On Sunday Brazil-based JBS was targeted by a cyberattack that forced the shutdown of its facilities in Arizona, Colorado, Michigan, Nebraska, Pennsylvania, Texas, Utah and Wisconsin. The ransomware attack affected servers that support the company’s IT systems in North America and Australia. It is suspected to have originated from an organization based in Russia, according to reports.
It is expected that most of the company’s beef, pork, poultry and prepared food plants will be operational today, JBS said in a statement last night. Thus far the company is unaware of any customer, supplier or employee data that has been compromised.
Cyberattacks coming from Russia have increased at a significant rate and are likely to continue. “The fact that this kind of activity is happening with a relatively high frequency and also all signs sort of leading back to Russia, that is very disturbing,” said Javed Ali, a former National Security Council director of counterterrorism, in an ABC News report. “I don’t think we’ve seen a period of this kind of high-intensity cyber operations from Russian soil directed against a variety of different U.S. targets arguably ever, unless the government has been tracking this and the public details of those types of operations haven’t been revealed before.”
With significant clusters of COVID-19 infection among employees—16,000 cases and 86 deaths documented by the CDC through May 2020 — the food processing and distribution industry faces significant challenges in reopening their facilities and ramping up to full capacity. Technology for health and safety access governance and intelligence, along with guidelines from the CDC and OSHA, can help support food companies in the automation of certain compliance activities and a safe return-to-work strategy.
Designated part of the essential critical infrastructure by the federal government at the onset of the pandemic in the spring of 2020, the food supply chain needs active solutions to protect its workforce. But there’s more to this back-to-work transition. Workers need to feel safe and trust that new security, safety and compliance processes have their best interests in mind—transferring to an overall positive experience with their employer.
In the age of contagion, the food industry requires ways to communicate better with the workforce, identify and isolate areas of contagion and also deal with the lingering presence of potential bioterrorism, insider threat and cyber-attack. It’s a multi-faceted and complex workspace we’re reentering, one that takes coordination of technology, people and processes. Without it, food suppliers risk plant shutdowns and loss of business continuity.
Bioterrorism and insider threat remain an active part of the supply chain landscape. In fact, according to a June 2020 Wall Street Journal Pro Research Survey of cybersecurity executives at nearly 400 companies, 67% were concerned about malicious insiders. Remote workers and lax controls have exacerbated the situation and rising threats include malicious employees, accidental negligence, contractor or vendor misuse and account compromise.
The Landscape of Collaboration
The ongoing coordination between human resources (HR) and security is a collaborative effort that bolsters food defense in a COVID-19 world. Fueled by digital transformation, converged physical security and HR management solutions are wound together tightly in a coordinated and analytical approach to keep food industry employees safe and operations running smoothly.
These departments, once siloed and co-existing without direct interaction, are benefiting from software’s move to the cloud and open operating platforms, which provides increased opportunity for real-time integration of HR, security and facilities technologies. Moving to a converged approach across all departments, including HR, IT/cyber and operational technology (OT)/SCADA—can effectively secure our most critical food production and distribution resources while actively enforcing compliance and company policies, including COVID-19 mandates. In addition, physical security access governance, in a holistic manner, protects food industry workers and processes from compromised identities, systems and insider threats.
HR and physical security now have the ability to share data-insights to prevent, detect and mitigate the spread of contagions. With this convergence, organizations have the information they need to actively defend and protect the workforce, focusing on the human side of security to yield a positive experience.
Enabling a Safe and Healthy Return to Work
This time of unprecedented change has triggered a tectonic shift in the way organizations have been dealing with the health, security and safety of their workforce. Sensing a coming tsunami, HR, corporate real estate and physical security leaders are realizing that they must stop operating in silos and embrace a holistic approach. Enterprise response and recovery plans have become a major catalyst for converged security, as it has proven to be the most effective way to manage workspace access, enforce workforce security, safety and privacy.
