Recently, a nationwide cream cheese shortage has emerged as many Americans make plans for their holiday cheesecakes. Early on, CBS reported that the cream cheese shortage was likely due to a scarcity of the large plastic tubs used to deliver it to stores. Kraft foods, which produces the popular Philadelphia brand cream cheese, initially issued a statement saying, “As more people continue to eat breakfast at home and use cream cheese as an ingredient in easy desserts, we expect to see this trend continue.”
Of course, these scenarios certainly play a role in this nationwide “cream cheese squeeze,” and we know the cream cheese supply began to get spotty in early 2020. However, this isn’t the whole story, and the “real” reason for the cream cheese shortage is far more unsettling: critical infrastructure and supply chain cyber-attacks.
Schreiber Foods out of Wisconsin, one of the Nation’s largest cream cheese suppliers after Kraft, is the latest high-profile victim of supply chain ransomware. While the company has not disclosed full details, the Wisconsin State Farmer reported a mid-October statement from Schreiber’s director of communications in which he confirmed that the company had experienced a “cyber event.” In that same statement, he said, “we had a systems issue that impacted our plants and distribution centers. It did impact our ability to receive raw materials, ship product, and produce product. We’ve made good progress in resolving the issue, and our plants and distribution centers have begun to start up again.”
According to reports, operations at Schreiber were down on a Friday and back up by the following Monday, but the damage was already done, and repercussions were felt across the country. For the first time in 71 years, the beloved Brooklyn, NYC staple Junior’s Cheesecake was forced to halt its baking operations for a day and a half due to an unprecedented dilemma: they ran out of cream cheese. Local news stations throughout NYC have been covering the impact this shortage has had on bagel stores and cheesecake sellers across the state, whose busiest time is the holiday season. “I’ve never been out of cream cheese for 30 years,” NYC cream cheese distributor Joseph Yemma told the NY Times.
Supply chain ransomware attacks is a rising trend in cybercrime, and too many companies are behind the curve on best practices. As recently as early September, the FBI released a Private Industry Notification (PIN), which warned companies about cybercriminals targeting the Food and Agriculture sector with ransomware attacks. The FBI stated that these attacks are aimed to “disrupt operations, cause financial loss, and negatively impact the food supply chain.” The Bureau emphasized that no company is immune from an attack, regardless of size or revenue.
There have been several attacks on the food and agriculture sector heavily covered by the media this year. JBS, a global meat processor, was attacked by ransomware in May and paid the $11M ransom. New Cooperative grain collective was hit with a $5.9M ransomware attack in September, as well as the agricultural supplier, Crystal Valley Cooperative, with each event causing serious complications in the country’s food chain. Now we can add Schreiber Foods to the list; though reports of whether the ransom was paid remain unclear, the Schreiber attackers allegedly demanded $2.5M in ransom. And, of course, these numbers don’t account for the loss of production and income at businesses down the supply chain across the country.
John Hoffman, a senior research fellow at the Food Protection and Defense Institute at the University of Minnesota, spoke on this matter in an interview with Wisconsin Public Radio (WPR). Hoffman noted that “the food and ag sector is probably the least prepared for cyberattacks…they tend to have older software [and] devices.” Most of these systems were designed with daily operations in mind, not cybersecurity. The “if it ain’t broke, don’t fix it” mentality that Hoffman sees as standard in this sector needs to change because, in truth, these devices are vulnerable. Software solutions like the Axio360 platform can help organizations begin to foster a proactive governance mindset, which is becoming essential in today’s climate of cybercrime and the escalating number of ransomware attacks.
By now, most of the country is familiar with supply chain issues due to the Covid-19 pandemic. Challenges such as labor shortages or lack of packaging materials have affected businesses across the country, meaning many are unable to serve customers and operate business as usual. If you’re a cybersecurity professional, you’re no doubt aware of the cyber threats facing the supply chain in America and the level of damage they can potentially cause to the Nation’s critical infrastructure in addition to these pre-existing supply chain scarcities.
Many Americans may not realize the connection between their missing holiday cheesecake and cybersecurity. Still, the plummeting cream cheese supply across the country exposes the rapid ripple effect and damage that a critical infrastructure supply chain attack can have. While Kraft is attempting to mitigate the strain on the cream cheese supply by incentivizing its customers to not make cheesecake for the holidays, this latest attack on Schreiber demonstrates why all critical infrastructure businesses must practice proactive cybersecurity.