Australia's food supply is uniquely vulnerable to cyber attacks, the director of a national cybersecurity firm warns, as he calls for the industry to raise its standards on the anniversary of the JBS ransomware hack.
JBS Foods, the world's biggest meat processor, was held ransom by Russian-based hackers for $US11 million last year.
The cyber attack shut down the company's global operations for five days, including multiple Australian abattoirs.
Claroty Australian regional director Lani Refiti said Australia's entire food and drink supply chain was "uniquely vulnerable" to further attacks.
"It is happening," Mr Refiti said.
"It's not a matter of 'if' a major attack will happen to the Australian food and beverage sector, it's a matter of 'when'."
He said there would be food shortages if there was another incident like JBS.
Laws were passed months after the JBS hack to list food and beverage as a critical national industry.
They brought about the introduction of mandatory cyber incident reporting and enhanced cyber security obligations for assets of national significance.
But Mr Refiti said leading supermarkets, food distributors and processors were still far less secure than other industries.
"If you look at critical infrastructure like financial services, power, water — food and beverage is at the bottom of the list," he said.
Russian-backed hacking threat
The Australian Cyber Security Centre said cybercrime rose 13 per cent last financial year with self-reported losses totalling $33 billion.
About a quarter of the 67,500 cyber crime reports the agency received last year were associated with Australia's critical infrastructure.
"Significant targeting, both domestically and globally, of essential services such as the healthcare, food distribution and energy sectors has underscored the vulnerability of critical infrastructure to significant disruption in essential services, lost revenue and the potential of harm or loss of life," the centre's 2021 report reads.
Mr Refiti said the spike in cybercrime had accelerated since the Russian invasion of Ukraine.
He said there had been a lot more coordination between nations and cyber criminal groups in the past three to five years.
"Threat intel has been telling us that these groups are supported or given a safe haven by the Russian government."
The centre joined with US, UK, Canadian and New Zealand cybersecurity authorities last month to issue a public warning that Russian state-sponsored hackers were targeting the critical infrastructure of "countries and organisations providing materiel support to Ukraine".
Animals, food at risk
The vulnerability of Australia's food supply was made abundantly clear during the pandemic as shortages of some products prompted panic-buying of many others.
Curtin University senior supply chain and logistics lecturer Elizabeth Jackson said a cyber attack could bring more problems than empty supermarket shelves.
A Woolworths spokesperson declined to be interviewed, only saying "cyber security is a crucial part of our risk management framework and we welcome the new legislation which will help create a consistent standard for cyber security protocol across the broader supply chain".
JBS Foods has not responded to requests for comment.
The JBS attack was one of multiple successful hacks targeting Australia's food supply.
Lion, one of Australia's largest milk and beer processors behind brands like XXXX, Tooheys, Pura and Masters milk, was hacked and stopped production in 2020.
Toll Group, one of Australia's largest food distributors, was hacked and shut down twice in 2020.
"Anything three weeks plus would cause severe [food] shortages," Mr Refiti said.
"These businesses are absolute targets," Dr Jackson said.
Technology is available
The Australian Cyber Security Centre listed a range of attack types in its warning to critical industries, "including destructive malware, ransomware, DDoS attacks and cyber espionage".
Mr Refiti said malware attacks were a common way for hackers to extort ransoms and shut down entire companies.
"All it takes is one or two people in an organisation to open an infected file and then it spreads like wildfire in an infected organisation."
However, he said there were ways to improve security.
"The controls to combat ransomware have been out there for 10 years," he said.
"It's not a hard thing to do from a process or technology perspective."
He said the financial sector had tightened its security.
"It took a lot of theft of credit cards and personal information for the regulators to act and for the government to start to hold these organisations to account," he said.
"I think the same thing will happen in the food and beverage sector."