JBS attack points to food industry cyber weaknesses; Singapore vulnerable too

The ransomware attack on JBS on May 30 forced the closure of all its beef plants in the United States.
The ransomware attack on JBS on May 30 forced the closure of all its beef plants in the United States.PHOTO: AFP

SINGAPORE - Last month's ransomware attack on Brazilian food giant JBS - the world's largest meat processor - highlighted the cyber-security weaknesses of companies in the food industry.

And those in Singapore are similarly vulnerable, even though there have been no documented or known cases so far of food supply firms here being hit by cyber attacks, said cyber-security experts.

The ransomware attack on JBS on May 30 forced the closure of all its beef plants in the United States - accounting for almost a quarter of supplies in the country - and slowed pork and poultry production. Operations in Australia and Canada were also disrupted.

In Singapore, cyber-security regulation for food suppliers is "much more relaxed", said Mr Matthew Hum, security architect for Asia-Pacific, China and Japan at app security firm F5 Networks.

This is compared to heavily regulated industries here that deal with data much more regularly, such as financial services and the telecommunication sector.

"The food supply industry is still in the nascent stages of digitalisation in Singapore," said Mr Hum, adding that guidelines and regulations from the Singapore Food Agency focus on the physical aspects of the industry, especially those related to hygiene.

"As we continue to become a digital-first economy, we will need to ensure our food supply chains have safeguards against cyber threats," he said.

The cyber-security practices of food suppliers here are not all equally mature, said Mr Ian Lim, field chief security officer for Asia- Pacific at cyber-security firm Palo Alto Networks.

"There are companies that are using technologies like blockchain to improve food security," said Mr Lim. "On the other hand, there are other companies that face challenges to sufficiently fund and implement their cyber-security programmes."

And even though there are no known instances of the food industry here being hit by cyber attacks, it does not mean it is safe, said experts.

Mr Lim said protecting the supply chain should be imperative for every food supplier: "Cyber security is an absolute necessity, not a luxury."

This applies to other sectors, too. "Any company that is not being vigilant in its cyber-security posture is highly susceptible to ransomware or supply chain attacks," warned Mr Lim.

Mr Hum said it is critical for companies to closely inspect their internal data, as well as data moving across their networks' boundaries, to detect potential attacks and find any indications of compromises affecting systems.

Also key is educating employees on cyber security, he added, as phishing attacks, which can lead to a ransomware hit, are growing in sophistication and frequency over the years and have become increasingly difficult to detect.

A government initiative could help. To improve the cyber-security practices of companies here, the Cyber Security Agency of Singapore (CSA) launched a cyber-security masterplan for operational technology in 2019.

Operational technology systems include traffic light controls, train-signalling systems, and can also cover food processing and manufacturing systems.

The masterplan aims to improve cyber-security training for stakeholders in operational technology, and share threat information between the public and private sectors. It will also look into strengthening cyber-security policies and processes for operational technology, and promoting development of innovative technologies that keep systems resilient.