JBS and Colonial Pipeline hacks highlight how large food and energy companies have become prime targets
- Industry consolidation has created a single point of failure for major food and energy companies as hackers seek the largest payouts possible
- Any downtime for large companies critical to food and energy supplies could cost millions of dollars, increasing the likelihood they will meet demands
A company that slaughters cattle may seem like an unlikely target for a cyberattack. That is, until you realise that taking out just one company could paralyse burger and steak supplies for all Americans.
That’s the lesson from the recent ransomware attack on one of the biggest US beef producers. Namely, that a fervour for mergers and acquisitions has created single points of failure in some critical industries, making them prime targets for hackers who want to threaten huge disruptions to cash in on the biggest payouts possible.
The attack on JBS SA, which started over the Memorial Day weekend, wiped out production at plants that account for almost a quarter of US beef supplies. That came just weeks after a hack on Colonial Pipeline Co managed to take out 45 per cent of the East Coast’s fuel supply, driving up gasoline prices and sparking shortages in some parts of the country.
It’s the natural risk that comes from the cheap food and energy bills that Americans have come to rely on. Fierce competition among companies to contain costs and achieve scale sparked a wave of consolidation that has left the vast majority of production in the hands of a few giant commodity producers that now oversee giant bottlenecks of supply. In turn, these companies have become sitting ducks for hacker groups that know any downtime of critical operations can cost millions and have serious economic impacts, making it all the more likely that companies will meet their demands.
Colonial ended up paying a US$5 million ransom to regain control over its pipeline. JBS declined to comment on whether the Brazilian company paid a ransom, or on the risks of industry concentration.
“Massive scale, combined with the fact that critical infrastructures are frequently not well defended, make them such a prime target for hackers,” said Amit Yoran, chief executive officer of cybersecurity firm Tenable. “This puts organizations that operate critical infrastructure, which every consumer relies on, in the hot seat to either pay the ransom or deal with the economic fallout.”
“These companies tend to be old school,” said Danny Jenkins, CEO of cybersecurity firm ThreatLocker. “What the bad guys have realized is that if they can go after these guys, they don’t have the security in place, but they have the pockets.”
In the case of the meat industry, there are no US Department of Agriculture cybersecurity regulations or requirements, a US official said.
Meanwhile, JBS, the largest meat producer globally, is flush with cash. Booming protein demand helped the Sao Paulo-based company post its best-ever quarterly profits in the first quarter after generating record cash flow in 2020.
JBS grew to global dominance from its start as a single Brazilian slaughterhouse in 1953. Founder Jose Batista Sobrinho bought the abattoir with money earned from trading cattle in Goias, a rural state in the centre-west of Brazil. After expanding in Brazil, often through acquisitions of failing businesses, the company started to grow overseas with major takeovers including US meatpacker Swift & Co in 2007, beef units of Smithfield Foods Inc in 2008 and the 2009 purchase of Pilgrim’s Pride Corp, the No 2 US poultry producer.
The company is now the No 1 beef producer in the US, accounting for 23 per cent of the nation’s maximum capacity compared with rival Tyson Foods Inc’s 22 per cent share, according to an investor report by Tyson. JBS accounts for roughly a fifth of pork capacity.
The US meat industry is so concentrated that when JBS plants shut down this week, the USDA couldn’t report on some key pricing because there are so few data points that disclosures would likely shed light on how much competitors were making. The consolidation also created major supply disruptions last year when Covid-19 outbreaks forced shutdowns at major processing facilities, sparking meat shortages that even ensnared burgers at Wendy’s.
The majority of US beef consolidation took place in the 1980s and 1990s, when companies built far bigger plants than ever before to capitalise on economies of scale. By 2000, a single cattle plant could process 6 per cent of the nation’s output.
There have been concerns over Big Meat’s exposure to attacks during the past couple of decades, but they never became a major flashpoint until recently, said James MacDonald, an agriculture economics professor at the University of Maryland. Congress has been examining legislation to address cattle markets and rural lawmakers recently pressed the Justice Department for action on an antitrust investigation of the beef industry launched last year after the Covid disruptions. The cyberattack on JBS further underscores the risks associated with concentration, MacDonald said.
“Attacks like this one highlight the vulnerabilities in our nation’s food supply chain security, and they underscore the importance of diversifying the nation’s meat processing capacity,” US Senator John Thune of South Dakota, the Senate’s No 2 ranking Republican leader, said in an emailed statement.
The energy world is similarly at risk.
The Colonial Pipeline alone hauls almost half of all the fuel consumed on the US East Coast. When it shuttered, it only took a few days for gasoline stations and terminals across several states to run dry. Reliance on the conduit system has grown over the years as refineries along the East Coast closed because they couldn’t make money in the face of competition with rivals better positioned to process increasingly abundant shale oil. Also, tougher regulation and fierce opposition from environmental activists made it increasingly costly and more complex for companies to pursue major pipeline projects.
A few other names, including Energy Transfer LP, Enterprise Products Partners and Kinder Morgan Inc, control the bulk of major US fuel pipelines. Williams Cos. alone handles almost a third of all the natural gas Americans use every day for heat, power and cooking, according to information on the company’s website.
“If I just have to hack into one company that owns a lot of assets, I can get to all those assets much more easily than if they’re owned by a bunch of separate little companies,” said David Drescher, co-founder and board member of Mission Secure Inc, which helps oil and gas companies with their cybersecurity.
“I can get a big bang for my buck as a hacker.”