[HN Gopher] Toyota suspends domestic factory operations after su...
___________________________________________________________________
Toyota suspends domestic factory operations after suspected cyber
attack
Author : caaqil
Score : 100 points
Date : 2022-02-28 15:21 UTC (7 hours ago)
(HTM) web link (www.reuters.com)
(TXT) w3m dump (www.reuters.com)
| badrabbit wrote:
| The attack was on a supplier network
| thatguy0900 wrote:
| I think the reality is if a nation state wanted to they could
| shut down 80%+ of infrastructure (water, power, internet etc) and
| any domestic manufacturing by attacking something in the supply
| line. There's terrible security everywhere; you literally have
| ransomware groups taking down key infrastructure by accident, it's
| so bad. Our insane military budget does nothing to prevent this
| and it honestly seems almost as bad to me as a few nukes could
| be.
| Melatonic wrote:
| Actually, I believe they announced new programs this year, in the
| US at least, to specifically combat this - but I agree - it has
| been a known issue for a long time and is potentially a huge
| problem.
| boringg wrote:
| Expect a ramp up in security disruptions globally as a result of
| Russia's war on Ukraine.
| throwaway894345 wrote:
| > the war on Russia
|
| That's a funny way to spell "Russia's war on Ukraine". :)
| [deleted]
| [deleted]
| boringg wrote:
| Yeah was an egregious typo - fixed it. Clearly wrote the
| comment quickly.
| shepherdjerred wrote:
| It's not Russia's fault that Ukraine's border got so close to
| Russian troops
| dstroot wrote:
| Nothing mentioned on Toyota's site:
| https://global.toyota/en/newsroom/
|
| Supplier is apparently Kojima Industries, their website is being
| hammered: https://www.kojima-tns.co.jp/en/. Or maybe it's down
| because of the attack?
| coding123 wrote:
| So I imagine the last 5-10 years of minor squabbling in the news
| about "Russian Hackers" was just training. I hope we're ready for
| the full onslaught now.
| raducu wrote:
| I don't think you have any idea what the NSA is capable of...
| newsclues wrote:
| Why would Russia hit Toyota? They have more important stuff to
| hack right now.
|
| China on the other hand, has a new auto industry to take over
| the world.
| ricardobayes wrote:
| Japan is supporting the sanctions and pledged to give $100M
| in aid to Ukraine.
| SpicyLemonZest wrote:
| I would bet that most major security services have a list of
| known vulnerabilities they can exploit whenever they see a
| good reason to.
| newsclues wrote:
| I'm questioning motivation and priorities not ability.
| freedomben wrote:
| Huge motive: gain access to "free" compute and storage
| resources. If they have GPU stacks too you can put ML to
| use for further penetration.
| bbarnett wrote:
| Technically true, but a bit click baitish.
|
| Article says a plastics supplier was hit, which isn't the same as
| Toyota being hit.
| syshum wrote:
| The headline is accurate, and not click bait IMO.
|
| Nowhere did they imply Toyota was hit; however, to believe it
| is any less serious because a supplier was hit vs them directly
| shows ignorance of how manufacturing works
|
| Supply chain attacks are very serious and are how a lot of
| malware is moving, because the primary targets are getting very
| good at preventing direct attacks; however, suppliers are often
| overlooked as an attack vector, and even if they are aware of
| the risk, that risk is often very much understated
| mherrmann wrote:
| I think it's clickbait. I immediately thought Toyota was
| hacked.
| kerneloftruth wrote:
| A supplier was hit, so they suspended domestic (i.e.
| Japanese) production. The title is actually a good
| encapsulation, and not at all click bait. Gotta celebrate
| these rare times when it's a legit title.
| jjulius wrote:
| >The title is actually a good encapsulation, and not _at
| all_ click bait.
|
| I, too, thought it was an attack on Toyota based on the
| title. I see where you're coming from in saying that it's
| not, but because many of us have stated that we were
| confused by the title, I don't think it's fair to say
| that it's "not at all" click bait. It is, at least just a
| teensy bit.
| samatman wrote:
| The dividing line should be whether the headline is
| misleading, rather than confusing. If everything about an
| article could be encapsulated in a headline there would
| be no need for articles.
|
| Was there a cyberattack? Yes. Did Toyota suspend domestic
| factory operations after it? Also yes. I'm content.
| cronix wrote:
| "Toyota suspends domestic factory operations after
| suspected cyber attack on supplier" would be far more
| accurate
| mherrmann wrote:
| ... after suspected cyber attack _of a supplier_ would
| have been non-clickbait. As it is, it fooled me and so I
| say it's clickbait.
| sschueller wrote:
| All they had to do is add 2 words ("on supplier") but
| decided not to, probably to make it sound like Toyota, a
| billion dollar company, doesn't have good cyber security.
| pooper wrote:
| I would even feel better about adding one more word
| "some" as in Toyota suspends some domestic factory
| operations because by default it sounds like it suspends
| all domestic factory operations.
|
| I agree. The title is click bait.
| tiahura wrote:
| The headline is misleading. "Toyota halts Japan production
| after supplier hit by cyberattack" isn't.
| https://www.autonews.com/automakers-suppliers/toyota-
| halts-j...
|
| Moreover, geopolitically, there is a HUGE difference between
| random plastic company being a random extortion victim, and
| Japan's largest company being the target of Putin's
| retaliation.
| syshum wrote:
| You have made a large number of assumptions: that it was a
| random supplier and that it was a random extortion
|
| Not saying it was not, but the idea that only Russia would
| attack Toyota directly, and only random attackers hit
| suppliers, is not true
| tiahura wrote:
| I'm not making any assumptions- that's the whole point.
| We don't know if it was random or not. The original
| headline suggested Toyota was the direct target. If that
| was so, it would be some evidence that it was
| retaliation. But, Toyota wasn't directly targeted, so the
| headline is misleading.
| criticaltinker wrote:
| You two are talking past each other, at this point it's
| just semantics.
|
| _> Toyota wasn't directly targeted _
|
| GP is trying to say this is the assumption you're making.
| Supply chain attacks can be a clever way to disguise a
| direct target as an indirect one.
|
| I agree with you though, the headline could be more
| clear.
| Melatonic wrote:
| Yeah I think this situation is more nuanced and we will
| probably find out more later. Supply chains are certainly
| very valid ways to attack an entity even if the supplier
| is not technically part of that entity.
|
| If someone were to attack a major private utility in the
| US, for example electricity, they would not be directly
| attacking the US Government but I do not think most would
| find a title similar to this being clickbait.
| Animats wrote:
| Business computer security just got a lot more serious.
|
| - Cloud-based factory automation? Unsafe now.
|
| - Mandatory remote diagnostics? Unsafe now.
|
| - Remote updates? Questionable, and need to be blockable during
| crisis periods.
| bob1029 wrote:
| I would hope most of us have been taking it seriously well-
| before this incident.
|
| We've been doing B2B business for banks and we eschew any
| cloud/remote infrastructure as part of our offering because no
| one would pay for it. Everyone demands on-prem hosting of our
| software and it has to exclusively flow through their network
| security appliances.
|
| I had a conversation with more than one CIO who would rather
| suffer arbitrary DDOS attacks than allow cloudflare the ability
| to decrypt their application traffic.
|
| I am more than happy to work with these kinds of customers.
| There is no excuse to compromise on security when the stakes
| are this high. Everyone is willing to take their time to get it
| right.
| serf wrote:
| >- Cloud-based factory automation? Unsafe now.
|
| I feel like I must have slept through the point where that was
| ever a safe option rather than just a compromise for
| convenience sake.
| Animats wrote:
| Right. Internet-configurable power grid control relays were
| not a good idea.[1]
|
| "Web server interface is supported on UR over HTTP protocol.
| It allows sensitive information exposure without
| authentication." (Yes, they actually put a web server in a
| device which directly controls high voltage relays in power
| grids.)
|
| "UR IED with "Basic" security variant does not allow the
| disabling of the "Factory Mode," which is used for servicing
| the IED by a "Factory" user."
|
| ...
|
| Those particular bugs were supposedly fixed.
|
| [1] https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02
| pokstad wrote:
| Compromised remote updates on self driving automobiles is
| scary. We're probably one supply chain attack away from Teslas
| performing a DDoS attack in real life.
| zibzab wrote:
| You don't need that when Tesla (accidentally) does this
| themselves.
|
| True story, had to manually fix vehicles (using SSH)
| kevin_thibedeau wrote:
| Everybody's PC is going to crawl with three layers of useless
| checkbox-ware.
| 71a54xd wrote:
| I wonder how much time they had to make this call?
| tiahura wrote:
| How does just-in-time prepare for a fire at the steering
| wheel supplier? How is a 30 day supply not sensible?
| zdragnar wrote:
| I admit to not having a solid grasp of the numbers in play, but
| if my limited understanding is correct, a 30 day outage is
| significantly cheaper than the problems pre-JIT supply chains
| faced.
| letitbeirie wrote:
| If a car factory is making 1000 cars a day, a 30-day supply is
| all the parts needed to make 30,000 cars. Managing that is a
| giant, complicated, land-consuming operation unto itself, and
| it all has to get sorted before you can build car #1.
| jcims wrote:
| Supply chain risk management. There's no black box from which
| steering wheels emerge. You send people to their factories, you
| check their finances, you look into their history with
| regulatory agencies, you examine their leadership, you look at
| _their_ supplier relationships. The place I work has a hundred
| folks that do nothing but risk and cybersecurity audits of our
| vendors and suppliers. It's a whole thing.
|
| It's obviously not perfect and can get caught up in systemic
| issues like a pandemic, but as mentioned in a sibling comment
| it's still cheaper than the alternatives.
| 1ris wrote:
| I can see how these people can confirm risks. But how do they
| falsify risks? And more importantly: how are they managing
| it? Is the size of the supply heap derived from the
| assumed risk and the cost of a default?
| jcims wrote:
| It's tricky going from an engineering mindset to risk
| management. I still struggle with it and have been in the
| industry for a long time. You can't falsify risks and many
| of your inputs are going to be guesses based on an amalgam
| of experience, historical information, trends and available
| risk/threat models.
|
| Today there's all of these metrics available that give it
| the feel of an exact science, but it's not. It's educated
| guesswork, but there's enough evidence showing it works
| that it's worth substantially increasing the costs and
| friction of doing business to align with its outputs.
|
| Usually.
|
| In this case something arguably failed in the process. It's
| noteworthy but it's not an existential threat to Toyota.
| They will learn from it, someone's probably going to 'seek
| opportunities outside the firm' and they'll get back to
| making great products.
| tiahura wrote:
| I get that at the end of the day somebody's got to make the
| wheel, and the fire could be anywhere.
|
| However, the article suggests that Toyota has to shut down
| all operations the minute their plastic doohickey supplier
| goes down - ie they have 0 buffer. That doesn't seem optimal.
| Given that there are dozens or hundreds of suppliers, on any
| given day, isn't at least one of them having issues?
| Hamuko wrote:
| Toyota actually does stockpile some supplies it deems critical.
| This is despite the fact that Toyota is basically the pioneer
| of the JIT method of building cars.
|
| https://www.france24.com/en/live-news/20210512-lessons-from-...
| foepys wrote:
| I don't know about other countries but German auto
| manufacturers require (nearly) all suppliers to submit an FMEA
| [1] for their products. Some or maybe all US manufacturers do
| this, too, if I remember correctly.
|
| In short, FMEA is a way to calculate risks and prepare for
| supply chain issues to a certain degree. When done correctly
| those FMEAs get very large and extensively lay out where risks
| are high so plans can be made to minimize them.
|
| 1:
| https://en.wikipedia.org/wiki/Failure_mode_and_effects_analy...
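The FMEA scoring foepys describes, and the "educated guesswork with numbers attached" jcims describes further up, both come down to the same arithmetic: rate each failure mode for severity, occurrence and detection on 1..10 scales, multiply them into a Risk Priority Number, rank, mitigate the top items and re-score. The script below is an added illustration of that method, not code from this thread, from Toyota, or from any automaker; the supplier names and ratings are constructed for the example, and the 200 threshold is an arbitrary choice.

```python
"""Added example: FMEA-style risk scoring for supply-chain failure modes.

Not Toyota's or any OEM's method; suppliers and ratings below are
constructed for illustration. Each failure mode is rated on three
1..10 scales and multiplied into a Risk Priority Number (RPN):

    RPN = severity * occurrence * detection

Items at or above a threshold get a mitigation and are re-scored.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class FailureMode:
    supplier: str
    mode: str
    severity: int    # 1..10: effect on the line if it happens (10 = full stop)
    occurrence: int  # 1..10: likelihood over the planning horizon
    detection: int   # 1..10: 10 = we only find out when the line stops

    def __post_init__(self):
        for name in ("severity", "occurrence", "detection"):
            v = getattr(self, name)
            if not isinstance(v, int) or not 1 <= v <= 10:
                raise ValueError(f"{name} must be an integer in 1..10, got {v!r}")

    @property
    def rpn(self) -> int:
        return self.severity * self.occurrence * self.detection


def rank(modes, threshold=200):
    """Sort failure modes by RPN (highest first); flag those at/above threshold."""
    ordered = sorted(modes, key=lambda m: m.rpn, reverse=True)
    return [(m, m.rpn, m.rpn >= threshold) for m in ordered]


def critical_suppliers(modes, threshold=200):
    """Suppliers with any flagged mode: candidates for buffer stock or a second source."""
    return sorted({m.supplier for m, _, flagged in rank(modes, threshold) if flagged})


def mitigate(mode, **new_ratings):
    """Return the mode re-scored after a control changes one or more ratings.

    replace() re-runs validation, so an out-of-range new rating is rejected.
    """
    return replace(mode, **new_ratings)


# Constructed sample: hypothetical suppliers, ratings chosen for illustration.
SAMPLE = [
    FailureMode("PlasticsCo", "ransomware takes down order/EDI systems", 9, 4, 7),
    FailureMode("PlasticsCo", "fire at the single moulding plant", 9, 2, 3),
    FailureMode("WheelCo", "ransomware takes down order/EDI systems", 7, 4, 7),
    FailureMode("SteelCo", "haulier strike delays deliveries", 5, 5, 2),
]

if __name__ == "__main__":
    for m, rpn, flagged in rank(SAMPLE):
        print(f"{'!' if flagged else ' '} {rpn:4d}  {m.supplier:<11} {m.mode}")
    print("critical:", critical_suppliers(SAMPLE))
    # Contractual incident reporting plus monitoring of the supplier's EDI link
    # turns a late surprise into an early warning: detection 7 -> 3.
    before = SAMPLE[0]
    after = mitigate(before, detection=3)
    print(f"PlasticsCo ransomware RPN {before.rpn} -> {after.rpn}")
```

Note what the re-scoring shows: the mitigation that is actually within the buyer's reach (earlier detection) lowers the RPN without changing severity or occurrence at all, which is why audit programmes such as the one jcims describes spend so much effort on visibility into suppliers rather than on trying to make the supplier unhackable.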
| ISL wrote:
| Multiple JIT steering-wheel manufacturers?
| stickfigure wrote:
| Warehousing parts adds "fire at the warehouse" risk. You could
| have redundant warehouses, sure, but at some point you have to
| decide how much expense and operational complexity you're
| willing to tolerate to remove more 9s of risk.
___________________________________________________________________
(page generated 2022-02-28 23:02 UTC)