A recent ransomware attack on the world’s biggest meatpacker is raising questions about cybersecurity in the food industry and about whether the industry is so concentrated in a few hands it is more vulnerable to sudden shocks.
The company, Brazil-based JBS, is a giant in the meat industry, with operations all over the world. The attack forced it to shut down several plants in the U.S. and Australia, which briefly rattled beef markets. But the plants soon came back online, and JBS downplayed the impact, saying it lost less than a day’s worth of production. The company admitted it had paid $11 million in ransom to the hackers.
But according to John Hoffman, a senior research fellow at the Food Protection and Defense Institute at the University of Minnesota, the attack has continued to reverberate. Hoffman says he’s receiving a wave of inquiries about cybersecurity from industry executives who previously were inclined to disregard his warnings.
“People just didn’t accept that it was that big of a risk,” he says. “I think that’s changed today. I’ve already heard from folks in government [that] it’s changed. People are looking at this and saying, ‘OK, we’ve got to do something.’ “
According to Hoffman, many food companies’ computer systems are vulnerable. “If you go to factory floors around this country, you’re going to find a wide range of outdated software still being used, and computer devices that aren’t secure,” he says.
He recalls a visit to one plant a few years ago — he won’t say which company — where he noticed a supervisor sitting at a computer on the production floor, monitoring operations. Hoffman could see it was running an old operating system, Windows 98. He asked the plant manager and a top executive of the company, who were giving him the tour, whether the computer was connected to the internet. “And they say, ‘Oh, no, no. This isn’t connected to the internet.’ “
Hoffman then talked to the supervisor on duty, who acknowledged he could log into that computer from home to monitor and control equipment in the plant. The company hadn’t taken steps to secure that access using, for instance, a virtual private network, or VPN.
“There it is. That’s the definition of vulnerability,” Hoffman says. In fact, food itself is vulnerable, because those computers “are controlling valves and monitoring temperatures, controlling mixes of additives to food. These are part of food safety.”
Hoffman has been pushing for the government to enforce computer security standards in the food industry in the same way it enforces food safety standards. Currently, food safety regulations don’t explicitly address cybersecurity.
Other longtime critics of the meat industry, such as Diana Moss, president of the American Antitrust Institute, are drawing another lesson from the JBS attack. Moss says the industry is too concentrated in the hands of too few companies, so a problem in just one company can disrupt supplies for millions of consumers.
“What we have, in the meat supply chain, is a cartel,” she says. Just four companies, including JBS, slaughter about 85% of the country’s cattle that are raised for beef. Those companies operate giant, centralized slaughterhouses. Moss says a small number of companies also dominate chicken production, flour milling and other kinds of food processing.
“When you have only a few firms, in this critical midstream part of the supply chain — processing, manufacturing — the supply chain becomes very unstable. It lacks resiliency and is very subject to shocks to the system,” she says.
The biggest recent shock was the COVID-19 pandemic when the coronavirus spread rapidly among workers at meatpacking plants. Hundreds of workers died. Companies were forced to suspend operations at some of the largest processing plants, leaving many ranchers and pork farmers with no place to take their animals.
Kathryn Bedell, a rancher in Colorado, says that 60 years ago, “processing was more regionally distributed, and we would have never faced this problem. You wouldn’t have noticed either the pandemic or the JBS [ransomware] problem.”
The U.S. Department of Agriculture appears to be sympathetic to these arguments. The USDA is offering grants to support small and medium-size meat processors, and it recently asked for public comment on ways to build “more resilient, diverse, and secure supply chains.”
The North American Meat Institute, which represents meat producers such as JBS, says the existing supply chain is already resilient. Mark Dopp, NAMI’s senior vice president of regulatory and scientific affairs, told the USDA that during the pandemic, “the industry fared reasonably well in extraordinary circumstances,” and that “suggestions that the government needs to step in and ‘do something’ may be trying to fix something that is not broken.”
A NAMI spokesperson pointed out that the cyberattack on JBS ultimately caused little disruption and said that meat companies reacted immediately to that attack and reviewed their own computer systems to ensure they were secure.