Five Lessons from the JBS Attack for Securing the Manufacturing Supply Chain
The Fourth of July is just around the corner and many Americans are looking to celebrate their holiday with family and friends. “Grillin’ and chillin,’’ as it’s come to be known, is an industry. But what if the prices of meat spiked overnight or, worse still, if there was no meat available on supermarket shelves? And what if consumers learned that this disruption could have been prevented if meat producers had secured their supply chains with modern technology?
These questions are all worth posing in light of the recent cyberattack on the world’s largest meat manufacturer, JBS, which led to the closure of five meat processing plants across the U.S. and Australia for close to three days. Granted, consumers were still able to purchase meat. And outside of futures, prices remained relatively stable. Reserve stocks eventually filled surplus demand. Nonetheless, this attack is a serious warning sign not only for the meat production industry but also for the wider manufacturing supply chain. Early intelligence suggests that the “reconnaissance” phase of attack may have started as early as February 2021, with data being stolen by malicious actors. The FBI has since labelled this as a ransomware attack and attributed responsibility to REvil, a Russian-based persistent threat group.
If a ransomware attack can shut down 25% of U.S. beef production for close to three days, what else is in store for our food supply chain? And what steps should CISOs in the manufacturing industry be taking to secure their rapidly evolving supply chain?
Attack Vectors Facing the Manufacturing Supply Chain
The COVID-19 pandemic accelerated the deglobalization of the manufacturing supply chain, leading to a sharp increase in the number of down- and upstream organizations operating within the manufacturing ecosystem. This has, in turn, extended the attack plane and created new opportunities for malicious actors. Ransomware code propagated through phishing and malware attacks that target weak workforce, supplier, and partner access credentials is perhaps the most common type of attack. This partly explains why malware attacks increased by 435% in 2020. Other attack tactics include exploiting overprovisioned workforce, supplier, and partner credentials to gain access to ecosystem applications; weak authentication policies; and gaining access through unsecured non-human identities, such as Internet of Things (IoT)-connected devices. And the list goes on.
The truth is that solving these challenges is simple in theory, but often difficult in practice. Siloed legacy systems are holding manufacturers back from modernizing their identity and access management (IAM) infrastructure at pace. Outdated thinking puts workforce, supplier, and partner identity management on the periphery of the manufacturing technology stack. Investments in cloud technologies are often exclusively geared toward consumer identity use cases. Meanwhile, the “identity fabric” of the manufacturing supply chain grows unchecked, creating vulnerabilities that can no longer be managed manually. Mitigating the risks associated with the rapidly changing manufacturing supply chain must be prioritized by CISOs and form part of a comprehensive “identity-first security” strategy. Here are five lessons from the JBS attack that will help manufacturing leaders move in this direction.
Lesson 1: Control Access to Ecosystem Applications
The 2021 ForgeRock Consumer Identity Breach Report shows that unauthorized access accounts for 43% of all breaches. The increasing number of workers, suppliers, and partners operating within today’s manufacturing ecosystem makes it increasingly difficult to ensure that the right person has the access to the right applications at the right time. Placing robust access management (AM) capabilities at the core of the manufacturing technology stack allows organizations to leverage standardized protocols, federated identity, and context-driven single sign-on (SSO) to ensure that the right level of access control is applied at the right time. By leveraging best-in-class low-code/no-code configuration functionality, organizations can ensure that AM workflows will easily evolve as the manufacturing ecosystem continues to grow. This will reduce risks, costs, and time to value.
Lesson 2: Automate Identity Governance
Managing the end-to-end identity lifecycle, access requests, and segregation of duties (SOD) across the growing manufacturing ecosystem is expensive, is fraught with risk, and creates extensive compliance challenges. New workers, suppliers, and partners joining the growing manufacturing ecosystem can be easily overprovisioned, creating the risk of entitlement creep. Access for those who depart the ecosystem may not be sufficiently deprovisioned. The ability to harness artificial intelligence (AI) to automate high-confidence access approvals, recommend certification for low-risk accounts, and automate removal of unnecessary roles can make a difference between mitigating unauthorized access to sensitive applications and falling prey to malicious actors.
Lesson 3: Strengthen Authentication
The 2021 ForgeRock Consumer Identity Breach Report shows that breaches involving usernames and passwords increased by a staggering 450% in 2020. Workers, suppliers, and partners in the manufacturing ecosystem continue to use antiquated means of authenticating when accessing business-critical applications. Despite the well-known fact that passwords account for 80% of all breaches, organizations continue to rely on these, along with static multi-factor authentication policies while the incidence of phishing attacks continues to grow. By leveraging contextual signals, Continuous Adaptive Risk and Trust (CARTA) and Zero Trust security, organizations can strengthen their basic and step-up authentication workflows and significantly reduce or completely eliminate reliance on usernames and passwords. This can mitigate the risk of phishing attacks, weak credentials, and, ultimately, the ability of malicious actors to propagate malware and ransomware attacks across the manufacturing ecosystem.
Lesson 4: Secure Non-Human Identities
Non-human identities, including IoT devices, accounted for over 32% of all cyberattacks on mobile networks in 2020, up from 16% in 2019. The explosion of both consumer and industrial IoT in manufacturing has created vulnerabilities increasingly exploited by malicious actors. By leveraging rich IAM capabilities at the “edge,” organizations are able to create secure and seamless management for connected and constrained IoT devices as well as other non-human identities. Deploying a standards-based approach for authenticating and authorizing these identities provides organizations with an automated and scalable method for embedding Zero Trust security at the core of the manufacturing technology stack, without the need for human intervention. Deploying this model across software development kits (SDKs) also allows organizations to easily integrate non-human identities with the manufacturing applications at pace.
Lesson 5: Modernize the Right Way
A recent Forrester study commissioned by ForgeRock and Google Cloud shows that over 80% of enterprises have already adopted or plan to adopt cloud-based IAM in the next two years. Manufacturing organizations are frequently held back by legacy IAM solutions and are increasingly turning to hybrid IT to accelerate their move to cloud-based IAM platforms that offer the best-in-class innovative capabilities required to secure the wider ecosystem. But many of these organizations find that the transition process can be painful, slow, and expensive. Adopting hybrid IAM solutions allows organizations to manage the modernization at their own pace and to expeditiously sunset legacy systems that pose the greatest security risks. The most effective hybrid solutions provide the means to unify identities across multiple on-premises, cloud and hybrid identity stores, while offering full tenant isolation, as well as the latency to handle spikes in traffic.
Securing the future of the food supply chain as well as the wider manufacturing ecosystem is now more important than ever, as the JBS attack has shown. Investing in the evolving “identity fabric” across the manufacturing supply chain can help CISOs move toward adopting “identity-first security” strategies that shrink the attack plane and mitigate risks facing the industry today and into the future. What better way to protect the ‘grillin’ and chillin’’ tradition.
To learn more about how ForgeRock helps manufacturing organizations, download our latest eBook, “Unlocking the Power of Digital Identity in Manufacturing” today.