Managing Cyber Threats to Operational Technology: Learnings from the JBS ransomware attack
What made the JBS ransomware attack possible?
For over a decade, software and propriety protocols were relied upon to protect the industrial systems used by the meat industry. Quite literally, this meant that humans manually monitored and managed systems and were ultimately responsible for identifying or reporting issues. Without a network interface, cyber criminals did not have a way to cause any significant or widespread damage or disruption to these kinds of businesses, leaving the sector relatively unscathed.
However, with the rapid digitisation of industries, the threat landscape has changed. There is far greater integration between Information Communications Technology (ICT) and Operational Technology (OT is the combination of hardware and software that manages, controls and monitors industrial equipment and processes). The meat industry has also experienced the rapid adoption of connected devices to optimise production and increase operational efficiencies, which has increased its vulnerability to cyber threats.
The recent ransomware attack on JBS which shut down operations in Australia, Canada and the US shows that cyber criminals are indeed targeting this kind of technology and are simply looking for the path of least resistance.
What can we learn from the recent JBS ransomware attack?
It came as a shock to many people that JBS was the victim of a cyber-attack. Crucially, what this highlights is that any industry with critical infrastructure, including the meat industry, is looking attractive to cyber criminals. By comparing this ransomware attack with the recent Colonial Pipeline cyber-attack, it is evident that although both Colonial Pipeline and JBS were attacked in the US, there are cascading consequences into multiple geographic locations, and the impact to their customer bases are quite significant and concerning.
As companies cannot afford the luxury of shutting their operations in the event of a cyber-attack, they need to become more resilient, not only in securing their OT, but also in their recovery capabilities.
What are the key challenges for businesses?
- ICT and OT network segmentation: The ICT environment and the OT environment are now converging, making it difficult to segment networks and balance industry best security practices against an evolving architecture.
- Proliferation of connected devices: The Internet of Things (IOT) and Industrial Internet of Things (IIOT) era has led to an abundance of unsecured data being transmitted through the corporate network.
- Increasing regulatory requirements: Government is imposing increasingly stringent regulations on critical infrastructure (those assets essential to the functioning of our economy), and the expectation is that businesses more broadly will need to meet these high standards of compliance to achieve ‘best practice’ cyber security.
- Rising costs: The financial burden of compliance, and the ever increasing cost of implementing and uplifting additional cyber security controls and tools can be difficult for businesses of all sizes to manage and budget for.
What can you do?
- Understand and manage your cyber risk landscape by identifying your vulnerabilities and implementing an information security management system.
- Build a solid cyber policy with standards and guidelines for your business. A great place to start is the ASD Essential Eight, eight mitigation strategies recommended by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC).
- Engage a cyber-risk consulting specialist to assist your business in understanding, measuring and managing your cyber risk landscape and organisational cyber security maturity levels.
What does this mean moving forward?
The JBS incident has frighteningly demonstrated that there are significant cyber risks associated with operating in an environment with OT, and that even the meat industry isn’t immune to cyber-criminal activity and the potentially catastrophic financial, operational and reputational consequences of such an attack. With increasing regulatory requirements, businesses must not only take action to better secure their OT and ICT environments, but also take greater accountability for their cybersecurity and ensure they have a robust cyber strategy in place that will give them the best chance of mitigating the impacts of a cyber-attack.
With the appropriate cybersecurity and risk management strategies in place, your business can both reduce the likelihood and severity of a cyber-attack and improve your ability to recover quickly and effectively from a cyber-incident.
How can Marsh help?
Effectively protecting your OT environment requires cyber security solutions based on a deep understanding of this landscape. Marsh Cyber Risk Consulting brings global experience into this space. By adopting the global OT industry framework based assessment, Marsh can assist your organisation gain a thorough understanding of the maturity of your OT environment, assist in developing a bespoke cyber strategy and create a road map to help minimise your OT cyber exposure.
Want to speak to us about how to increase your cybersecurity maturity? Contact us here.
About Marsh and AMIC Insurance
Marsh is the world’s leading insurance broker and proud to be the endorsed insurance services provider for AMIC.
We understand the importance of creating the ideal balance between providing insurance expertise and a seamless hassle-free purchase or renewal of insurance. AMIC Insurance was created to specifically benefit AMIC members, bringing together the deep insurance broking expertise of Marsh and unrivalled sector understand of AMIC.
This article and any recommendations, analysis, or advice provided by Marsh (collectively, the “Marsh Analysis”) are not intended to be taken as advice regarding any individual situation and should not be relied upon as such. The information contained herein is based on sources we believe reliable, but we make no representation or warranty as to its accuracy. Marsh shall have no obligation to update the Marsh Analysis and shall have no liability to you or any other party arising out of this publication or any matter contained herein. Any modelling, analytics, or projections are subject to inherent uncertainty, and the Marsh Analysis could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. LCPA 21/155.