When a manufacturing facility gets hit with a cyberattack, the numbers start to add up quickly. How much downtime will be required? How many people and processes does it impact? And the big one: How much will it cost, in both production time lost and remediation? When AW North Carolina (AWNC) got hit with ransomware in 2017, they knew they “stood to lose $270,000 in revenue, plus wages for idled employees, for every hour the factory wasn’t shipping its crucial auto parts to nine Toyota car and truck plants across North America,” according to an AP article from the time.
Though the ramifications of the attack were not severe, the AWNC incident was an excellent example of why manufacturing and ransomware can be a toxic mix. Cyber criminals are generally after a quick and sizable payout, which means they are looking for significant pain points. That can be an overfull hospital in the throes of a pandemic. It can be a power plant in the midst of a cold winter spell. Or, in this case, it can be just-in-time manufacturing, where minutes and seconds matter.
Just-in-time manufacturing and cyber threat
The notion that manufacturing can be a profitable target for criminals is nothing new, but it does seem to be gaining ground. Dragos’ recent Year in Review report highlighted the growing threat to industrial control systems (ICS) and operational technology (OT). According to their study, ransomware attacks against industrial organizations increased by 87% over the previous year, and there were 35% more ransomware groups impacting ICS/OT in 2022. Attacks on just-in-time manufacturing can be even more dangerous.
Just-in-time manufacturing is a strategy that emphasizes the production of goods only as they are needed, rather than maintaining large inventories of finished products or raw materials. It’s designed to reduce waste, lower costs and improve efficiency by producing goods in response to customer demand. Just-in-time manufacturing requires close coordination between suppliers, production teams and customers to ensure that materials are delivered and products are produced at just the right moment. It also requires careful management of inventory levels and production schedules to ensure that production is efficient and cost-effective.
“These people who try to hack into your network know you have a set schedule. And they know hours are meaningful to what you’re doing,” said John Peterson, AWNC’s information technology manager, in the AP article. “There’s only a day and a half of inventory in the entire supply chain. And so if we don’t make our product in time, that means Toyota doesn’t make their product in time, which means they don’t have a car to sell on the lot that next day. It’s that tight.”
The AW North Carolina attack
The 2017 AW North Carolina cyberattack was a significant cyber intrusion that affected both production facilities and operations. AWNC, a subsidiary of the Japanese company Aisin AW Co., has its manufacturing facility in Durham, North Carolina and supplies transmission components to major automobile companies, including Toyota and Honda.
The attack against AWNC started on Aug. 16, 2017, when the company’s information technology (IT) systems were infiltrated by a newer strain of ransomware. This malicious software encrypted the company’s critical data and demanded a ransom to restore access to the affected files. It ultimately shut down production lines for four hours at the 2,200-worker plant.
The disruption affected not only AWNC but also its customers, as delays in the delivery of transmission components led to a ripple effect throughout the automotive supply chain. According to Peterson in an interview with WRAL TechWire, the existing AWNC firewall and antivirus software did not catch the ransomware immediately, so it was able to saturate the network, and several key process servers were unable to respond. AWNC ultimately did not pay the ransom, however, and was able to contain the damage.
“Fortunately we did not have to pay ransom because the existing firewall did not allow the ‘ransomware’ to go back through the locking procedure,” said Peterson in the WRAL interview. “The quick response by the AWNC IT team isolated the attacks to the computers that were the initial entry point to the network and these were removed from the network. AT&T responded very quickly and the ‘locked data’ status was not achieved. AWNC IT then removed the ‘ransomware’ from the facility systems. Also, we utilized daily backups to restore any data that was compromised.”
The AWNC response and lessons learned
In response to the attack, AWNC enlisted the help of third-party cybersecurity experts, including AT&T, to investigate the incident and restore its systems. The attack served as a wake-up call for AWNC and the broader automotive industry. In the aftermath of the incident, AWNC invested in improving its cybersecurity posture, implementing better security practices and training its employees on cyber threats. Additionally, the attack highlighted the need for greater collaboration and information sharing among companies within the automotive industry to address the growing threat of cyberattacks.
The automotive sector has been a frequent target of cyberattacks in recent years, with companies like Renault-Nissan, Toyota, Honda and Tesla all being hit. And this threat is expected to rise with the increase in electric and internet-enabled cars. This could not only affect production environments but also driver safety.
According to AP, AWNC was actually hit again by malware later that same year, though the virus was contained before it impacted production. In response to the sharp increase in ransomware attacks in the state, in 2022 North Carolina became the first state in the U.S. to prohibit state agencies and local governments from paying a ransom following a cyberattack. The idea is that criminals will be less likely to strike these essential operations if they know there is no possibility of receiving a ransom payment.
When asked what lessons he had learned from the ransomware attack, Peterson said: “If you are not keeping current on the latest IT security measures and software patches, your business is exposed. If you have a new IT security system and you are not continually keeping it up to date and looking for new products and processes to assist in protecting your business, the threat will occur again.”