Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Japan Security

Cybersecurity Nightmare in Japan Is Everyone Else's Problem Too (bloomberg.com) 23

An anonymous reader shares a report: Kojima is a small company and little-known outside Japan, where it produces cup holders, USB sockets and door pockets for car interiors. But its modest role in the automotive supply chain is a critical one. And when the company was hacked in February 2022, it brought Toyota Motor's entire production line to a screeching stop. The world's top-selling carmaker had to halt 14 factories at a cost of about $375 million, based on a rough calculation of its sales and output data. Even after the initial crisis was over, it took months for Kojima to get operations close to their old routines.

The company is just one name on Japan's long list of recent cyber victims. Ransomware attacks alone soared 58% last year compared to a year earlier, according to the National Police Agency, and hacking incidents have exposed shortcomings ranging from slow incident response times to a lack of transparency. In a nation that exported chip components worth $42.3 billion last year -- dominating the supply of some materials -- supply chain issues can have global implications. [...] But while Japan has its own particular problems with hackers, many of its vulnerabilities are shared by the US and other technologically strong nations. From the Colonial Pipeline attack in the US to the Australian telecoms hack that exposed 10 million users' personal data, wealthy countries have been repeatedly caught underestimating the harsh realities of cybercrime.

This discussion has been archived. No new comments can be posted.

Cybersecurity Nightmare in Japan Is Everyone Else's Problem Too

Comments Filter:
  • by gweihir ( 88907 ) on Tuesday April 18, 2023 @05:45PM (#63460206)

    Ransomware has been around for more than 30 years, and with the advent of crapcons for money-laundering it exploded about 10 years ago. Anybody with an IT infrastructure still not prepared today is willfully ignorant. And it is not even that difficult: Write-protected backups (tape, removable disk, WORM capable backup storage server or WORM cloud service) and actually testing recovery and isolation procedures (so that the malware does not immediately get in again) is already enough.

    But people are not doing it. Why? Do they think it will only "hit somebody else"? Do they look away because they cannot handle thinking about it? Is it completely dysfunctional management? I really don't get it.

    • Benefit math? (Score:4, Interesting)

      by Tablizer ( 95088 ) on Tuesday April 18, 2023 @06:57PM (#63460394) Journal

      not even that difficult [read-only backups, recovery drills, isolation plan]

      Is the price of those things financially worth it? For example if "doing it right" costs $5mil/yr, but the est. average hack losses are $4mil/yr (cost times probability), then the biz will probably not do it. They are in the business to make money, not gain IT bragging points.

      I don't know what the actual values are, but remember from past articles and studies that the benefits are not so clear from a financial perspective. When a roughly break-even decision choice comes up, the least-change option usually wins, and the least-change option is to skip the improvement steps.

       

      • I like your logic. But in this situation, thinking of the cost of a cyber attack only in terms of expected value isn't appropriate for many businesses. This isn't a series of repeatable events. Better to think about prevention somewhat like the cost of catastrophic insurance (or at least the variety not required by law). If one can survive the catastrophe, fine. But if not, then strongly consider the insurance.
        • by Tablizer ( 95088 )

          Being the average company has roughly a 5% to 20% of folding per year*, I'm not sure the threat of breach-based bankruptcy is big enough to make them worry notably more. Many don't buy fire insurance either, or limited insurance.

          * Including shrinking into something puny and then being purchased by another co.

      • by gweihir ( 88907 )

        That was with regular hacks. Ransomware is an existential risk for many companies and massively more expensive and also massively more likely. But them still using the old cost and probability figures could explain why they do not prepare.

        • by Tablizer ( 95088 )

          If you can show clear stats that the financial risk is now higher, then the bean counters might be willing to fund prevention.

      • You also need to price in the amount of time spent on on making sure the recovered data is actually legit. And the PR hit if the news comes out.

        And always the chance that the data that was copied may be sold to a competitor / another bad actor. Or just released on the internet in the future and airing out your dirty laundry / secrets.

        Not sure if it's worth paying off with all these other potential problems in the future after paying off anyway.

        • by gweihir ( 88907 )

          I know of companies that lost important customers because they could not deliver for more than a month after a ransomware attack. The customer needed the stuff, did some market research and found another supplier. Which they asked about _their_ ransomware preparedness before selecting them. Especially for a SME, a ransomware attack can be the end of them if they are not prepared.

          Don't ask about evidence. This is from my audit-job and I am under NDA. Feel free to conclude that I am lying here.