Reopening with Technology at Your Back
Physical identity access management (PIAM) software, including visitor identity management (VIM) are convergence platforms that deliver identity and access governance, health and safety intelligence and compliance validation across the enterprise. PIAM provides a safer work environment by managing physical, logical and operational technology access for employees and visitors, actively enforcing company policies, compliance and industry regulations with built-in best practices and regulatory controls. Automated policy-driven background checks yield real-time vetting of visitors, contractors and employees while validating and identifying any policy violations. PIAM and VIM keeps facilities and workers safe, making sure the employees and visitors only have access to the areas, data and assets they need, including vital food processing areas where deliberate sabotage needs to be kept at bay.
While prevention of bioterrorism and insider threat is ongoing at food distribution, production and processing facilities there’s been a notable shift during the pandemic that focuses on the health and safety of workers. Security is no longer simply about keeping the bad guys out; it’s about safety and protecting workers from unsafe behavior.
Workforce health and safety access governance software solutions help organizations open safely in a frictionless, controlled and secure way by automating and enforcing COVID-19 related policies and procedures. Automated batch email/text notifications with self-service links send requests to the remote workforce for self-attestation and self-reporting offsite and enable access by the worker to the facility based on health, travel and other company policies.
Here’s how it works: An employee completes the self-reporting health and travel questionnaire through a mobile app, which triggers automated workflows based on those answers. These health questionnaires collect data and document employee activity during lockdown, including infection, symptoms or exposure. The employee’s self-attestation request comes to the manager for action, and based on answers the worker is considered high risk and per policy their access to the facility is revoked for 14 days while they are in quarantine. A similar self-attestation and workflow then applies to reinstatement for the employee. This reporting and workflow can be configured specifically to the facility. Enterprises can further customize their visitor identity management to provide clear communication of current policies during the outbreak, reinforcing WHO best practices.
Focus on Health and Safety
Health and safety access governance and intelligence provides prescreening support of workforce site entry with automated policy enforcements. Pre-registered and onsite visitors/contractors check-in/check-out with prescreening, watch list and other checks prior to access. In the production or distribution facility, health and safety analytics track confirmed or potentially exposed COVID-19 workers, identify exposed areas for lockdown and/or sanitization, social distancing violation, location heat map and other actionable health & safety analytics.
PIAM also allows you to automate your communications and deliver clear expectations and procedures to your workforce, visitors and contractors pre-visit and onsite—adding to a seamless experience.
Security convergence delivers a comprehensive, holistic solution across the entire food value chain, from sourcing to production to retail distribution. Human resources and physical security have teamed up—yielding real-time data that can prevent, detect and mitigate the spread of contagions. With this convergence comes greater situational awareness that defends and protects the workforce, with a strong focus on safety and building trust between worker and employer.
Much of the attention that cybersecurity gets is on the IT or office network side of things, but recently people have begun paying more attention to operational technology (OT) systems that make up the country’s critical infrastructure. When people think of critical infrastructure, they automatically think of oil and gas, power generation, and water. Many people don’t realize that there are actually 16 critical infrastructure industries:
Water and Wastewater
Food and Agriculture
One of the easily forgotten, but perhaps most important, is food and beverage manufacturing. A cyber attack on a food and beverage company might not result in the lights going out or clouds of toxic gas, but they could result in explosions, or tainted food. We need to start paying more attention to cybersecurity in the food and beverage industry. What would happen if a hacker got into the control system at a frozen foods distribution facility? They could raise the temperature in the freezers, thaw the food and then refreeze it. This could result in food poisoning for hundreds or thousands of people. Bad actors can do a lot of harm by targeting this sector.
Many companies are pushing to combine their IT and OT departments, something they call IT/OT convergence. This can be done, but you need to first understand that IT and OT have differing goals.
It is important to review the organizational structure. You will typically find that both IT and OT report organizationally to the CEO level. We also find senior management believes IT owns the industrial control system (ICS) networks and security—mainly because IT owns support, maintenance & operational budget for network and security (basically letting OT off the hook).
