A company that slaughters cattle may seem like an unlikely target for a cyberattack. That is, until you realize that cutting a single company could cripple hamburger and steak supplies for all Americans.
That’s the lesson of the recent ransomware attack on one of America’s largest beef producers. Namely, a fervor for mergers and acquisitions has created unique points of failure in some critical industries, making them prime targets for hackers who want to threaten huge disruption to cash in on the biggest gains possible.
The attack on JBS SA, which began over Memorial Day weekend, wiped out production at factories that account for nearly a quarter of America’s beef supply. It came just weeks after a Colonial Pipeline Co. hack managed to cut 45% of the East Coast’s fuel supply, driving up gasoline prices and causing shortages in some parts. from the country.
It’s the natural risk that comes from the cheap food and energy bills Americans rely on. Fierce competition among companies to contain costs and achieve scale has sparked a wave of consolidation that has left the vast majority of production in the hands of a few giant commodity producers who are now watching giant bottlenecks. In turn, these companies have become sitting ducks for hacker groups who know that any downtime of critical operations can cost millions and have serious economic repercussions, making it all the more likely that companies will respond to their requests.
Colonial ended up paying a ransom of $ 5 million to regain control of its pipeline. JBS declined to comment on whether the Brazilian company paid a ransom or on the risks of industry concentration.
“The massive scale, combined with the fact that critical infrastructure is often not well defended, makes it a prime target for hackers,” said Amit Yoran, CEO of cybersecurity firm Tenable. “It puts organizations that operate critical infrastructure, on which every consumer relies, in the hot seat to pay the ransom or deal with the economic fallout. “
Fuel storage tanks connected to the Colonial Pipeline Co. system. Photo: Bloomberg.
Of course, it’s not just the producers of raw materials. U.S. government agencies, businesses and healthcare facilities have suffered a series of devastating hacks, and President Joe Biden’s infrastructure proposal includes billions of dollars tied to improving cybersecurity. But the companies that are essential to the supply of food and energy are both particularly important to everyday consumers and particularly vulnerable as their boards tend to be dominated by pillars of the industry rather than by executives with technological expertise, and they often don’t have the safeguards in place seen in some other industries.
“These companies tend to be old school,” said Danny Jenkins, CEO of cybersecurity firm ThreatLocker. “What the bad guys have realized is if they can go after these guys, they don’t have security in place, but they have pockets.”
In the case of the meat industry, there are no US Department of Agriculture cybersecurity regulations or requirements, a US official said.
Meanwhile, JBS, the world’s largest meat producer, is bursting with cash. Soaring demand for protein helped the Sao Paulo-based company post its best quarterly earnings in the first quarter after generating record cash flow in 2020.
JBS has gained global dominance since its inception as the only Brazilian slaughterhouse in 1953. Founder Jose Batista Sobrinho bought the slaughterhouse with money earned from selling cattle in Goias, a rural state in west-central Brazil. . After expanding in Brazil, often through acquisitions of failing companies, the company began to expand overseas with major acquisitions, including US meat packer Swift & Co. in 2007. , the beef units of Smithfield Foods Inc. in 2008 and the purchase in 2009 of Pilgrim’s Pride Corp., the second largest poultry producer in the United States.
The company is now the largest beef producer in the United States, accounting for 23% of the country’s maximum capacity compared to the 22% of rival Tyson Foods Inc., according to a Tyson investor report. JBS represents about a fifth of the pig’s capacity.
The US meat industry is so concentrated that when JBS factories closed this week, the USDA was unable to report on some key prices because there are so few data points that the disclosures would likely shed light on. competitor gains. The consolidation also created major supply disruptions last year when the COVID-19 outbreak forced the closure of major processing facilities, causing meat shortages that even trapped burgers at Wendy’s. .
Most of the beef consolidation in the United States took place in the 1980s and 1990s, when companies built factories much larger than ever before to take advantage of economies of scale. In 2000, a single cattle factory could process 6% of national production.
Big Meat’s exposure to the attacks has raised concerns over the past two decades, but they never became a major flashpoint until recently, said James MacDonald, professor of agricultural economics at the University. from Maryland. Congress has considered legislation to deal with cattle markets, and rural lawmakers recently pressured the Justice Department to take action on an antitrust investigation into the beef industry launched in the United States. last year after the Covid disruptions. The cyberattack on JBS further underscores the risks associated with the merger, MacDonald said.
“Attacks like this highlight the security vulnerabilities of our country’s food supply chain, and they underscore the importance of diversifying the country’s meat-processing capacity,” the US Senator said. John Thune of South Dakota, Republican Leader No. 2 in the Senate, in a statement. statement sent by email.
The world of energy is also threatened.
The Colonial Pipeline alone transports nearly half of all fuel consumed on the east coast of the United States. When it closed, it only took a few days for gas stations and terminals in several states to dry up. Dependence on the duct system grew over the years as East Coast refineries closed because they could not make money in the face of competition from competitors better placed to process. increasingly abundant shale oil. In addition, stricter regulations and fierce opposition from environmental activists have made it increasingly expensive and complex for companies to pursue large pipeline projects.
A few other names, including Energy Transfer LP, Enterprise Products Partners, and Kinder Morgan Inc., control most of America’s major pipelines. Williams Cos. alone manages nearly a third of all the natural gas Americans use every day for heat, electricity and cooking, according to information posted on the company’s website.
“If I just have to hack a company that has a lot of assets, I can access all of those assets a lot easier than if they were in a group of separate small businesses,” said David Drescher, co-founder and member of the board of directors of Mission Secure Inc., which assists oil and gas companies with their cybersecurity.
“I can get what I pay for as a hacker.”