Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/21/2017
05:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

WannaCry Forces Honda to Take Production Plant Offline

Work on over 1,000 vehicles affected at automaker's Sayama plant in Japan while systems were restored.

In an example of just how persistent modern cyberthreats can be, automaker Honda Motors had to temporarily stop production at its Sayama plant in Japan this week after being hit by WannaCry, a malware threat the company thought it had mitigated just one month ago.

The nearly 48-hour shutdown impacted production of about 1,000 vehicles at the facility, which does engine production and assembly for a line of vehicles including the Odyssey minivan and the Accord.

A statement from Honda North America said the interruption at the Sayama Auto Plant was caused by the shutdown of several older production-line computers infected with the WannaCry virus.

Systems at multiple Honda plants in Asia, North America, Europe, and China were found similarly infected with WannaCry, according to a different Honda statement quoted by Reuters and other outlets.

WannaCry infected hundreds of thousands of computers worldwide last month using a Windows exploit dubbed EternalBlue that the US National Security Agency (NSA) originally developed for use against adversaries. Threat group Shadow Brokers publicly leaked the exploit earlier this year.

Honda has not said if the infection only impacted its industrial control system (ICS) network or its IT network as well, or both. Neither has the automaker so far explained why it decided to shut down operations only in Sayama and not at any of the other locations where WannaCry was reportedly spotted.

Honda first discovered the outbreak Sunday and began recovery work immediately. But it wasn't until Tuesday morning that the company resumed production at Sayama. The infection occured despite Honda's implementation of new measures to mitigate WannaCry when news of the malware first broke. But Honda's efforts apparently were insufficient for several older computers installed at the Sayama Honda plant, some media outlets have quoted the company as saying.

The incident highlights how difficult it is for large organizations to secure every system on their network, especially against self-propagating malware such as WannaCry, says Paul Norris, senior systems engineer at Tripwire.

"Organizations will generally secure the systems they know about," he says. "But most will have assets that are not managed or secured and are old legacy systems that haven’t been decommissioned," and remain vulnerable, Norris says.  

"It's harder for larger organizations to secure every asset within their environment, due to the size and complexity of corporate networks," he says.

The challenges are exacerbated in an industrial control system environment where IT and cybersecurity organizations often have little visibility into all the assets that might be in place.

In fact, up to 80% of all cyber assets in a plant can sometimes be invisible to cybersecurity personnel and often there is an incomplete inventory of IT-based assets as well, making them hard to protect, says David Zahn, general manager at ICS security vendor PAS. "If you can't see it, you can't protect it," he says.

It is possible also that Honda may have known about the underlying vulnerabilities to WannaCry in its plant floor environment but decided not to patch right away because it did not want to disrupt operations. "Risk mitigation within an industrial process facility moves at industry pace – not hacker speed," Zahn says.

Hopefully, incidents such as this will prompt organizations into answering basic cybersecurity questions for plant environments, he notes. "What are my cyber assets, where are my vulnerabilities, did an unauthorized change occur, and can I recover quickly if the worst case scenario happens."

More details are needed to know how Honda got breached. But the incident shows the need for organizations to pay more attention to securing plant floors against cybersecurity threats, adds John Bambenek, threat intelligence manager at Fidelis Cybersecurity.

"Large organizations have devices in low security environments that are necessary for their operations and in many cases, rely on factory employees not take actions that undermine the security of those environments," Bambanek says. That is a mistake, he adds.

"These attacks can cause real impact and a factory not producing parts for a day has a large monetary impact to the organization."

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the conference schedule and to register.

 

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
TammyMinger
50%
50%
TammyMinger,
User Rank: Apprentice
10/17/2017 | 9:23:12 PM
Re: A new form of war
Technology is a double-edged sword.  Advancements provide solutions to great problems, however, new problems are also formed with the advancement of technology.  My concern is will there ever be a time when the new problems outweigh the solutions created?   I fear one-day cyber attacks will become so common that they will begin attacking individuals.

 

~Tammy

 
Joe69400
50%
50%
Joe69400,
User Rank: Apprentice
6/22/2017 | 4:31:41 AM
A new form of war
Cyber attacks are a new form of war. It will be interesting to see how companies and countries will manage to counter them and how they will respond to these digital attacks.
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12551
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, improper validation of arguments in the internal implementation of the Memcpy function (provided by the scripting engine) allows an attacker to overwrite arbitrary memory, which could lead to code execution.
CVE-2019-12552
PUBLISHED: 2019-07-22
In SweetScape 010 Editor 9.0.1, an integer overflow during the initialization of variables could allow an attacker to cause a denial of service.
CVE-2019-3414
PUBLISHED: 2019-07-22
All versions up to V1.19.20.02 of ZTE OTCP product are impacted by XSS vulnerability. Due to XSS, when an attacker invokes the security management to obtain the resources of the specified operation code owned by a user, the malicious script code could be transmitted in the parameter. If the front en...
CVE-2019-10102
PUBLISHED: 2019-07-22
tcpdump.org tcpdump 4.9.2 is affected by: CWE-126: Buffer Over-read. The impact is: May expose Saved Frame Pointer, Return Address etc. on stack. The component is: line 234: "ND_PRINT((ndo, "%s", buf));", in function named "print_prefix", in "print-hncp.c". Th...
CVE-2019-10102
PUBLISHED: 2019-07-22
aubio 0.4.8 and earlier is affected by: null pointer. The impact is: crash. The component is: filterbank. The attack vector is: pass invalid arguments to new_aubio_filterbank. The fixed version is: after commit eda95c9c22b4f0b466ae94c4708765eaae6e709e.