Maybe a not-so-funny coincidence: I first wrote this editorial solely about the Colonial Pipeline cyberattack, with references to the 2017 Mondelez malware incident. On the day this magazine went to the printer, I did a total rewrite because of JBS USA’s cyberattack, which happened over Memorial Day weekend.
My point remains the same: These attacks should be seen as warning shots for food and beverage processors. It’s only a matter of time ...
The Colonial Pipeline incident made headlines earlier in May and created gasoline shortages in the eastern third of the U.S. last month. Hackers, presumed to be based in Russia, somehow got into the company’s computers and shut down the East Coast’s largest conduit for fuel for six days. Ultimately, Colonial paid what was reported to be a $5 million ransom.
All of which reminded me of a 2017 malware incident that apparently cost Mondelez International $100 million in various business impacts – actually, a security website put the full cost of the incident, including lost business, at closer to $180 million. It’s been that long since we visited the subject. It’s time to return some focus to cyber security.
JBS did not provide a lot of detail on its cyberattack; the company did not mention ransomware, but several experts speculated that was the goal of the attack. The company said it affected servers supporting its North American and Australian IT systems.
JBS did note: “The company is not aware of any evidence at this time that any customer, supplier or employee data has been compromised or misused as a result of the situation. Resolution of the incident will take time, which may delay certain transactions with customers and suppliers.” Various media reported JBS shut down production at multiple sites worldwide, not just in North America and Australia. Bloomberg reported five JBS plants totaling 20% of U.S. beef packing supply went offline because of the hack.
At the risk of sounding callous, a food plant blowing up would not be as catastrophic for the surrounding area as a chemical plant exploding, nor would the resulting shortage of steaks create the havoc that the loss of power to a major city would. But tainted burgers, not detected until they were being consumed all across the country, certainly would qualify as terror.
A 2017 post-Mondelez story of ours laid out a seven-point process that will at least get you started:
- Assess Existing Systems. Determine the risks that an attack on your control and computer systems poses to your business. Rank these risks so you can prioritize spending.
- Document Policies and Procedures. Once you have an understanding of the risks facing your systems, start creating policies and procedures to mitigate those risks. Start with preventing what will hurt your company the most.
- Train Personnel and Contractors. Make employees, suppliers and contractors aware of your policies and procedures starting with an awareness program and then formal training.
- Segment the Control System Network. This is arguably the most important tactical step. Partition your computer and control systems into distinct security zones and implement layers of protection to isolate the most critical parts of your process.
- Manage Access to the System. Once you’ve partitioned your systems, the next step is to control access to the assets within those zones. Create both physical and logic access controls.
- Manage the Components. Deploy software tools that allow you to efficiently keep all your equipment backed up, patched and monitored. This should include updating antivirus and white-listing tools. Companies used to focus only on their Windows computers, but with the new malware, continuous management is essential for anything that has an IP address.
- Monitor and Maintain System Security. Remain vigilant by monitoring and maintaining security throughout the life of your system. Install software that will warn you of suspicious activity.