A Single Attack Disrupted Beef Prices and Prompted Calls for Improved Security

Imagine the Fourth of July weekend in 2021. Families are planning holiday barbecues and picnics at the park. Folks are headed to the supermarket to buy the sirloin steaks and hamburger patties that are essential for any good cookout. You can catch the aroma and almost hear the sizzle of steaks on the grill in neighborhood backyards. But when customers get to the checkout counter, there’s only sticker shock — because beef prices have jumped double digits in a matter of just a few weeks.

How this happened is a story of supply chain vulnerability in the U.S. food industry exploited by Russian cybercriminals attacking one dominant company in the hopes of a multimillion-dollar payoff. But there’s a silver lining: The story also reflects the increasing awareness among food safety professionals of the threat posed by cyberattacks and a growing recognition that even a single focused attack can disrupt the nation’s critical farm-to-table supply chain.

The Cybersecurity and Infrastructure Security Agency (CISA) in Washington, D.C., considers the food and agriculture sector a crucial part of the nation’s critical infrastructure. The sector is almost entirely under private ownership and includes an estimated 2.1 million farms, 935,000 restaurants, and more than 200,000 registered food manufacturing, processing and storage facilities. This vital sector alone accounts for about one-fifth of the country’s total economic activity.

Which brings us back to the question: What caused the sharp increase in beef prices in the spring of 2021? Industry analysts point to worldwide supply chain disruptions due to COVID-19, export restrictions and consumer demand. But there was another significant event not widely reported: the ransomware attack by cybercriminals on the largest meatpacking company in the world, JBS, which is headquartered in Brazil and owns a fifth of all the beef-packing plants in the United States.

The attack happened over Memorial Day weekend in May 2021. Hackers using Sodinokibi/REvil ransomware hacked the company’s computer networks in the United States and abroad. The breach resulted in the theft of company data and the shutdown of U.S. plants for several days and helped fuel a double-digit increase in wholesale beef prices, according to news reports. In the end, JBS was forced to pay an $11 million ransom to retrieve its network data and restore plant operations.

The JBS attack and other such attacks have reverberated throughout the food and agriculture industry. One food safety expert who has noticed the increased cybersecurity awareness is Suzanne Barkley, Director of Certification, SCFS, at NSF, the international standards and certification organization. Her team conducts audits benchmarked against the Global Food Safety Initiative (GFSI); their work covers the SQF, BRCGS, FSSC and IFS standards and takes place at food and packaging facilities.

She points to the recent Food Safety Americas 2022 conference held in April in Orlando, Florida. “In April 2022, our BRCGS technical scheme lead and I attended the conference, and there was a session on cybersecurity. Individuals from other certification bodies and the food industry also attended the event.” This is just one example showing that the industry is responding to the need for improved cybersecurity measures.

For Barkley, the new trend is encouraging. She believes that her fellow food and agriculture professionals are taking heed and points to conference organizers inviting information security experts to lead panel discussions on topics like ransomware, extortion, denial of service, theft of data and hacking industrial control systems — subjects much more likely to be covered only at cybersecurity-specific conferences in the past.

Even the U.S. Department of Agriculture (USDA) is getting in on the act. The department’s new Information Security Center (ISC) is tasked with the mission of protecting USDA systems, repelling threats and ensuring that department networks remain secure against potential cyberattacks — so that food and agriculture producers and distributors can rely on safe communications with the department and continue to deliver the quality food products Americans depend on every day.