• 11/10/2025
  • it-sa News

Preventing and managing cyber disasters

The severity of the impact of cyber attacks was recently demonstrated at car manufacturer Jaguar Land Rover. To counter this, resilience and functional business continuity management are required. Exciting presentations during it-sa showed how AI can help with such problems and what role the supply chain can play in this.

Written by Uwe Sievers

At the end of August, British car manufacturer Jaguar Land Rover (JLR) was hacked. Production at three British plants was then halted for weeks. The damage is estimated to amount to several billion British pounds, and data was also stolen. JLR's roughly 33,000 employees produce around 1,000 cars per day; many of them have now been sent home. The situation also took a dramatic turn for suppliers, many of whom had to temporarily lay off employees, with some facing insolvency. After five weeks, the cyberattack took on a political dimension: the scale of the incident led the British Parliament to address the matter. It was estimated that a good 200,000 jobs were at risk at the car manufacturer and its suppliers. The British government then decided to step in with a £1.5 billion state credit guarantee to save the jobs. Production only resumed at the beginning of October, albeit with major restrictions. Experts estimated that it would be several more weeks before the company could return to normal operations. According to a BBC report, the effects are expected to last for around six months.

Beyond the security deficiencies that helped the attackers succeed, this dramatic cyberattack reveals several further problems, above all deficiencies in business continuity management (BCM) and dependencies in the supply chain. These topics are among the top issues at this year's it-sa and were addressed in numerous discussion panels and presentations. Further presentations on the topic of BCM can be found on the it-sa website.


Resilience against serious cyber attacks

First and foremost is the topic of resilience, i.e. resistance to disruptions and external influences. It describes the ability of a system not to fail completely in the event of disruptions and failures, as it did at Jaguar Land Rover. Greater resilience is intended to prevent failures like this from having catastrophic consequences. This can be achieved, for example, through redundancy, whereby one IT system takes over if another fails.

But resilience goes further: "Resilience is certainly the basic prerequisite for being able to act independently. In other words, I remain capable of acting, even under the influence of attacks or threats," was the message at an event organised by the IT Security Specialist Group of the German Federal Association of IT SMEs (BITMi) during the three-day trade fair. You can watch the presentation on the it-sa website. This corresponds to digital sovereignty, which was discussed in the last article on this year's it-sa. Representatives of the expert group believe that digital sovereignty leads to greater resilience, as it offers opportunities to choose between different providers, making it easier to compensate for the failure of one provider. Further information can be found in the latest newsletter article on the it-sa website.

But when resilience has to be achieved through redundancy, it becomes expensive. That is why comprehensive emergency preparedness, i.e. business continuity management (BCM), remains important in order to effectively manage incidents such as the one described at the beginning. Silke Menzel from security specialist HiScout emphasised in her presentation on this topic that the key point here is to prioritise time-critical processes. In addition, there are contingency plans, the establishment of emergency teams and a crisis management team. But all this is only useful if exercises are carried out to ensure that plans and teams actually work. "If you're importing a backup for the first time in an emergency, you've got a problem. If you have to look up your boss's number in an emergency because you don't have it, you've also got a problem. So you have to practise," warns Uwe Klapproth. He is head of the Operational Cyber Security – Situation and CERT department at the German Federal Office for Information Security (BSI). It is not without reason that exercises are considered a fundamental component of functional BCM. Klapproth warns that many companies have stated that they are extremely well prepared. But when you take a closer look, this is often not really the case. Further information can be found on the it-sa website.


Supply chain vulnerability: a gateway for attacks

Contingency plans should also take the supply chain into account, as it is a key factor in a company's resilience. Klapproth sees a clear need for action here: the further down the supply chain you go, the more vulnerabilities are revealed. Attackers often find it easy to locate the weakest link, establish themselves there and cause damage from that point.

Criminal groups adapt very quickly to changes in the supply chain. Florian Hartmann, Senior Sales Engineer at CrowdStrike, reported how attacker groups are increasingly turning their attention to Software-as-a-Service (SaaS), i.e. cloud-based services. You can view the entire presentation on the it-sa website. "Attacks go where the data is. When we consider how many companies today use Salesforce, Workday and many, many other applications," he said, numerous problematic scenarios become apparent. "This means that the trend from on-premises to cloud to SaaS applications, which companies are following, is also being adopted by attacker groups, who naturally go where the customer data is," said Hartmann. It is therefore not surprising that two major attacks on Salesforce made headlines in September.

In addition, security managers and CISOs are under a lot of pressure today, according to Michael Schröder, Head of Product Marketing at ESET in Germany. Regulatory requirements, staff shortages and technological overload create a problem situation that offers little room for manoeuvre. He described the situation as "overwhelmed by complexity". You can find the recording on the it-sa website.

Kevin Ott from NVISIO agrees and adds that supply chain attacks are highly complex and difficult to detect. This can make them particularly devastating, especially because attackers are already inside the network and can operate from there. His SANS team has therefore developed a method for "red teams" to simulate such attacks during security tests. You can watch the entire talk on the it-sa website.


Using artificial intelligence to combat increasing complexity

AI can be used to efficiently combat the challenges posed by excessive complexity. Vectra has been doing this since 2011. However, in his article, Christoph Riese, SE Director at Vectra, emphasises that classic anomaly detection – the standard application area for AI – is no longer sufficient today. "AI is part of the modern attacker's arsenal," he explained. Further information can be found on the it-sa website.

Criminals use AI to generate so much different traffic on the network that their own sophisticated attacks are lost in the mix. That is why Vectra has specialised in analysing the behaviour of attackers. Michael Veit, Technology Evangelist at Sophos, describes what this attacker behaviour looks like. He says that there is now malware that comes with its own AI. One named "Prompt.log" independently checks infected systems to see how it can spread further across the network. You can view the entire presentation on the it-sa website.

But AI systems can themselves become targets of attacks, as Marco Di Filippo, Senior Cyber Security Engineer at Whitelisthackers, demonstrates. He impressively shows how AI language models can be tricked into bypassing built-in protection mechanisms and made to deliver results that should not actually be output, such as malicious code. The ubiquitous presence of AI is also reflected in numerous other presentations. These include its use in SOCs for better filtering of messages and alarms, and for vulnerability detection in vulnerability management.

Further sessions from this year's it-sa Expo&Congress are available on the it-sa 365 digital platform.