Ransomware in Auto Manufacturing Threatens Industry’s Recovery

As automotive supply chains become more complex, automotive manufacturers are increasingly susceptible to a ransomware attack, according to a report from Black Kite.

The security firm’s researchers analyzed the cybersecurity posture and ransomware susceptibility of the top 100 automotive manufacturers and the top 100 automotive suppliers, finding alarming security issues, including susceptibility to phishing attacks, publicly visible ports and poor credential management.

Bob Maley, chief security officer at Black Kite, noted software vulnerabilities and the use of leaked and stolen credentials are the traditional entry points used by ransomware bad actors to gain access to critical data and systems.

He pointed out that the company’s research found 46% of the companies surveyed earned “F” grades in credential management and 71% have “F” grades in patch management.

In addition, 91% of automotive companies have more than 1,000 leaked credentials on the dark web, which opens the door for phishing campaigns.

“Exploiting the vulnerabilities that allow remote code execution is trending in the ransomware community,” he said. “Even though it is not as easy as using RDP ports, it is not as tiresome as spear phishing.”

Maley said automakers sit at the top of very complex supply chains that consist of component manufacturers, suppliers, assemblers and more.

“The risk of ransomware attacks anywhere within that supply chain poses significant danger to automotive manufacturers,” he said. “We have been able to find soft targets that could be used by ransomware bad actors to inflict financial and reputational harm.”

He noted software vulnerabilities were a common ransomware attack vector, used one in five times over the last three years, while phishing attacks, which commonly use leaked credentials, have historically been the top attack vector in ransomware attacks.

Maley explained that gaining access through credential-stuffing attacks has also been one of the top methods for bad actors in recent years.

“The combo lists shared on the dark web day after day and tools that automate the attack process help increase credential-stuffing attacks,” he said. “Accessing networks using leaked credentials bypasses many cybersecurity countermeasures and poses a significant risk for ransomware attacks.”

Driving Supply Chain Security

In the face of these threats, Maley recommended automakers undertake a comprehensive assessment of their trading partners, suppliers and any other organization within their supply chains to determine and financially measure the cybersecurity risk each entity poses.

Once an assessment is completed, automakers can review the most critical vulnerabilities that need to be remedied. Maley added that contracts with suppliers should require specific remediations and suggested that future business decisions should treat cybersecurity risk as a critical factor.

“It is really about prioritization. Some cybersecurity vulnerabilities represent little financial or reputational costs,” Maley said. “Organizations must first determine where their costliest vulnerabilities are and focus on closing those ‘open doors’ first. But any cybersecurity strategy is rudderless if an organization has not determined where the most destructive risks lie.”

The Race to Innovate

Kevin Dunne, president at Pathlock, a provider of unified access orchestration, said in industries where there is pressure to innovate, there can be cracks in the armor as companies push forward, as in the race for connected, self-driving vehicles.

“This combination of security vulnerability plus the need to maintain 100% service uptime is ideal for ransomware attackers,” he said. “As cars transition to connected vehicles, there is even an opportunity to disrupt the ability for cars to function properly.”

He said while many automakers were better prepared to deal with such threats in the past, the evolution of their infrastructure to deliver a connected vehicle experience is leaving them more vulnerable to attacks.

“As they become pressured to move more services to the public internet to interact with their vehicles, they are open to more exploits, many of which are new to this industry,” Dunne noted. “Working from the basic assumption that all devices on the network will be compromised—if they aren’t already—will lead to better overall security practices and lower risk.”

He pointed to the adoption of zero-trust policies as a way for automakers to ensure they are not providing unnecessary privileges to any single device, and argued that investing in zero-trust solutions for identity and access management would be key in today’s environment.

Automakers rely on hardware ranging from robotics to sensors to IoT devices to provide their connected car services and intelligent assembly lines. Dunne said making sure these devices can connect to the network securely and be trusted is a massive task for security teams at large automakers.

“They are managing hundreds of thousands—if not millions—of endpoints, and if any one of these is compromised, it can provide a trusted backdoor to the network,” he said.

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
