Imagine you are driving down the highway and your windshield wipers begin to turn on automatically, the radio volume surges, the trunk pops, windows unroll and then ultimately, the steering wheel locks or steers on its own accord. While this frightful tale seems like something out of a bad movie, hackers have recently demonstrated the ability to perform these tasks. Gone is the day of the traditional security breach of “just” stealing personally identifiable information (PII), and welcome the new dawn of ransomware attacks.
Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. The hacker will often, upon a successful breach, encrypt key company data rendering it inaccessible until a hefty sum is paid. A rising number of ransomware attacks were noted in 2020 with cyber insurer Beazley Group seeing an increase of 25% in ransomware claims. In a May 2020 survey, the cybersecurity firm Sophos estimated that 51% of organizations incurred a ransomware attack within the prior 12 months. The recent attacks are creating greater risks to industries that may not have considered themselves significant targets in the past — manufacturing and utilities.
The Honda Example
In June 2020, Honda experienced what was believed to be a SNAKE (also known as EKANS) ransomware attack. The notice of system issues began via a tweet specifying they were experiencing technical difficulties. Behind the scenes, Honda’s customer service team was unable to access customer records and plants had to be temporarily shut down across North America, Turkey, Italy, and Japan. All in all, facilities were shut down in most instances for a day while Honda worked through the issue. For an organization already strapped by manufacturing constraints due to the COVID-19 pandemic, the loss of valuable production days significantly impacted not only Honda’s customers, but also their business partners. Honda’s issue comes on the heel of multiple other security instances which may cause rise to customers and partners engaging with them. In December 2019, 26,000 North American customers’ personal data was stolen including names, email addresses, and phone numbers, with the breach not discovered for over a week. In 2017, Honda was similarly forced to shut down production services after it was affected by the WannaCry ransomware.
A Look at Other Incidents
While Honda has become a source of much media attention as to how the world in which hackers play has changed, it was far from being alone. The electric vehicle manufacturer, Tesla made the news in September 2016 when a group of “white hat” hacker researchers identified software exposures that allowed them to take control of the vehicle’s windshield wipers, open the trunk, and apply the brakes. Two individuals, Charlie Miller and Chris Valasek posted a video in 2015 where they demonstrated a live test on a St. Louis highway how they were able to manipulate the brakes, steering, and dashboard functions on a Jeep Cherokee. An Australian logistics and delivery company with operations in over 50 countries, Toll Group, chose to shut down their systems temporarily in January 2020 due to a ransomware attack. Edesur S.A., a distributor of energy in Argentina, was the suspected victim of a ransomware attack that shut down electricity to over three million customers. And last but not least, a targeted attack on Iran’s uranium enrichment program is estimated to have damaged over 1,000 centrifuges (1/5 of Iran’s inventory) when hackers developed a worm that caused the centrifuges to spin too quickly or too slow, causing them to explode.
Each of these examples is worrying because of the implications for their customers. As product safety becomes compromised by breaches, customers may be more concerned about the reliability and security of their purchase, and business partners may be concerned about the ability for a company to address vulnerabilities. In extreme cases, breached products could impair the manufacturing or utilities provider’s ability to meet service-level agreements.
What Manufacturers Can Do to Assuage Concerns
There is a long-standing joke around the foresight of The Simpsons, and it seemed as though the AICPA tapped into some of that future casting ability when it introduced a new SOC for Supply Chain report just prior to the COVID-19 pandemic in March 2020.
The new SOC for Supply Chain report was designed to help organizations communicate certain information about their supply chain risk management efforts, and to assess the effectiveness of system controls that mitigate those risks. The intent is to provide greater visibility of supply chain organization’s controls on their overall security posture, and additional potential operations concerns such as:
- Availability – Examining control on an organization’s ability to manage/monitor product availability (quantities and times), achievement of delivery commitments (time, storage, transportation), and distribution (adherence to laws and regulations around timing, storage, and transportation)
- Process Integrity – Examining controls around the company’s ability to produce products that meet specifications and the system’s conformity with production requirements (laws, standards, and customer requirements)
- Confidentiality – Examining commitments related to the use of company’s intellectual property
- Privacy – Examining controls over the achievement of commitments around privacy notice / policy
While even The Simpsons can’t foretell how organizations will embrace considerations such as the AICPA’s SOC for Supply Chain, it may be worth considering. The SOC reports provide an option to give clients and business partners further assurances about controls, or in this case, on the processes to manage the supply chain lifecycle. Meanwhile, the examples of what may occur when not well-managed, continue to mount.
For more information, please contact Scott Woznicki or another member of our team.
Published on February 17, 2021