Cyberattacks on Critical Infrastructures Forcing Long Overdue Conversations About Risk


A cyberattack targeting the world’s largest meat processor over the weekend is pointing to a disturbing new reality: Our nation’s critical infrastructures and supply chains are being targeted because they have not identified the cyber risks that matter most to their operations.

JBS USA announced Sunday that it was the victim of an organized cyberattack targeting its business networks in the U.S. and Australia. The company has not released details on how widespread the attack was or the nature of the intrusion. But its impact is already being felt throughout the food industry.

The owner of Pilgrim’s Pride has closed meat processing facilities in Utah, Texas, and Wisconsin and canceled shifts at plants in Iowa and Colorado. The attack also disrupted Canada’s largest meatpacking plants on Monday and forced the cancellation of all beef and lamb kills across Australia, according to the industry website Beef Central.

The attack comes just weeks after a ransomware group successfully took down business systems that impacted the operations of the Colonial Pipeline system and got away with $4 million in ransom money.

It’s Time to Have The Cyber Risk Conversation

Coming so soon after the ransomware attack against the Colonial Pipeline system, the attack against JBS demonstrates the urgent need for critical infrastructure owners and operators to adopt a risk-led cybersecurity program. It is becoming clearer by the day that these major firms are not having the proper risk conversations between their cybersecurity experts and the business executives.

“I think it’s incredibly important to evolve the way that we talk about cybersecurity,” said Michael Daniel, a former White House cybersecurity policy advisor and the CEO of the Cyber Threat Alliance, in a recent interview with the ThreatConnect Podcast. “Cybersecurity is now a critical enabler for most businesses to continue operating. And it needs to be framed in that way. And I think that’s very much the place that we need to move is putting it in those business terms, framing it in those risk terms.”

However, a recent survey by ThreatConnect showed that half of the respondents said they lack confidence in their ability to communicate and report the financial impact of cyber risks, prioritize vulnerabilities and security alerts, and justify their future investments to mitigate those risks. The reason for this is two-fold:

  • 41% of respondents said they do not have a formalized process in place to evaluate and rank cyber risks.
  • 25% said they do not have a cyber risk quantification technology deployed at their company.


The businesses that own and operate our nation’s critical supply chains must start quantifying and prioritizing their risks, leveraging threat intelligence, and automating and orchestrating their responses. And they must shift to this approach immediately. It’s the only way forward.

One of the primary reasons critical infrastructure enterprises remain vulnerable is the lack of structure that has existed around enterprise cyber risk quantification. In fact, an interagency report released last year by the National Institute of Standards and Technology (NIST), titled "Integrating Cybersecurity and Enterprise Risk Management," identified significant shortfalls in enterprise cyber risk quantification efforts.

“Most enterprises do not communicate their cybersecurity risk guidance or risk responses in consistent, repeatable ways,” the report states. “Methods such as quantifying cybersecurity risk in dollars and aggregating cybersecurity risks are largely ad hoc and are sometimes not performed with the same rigor as methods for quantifying other types of risk within the enterprise.”

The growing pace and sophistication of nation-state attacks, coupled with an ever-expanding attack surface, make our ability to accurately quantify and prioritize cyber risks within the context of our individual businesses an urgent priority. But when business networks and systems can be compromised in a way that disrupts or halts industrial operations, that points to a clear failure to identify, understand, prioritize and remediate the most critical cyber risks facing one’s organization.

Risk — Threat — Response

That’s why we developed the Risk-Threat-Response strategy. Business leaders who understand the risk, threat, response paradigm are better equipped to understand prioritization and resource allocation.

Keeping pace with today’s advanced adversaries – and specifically with the adversaries that matter most to your particular organization – also requires a focus on cyber threat intelligence. But to develop an effective cyber threat intelligence (CTI) program, you need to constantly harvest and process knowledge about threat actors, not just specific incidents that impact your network. Knowing the who, what, where, how, and when of the adversaries’ actions is the only way to decrease their chances of success.

However, the difference between a good CTI program and a great CTI program is in its ability to communicate value to the business in terms of risk. This is a realization that many have come to within the threat intelligence community and a core reason why the discussion around cyber risk quantification is heating up in these circles. It factors heavily into ThreatConnect’s decision to acquire one of the pioneers in cyber risk quantification in late 2020.

By adding context and enriching our understanding of threats and vulnerabilities, a great CTI program helps inform an organization’s risk quantification platform and aligns the entire business to the threats that matter most, based on the magnitude of primary loss (initial response) and secondary loss (the damage that comes to the business as a result of the breach).

Threat data also feeds your security orchestration, automation, and response (SOAR) platform — all of which should be accessible through a single dashboard. Businesses and organizations today tend to be in a constant state of reacting to threats, vulnerabilities, and incidents. That’s a recipe for disaster in a world of highly sophisticated criminal and state-sponsored adversaries.

ThreatConnect was the first company to bring intelligence-driven SOAR to market…making it possible to drive this collaboration between intelligence and operations.

Bridging the gap between cybersecurity and business, however, remains an aspirational goal for many who struggle to understand where to begin. We cannot allow this situation to continue in the critical infrastructure space.

Our critical infrastructures need a risk-informed decision and operational support platform that can help them prioritize and focus on the risks that matter most and can leverage threat intelligence to drive orchestrated response.


About the Author
Dan Verton

Dan Verton is ThreatConnect's Director of Content Marketing. Dan is an award-winning journalist and a former intelligence officer in the U.S. Marine Corps. He has authored several books on cybersecurity, including the 2003 groundbreaking work, Black Ice: The Invisible Threat of Cyber-Terrorism (McGraw-Hill) and The Hacker Diaries: Confessions of Teenage Hackers (McGraw-Hill). He has a Master of Arts in Journalism from American University in Washington, D.C.
