Cybersecurity Nightmare in Japan Is Everyone Else's Problem Too (bloomberg.com) 23
An anonymous reader shares a report: Kojima is a small company and little-known outside Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a critical one. And when the company was hacked in February 2022, it brought Toyota Motor's entire production line to a screeching stop. The world's top-selling carmaker had to halt 14 factories at a cost of about $375 million, based on a rough calculation of its sales and output data. Even after the initial crisis was over, it took months for Kojima to get operations close to their old routines.
The company is just one name on Japan's long list of recent cyber victims. Ransomware attacks alone soared 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported chip components worth $42.3 billion last year -- dominating the supply of some materials -- supply chain issues can have global implications. [...] But while Japan has its own particular problems with hackers, many of its vulnerabilities are shared by the US and other technologically strong nations. From the Colonial Pipeline attack in the US to the Australian telecoms hack that exposed 10 million users' personal data, wealthy countries have been repeatedly caught underestimating the harsh realities of cybercrime.
The company is just one name on Japan's long list of recent cyber victims. Ransomware attacks alone soared 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported chip components worth $42.3 billion last year -- dominating the supply of some materials -- supply chain issues can have global implications. [...] But while Japan has its own particular problems with hackers, many of its vulnerabilities are shared by the US and other technologically strong nations. From the Colonial Pipeline attack in the US to the Australian telecoms hack that exposed 10 million users' personal data, wealthy countries have been repeatedly caught underestimating the harsh realities of cybercrime.
Those that ignore threats... (Score:4, Insightful)
Ransomware has been around for more than 30 years, and with the advent of crapcons for money-laundering it exploded about 10 years ago. Anybody with an IT infrastructure still not prepared today is willfully ignorant. And it is not even that difficult: Write-protected backups (tape, removable disk, WORM capable backup storage server or WORM cloud service) and actually testing recovery and isolation procedures (so that the malware does not immediately get in again) is already enough.
But people are not doing it. Why? Do they think it will only "hit somebody else"? Do they look away because they cannot handle thinking about it? Is it completely dysfunctional management? I really don't get it.
Benefit math? (Score:4, Interesting)
Is the price of those things financially worth it? For example if "doing it right" costs $5mil/yr, but the est. average hack losses are $4mil/yr (cost times probability), then the biz will probably not do it. They are in the business to make money, not gain IT bragging points.
I don't know what the actual values are, but remember from past articles and studies that the benefits are not so clear from a financial perspective. When a roughly break-even decision choice comes up, the least-change option usually wins, and the least-change option is to skip the improvement steps.
Re: Benefit math? (Score:2)
Re: (Score:1)
Being the average company has roughly a 5% to 20% of folding per year*, I'm not sure the threat of breach-based bankruptcy is big enough to make them worry notably more. Many don't buy fire insurance either, or limited insurance.
* Including shrinking into something puny and then being purchased by another co.
Re: (Score:2)
That was with regular hacks. Ransomware is an existential risk for many companies and massively more expensive and also massively more likely. But them still using the old cost and probability figures could explain why they do not prepare.
Re: (Score:1)
If you can show clear stats that the financial risk is now higher, then the bean counters might be willing to fund prevention.
Re: (Score:2)
You also need to price in the amount of time spent on on making sure the recovered data is actually legit. And the PR hit if the news comes out.
And always the chance that the data that was copied may be sold to a competitor / another bad actor. Or just released on the internet in the future and airing out your dirty laundry / secrets.
Not sure if it's worth paying off with all these other potential problems in the future after paying off anyway.
Re: (Score:2)
I know of companies that lost important customers because they could not deliver for more than a month after a ransomware attack. The customer needed the stuff, did some market research and found another supplier. Which they asked about _their_ ransomware preparedness before selecting them. Especially for a SME, a ransomware attack can be the end of them if they are not prepared.
Don't ask about evidence. This is from my audit-job and I am under NDA. Feel free to conclude that I am lying here.
Re: (Score:2)
Re: (Score:2)
You already need to be able to backup and restore the enterprise for other causes and you also already need to be able to isolate the IT to deal with an attack in progress. If you do not have those capabilities, you are likely grossly negligent already.
The only thing ransomware preparedness adds on top is that protected backup.
Why is it connected to the net? (Score:4, Interesting)
Why does a plastic moulding factory need to have anything that can stop production connected directly to the internet?
Sure, ordering and probably HR are connected, they can be on a separate network and are incredibly easily backed up.
Re: Why is it connected to the net? (Score:3)
Re:Why is it connected to the net? (Score:5, Interesting)
278MorkandMindy inquired:
Why does a plastic moulding factory need to have anything that can stop production connected directly to the internet?
If the situation in Japan is anything like it is in the U.S., it's because the plant operators demand to have access to the Internet while they're doing their incredibly boring jobs, and management insists on giving it to them to keep them happy and productive. Sure, it's a stupidly risky thing to do, and yes, any responsible production automation designer will loudly insist it's a Very Bad Idea - but management the world over is blindly resistant to being educated about network security, because MBA schools taught them that IT is a cost center, not a profit center.
My source for the above is a close personal friend who retired last year after spending 40 years in the production process automation game - 30 of them as the owner of his own firm. He's regaled me many times over the years about the stubborn insistence of his clients on making their operators happy by giving their plant control workstations Internet access over his carefully-reasoned objections.
In the end, he was forced to give in, because, no matter how self-sabotagingly stupid he may be, the customer is always right ...
Re: (Score:3)
ICS (Industrial Control Systems) are typically Internet-connected these days. Remote monitoring, statistics, control, vendor updates, etc. These days, there is basically almost no computing machinery that is not Internet connected. Stupid? Yes. The reality? Also yes.
Re: (Score:2)
Japan is more vulnerable than most to this because they love to do everything by the book. That means all the paperwork, and if the office computers that do the paperwork are down they are very reluctant to proceed.
There is a way of doing things, and they don't like to change it. That's why fax machines are still a thing there.
Ironically Toyota invented a system to mitigate that cultural norm, but I guess Kojima wasn't using it.
Re: (Score:2)
If you don't know what your orders are, how do you know how many of which parts to make? How do you know where to send them? How do you know how much to bill each customer? How do you know which customers have paid already?
At one time this may have been trackable by purely paper record, but at a much smaller number, and at a time when the customers also were forking from pure paper records.
Maybe you think you can just run your lines at average levels, or a little higher the average and just warehouse any ex
Re: (Score:2)
All of your questions are billing related, which can have a backup. None of them explain why production has stopped.
Having worked in a factory, I can tell you that the line NEVER stops, and is the highest priority. The order from the client never goes directly to an actual machine making it, although this may happen in the future.
The order goes to the manager/super, who is told what and when to produce. The manager/super is required to be in the loop, as they asses other things, such as raw materials requir
Re: Why is it connected to the net? (Score:2)
Re: (Score:2)
Again, none of this stops production?
Dependency (Score:4, Insightful)
Live by just-in-time, die by just-in-time.
Re: (Score:2)
Indeed. Short-sighted profit optimization by people that hope they are long gone when everything comes crashing down.
Just-in-time balloons your attack surface. (Score:2)
Live by just-in-time, die by just-in-time.
Hear, hear! (I came to bring up just-in-time but you beat me to it.)
With just-in-time your entire head of suppliers is your attack surface. If any one of them gets stalled or killed by a malware attack your whole operation gets stalled until they're back up or replaced. That includes the supporting-you piece of each of your other suppliers.
Even if you had redundant suppliers for whatever got victimized you have to expect they can't ramp up instantly to fill the g