In this Supply Chain Matters blog commentary we focus on yet another targeted cyberattack, attacks that are increasingly targeting and impacting high stakes critical supply chains that could do harm.

On Sunday, Brazil headquartered global meatpacking firm JBS SA’s U.S. subsidiary, JBS U.S.A. was hit with a ransomware attack that impacted beef and pork processing operations in the U.S., Canada and Australia. Reportedly, JBS’s U.S. based facilities in Colorado, Iowa, Minnesota, Pennsylvania, Nebraska and Texas were affected. The forced shutdown of operations reportedly sent food buyers and farming groups scrambling for alternatives in slaughtering and processing meat.

The company informed the White House on Sunday of the attack and a later White House statement indicated that the attack had originated from a criminal group likely based in Russia. As we pen this update on Wednesday morning, reports indicate that JBS is making progress in restoring its systems and expects to resume operations sometime today.

This latest reported attack follows last month’s ransomware incident that impacted the Colonial Pipeline Company, a major pipeline provider of gasoline and diesel fuel, to shut down its operations. This provider manages a 5,500-mile pipeline that transports fuel supply from U.S. Gulf Coast ports to major U.S. East Coast storage destinations including New Jersey and New York. Operational systems in that attack were down for several days before supporting systems and pipeline operations could be restored. The market result of the supply disruption was gasoline prices suddenly reaching 6-year highs.  Reportedly, a ransom was paid to the perpetrators of the Colonial incident.

There have been other supply chain focused attacks most notable of which was the 2017 Maersk cyberattack that brought down the globe’s largest container shipping line for several weeks, followed by subsequent reported attacks on two other global shipping lines.

 

Perspective

For multi-industry supply chain management teams, this latest cyber incident is a stark reminder of yet another supply chain vulnerability, as if teams needed such a reminder. However, the magnitude and consequences of growing cyber threats is far more consequential and strike at the heart of business operational continuity.

As we scan the various reports of this latest incident, the comments and responses from experienced cybersecurity expects is sobering. A report published by Wired concerning the JBS attack includes a quote from Katie Nickels, Director of Intelligence at security firm Red Canary that states in-part: “Coming off the Colonial Pipeline attack, the JBS compromise illuminates how brittle supply chains are, whether they involve gasoline, food or other essentials. Cybersecurity practitioners can’t continue to combat ransomware alone- it’s time policymakers acknowledge this fact and take action.” Similarly, a report published by Industry Week contains a quote from Amit Yoran, CEO of Tenable and Founding Director of US-CERT under the Department of Homeland Security, stated in-part: “The foundation of our global food supply chains, transportation systems and more are under attack because cybercriminals realize how disruptive and lucrative attacks targeting these systems can be.”

 

Reiterated Reader Takeaways

The implications and takeaway for multi-industry supply chain teams is the following:

Needs for business and/or supply chain digital transformation efforts absolutely need to include a cybersecurity and data safety component. As cyber expects continue to point out, older legacy-based IT applications and infrastructure systems were not designed with cybersecurity defense needs. That obviously is now a higher priority. In some cases, and for some businesses, cybersecurity defense upgrades may trump supply chain digital transformation priority. In other cases, both will have to be addressed in the same effort.

As these experts continually point out, cybersecurity should be a boardroom and stockholder concern that is the essence of any business continuity strategy.

When evaluating new Cloud-based applications providers, ensure that the review criteria includes systems and data security measures undertaken by the provider, or that provider’s Cloud based infrastructure provider. Further, ensure that the Cloud based provider has a defined cyber incident detection and response plan. A common tenet of these attacks has been hackers penetrating systems undetected for some period of time before they execute an attack. During that period, they are extracting other valuable data.

Cybersecurity is now reaching the attention of government policymakers in the context of national security concerns. From our lens, this could well be the same of a higher priority of what may be deemed as a nation’s complement of strategic supply chains. As Supply Chain Matters highlighted from a prior Oracle OpenWorld that included a keynote panel consisting of cyber technical and policy experts, it is no longer a question of if your business will be impacted by a cyber threat, but rather when. That was over a year ago and hackers remain much more sophisticated. Businesses need to get involved in the national discourse since politically motivated efforts can sometimes overreach.

Finally, it goes without stating that cyber defenses are the responsibility of all business functions along with all key suppliers or trading partners. There is no single point of accountability and responsibility but rather a collective shared responsibility.

 

Bob Ferrari

© Copyright 2021, The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.