Toyota cyberattack on supplier halts production — car makers among most vulnerable to attack
Toyota is stopping all car production in Japan from March 1, due to a cyberattack on a key supplier, Kojima Industries. The automotive giant said it was suspending the operation of 28 production lines at 14 plants in Japan saying “we apologize to our relevant suppliers and customers for any inconvenience this may cause” and attributing the issue at Kojima to a “system failure.”
Speaking to Nikkei one source confirmed the incident, saying: “It is true that we have been hit by some kind of cyberattack. We are still confirming the damage and we are hurrying to respond, with the top priority of resuming Toyota’s production system as soon as possible.”
The move also affects the Daihatsu and Hino car brands, which are affiliated with Toyota, and which rely on plastic parts from Kojima. Reuters reported the Toyota cyberattack will cost it around 13,000 cars of output per day of the production freeze, and the car maker could not say how long the stoppage at its 14 Japanese plants – which make up around a third of Toyota’s production capacity – would last.
Worryingly, Nikkei notes that many of the ~400 tier 1 suppliers that Toyota deals with directly “are connected to the automaker’s kanban just-in-time production control system, which allowed the problems at Kojima Industries to spill over to Toyota” — suggesting Toyota’s systems may also have been infected.
Car makers are particularly vulnerable to cyberattacks due to their extremely complex supply chains, as well as their reliance on older IT systems. A 2021 report from Black Kite claimed 91% of automotive firms had at least one high-severity unpatched vulnerability, 90% were vulnerable to phishing, and 84% had publicly-visible critical ports.
The report’s analysis of automotive supply chain partners wasn’t much better: 87% had high-severity vulnerabilities, 85% were susceptible to phishing, and 81% had visible ports.
See also: The top three ransomware infection vectors remain troublingly consistent
Given the costs of any production shutdown, all manufacturers are particularly vulnerable to ransomware attacks. An IBM report released last week said manufacturing was the economic sector most hit by cyber attacks, accounting for 23% of all attacks in 2021 – in no small part because many companies choose to pay rather than endure a lengthy shutdown.
“Understand your third parties and their associated risk. Supply chains and OEMs can be complex, increasing the likelihood of a ripple effect in the case of a cyber breach. Classify vendors, identify critical data sharing points, and adopt a continuous model for vendor risk monitoring. Point-in-time assessments do not cut it anymore. Automation is the key to vendor risk management,” wrote the authors of the Black Kite report in their recommendations to car makers.
Ransomware attacks are now so prevalent, there are even examples of one group’s attack interfering with that of another. An analysis by Sophos, published today, shows how a Canadian healthcare provider’s data was first ransomed – but not encrypted – by Karma, then ransomed and encrypted by Conti just hours later. The Conti attack encrypted Karma’s ransom notes along with the main target’s data.
“In this case, the initial access came over three months before there was any ransomware activity. This suggests the likelihood of an ‘access broker’ discovering the ProxyShell vulnerability and either offering it for sale on a marketplace or simply sitting on it until ransomware affiliates wanted it,” wrote Sophos senior threat researcher in the report.