IT’s primary goals are confidentiality, integrity and availability, the CIA triad. While working toward these objectives IT also tries to make it possible for users to access the network from any location from which they are working, using whatever computing device they have with them. The goal is to make it as easy to work from an airport, hotel room or coffee shop as it is to work in the office itself. Technology is updated and replaced often. Service packs are loaded, new software releases are loaded, and bugs are fixed.
OT’s primary goals are availability, integrity and confidentiality—a complete reversal of the CIA triad. They strive to keep production running, be it an electric utility, an oil rig or a pop-tart factory 24/7/365. OT is all about what works, a “We’ve always done it that way” mentality. OT will always be reluctant to make any change that might bring down the production line. Remember, they are graded on widgets per minute. There must be trust and open communication between IT and OT if things are going to work properly.
When we are talking about OT cybersecurity, we usually use terms like secure or prevent, when we really should be thinking about words like containment. Securing the network and preventing attacks is important, but at some point, an attack will get past your defenses. Then it is a matter of containment: How do we keep the problem from spreading to other networks?
One thing to definitely avoid is the desire by IT to have bi-directional communications between the IT and OT networks—this should never happen. Also, avoid the desire to connect the ICS to the Internet so that you can control the process remotely. There is no reason for the plant manager to be able to go home, have a couple beers and then log on to see if he can make things run better. If the control system is going to be connected to the corporate IT or the Internet, it should only have out-going uni-directional data transmission to allow monitoring of the system.
Building a good OT cybersecurity program, you need to do three things:
Get C-Level support and buy-in for the changes to be made.
Communicate with stakeholders and vendors.
Make decisions as a team, make sure all the stakeholders, IT, OT, engineering are all involved.
After you have set up the structure and started communicating, you need to begin cybersecurity awareness training for the OT staff. This training should be focused on educating plant personnel on what cybersecurity is, both at work and at home, and how to respond or escalate something that seems wrong. They need to be trained what needs to be dealt with immediately and what can wait. Consider doing tabletop exercises where you practice what to do when certain things occur. This can act as a stress test for your incident response plan and help find the holes in your plan and procedures. These tabletop exercises should involve C-suite individuals as well as people from the plant floor, so everyone understand their part in a cyber-attack response.
If these concepts are followed, you will be well on your way to creating a much more cyber-secure production environment.
Strictly Necessary Cookies
Strictly Necessary Cookies should be enabled at all times so that we can save your preferences for these cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you visit and/or use the FST Training Calendar, cookies are used to store your search terms, and keep track of which records you have seen already. Without these cookies, the Training Calendar would not work.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.
A browser cookie is a small piece of data that is stored on your device to help websites and mobile apps remember things about you. Other technologies, including Web storage and identifiers associated with your device, may be used for similar purposes. In this policy, we say “cookies” to discuss all of these technologies.
Data generated from cookies and other behavioral tracking technology is not made available to any outside parties, and is only used in the aggregate to make editorial decisions for the websites. Most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent by visiting this Cookies Policy page. If your cookies are disabled in the browser, neither the tracking cookie nor the preference cookie is set, and you are in effect opted-out.
In other cases, our advertisers request to use third-party tracking to verify our ad delivery, or to remarket their products and/or services to you on other websites. You may opt-out of these tracking pixels by adjusting the Do Not Track settings in your browser, or by visiting the Network Advertising Initiative Opt Out page.
You have control over whether, how, and when cookies and other tracking technologies are installed on your devices. Although each browser is different, most browsers enable their users to access and edit their cookie preferences in their browser settings. The rejection or disabling of some cookies may impact certain features of the site or to cause some of the website’s services not to function properly.
The use of online tracking mechanisms by third parties is subject to those third parties’ own privacy policies, and not this Policy. If you prefer to prevent third parties from setting and accessing cookies on your computer, you may set your browser to block all cookies. Additionally, you may remove yourself from the targeted advertising of companies within the Network Advertising Initiative by opting out here, or of companies participating in the Digital Advertising Alliance program by opting out here.