A company that slaughters cattle may seem like an unlikely target for a cyberattack. That is, until you realize that taking out just one company could paralyze burger and steak supplies for all Americans.
That’s the lesson from the recent ransomware attack on one of the biggest U.S. beef producers. Namely, that a fervor for mergers and acquisitions has created single points of failure in some critical industries, making them prime targets for hackers who want to threaten huge disruptions to cash in on the biggest payouts possible.
The attack on JBS SA, which started over the Memorial Day weekend, wiped out production at plants that account for almost a quarter of U.S. beef supplies. That came just weeks after a hack on Colonial Pipeline Co. managed to take out 45% of the East Coast’s fuel supply, driving up gasoline prices and sparking shortages in some parts of the country.
It’s the natural risk that comes from the cheap food and energy bills that Americans have come to rely on. Fierce competition among companies to contain costs and achieve scale sparked a wave of consolidation that has left the vast majority of production in the hands of a few giant commodity producers that now oversee giant bottlenecks of supply. In turn, these companies have become sitting ducks for hacker groups that know any downtime of critical operations can cost millions and have serious economic impacts, making it all the more likely that companies will meet their demands.
Colonial ended up paying a $5 million ransom to regain control over its pipeline. JBS declined to comment on whether the Brazilian company paid a ransom, or on the risks of industry concentration.
“Massive scale, combined with the fact that critical infrastructures are frequently not well defended, make them such a prime target for hackers,” said Amit Yoran, chief executive officer of cybersecurity firm Tenable. “This puts organizations that operate critical infrastructure, which every consumer relies on, in the hot seat to either pay the ransom or deal with the economic fallout.”
Fuel storage tanks connected to the Colonial Pipeline Co. system. Photo: Bloomberg.
Of course, it’s not just commodity producers. American government agencies, businesses and health facilities have suffered a series of devastating hacks, and President Joe Biden’s infrastructure proposal includes billions of dollars tied to improving cybersecurity. But the companies that are critical to food and energy supplies are both particularly important to everyday consumers and especially vulnerable because their boards tend to be dominated by industry stalwarts rather than executives with technology expertise, and they often don’t have the safeguards in place seen in some other sectors.
“These companies tend to be old school,” said Danny Jenkins, CEO of cybersecurity firm ThreatLocker. “What the bad guys have realized is that if they can go after these guys, they don’t have the security in place, but they have the pockets.”
In the case of the meat industry, there are no U.S. Department of Agriculture cybersecurity regulations or requirements, a U.S. official said.
Meanwhile, JBS, the largest meat producer globally, is flush with cash. Booming protein demand helped the Sao Paulo-based company post its best-ever quarterly profits in the first quarter after generating record cashflow in 2020.
JBS grew to global dominance from its start as a single Brazilian slaughterhouse in 1953. Founder Jose Batista Sobrinho bought the abattoir with money earned from trading cattle in Goias, a rural state in the center-west of Brazil. After expanding in Brazil, often through acquisitions of failing businesses, the company started to grow overseas with major takeovers including U.S. meatpacker Swift & Co. in 2007, beef units of Smithfield Foods Inc. in 2008 and the 2009 purchase of Pilgrim’s Pride Corp., the No. 2 U.S. poultry producer.
The company is now the No. 1 beef producer in the U.S., accounting for 23% of the nation’s maximum capacity compared with rival Tyson Foods Inc.’s 22% share, according to an investor report by Tyson. JBS accounts for roughly a fifth of pork capacity.
The U.S. meat industry is so concentrated that when JBS plants shut down this week, the USDA couldn’t report on some key pricing because there are so few data points that disclosures would likely shed light on how much competitors were making. The consolidation also created major supply disruptions last year when COVID-19 outbreak forced shutdowns at major processing facilities, sparking meat shortages that even ensnared burgers at Wendy’s.
The majority of U.S. beef consolidation took place in the 1980s and 1990s, when companies built far bigger plants than ever before to capitalize on economies of scale. By 2000, a single cattle plant could process 6% of the nation’s output.
There have been concerns over Big Meat’s exposure to attacks during the past couple decades, but they never became a major flashpoint until recently, said James MacDonald, an agriculture economics professor at the University of Maryland. Congress has been examining legislation to address cattle markets and rural lawmakers recently pressed the Justice Department for action on an anti-trust investigation of the beef industry launched last year after the Covid disruptions. The cyberattack on JBS further underscores the risks associated with concentration, MacDonald said.
“Attacks like this one highlight the vulnerabilities in our nation’s food supply chain security, and they underscore the importance of diversifying the nation’s meat processing capacity,” U.S. Senator John Thune of South Dakota, the Senate’s No. 2 ranking Republican leader, said in an emailed statement.
The energy world is similarly at risk.
The Colonial Pipeline alone hauls almost half of all the fuel consumed on the U.S. East Coast. When it shuttered, it only took a few days for gasoline stations and terminals across several states to run dry. Reliance on the conduit system has grown over the years as refineries along the East Coast closed because they couldn’t make money in the face of competition with rivals better positioned to process increasingly abundant shale oil. Also, tougher regulation and fierce opposition from environmental activists made it increasingly costly and more complex for companies to pursue major pipeline projects.
A few other names, including Energy Transfer LP, Enterprise Products Partners and Kinder Morgan Inc., control the bulk of U.S. major fuel pipelines. Williams Cos. alone handles almost a third of all the natural gas Americans use every day for heat, power and cooking, according to information in the company’s website.
“If I just have to hack into one company that owns a lot of assets, I can get to all those assets much more easily than if they’re owned by a bunch of separate little companies,” said David Drescher, co-founder and board member of Mission Secure Inc., which helps oil and gas companies with their cybersecurity.
“I can get a big bang for my buck as a hacker.”