulnerable devices. Unfortunately, 
vendors too often package and market new “features” that are anything but when it comes to 
keeping your systems safe. You need a procurement team with the knowledge to negotiate with 
vendors for what your company really needs. In addition, have a team able to effectively vet the 
equipment before placing it on the service line.
There is also another way to leverage your company culture to enhance protection, and this may be the most important change to make of all:
Extend your food safety and food defense culture to cybersecurity. Plant workers are trained to 
incorporate food safety concerns into the plant workflow and manage food safety threats through 
good manufacturing workflow design. This can include incorporating best practices and standards 
into action steps in the workflow. Cybersecurity threats have to become part of this threat mitigation 
and safety enhancing process. "

No comments:

Post a Comment