Canada’s parts manufacturers are being urged to bolster their defences against cybersecurity attacks – a growing menace that threatens the entire auto industry, including dealers and car companies, experts warn.
“This is something that happens to everybody in every industry,” said Hassan el Bouhali, chief information officer for Toronto-based Woodbridge Group. “What we need to do is get educated, do things about it and learn from each other and share with each other what it is we did to protect our business.”
El Bouhali used a November industry conference to publicly share his company’s experience with a ransomware attack that struck the foam manufacturer last September.
“By sharing, we break that taboo,” el Bouhali told the Automotive Parts Manufacturers’ Association conference on cybersecurity.
According to a 2019 study commissioned by U.S.-based cybersecurity provider Carbon Black, 88 per cent of Canadian organizations surveyed said they have suffered one or more breaches in the past 12 months due to external cyberattacks, and 82 per cent reported an increase in cyberattacks over the same period.
Of those that experienced a breach, 78 per cent said they think these incidents are becoming more sophisticated.
RANSOM DOESN’T PAY
Outside the automotive industry, the Canadian medical laboratory testing company LifeLabs revealed in December it paid a ransom to recover the sensitive medical information of 15 million Canadians.
Within the auto sector, incidents are piling up. The 2017 WannaCry ransomware epidemic forced Nissan and Renault to temporarily idle some of their manufacturing operations in Europe. In February 2018, news broke that hackers had accessed Tesla’s cloud computing account, exposing sensitive data including vehicle telemetry information.
In December 2017, Nissan Canada said it was the victim of a data breach that exposed the personal financial information of 1.13 million customers of its vehicle financing arm. The incident led to a class action lawsuit filed by more than 600,000 customers against the automaker, which admitted that the breach was an “inside job” by an unidentified employee who had demanded a ransom, according to court documents.
El Bouhali would not say whether his company paid a ransom, but he noted that Woodbridge had a plan in place to respond to potential threats such as the one that occurred in September 2019.
The company employed a war-room strategy that immediately deployed a team to resolve problems caused by the breach, he said.
The most common cybersecurity risk to a business is financial. Such attacks often occur through ransomware, in which IT systems are taken hostage by hackers who demand payment, said John Heaton, a Toronto-based partner in the cybersecurity advisory services practice of KPMG.
The most effective response to ransomware is not to pay the attackers, Heaton said.
“They’ll know that you paid,” he said, “and that will get shared [among hackers], and then they’ll go at you again. It’s pretty much a guarantee.”
This means being prepared to shut down affected computers, servers and networks and to restore files from offline backup systems.
SAVED BY THE BANK
Wire-transfer fraud is also prevalent. In February 2019, hackers tried to complete a $200,000 transfer from the APMA’s business account to Hong Kong after gaining access to President Flavio Volpe’s email account. The attackers even tricked the bank into calling an alternate phone number for verification.
“They said that I was on vacation, and [the bank] needed to call me at this phone number,” Volpe said. “The only thing that saved us was a very intelligent and instinctual branch manager who speaks to me on occasion and said, ‘That doesn’t sound like him.’ ”
Lost time and productivity due to system lockouts, recovery procedures and demands on employee time and resources can all add to the costs brought on by a cyberattack.
The risk to intellectual-property assets extends beyond those held by the affected business. Supplier or client IP can also be stolen and exploited, exposing a business to legal liability and privacy investigations.
“The OEMs are going to make you responsible ... for whatever data they share with [parts suppliers],” Heaton said. “And if you fail to protect it appropriately, they’re going to turn around and sue you.”
In fact, parts makers will have to comply with a new ISO standard to address cybersecurity by 2022 or risk losing business from global automakers, said Colin Dhillon, APMA’s chief technical officer.
ISO 21434 will be released this year to establish cybersecurity guidelines for the automotive supply chain as the industry moves further into connected and autonomous technologies.
Data breaches can occur through simple errors such as a lost portable hard drive, through deliberate internal acts, or through security breaches of cloud computing systems or executive email accounts.
“In [one] case, the top five executives had their emails auto-forwarded to Gmail accounts,” Heaton said, “[exposing] personally identifiable information, personal health information and corporate strategy information.
“Not only did they have an $800,000 wire-transfer fraud, they now have an investigation by the privacy commissioner because, as of November of , you have to report if you have a privacy breach that has a significant potential for harm.”
MITIGATING THE RISKS
Have a plan in place. The Woodbridge Group had prepared a plan for what it viewed as the inevitability of a cybersecurity attack.
“We engaged with legal advisory on how to deal with the attackers and the ransomware demand,” el Bouhali said, “and we engaged with cybersecurity forensic experts and consulting firms to help us go through the whole thing.”
Train staff on how to spot phishing and scams. Ensuring staff are trained on how to spot fraudulent activity can thwart an attack.
“We’re trying to get parts out the door, we’re trying to innovate in our manufacturing factories, and we’re the ones that are clicking the buttons that are causing the phishing attacks and causing us to lose money,” said Wendy Young, director of operations for technology at NGen, a Canadian not-for-profit organization that helps manufacturing companies identify new technologies.
The C-suite should manage a company’s response to attacks. IT departments will drive responses to attacks, but they do not answer to those affected by security breaches. Decision-making on the issue should come from company leadership, said KPMG’s Heaton.
“Cyber is not an IT function anymore,” said Heaton. “It’s a business problem.”
Be willing to outsource. The Woodbridge Group has a small IT team, but it works with suppliers skilled at keeping up with the cybersecurity needs of businesses, said el Bouhali.
“I strongly believe that manufacturing companies ... will never be able to staff enough cybersecurity resources internally,” he said. “We will never be able to be up to date on everything from a technology perspective that’s required. We will have to rely on our suppliers to do that.”
Never assume you’ve done enough. Hackers are always working to gain a new advantage. “They have the investment to move ahead of us, and they’re always trying to get one step ahead,” said Young of NGen.