By Ryan Gallagher and Alyza Sebenius
A few years before it was hit by a major cyberattack, the world’s largest meat producer, JBS SA, rebuffed efforts to spend more on cybersecurity because it wasn’t considered a priority and didn’t show an immediate return on investment, according to three former employees.
The employees, who worked in information technology and security in the U.S., said the company had commissioned a cybersecurity audit between 2017 and 2018, which identified weaknesses in the company’s infrastructure that hackers could exploit. The audit recommended the purchase of specialist monitoring technology that could detect possible intrusions, but JBS executives viewed the technology as too costly and declined to purchase it, said the employees.
While the audit was commissioned in the U.S., it had implications for the Brazilian company globally because some systems are interconnected, the employee said.
Related: JBS proposes record high dividends
One of the employees described cybersecurity as a “back burner” issue at JBS, where the person said executives were focused on cost cutting. A second ex-employee shared similar concerns. The company was so focused on profits, the employee said, that it was difficult to push through cybersecurity improvements. The ex-employees requested anonymity as they weren’t authorized to speak publicly about their work with the company.
A JBS USA representative, Nikki Richardson, denied the former employees’ allegations about the company’s cyber culture.
“The company has been and remains committed to investing in and maintaining robust IT systems and protocols to protect it from criminal cybersecurity attacks,” she said in an email on June 4. “Relying on former, disgruntled employees as sources and positioning dated information as fact is not relevant to this week’s events.”
It wasn’t known if JBS paid the hackers’ ransom demand. Richardson didn’t respond to messages seeking comment on whether the company paid up.
The company was attacked by “one of the most specialized and sophisticated groups in the world” but was able to quickly recover and lost less than one day’s worth of production, she said. “Our ability to quickly resolve the issues was due to our heightened encryption and security of our backup servers,” Richardson said. “The FBI noted this is extremely rare and complimented our process.”
Related: JBS targeted in cybersecurity attack
JBS was forced to shut down all of its beef plants in the U.S. after a breach at the end of May, amid a string of major ransomware attacks that included one on Colonial Pipeline Co. that squeezed fuel supplies along the East Coast. The attack on JBS, which the FBI blamed on Russia-linked group REvil, also slowed pork and poultry production. JBS’s networks have been restored and its plants are operating at full capacity, Richardson said.
Ransomware is a type of malware that encrypts a victim’s files, rendering them useless unless a payment is made to unlock them. Some ransomware gangs also steal files, providing an extra avenue for extortion. JBS as provided few details about the attack itself.
Cybersecurity experts said the food industry generally performs poorly in protecting networks against attacks because of a lack of investment and little or no regulation or uniform standards.
The food industry hasn’t traditionally focused on technology, said Dmitri Alperovitch, chairman of Silverado Policy Accelerator and co-founder of the cybersecurity firm CrowdStrike Holdings Inc. “They have not paid much attention to cybersecurity, either spending money on latest technologies and services or recruiting top talent.”
John Hoffman, a senior research fellow at the Food Protection and Defense Institute at the University of Minnesota, said the modern food industry relies on computers from factory floors to farm fields, where software carefully manages such things as fertilizer and water use. Even so, he said there aren’t uniform cybersecurity standards – or regulations – making the sector vulnerable to attacks. One bright spot? insurance underwriters are working with the food business on ways to prevent attacks, he said.
“The industry tends to react to regulatory pressure,” Hoffman said. “And areas where there isn’t pressure don’t tend to get the same attention.” In addition, he said the food industry often uses outdated operating systems and software, or code written for specific machinery, that is vulnerable to hacking. For instance, he said he has been in food plants in the last two years that were still using Windows 98.
In many cases, corporate boards don’t pay attention to cybersecurity until something goes wrong, he said, adding, “I think the formula just shifted in food.”
A cybersecurity consultant who works with a large U.S. meatpacker, and asked not to be named to discuss confidential matters, said that the state of security in the industry generally is “non-existent.” Companies in the meatpacking industry and other commodities markets often don’t have basic security technologies because they don’t view their intellectual property as having value to hackers, the person said.
The person said organizations with limited IT and security investments inevitably ask the same question: Why hasn’t anything happened to us yet if this is such a big issue? But it is difficult to detect threats -- or investigate hacks -- if cybersecurity controls aren’t in place, the person said.
An analysis of JBS SA by the security rating firm SecurityScorecard Inc., conducted days after the cyberattack, determined that the company was a particularly vulnerable target within the food and beverage industry. JBS ranked in the bottom 10th of the 57,251 companies in the food industry rated by the firm. The rankings are based on a series of publicly viewable cybersecurity metrics.
“They were the under performers in the food industry,” said Aleksandr Yampolskiy the firm’s co-founder and chief executive officer. Based on the analysis, it wouldn’t be difficult for an attacker to breach JBS using widely available hacking tools, he said.
Richardson, the JBS spokesperson, disputed the findings. “We question any evaluation of our cybersecurity performance that relies solely on publicly available data. Our interactions with leading cybersecurity professionals during this crisis completely contradict the analysis from SecurityScorecard.”
Two of the former JBS employees said that during their time with the company some of its computers, particularly those connected to machinery on production lines, ran outdated software and were not always disconnected from JBS’s internet-connected networks, meaning they could be vulnerable to hackers. The systems weren’t segregated particularly well, meaning an adept hacker could access other areas of JBS’s network once they breached a computer or other “endpoint,” one of the employees said.
During the cybersecurity audit that took place between 2017 and 2018, the company hired outside experts to carry out a simulated cyberattack, or “penetration test,” to check its infrastructure for vulnerabilities, according to the three former JBS employees, who were familiar with the audit. The experts recommended that the company purchase “endpoint detection” tools, which could be used to monitor potential intrusions or suspicious network activity.
Instead, in the aftermath of the audit, JBS continued to rely on more basic cyber defenses, the employees said. The company had an “event management” system that logged anomalies on its networks, such as failed employee logins. It also had a firewall to shield its computers against attack, in addition to anti-virus solutions, such as Windows Defender, that came as a standard feature with some of the computers it purchased.
Instead of prioritizing cybersecurity, the employees said, the company’s management focused on ensuring the company maintained regular backups of computer systems so that in the event of a major breach or outage, they could recover their data.
A handful of employees who worked on IT and security issues for JBS in both the U.S. and Australia had in recent years quit the company, partly due to frustration over executives declining to provide a larger budget to bolster the security of internal systems, according to two of the former employees.
Two of the former employees said it was an ongoing joke that there was only one way JBS would significantly bolster its cybersecurity: after a major hack.
Richardson said JBS USA conducts annual audits on cybersecurity and evaluates and promptly implements improvements, including endpoint protection. She declined to provide a recent audit, citing security reasons.
Asked about an alleged breach last year, she said there was “a minor incident involving a server that included no company or employee data.”
As for employees leaving, Richardson said, “As in any company, there is some turnover on every team, and people are also replaced due to performance issues.”