Ransomware attacks have been the bane of the meat industry for several years now. I can’t count how many of our smaller clients and fellow vendors have fallen victim to this kind of terrorist attack. But the fact that a pipeline of one of the largest fuel transporters on the East Coast and one of the largest suppliers of proteins in the world got hit finally kicked the headlines up to national news.
What gets lost in the national news stories is that it is not just large businesses that get hit; medium and small companies get hit as well.[5]
Our government is either unable or unwilling to mitigate the attacks. I posted this sentiment on my personal social media page and was called out on the “unwilling” portion of my statement. My response was simple: Our own government has a vested interest in keeping us vulnerable because they want to see what we are doing just as much as the bad guys do. The National Security Agency (NSA) is infamous for popping in and out of U.S. business networks, and when they were exposed, so were the tools they used. That meant the bad guys gained knowledge of and access to the tools to intercept and actually see what is being transmitted via the Internet, and they’ve had them now for a very long time.
Most people and companies rely on virtual private networks (VPNs) to encrypt their traffic and “hide” it from prying eyes, but even that doesn’t work anymore. Several of the latest attacks have exploited VPNs to get in and steal data.
It truly seems to be the Wild West all over again, just via bits and bytes. But honestly, that comparison really does not cover the scope of it. It’s a silent, ongoing Cyber World War.
Yes, many of the attacks are by “gangs” that just want cold hard cash and believe this is the easiest way to extort it. And many blame cyber insurance for it.[2] It is typically cheaper for the victims to pay than to fight back, so the insurance company pays the lower cost. You see, to fight is expensive! Imagine having to rebuild your entire infrastructure and touch every machine.
The University of Utah reportedly gave up $457,000 in a ransomware attack (I’m guessing Utah taxpayers must have loved that!) and Colonial Pipeline allegedly paid $4.4 million. Paying instead of fighting may make financial sense in the moment, but cowering to the demands of the hackers just creates bolder and bolder attacks. Meanwhile, there has been no response by the government other than to chide business. And before you start pointing fingers at the current administration, understand that this threat has been present — and the response has been similar — for years.
It is a tough time to run a business! Now let’s look at the Cyber World War we are in.
The enemy
Part of the problem with these attacks is that it is very difficult (but not impossible) to figure out and track down the actual attacker(s) in most cases. This makes the hacking business attractive and profitable, at our expense.
The Russian government, the Chinese government, and our own U.S. government all “snoop” around. Search the Internet and read up on the development of the sixth-generation fighter jets, and you might be surprised at how quickly the Chinese were able to develop their plane in comparison to other nations.
Anyhow, we are under constant attack from a wide variety of enemies whom we rarely can identify. But they are always lurking or working. Attempts that break through whatever level of security you may have can come at any time. I was visiting a client when one of their systems started encrypting. That forced an employee to make a frantic run up a ladder to the network room to pull the plug, and everyone (and everything) was disconnected. It may sound as though I’m exaggerating, or even sound silly, but it stopped the ransomware from spreading; it also derailed the company’s rollout of an inventory system and set that project back several years.
When I consider the crazy amounts of time and effort it takes to secure a computer system, I lose sleep. However, should you decide not to secure your systems, you will be a target. We have many clients who have been victims of these attacks — money stolen, ransoms paid, major disruptions caused, or production lost because of the distraction of having to battle the attack.
Insurance helps, but it won’t cover your costs. For example, Norsk Hydro had costs of between $60 million and $71 million, but the company reportedly received only $20.2 million from their insurer.[2]
The front
The current administration has stated that the government can’t go it alone in this fight, and business needs to step up. I completely agree we all need to chip in on the battlefield, but the administration has it backward: Businesses and the average American are currently fighting this war, not the U.S. government. Again, I am not sure if it is unwilling or unable, but the government needs to step up and join us on the front lines.
That said, the government is moving, slightly. President Joe Biden has said he will bring up the “Russian gangs” with President Vladimir Putin. Additionally, Anne Neuberger, Deputy National Security Advisor for Cyber and Emerging Technology in the Biden Administration, wrote to American business and stated:[3] “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location… We urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.”
Although I totally agree with the statement, Neuberger’s use of it should tell you all you need to know: The U.S. government isn’t particularly interested in helping defend businesses or citizens in this battle — they “urge you” to defend yourself. You shore up those castle walls, and they’ll stand by and happily claim that they told you so if you are victimized!
