A company that slaughters cattle may seem like an unlikely target for a cyberattack. That is, until you realize that taking out just one company could paralyze burger and steak supplies for all Americans.
That’s the lesson from the recent
The attack on
It’s the natural risk that comes from the cheap food and energy bills that Americans have come to rely on. Fierce competition among companies to contain costs and achieve scale sparked a wave of consolidation that has left the vast majority of production in the hands of a few giant commodity producers that now oversee giant bottlenecks of supply. In turn, these companies have become sitting ducks for hacker groups that know any downtime of critical operations can cost millions and have serious economic impacts, making it all the more likely that companies will meet their demands.
Colonial ended up paying a $5 million ransom to regain control over its pipeline. JBS declined to comment on whether the Brazilian company paid a ransom, or on the risks of industry concentration.
“Massive scale, combined with the fact that critical infrastructures are frequently not well defended, make them such a prime target for hackers,” said
Of course, it’s not just commodity producers. American government agencies, businesses and health facilities have suffered a series of devastating hacks, and President Joe Biden’s infrastructure proposal includes billions of dollars tied to improving cybersecurity. But the companies that are critical to food and energy supplies are both particularly important to everyday consumers and especially vulnerable because their boards tend to be dominated by industry stalwarts rather than executives with technology expertise, and they often don’t have the safeguards in place seen in some other sectors.
“These companies tend to be old school,” said Danny Jenkins, CEO of cybersecurity firm ThreatLocker. “What the bad guys have realized is that if they can go after these guys, they don’t have the security in place, but they have the pockets.”
In the case of the meat industry, there are no U.S. Department of Agriculture cybersecurity regulations or requirements, a U.S. official said.
Meanwhile, JBS, the largest meat producer globally, is flush with cash. Booming protein demand helped the Sao Paulo-based company post its best-ever quarterly
JBS grew to global dominance from its start as a single Brazilian slaughterhouse in 1953. Founder Jose Batista Sobrinho bought the abattoir with money earned from trading cattle in Goias, a rural state in the center-west of Brazil. After expanding in Brazil, often through acquisitions of failing businesses, the company started to grow overseas with major takeovers including U.S. meatpacker Swift & Co. in
The company is now the No. 1 beef producer in the U.S., accounting for 23% of the nation’s maximum capacity compared with rival Tyson Foods Inc.’s 22% share, according to an investor report by Tyson. JBS accounts for roughly a fifth of pork capacity.
The U.S. meat industry is so concentrated that when JBS plants shut down this week, the USDA couldn’t report on some key pricing because there are so few data points that disclosures would likely shed light on how much competitors were making. The consolidation also created major supply disruptions last year when Covid-19 outbreak forced shutdowns at major processing facilities, sparking meat shortages that even ensnared burgers at Wendy’s.
The majority of U.S. beef consolidation took place in the 1980s and 1990s, when companies built far bigger plants than ever before to capitalize on economies of scale. By 2000, a single cattle plant could process 6% of the nation’s output.
There have been concerns over Big Meat’s exposure to attacks during the past couple decades, but they never became a major flashpoint until recently, said James MacDonald, an agriculture economics professor at the University of Maryland. Congress has been examining legislation to address cattle markets and rural lawmakers recently pressed the Justice Department for action on an anti-trust investigation of the beef industry launched last year after the Covid disruptions. The cyberattack on JBS further underscores the risks associated with concentration, MacDonald said.
“Attacks like this one highlight the vulnerabilities in our nation’s food supply chain security, and they underscore the importance of diversifying the nation’s meat processing capacity,” U.S. Senator John Thune of South Dakota, the Senate’s No. 2 ranking Republican leader, said in an emailed statement.
The energy world is similarly at risk.
The Colonial Pipeline alone hauls almost half of all the fuel consumed on the U.S. East Coast. When it shuttered, it only took a few days for gasoline stations and terminals across several states to run dry. Reliance on the conduit system has grown over the years as refineries along the East Coast closed because they couldn’t make money in the face of competition with rivals better positioned to process increasingly abundant shale oil. Also, tougher regulation and fierce opposition from environmental activists made it increasingly costly and more complex for companies to pursue major pipeline projects.
A few other names, including Energy Transfer LP, Enterprise Products Partners and Kinder Morgan Inc., control the bulk of U.S. major fuel pipelines. Williams Cos. alone handles almost a third of all the natural gas Americans use every day for heat, power and cooking, according to information in the company’s website.
“If I just have to hack into one company that owns a lot of assets, I can get to all those assets much more easily than if they’re owned by a bunch of separate little companies,” said
“I can get a big bang for my buck as a hacker.”
--With assistance from
To contact the editors responsible for this story:
Millie Munshi, Doug Alexander
© 2021 Bloomberg L.P. All rights reserved. Used with permission.