As we have pressed further into the 21st century, digital transformation has continued to mold what critical infrastructure and industrial settings look like. This has come with a call-to-action for businesses to increase cybersecurity efforts to ensure all assets are protected from threat actors. However, there is one favored cyberattack that continues to proliferate — ransomware.
With ransomware, a threat actor encrypts data and then demands payment to unlock it, usually in bitcoin because it is harder to trace. In June 2020, automotive giant Honda was hit by a ransomware attack that halted operations at several assembly plants around the world. While the entry point of the attack is largely unknown, Honda has maintained that its network is isolated, or “air-gapped.” According to the BBC, the attack is believed to have begun with a phishing attempt. The perpetrator was never identified.
Other automaker ransomware cyberattacks
Honda isn’t the first automaker to experience a ransomware-based cyberattack. In 2017, WannaCry ransomware took the world by storm, reaching 150 countries and infecting 200,000 devices. One of the victims of this attack was another automotive giant, Renault-Nissan.
WannaCry impacted 5 Renault-Nissan production facilities. Upon discovery, executives opted to shut operations down to halt the spread of the ransomware through the network. The attack happened on a Friday, and operations returned to normal by the following Monday. While Renault-Nissan was impacted by the attack, WannaCry’s primary target was anything running the Windows operating system.
The Honda SNAKE ransomware attack
Honda was hit by a ransomware attack called SNAKE. According to Forbes, “Honda temporarily shut some of its production facilities, as well as both the customer service and financial services operations.” This ransomware was said to be fairly unsophisticated because it could not exfiltrate data, an important part of the ransom process.
According to Josh Smith, a security analyst at Nuspire, “what made it interesting was that [SNAKE] had additional functionality programmed into it to forcibly stop processes, especially items involving Industrial Control Systems (ICS) operations.” This means that if those functionalities had been activated, any plant with the ransomware infection would have been shut down and left at the mercy of the threat actors. In a statement, Honda reassured its constituents that there was no loss of personal information.
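The behaviour described above, forced termination of ICS-related processes, is something a plant's monitoring can watch for. The following is an added example written for this article; it is not code from Honda, Nuspire or any vendor, and it contains no SNAKE artefacts. The log format, the process names in the watchlist, the host names and the thresholds are all constructed assumptions: the detector flags any host on which several watchlisted processes are terminated within a short window, which is the pattern a mass process-kill would produce in endpoint telemetry.

```python
"""Flag bursts of terminations of ICS/OT-critical processes on a host.

Added example for this article; not Honda's, Nuspire's or any vendor's code.
The log format, process names, host names and thresholds are constructed
for illustration and are not artefacts from the SNAKE incident.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed watchlist: placeholder names a plant might tag as OT-critical.
ICS_PROCESS_WATCHLIST = {
    "historian.exe",
    "hmi_runtime.exe",
    "opc_server.exe",
    "plc_comm.exe",
}

# Constructed sample telemetry in a simple "timestamp|event|host|process|parent"
# form, standing in for process-termination events from an endpoint sensor.
SAMPLE_LOG = """\
2020-06-01T07:58:01|ProcessTerminate|PLANT-HMI-01|notepad.exe|explorer.exe
2020-06-01T08:00:03|ProcessTerminate|PLANT-HMI-01|historian.exe|unknown.exe
2020-06-01T08:00:04|ProcessTerminate|PLANT-HMI-01|hmi_runtime.exe|unknown.exe
2020-06-01T08:00:05|ProcessTerminate|PLANT-HMI-01|opc_server.exe|unknown.exe
2020-06-01T08:00:06|ProcessTerminate|PLANT-HMI-01|plc_comm.exe|unknown.exe
2020-06-01T09:30:00|ProcessTerminate|PLANT-ENG-02|hmi_runtime.exe|taskmgr.exe
"""


def parse_line(line):
    """Split one constructed log line into a dict of typed fields."""
    ts, event, host, proc, parent = line.strip().split("|")
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "host": host,
        "proc": proc.lower(),
        "parent": parent.lower(),
    }


def detect_ics_kill_bursts(log_text, threshold=3, window=timedelta(seconds=30)):
    """Return one alert per host/window in which at least `threshold`
    watchlisted processes were terminated within `window` of each other.

    A single HMI restart by an operator stays below the threshold; a
    script killing every OT process on a machine in seconds does not.
    """
    alerts = []
    recent = {}  # host -> deque of (timestamp, process) within the window

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev["event"] != "ProcessTerminate":
            continue
        if ev["proc"] not in ICS_PROCESS_WATCHLIST:
            continue

        q = recent.setdefault(ev["host"], deque())
        q.append((ev["ts"], ev["proc"]))
        # Drop events that have fallen outside the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()

        if len(q) >= threshold:
            alerts.append({
                "host": ev["host"],
                "start": q[0][0].isoformat(),
                "end": ev["ts"].isoformat(),
                "processes": [p for _, p in q],
            })
            q.clear()  # do not re-alert on the same burst

    return alerts


if __name__ == "__main__":
    for alert in detect_ics_kill_bursts(SAMPLE_LOG):
        print(f"{alert['host']}: {len(alert['processes'])} OT processes "
              f"terminated between {alert['start']} and {alert['end']}: "
              f"{', '.join(alert['processes'])}")
```

On the constructed sample, the single benign termination on PLANT-ENG-02 produces nothing, while the four kills on PLANT-HMI-01 within three seconds produce one alert. The watchlist and window are the parts that need site-specific tuning: populate the list from the plant's actual OT software inventory, and set the window short enough that routine maintenance restarts do not cluster into a burst.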
The BBC also said, “The fact that Honda has put production on hold and sent factory workers home points to disruption of their manufacturing systems.”
Honda also had to shut down several plants during WannaCry’s run in 2017, according to ArsTechnica.
The problem with legacy operational technology (OT) systems
Given the opportunity, SNAKE ransomware could have done real damage to several Honda plants. This points to a problem plaguing many OT systems: they are old and have gone so long without updates or replacement that threat actors can infiltrate them easily. This highlights the importance of maintaining older OT/ICS systems and holding them to the same security standards as the information technology (IT) side. Many companies believe that an air-gapped plant network solves these issues, but this isn’t necessarily the case.
According to Richard Robinson, CEO of Cynalytica, “Many air-gapped environments still have remote access for vendor maintenance, some wireless components and other elements that make them very un-gapped.”
Ensuring that security is maintained in ICS/OT systems is only one part of the equation. Equally important is training employees to follow cybersecurity best practices and to know what to do in the event of a cyberattack.
While the SNAKE ransomware attack on Honda didn’t end in a horror story, it did demonstrate how capable certain cyberattacks can be. It also showed the need for refreshing legacy OT systems with new cybersecurity measures to ensure that plants are putting their best foot forward in preventing an attack.