Grainswest - Winter 2022

Winter 2022 grainswest.com 23 days the company paid half of the initial demand, $11 million, all in Bitcoin, to the hackers. They won. JBS lost. Agriculture noticed. Any industry can come under cyber attack, so perhaps the shock was not that an agricultural company was attacked, but that it hadn’t happened sooner. “This was a bit of a wakeup call,” said Sylvain Charlebois, director of the agrifood analytics lab at Dalhousie University in Halifax, NS. “They had to shut down plants for several days … that is just not good. You are compromising the integrity of supply chains and many markets. The entire agrifood industry should be concerned about what happened at JBS. The fact that they had to pay the ransom is even more concerning. It points to the fact that the agrifood sector is not necessarily ready to deal with cyber attacks, or made cybersecurity a priority. Many companies aren’t ready. JBS is one of the largest agrifood companies in the world, one could think other companies could be targeted by cyber attacks, unfortunately.” Charlebois framed the attack as agriculture having its “Tylenol moment,” a reference to tampered pain reliever pills covertly laced with potassium cyanide that killed seven Chicago area residents nearly 40 years ago. “Back in 1982 no pharmaceutical companies were expecting customers to walk into a store with poison products on shelves, but it did happen,” he said. “Agrifood companies are very good at managing risks, generally speaking, but they’ve never actually considered risks that aren’t food related.” Charlebois believes industry always leads on policy, but is worried how far behind government may be on this issue. “I can assure you cybersecurity is nowhere near the Canadian Food Inspection Agency’s [CFIA] radar,” he said plainly. “It’s not even close. You can’t rely on government to push that agenda.” At the time of writing, a quick search of the CFIA website confirmed it has zero posted information related to cybersecurity in Canada’s food system. With the hit on JBS, Charlebois rightly thinks Cargill should be concerned, but so should similar players such as McCain and Maple Leaf Foods. Grain handlers and railways should sleep with a metaphorical eye open, too. “I think everyone is exposed here,” he said. “In transportation, I suspect there’s been some movement there. When I think of most grain handlers, mills, things like that, I wouldn’t be surprised if they made cybersecurity a priority. When I saw the JBS ransom, I thought, ‘oh, this is just not good news for everyone.’” Such high-profile attacks affect everyone to different degrees, including the average farmer. Charlebois believes it is vital farmers and their networks join the conversation about cybersecurity. A shutdown such as JBS endured should alarm them. After all, if a meat processor halts operation, what do feedlot owners do? Extrapolate far enough and it raises the question of how feed grain farmers may be affected. Similar questions arise with crush plants and grain mills. “Farmers are suppliers are JBS; I don’t see how farmers shouldn’t be part of the conversation,” he said. “The one thing I’ve learned, the weakest link you have will be the target used against you. This is the food supply chain. If you’re not concerned about cybersecurity now, you should be.” SIZE DOES MATTER Wendy Young backs this spot-on assessment of the situation by Charlebois. She is a 30-year IT and cybersecurity veteran and vice-president of data systems and security at NGen, an industry-led, non-profit that leads one of Canada’s five research superclusters, Advanced Manufacturing. Young talks of countless instances of hackers accessing smaller systems to make a leap into larger, potentially more lucrative ones. “Why would somebody want to hack you?” she asked. “You are a small organization. What’s the value of that data to those threat actors? If they can find a small chink in the armour of the supply chain they’re after or if the supply chain is connected to a big system, that’s the value of wanting to hit the small company.” The internal leapfrogging often goes largely unnoticed, too, because information is not often tampered with at the lower levels, which Young explains is typically HR-related data and is difficult to leverage as part of a ransom payment. “They are looking for the money, they’re looking for the easy win,” she said. “They may want to attack you to get to the next guy, and in some cases you’d never know. It is important for the whole supply chain to understand their part.” Young is familiar with companies that choose to eschew ransoms and instead decide to rebuild kidnapped data, thinking it the shrewd decision. “Five to six years and $15 million later, they’re still trying to recover. If you lose that data and can’t recover, what’s the impact to your business?” For JBS, which paid out eight figures in short order, the answer was likely too long. “Agrifood companies are very good at managing risks, generally speaking, but they’ve never actually considered risks that aren’t food related.” — Sylvain Charlebois