Cyber Attack Strikes US Critical Infrastructure

The US Agriculture industry is only the latest victim of ransomware attacks – highlighting yet again the susceptibility of our supply chain to devastating cyber attacks. Considering recent cyber attacks on the water supply we need to rethink our conception of which industries and types of companies are at risk.

Information technology has become a critical component of every aspect of the American economy and this change has made cyber risk universal.  Many industries think that their risks are low as they don’t believe day-to-day operations rely on computerized systems, but as the attack on JBS meatpacking plants demonstrated, this is greatly contributing to a false sense of security and a growing risk climate for companies that form the backbone of the nation.

How much will this ransomware attack cost? The ransomware price tag is alone $5.9 Million but the true cost will likely be much higher. New Cooperative supplies feed to chicken producers and despite the reasonable move of shutting down operations to recover from the attack, those chickens still need to eat. The $5.9 Million ransom demanded by fledgling ransomware group, BlackMatter, is also just the beginning as secondary impacts of the attach spread from New Cooperative throughout the US food delivery system.  In typical fashion, the cost of systems recovery is more than the actual ransom. Even leaving out the impact on third parties, beyond the known $5.9M cost there will also be significantly larger costs of recovery including the cost of lost business, damage assessment, shutdowns, reputational damage, remediation, legal fees and regulatory penalties.

But there are also reasons to be optimistic. Based on the publicly available data on this attack, basic mitigation strategies would have helped prevent it from occurring in the first place.  Robust Identity and Access Management (IAM) with multi-factor authentication, routine monitoring of breached credential databases, and comprehensive Privilege Access Management for key systems are tools that are readily available, and a relatively modest investment in these technologies can lead to a significant reduction of the corporate attack for groups like BlackMatter.

 

What is Ransomware?

A ransomware attack is a type of data breach where hackers obtain access to digital information and then hold it “hostage” for a negotiated sum. Like the attack on New Cooperative, the effectiveness of this extortion lies in its ability to disrupt an entire infrastructure. Ransomware is now a multi-billion-dollar industry that is increasingly dangerous, and it’s estimated that ransomware attacks cost the US economy approximately $20B/year. IBM reports that the average cost of a ransomware attack in 2020 was $4.44M, and the Herjavec Group has estimated that, in 2021, a business will fall victim to ransomware every 11 seconds.

The actual cost of a ransomware attack carries other hidden costs beyond the negotiated price tag. In most cases, it’s impossible to know the breadth of data to which the hackers gained access. Not only can the hackers encrypt the stolen data and hold it for ransom, but nothing is preventing them from saving and selling that data, or holding it for ransom again later.

Many ransomware attacks demand numbers that seemingly make sense for a company to simply pay.  Acer recently made news with the highest ever ransom demand of $50 million but against an annual revenue exceeding $2.5 billion, a $50 Million ransomware is not an amount that would cripple the company’s bottom line.  New Cooperative was being extorted for $5.9 million but that sum needs to be balanced against annual sales over $1 billion.  However, it is not ideal to pay hackers the ransom they demand. After all, it sets a precedent with the hackers (and continues to fuel their illicit criminal activities) and may even be considered illegal in the U.S. depending on circumstances. Many ransomware attacks also go unreported, leaving security experts with limited data to make estimates or decisions around mitigation.

 

Is this the new normal?

Ransomware attacks have become increasingly common over the last few years as they require relatively little technical expertise to carry out and the victims can be easily extorted to make a profit for the attackers.  The spread of cryptocurrencies have provided a means for the attackers to demand money without leaving a trail for police to follow. With a low level of effort invested in each attack, only a small percentage need to succeed to provide significant income to a criminal syndicate.  High profile ransomware attacks like the ones on Colonial Pipeline, CD Projekt Red, Acer, and the District of Colombia Police Department, further demonstrate the need for organizations to assess their susceptibility to ransomware before its too late.

This industry may have been lulled into a false sense of security as manufacturing, healthcare, and financial services have traditionally been main targets for ransomware. However, the vulnerabilities we’ve seen exposed in the US Agriculture industry highlight that the supply chain industry is not immune (nor is any other industry) to these attacks. In addition to the financial cost, these attacks risk critical pieces of our interconnected infrastructure.

While the US government scrambles to implement new cyber security maturity standards and provide tools to enable businesses to manage cyber-risk, hackers are not slowing down. CEOs cannot rely on the U.S. government to stop cyber-attacks of this nature. Every company is vulnerable, and thus, every company must continue to improve their cyber programs. They also need to look at their third-party vendors, suppliers and customers (among many other dimensions) to gain a more holistic view of organizational risk.  No company is an island and an attack that shuts down a critical supplier or prevents a customer from accepting delivery can have as much of an impact on a business as a direct attack on their own networks.

 

Cyber Security is a Business Problem.

When considering cyber risk at the corporate level, there are a plethora of vulnerabilities, and the threat of ransomware looms large. With the seemingly exponential increase of attacks, the question is not “will my company experience a ransomware attack?” but rather “when will my company experience a ransomware attack?” The sad reality is that CEOs in the Food Industry may not have the luxury of access to the most sophisticated security practitioners on their staff. Oftentimes they may not have a staff at all, but instead rely on MSP/MSSPs for maintenance and configuration. With limited resources and/or budget, a wise approach is to identify and prioritize your business assets that need the greatest protection.

 

How Can I Prepare for Ransomware?

There are many easy ways for companies of all sizes to prepare for a ransomware event. First, as recent attacks make clear, ensuring appropriate cyber hygiene is a crucial first step in preparing for ransomware. Are all of your servers patched with the latest OS updates? Have you implemented SSO with robust MFA? Are you conducting routine security awareness training? Are you safeguarding privileged credentials and monitoring privileged user access to key systems?

Companies should also routinely assess their cyber programs against industry-validated security assessment standards. The National Institute on Standards in Technology (NIST) provides a good basic framework for most businesses to look at their cyber risk profile and identify key gaps to address.  Routine assessments are valuable tools in understanding where a company stands and should be performed not just to meet compliance requirements but as a basic part of any risk management strategy.  An assessment at New Collective might have identified the weak passwords and lack of endpoint defense that appear to have allowed this attack to happen.  A more comprehensive assessment at JBS might have determined that there were control systems used by managers which were available on the public internet.

In the modern economy no company simply can or should rely on its employees to practice good security measures. Business AND Security leaders must get back to cybersecurity basics.  And assessments provide the tools to ensure that when hackers go after low hanging fruit, your company is not the one they find.