A recent ransomware attack on the world's biggest meatpacker is raising questions about cybersecurity in the food industry and about whether the industry is so concentrated in a few hands that it is more vulnerable to sudden shocks.
The company, Brazil-based JBS, is a giant in the meat industry, with operations all over the world. The attack forced it to shut down several plants in the U.S. and Australia, which briefly rattled beef markets. But the plants soon came back online, and JBS downplayed the impact, saying it lost less than a day's worth of production. The company admitted it had paid $11 million in ransom to the hackers.
But according to John Hoffman, a senior research fellow at the Food Protection and Defense Institute at the University of Minnesota, the attack has continued to reverberate. Hoffman says he's receiving a wave of inquiries about cybersecurity from industry executives who previously were inclined to disregard his warnings.
"People just didn't accept that it was that big of a risk," he says. "I think that's changed today. I've already heard from folks in government [that] it's changed. People are looking at this and saying, 'OK, we've got to do something.' "
According to Hoffman, many food companies' computer systems are vulnerable. "If you go to factory floors around this country, you're going to find a wide range of outdated software still being used, and computer devices that aren't secure," he says.
He recalls a visit to one plant a few years ago — he won't say which company — where he noticed a supervisor sitting at a computer on the production floor, monitoring operations. Hoffman could see it was running an old operating system, Windows 98. He asked the plant manager and a top executive of the company, who were giving him the tour, whether the computer was connected to the internet. "And they say, 'Oh, no, no. This isn't connected to the internet.' "
Hoffman then talked to the supervisor on duty, who acknowledged he could log into that computer from home to monitor and control equipment in the plant. The company hadn't taken steps to secure that access using, for instance, a virtual private network, or VPN.
"There it is. That's the definition of vulnerability," Hoffman says. In fact, food itself is vulnerable, because those computers "are controlling valves and monitoring temperatures, controlling mixes of additives to food. These are part of food safety."
Hoffman has been pushing for the government to enforce computer security standards in the food industry in the same way it enforces food safety standards. Currently, food safety regulations don't explicitly address cybersecurity.
Other longtime critics of the meat industry, such as Diana Moss, president of the American Antitrust Institute, are drawing another lesson from the JBS attack. Moss says the industry is too concentrated in the hands of too few companies, so a problem in just one company can disrupt supplies for millions of consumers.
"What we have, in the meat supply chain, is a cartel," she says. Just four companies, including JBS, slaughter about 85% of the country's cattle that are raised for beef. Those companies operate giant, centralized slaughterhouses. Moss says a small number of companies also dominate chicken production, flour milling and other kinds of food processing.
"When you have only a few firms, in this critical midstream part of the supply chain — processing, manufacturing — the supply chain becomes very unstable. It lacks resiliency and is very subject to shocks to the system," she says.
The biggest recent shock was the COVID-19 pandemic, when the coronavirus spread rapidly among workers at meatpacking plants. Hundreds of workers died. Companies were forced to suspend operations at some of the largest processing plants, leaving many ranchers and pork farmers with no place to take their animals.
Kathryn Bedell, a rancher in Colorado, says that 60 years ago, "processing was more regionally distributed, and we would have never faced this problem. You wouldn't have noticed either the pandemic or the JBS [ransomware] problem."
The U.S. Department of Agriculture appears to be sympathetic to these arguments. The USDA is offering grants to support small and medium-size meat processors, and it recently asked for public comment on ways to build "more resilient, diverse, and secure supply chains."
The North American Meat Institute, which represents meat producers such as JBS, says the existing supply chain is already resilient. Mark Dopp, NAMI's senior vice president of regulatory and scientific affairs, told the USDA that during the pandemic, "the industry fared reasonably well in extraordinary circumstances," and that "suggestions that the government needs to step in and 'do something' may be trying to fix something that is not broken."
A NAMI spokesperson pointed out that the cyberattack on JBS ultimately caused little disruption and said that meat companies reacted immediately to that attack and reviewed their own computer systems to ensure they were secure.
AILSA CHANG, HOST:
A new cyberattack has shut down computers at thousands of small companies around the world. The cybercriminals behind it are demanding that companies pay a ransom in order to get their computers and their data back. The attack is similar to the one that recently hit the world's biggest meat processor, raising concerns about the U.S. food supply. Some critics say industry consolidation has made those supply chains more vulnerable. NPR's Dan Charles has the story.
DAN CHARLES, BYLINE: The company JBS is a giant in the meat industry, with operations around the globe. When hackers took some of its computers hostage a month ago, JBS shut down several processing plants in the U.S. and Australia and then paid the ransom of $11 million. But it downplayed the impact. The company says it lost less than a day's worth of production. Yet John Hoffman, a senior research fellow at the Food Protection and Defense Institute at the University of Minnesota, says it's had a longer-lasting effect on the thinking of some industry executives.
JOHN HOFFMAN: People just didn't accept that it was that big a risk. I think that's changed today. I've already heard from folks in government. It's changed. People are looking at this, saying, OK, we've got to do something.
CHARLES: Hoffman says many food companies are still using outdated computers that aren't secure, including in processing plants. He remembers visiting one plant - he won't say at which company - when he noticed a supervisor sitting at a computer on the factory floor, monitoring production. Hoffman could see that the operating system was very old - Windows 98.
HOFFMAN: And I'm walking through with the manager of the plant and one of the officers of the company, and I said, gee, is any of this connected to the internet? And they said, oh, no, no, this isn't connected to the internet.
CHARLES: Well, in fact, it was. So employees could log in from home, monitor that equipment, even shut it down or change the settings if they needed to.
HOFFMAN: I mean, right there, I mean, that's the definition of vulnerability.
CHARLES: And Hoffman says if those computers are vulnerable, so is the food itself.
HOFFMAN: They're controlling valves and monitoring temperatures and controlling mixes of additives to food. These are part of food safety.
CHARLES: Hoffman has been pushing for the government to enforce computer security standards in the food industry the same way it enforces food safety standards. He thinks the JBS attack is convincing more people that this would be a good idea. Other longtime critics of the meat industry, like Diana Moss, president of the American Antitrust Institute, are drawing an additional lesson from the attack. Moss says this industry is too concentrated in the hands of too few companies, so a problem in just one company can disrupt supplies for millions of consumers.
DIANA MOSS: What we have in the meat supply chain in beef is a cartel.
CHARLES: Just four companies, including JBS, slaughter about 85% of the country's fed cattle, those that are raised for beef. Their slaughterhouses are enormous. Moss says a small number of companies also dominate chicken production, flour milling, other kinds of food processing.
MOSS: So when you only have a few firms in this critical midstream part of the supply chain - processing, manufacturing - the supply chain becomes very unstable. It lacks resiliency and is very subject to sort of shocks to the system.
HOFFMAN: The North American Meat Institute, though, which represents meat producers like JBS, says recent events actually show that the existing system is already resilient. The cyberattack on JBS didn't cause much disruption, and the Meat Institute says its member companies reacted immediately to that attack and reviewed their own computer systems to make sure they were secure. Dan Charles, NPR News. Transcript provided by NPR, Copyright NPR.