A YEAR on from the infamous JBS cyber attack, what has agribusiness learned about digital security?
While the company’s South American operations were less affected, JBS businesses in Australia and the United States were paralysed by the 30 May 2021 cyber breach. Australian processing operations were closed for a week, before JBS paid a A$14.2m ransom to regain control of its systems. The event disrupted cattle markets in Australia, and left a significant hole in Australia’s June 2021 monthly beef exports.
The episode attracted worldwide media attention, as the world’s largest cyber attack against an agribusiness firm.
Businesses everywhere (Beef Central included) raced to update their security systems.
Cybersecurity expert Lani Refiti suggests Australia’s food & beverage organisations remain a good target for ransomware, especially in light of recent geo-political conflicts.
Mr Refiti is ANZ’s regional director of cybersecurity firm Claroty, and a former partner at Deloitte. He co-founded the start-up CyberMetrix, which consults with government and business sectors on improving cyber resilience.
Twelve months on from the JBS attack, the agribusiness sector has not improved enough in terms of cybersecurity maturity and readiness to face a similar attack, he said.
“The needle has shifted slightly, but far more could be done,” Mr Refiti said.
“There is definitely more awareness in the form of increased discussion on the potential risks of a ransomware attack in terms of disruption and loss of service. Some food & beverage manufacturers have started remediation work in their corporate IT networks to close off security vulnerabilities.
“This is typically where ransomware originates from and also what caused the JBS incident, so this is a positive first step,” Mr Refiti said.
“However, in all honesty, most food sector organisations have a hard enough time maintaining and keeping track of all the assets and devices connected to their networks, let alone having the budgets and resources (people, process, technology) to secure them. Unfortunately, this means there will probably need to be more incidents like the JBS attack to encourage the industry to shift as a whole.”
Australia’s Security Legislation Amendment (Critical Infrastructure) Bill 2021 (also known as the SOCI Act) has significantly impacted the level of compliance required in the F&B sector overall, and particularly by major players like retailers Woolworths, Coles and Aldi.
“SOCI has increased the level of awareness around cybersecurity, particularly at the board level, but progress is still slow overall,” Mr Refiti said.
He said many F&B organisations were essentially caught off guard by the new bill, which increased the number of industries recognised as critical infrastructure from four previously, to eleven now.
The F&B sector now falls under the category of critical infrastructure, just like Energy, Water and Transport, and is subject to a host of new security requirements which it didn’t need to be compliant with before.
“Organisations are now completing risk assessments to figure out how the legislation will affect them and what their new obligations are. It’s an already slow process, exacerbated by the fact that the F&B sector is a slow adopter of new processes and technology as it is,” he said.
F&B organisations already made very good targets for adversaries due to a number of factors, and this risk has further increased as a result of recent geopolitical conflict, Mr Refiti said.
“Australia’s best threat intelligence shows criminal groups are targeting the F&B sector more frequently, as it’s perceived to be an easier industry to penetrate and from which to extort ransom. This is because the food supply chain is critical to a nation’s functioning, therefore an attack has the potential to cause serious disruption to the wider public by leaving them without access to certain foods.”
The industry overall lacked maturity from a cyber risk perspective, Mr Refiti said.
Rather than spending resources and time targeting sectors that have a higher level of cybersecurity maturity, such as financial services, the public sector, energy and mining, cybercriminals would likely target the ‘low hanging fruit.’
“Due to several reasons – culture, low technology adoption and resourcing issues – the F&B sector continues to lag behind other industries when it comes to cyber risk maturity,” he said.
“This existing risk has been exacerbated by geopolitical instability. Australia’s support of the global sanctions against Russia has landed it in the crosshairs of nation-state aligned cybercriminal groups.
“Adversaries are now targeting not just Government infrastructure, but critical infrastructure more broadly including the F&B sector. This led to the intelligence agencies of US, UK, Canada, Australia and NZ (5-Eyes partners) in April releasing an official alert, highlighting the ongoing targeting of critical infrastructure.”