Meat processing giant JBS paid out an US$11 million ransom in response to a cyber attack. Most of its meat packing facilities, including one in Alberta, remained idle for a few days. For years, most of us linked the concept of cyber attacks with IT companies, governments and media. Experts have been warning the food industry for years about the threat of becoming an active target for hackers. What was once purely academic has now become a reality.
Until now, efforts in the industry to counter cyber attacks have been timid. The fact that the world’s largest processor of beef and pork was targeted by hackers earlier this month is certainly a cause for concern and can serve as a major wakeup call. We can easily imagine that other major industry players could also become a target.
Managing systemic risks is not new to the food industry—far from it. Threats related to food safety, food fraud and, of course, pandemics have been considered critical issues for years. The focus has always been on the integrity and quality of ingredients and products coming in and out of facilities. The pandemic made companies focus more on worker safety and how humans play a role in manufacturing the food we consume every day. It has always been about keeping everyone safe, starting with consumers. Cybersecurity goes to the core of the operational nature of a company and beyond the food we eat.
The food industry is a critical piece of our economy, and changes in the industry are making it a more likely target. High-tech innovations such as drones, GPS mapping, soil sensors, autonomous tractors, artificial intelligence and more are needed in the industry, but they can also make it a target. As the industry becomes more data-driven, it will also become more vulnerable to cyber attacks. And, on the other side of the digital spectrum, many food operations still use outdated operating systems. One can only hope that management teams are reviewing their IT systems and figuring out how vulnerable they are to cyber attacks.
For consumers, the potential consequences of these attacks are not trivial. Disruptions can lead to food shortages and higher prices at retail. Or worse, cybersecurity breaches could lead to procurement issues and inadvertent alterations to ingredients.
Ransom requests are just the beginning. Evil has no shame, no limits and it can harm a great number of consumers within days, perhaps even hours. The fact that JBS paid a ransom signalled to perpetrators that it can work. We should expect more attacks to occur in the future.
Mandatory cybersecurity rules don't exist for the billions of agri-food businesses that account for close to 20% of the Canadian economy. Some trade groups may have voluntary guidelines, but that would be the extent of it. The Canadian Food Inspection Agency (CFIA) has no material on cybersecurity—not a single mention of this on its website. Its world is often exclusively about pathogens and allergens. Its focus requires a broader view now more than ever. For the industry to protect itself, more information sharing mechanisms would be required, and our federal agency should be playing a more active role.
With the attack on JBS, the food industry has just experienced its own “Tylenol” moment. In 1982, seven people living in the Chicago area died after consuming capsules laced with cyanide. At the time, police alleged the bottles had been purchased at retail, tampered with and returned to store shelves. This led to significant changes in how bottles were sealed and secured. Hopefully, the JBS incident will also lead to increased security and protection.