The defense
No matter what vendor you use, you need to be aware that they may be susceptible. We R Food Safety! decided to leave Cisco Webex about 18 months ago because it was not being responsive. We didn’t know if it was simply the effects of the start of the COVID-19 pandemic or something else, but dealing with the company suddenly felt more like trying to make an 18-wheeler turn like a Corvette. Then, recently, we heard that it has multiple vulnerabilities,[4] and our decision looks to have been a sound one. When you begin to peruse the options out there, you MUST have your IT team vet the security protocols used. Microsoft and Amazon are two companies — at least at the cloud layer — that are fighting back and have the tools needed to help your IT team secure your cloud environments.
Another recommendation (even by the U.S. government) is to separate your networks. Production, finance, FS&Q, maintenance, etc., each can and should be on separate networks, and if possible, totally separate devices. The enterprise resource planning (ERP) community hates hearing that, but it is true. It may be most efficient to have everything in one system, but it isn’t always the safest.
Your executive leadership team will always be under attack, but so will the production employee who uses their personal email while on your system. How do you split things up? How do you separate the different environments and how have you created redundancies? If your ordering system gets taken down, do you have a backup that can be restored ASAP? Do you have a plan? Don’t forget that about 20 years ago, none of us used computer systems to this extent, so can you remember how to operate as a business if you have to revert to phone calls on cell phones?
As for your cybersecurity needs, I know that you need experts; and then you must go with your own instincts and your acceptable level of risk.
A good example of this in action: Recently, Microsoft officially announced Windows 11 and Windows Server 2022 are scheduled for release late this fall. Some of the enhancements that are included are the requirement to use TPM, Microsoft Azure Attestation (MAA), Windows Hello for Business, etc.
The basic expectation is that large companies that have a lot of hardware may find out that their current technology stack must be upgraded ahead of schedule. For smaller processors, you will need to look at your systems as well; older computers will not be able to upgrade to take advantage of the added security that Microsoft is rolling out with these new systems. You will need to determine your level of risk and the cost of upgrading, and then create the balance you find acceptable.
As with the rollout of any new operating system, there will be a learning curve and uncertainty in the IT world on how to handle potential bugs and operations. Many will recommend delaying implementation until the skill sets are up to standard on the new system; having said that, it is also prudent to look at the hardware requirements and use them as minimum requirements for hardware purchases going forward. Then, when you do decide to upgrade the system, you won’t find yourself with obsolete equipment.
To begin to build your aforementioned “castle walls,” you can go to the Cybersecurity & Infrastructure Security Agency (www.cisa.gov/) to get tips on how to protect yourself. There is also a multitude of private companies out there that can and will help mitigate your risk. The key is to not rely on any one source and, instead, use all the tools available to you. Remember, you are in a war to protect your business, and you need the most diverse arsenal you can secure to protect yourself.
There is a huge downside to implementing cybersecurity: If you implement everything that is recommended, your business efficiency will be destroyed. You must make decisions on the balance you will accept, and in the end, it is up to you; you MUST educate yourself enough to make a proper risk assessment and then take the appropriate actions.
After the year of COVID, Americans know that food is of utmost importance. What if a foreign country, or just a gang, took down enough processors in July/August 2020, when supply chains were already in disarray? Many of you would not be reading this, and I might not even be writing it.
Know that change is coming, and don’t wait to react. We are in a war: silent, online, and ongoing. Sometimes it appears many do not realize it, or simply haven’t learned to be proactive in their defense tactics. I am more than mildly surprised that the Global Food Safety Initiative (GFSI) has not addressed it, let alone the consumer. Listen to the cybersecurity experts and become proactive. Know your risks and take the appropriate actions. Defend your systems and keep yourselves safe, because government defenses are weak, and the enemy is relentless with no compassion for your businesses, large or small.
For more of Lorenz’s advice on how to secure your networks and computers, read We R Food Safety’s blog at http://foodsafetyexperts.blogspot.com.
1. https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/
2. https://threatpost.com/exchange-servers-epsilon-red-ransomware/166640/
3. https://www.cnn.com/2021/06/03/politics/white-house-open-letter-ransomware-attacks-businesses/index.html
4. https://www.securityweek.com/cisco-plugs-high-risk-security-flaws-webex-sd-wan
5. https://www.securityweek.com/ransomware-attack-hits-nantucket-marthas-vineyard-ferry-service
6. https://us-cert.cisa.gov/ncas/tips