    • "And it is not even that difficult" -- It is difficult. It takes a lot of planning to be able to backup and restore an entire enterprise in a minimal downtime fashion. Restoring an enterprise is a logistical nightmare. You don't just need the backups, you need working, non-infected systems to restore to. There is an order-of-operations required, Active Directory first, then other network services, databases before apps, etc. If you want to make sure this will all work you need a relatively large team wor
      • by gweihir ( 88907 )

        You already need to be able to backup and restore the enterprise for other causes and you also already need to be able to isolate the IT to deal with an attack in progress. If you do not have those capabilities, you are likely grossly negligent already.

        The only thing ransomware preparedness adds on top is that protected backup.

  • by 278MorkandMindy ( 922498 ) on Tuesday April 18, 2023 @07:54PM (#63460480)

    Why does a plastic moulding factory need to have anything that can stop production connected directly to the internet?

    Sure, ordering and probably HR are connected, they can be on a separate network and are incredibly easily backed up.

    • Hind sight separation would hinder an attack but most discount their vulnerability, since think small not an interesting target. Operations usually have designs on network increasingly the cloud. Designs have templates for the patterns they need for manufacturing. IT also might want central control for updates etc
    • by thomst ( 1640045 ) on Tuesday April 18, 2023 @09:06PM (#63460578) Homepage

      278MorkandMindy inquired:

      Why does a plastic moulding factory need to have anything that can stop production connected directly to the internet?

      If the situation in Japan is anything like it is in the U.S., it's because the plant operators demand to have access to the Internet while they're doing their incredibly boring jobs, and management insists on giving it to them to keep them happy and productive. Sure, it's a stupidly risky thing to do, and yes, any responsible production automation designer will loudly insist it's a Very Bad Idea - but management the world over is blindly resistant to being educated about network security, because MBA schools taught them that IT is a cost center, not a profit center.

      My source for the above is a close personal friend who retired last year after spending 40 years in the production process automation game - 30 of them as the owner of his own firm. He's regaled me many times over the years about the stubborn insistence of his clients on making their operators happy by giving their plant control workstations Internet access over his carefully-reasoned objections.

      In the end, he was forced to give in, because, no matter how self-sabotagingly stupid he may be, the customer is always right ...

    • by gweihir ( 88907 )

      ICS (Industrial Control Systems) are typically Internet-connected these days. Remote monitoring, statistics, control, vendor updates, etc. These days, there is basically almost no computing machinery that is not Internet connected. Stupid? Yes. The reality? Also yes.

    • by AmiMoJo ( 196126 )

      Japan is more vulnerable than most to this because they love to do everything by the book. That means all the paperwork, and if the office computers that do the paperwork are down they are very reluctant to proceed.

      There is a way of doing things, and they don't like to change it. That's why fax machines are still a thing there.

      Ironically Toyota invented a system to mitigate that cultural norm, but I guess Kojima wasn't using it.

    • If you don't know what your orders are, how do you know how many of which parts to make? How do you know where to send them? How do you know how much to bill each customer? How do you know which customers have paid already?

      At one time this may have been trackable by purely paper record, but at a much smaller number, and at a time when the customers also were forking from pure paper records.

      Maybe you think you can just run your lines at average levels, or a little higher the average and just warehouse any ex

      • All of your questions are billing related, which can have a backup. None of them explain why production has stopped.

        Having worked in a factory, I can tell you that the line NEVER stops, and is the highest priority. The order from the client never goes directly to an actual machine making it, although this may happen in the future.

        The order goes to the manager/super, who is told what and when to produce. The manager/super is required to be in the loop, as they asses other things, such as raw materials requir

    • How does vendor talk to customers? How does vendor get design data from customers? How does vendor do their business processes in support of that equipment? On internet connected infrastructure, which if ransomware'd would certainly being the whole works to a screeching halt.
  • Dependency (Score:4, Insightful)

    by Falos ( 2905315 ) on Tuesday April 18, 2023 @09:29PM (#63460602)

    Live by just-in-time, die by just-in-time.

    • by gweihir ( 88907 )

      Indeed. Short-sighted profit optimization by people that hope they are long gone when everything comes crashing down.

    • Live by just-in-time, die by just-in-time.

      Hear, hear! (I came to bring up just-in-time but you beat me to it.)

      With just-in-time your entire head of suppliers is your attack surface. If any one of them gets stalled or killed by a malware attack your whole operation gets stalled until they're back up or replaced. That includes the supporting-you piece of each of your other suppliers.

      Even if you had redundant suppliers for whatever got victimized you have to expect they can't ramp up instantly to fill the g

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson

Working...