50% of automotive manufacturers are susceptible to a ransomware attack, Black Kite data finds

Nearly half of the top 100 automotive manufacturers are highly susceptible to a ransomware attack, and over 17 percent of automotive suppliers are likely to incur a ransomware attack, according to Black Kite data on ransomware trends in the automotive supply chain.

The research carried out by Black Kite also disclosed that patch management is the most prevalent vulnerability for automotive companies, with 71 percent having “F” or “poor” ratings, and 71 percent of automotive CIOs indicating that they are most likely to enhance investments in cyber and information security this year.

Boston, Massachusetts-based Black KIte provides standards-based cyber risk assessments that analyze the supply chain’s cybersecurity posture. For its latest report, Black Kite analyzed the cybersecurity posture and ransomware susceptibility of the top 100 automotive manufacturers and the top 100 automotive suppliers. The researchers conducted a detailed study around the automotive supply chains to identify common security issues, as well as the likelihood of a ransomware attack.

The Black Kite’s Ransomware Susceptibility Index (RSI) determines how susceptible a company and its third parties are to a ransomware attack. Data is collected from various open-source intelligence (OSINT) sources including internet-wide scanners, hacker forums, and the deep/dark web. Black Kite correlates each finding with 26 control items using data and machine learning in order to provide approximations. Black Kite’s RSI scores range on a scale from 0.0 (least susceptible) to 1.0 (most susceptible). A low RSI score, however, does not necessarily mean a company is immune to a ransomware attack. 

Cybercriminals, especially state-backed actors, may use zero-day vulnerabilities and craft sophisticated attacks, which a security automation tool may not detect or predict.

Black Kite data showed that on average, automotive manufacturing companies reflect a “C+”, or “average”, overall cyber risk rating. However, there are alarming security issues that lie underneath the surface including companies’ susceptibility to phishing attacks, publicly visible ports, and credential management. 

Beneath the surface, credential management and patch management rank the lowest of the 19 cyber risk categories, with respective “F” ratings. Based on Black Kite’s prioritized technical heat map, 46 percent of the 100 companies have “F” grades in credential management, and 71 percent have “F” grades patch management.

Aside from reducing the risk of ransomware, fixing software and application vulnerabilities susceptible to a cyber attack is the key to reducing an organization’s security risk, Black Kite said. Most malware attacks, particularly those that leverage ransomware, exploit vulnerabilities in servers and software applications. In fact, software vulnerabilities were a common ransomware attack vector, used one in five times over the last three years.

Ransomware threat actors have shifted their focus to supply chains in recent years and are now more likely to prey on small companies and their vendors, such as original equipment manufacturers (OEM). While the average RSI of automotive suppliers is lower than the companies themselves, parent organizations should maintain similar, if not more, focus on protecting their vendor ecosystems.

Black Kite data revealed that over 17 percent of automotive suppliers are above the critical threshold, indicating high susceptibility to a ransomware attack. At present, most malware, ransomware in particular, exploits vulnerabilities in servers and software applications. Among the attack vectors used by the top three ransomware variants are Sodinokibi, Conti, and Lockbit, as software vulnerabilities continue to dominate various attack vectors.

To uncover the factors leading to ransomware susceptibility, Black Kite researchers drilled down even further into the technical findings of the supplier group. The average automotive vendor reflects a “C-” rating or “below average” rating, which is consistent with the company ratings, indicating present critical security issues. 

Credential management and patch management ranked again among the lowest-scored categories, receiving a “C” and “C-“, respectively, according to Black KIte. Based on Black Kite’s prioritized technical heat map, 63 percent of the 100 vendors received an “F” grade in credential management, and 67 percent received “F” grades patch management.

In February, Kia Motors America (KMA) confirmed that it experienced a systems outage, but said at the time that it has seen no evidence of having suffered a ransomware attack. The car manufacturer apologized to customers for an extended systems outage, which Kia Motors affirmed it was working to resolve at the earliest with minimal disruption to the business.

In addition to Black Kite data, a recent Gartner survey also disclosed that 71 percent of automotive CIOs also indicate they are most likely to increase investments in cyber and information security this year, compared to 2020. This sweeping response follows an uptick in ransomware attacks, especially headlines including legacy automotive companies. It also recognized how CIOs in the automotive industry are trying to optimize and modernize their organization, reacting to industry changes and those in the broader manufacturing environment. 

Earlier this year, Orignix identified in a blog post that with the increased proliferation of smart devices and sensors in the automotive industry, connected vehicles are becoming more prone to cyberattacks. The digitalization of crucial vehicle components and growing adoption of IT/OT convergence in the automotive industry introduces many new challenges, in addition to bringing about various benefits, it added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.