By: Dan Simonds
On Sunday, May 30, JBS Foods USA, the world’s largest processor of beef and pork, determined that its North American and Australian (IT) information technology systems were the target of a ransomware cyber-attack. In a JBS press release published May 31, JBS stated that in response to the ransomware attack they took immediate action and suspended all of the affected systems, shut down all slaughter operations in the U.S., notified authorities (the White House, USDA, the Canadian and Australian governments and the FBI), and activated “the company’s global network of IT professionals and third-party experts to resolve the situation.” Furthermore, this press release stated that their backup servers were not affected and that they were actively working with an incident response firm to restore their systems as soon as possible.
What is interesting about this cyberattack is that the ransomware targeted JBS’s IT systems but prompted JBS to stop slaughterhouse operations. This is important because JBS slaughterhouses utilize operational (OT) technology (systems that control physical processes) to automate physical processes. It is possible that JBS stopped the operation of the slaughterhouses, taking the OT systems offline, to protect them from the ransomware.
June 3rd, JBS announced in a press release that all of its facilities and slaughterhouses were fully operational. This press release also stated “immediately upon learning of the intrusion, the company contacted federal officials and activated its cybersecurity protocols, including voluntarily shutting down all of its systems to isolate the intrusion, limit potential infection, and preserve core systems. In addition, the company’s encrypted backup servers, which were not infected during the attack, allowed for a return to operations sooner than expected.” Furthermore, Andre Nogueira, JBS USA CEO stated “Thanks to the dedication of our IT professionals, our operational teams, cybersecurity consultants and the investments we have made in our systems, JBS USA and Pilgrim’s were able to quickly recover from this attack against our business, our team members and the food supply chain…. The criminals were never able to access our core systems, which greatly reduced potential impact.”
JBS’s cybersecurity practices in response to this cyber-attack are notable because they imply that JBS may have invested in increased network visibility, a well-segmented network with proper security protocols, quick and organized incident response protocols, the prioritization of crown jewels, and the separation of IT/OT data. Investing in these practices is important because they are the industrial cybersecurity firm Dragos’ top five recommended actions to increase industrial systems security.
In the case of the JBS attack, increased network visibility plays a major role in identifying affected systems so that they can be shut down to “isolate” the intrusion. Well segmented networks prevent malware from spreading and finding its way to “core” systems. Prioritizing quick and organized incident response protocols is what provides IT professionals with steps that in the case of an incident can be taken immediately ranging from contacting the proper authorities to making the voluntary decision to shut down affected systems. Prioritizing crown jewels is the process that determines the “core” or most important systems so that increased layers of protection can be created around them making them harder to access. The separation of IT and OT data is what prevents an attack on IT systems allowing the adversary to access OT systems.
In the past, the private sector has been hesitant to involve the government when targeted by cyberattacks, so it is also notable that JBS immediately contacted government agencies because they can provide strategic guidance and assist in the investigation process. Furthermore, it is praiseworthy that JBS voluntarily shut down systems and physical operations. Shutting down systems and physical operations costs money so JBS’s actions demonstrate that they were willing to incur the immediate cost of shutting down operations to protect the safety of their networks and physical operations.
Citations
Dragos. “2020 ICS Cybersecurity Year in Review.” Dragos, 1 Apr. 2021, www.dragos.com/blog/industry-news/2020-ics-cybersecurity-year-in-review/.
“JBS USA and Pilgrim’s Announce Resolution of Cyberattack – JBS Foods.” – JBS Foods, 3 June 2021, jbsfoodsgroup.com/articles/jbs-usa-and-pilgrim-s-announce-resolution-of-cyberattack.
“JBS USA Cyberattack Media Statement – May 31 – JBS Foods.” – JBS Foods, 31 May 2021, jbsfoodsgroup.com/articles/jbs-usa-cyberattack-media-statement-may-31.
Runyon, Luke. “World’s Largest Meatpacking Firm Wants To Test Out Robot Butchers.” NPR, NPR, 5 Jan. 2016, www.npr.org/sections/thesalt/2016/01/05/461377861/worlds-largest-meatpacking-firm-wants-to-test-out-robot-butchers.
Tom Polansek, Jeff Mason. “U.S. Says Ransomware Attack on Meatpacker JBS Likely from Russia.” Reuters, Thomson Reuters, 1 June 2021, www.reuters.com/world/us/some-us-meat-plants-stop-operating-after-jbs-cyber-attack-2021-06-01/.