Learning from the Bridgestone Ransomware Attack | #ransomware | #hacking | #aihp

Summary

On May 17, 2023, Accenture Operation: Next ‘23 OT Cybersecurity Summit discussed prioritizing protection, defense and resilience. Of particular interest was the discussion on the ransomware attack on Bridgestone Americas.

Jim Guinn, senior managing director and cybersecurity leader at Accenture introduced the discussion titled, “What We Learned from our Ransomware Attack.” The discussion elaborated on the February 2022 ransomware attack on Bridgestone Americas and what organizations can learn from this incident to implement change and strengthen their own security measures.

Tom Corridon, CISO at Bridgestone, and Rob Boyce, global lead, cyber resilience Accenture discussed the attack and how, moving forward, the industry can benefit from lessons learned from the incident, how the event is shaping priorities, and what is being done to support change. Corridon was the interim CISO when the global tire manufacturer was hit by a ransomware event.

Guinn explained that Bridgestone took facilities offline out of an abundance of caution. He said that Corridon shared his thoughts on what to do after an attack and advice on how to prepare executives for the rapid decision-making required when navigating an event such as this.

Corridon learned the importance of having a plan and knowing what your approach is going to be. He advised doing tabletop exercises ahead of time so that you’re not caught flatfooted in an incident. “[Organizations must] know how and who needs to make decisions and who has those decision rights,” he said.

“Money and resources are important things,” Corridon said. “But I think the silver lining and the opportunity to take advantage of is awareness because the whole organization has gone through an event, and they’re prepared for organizational change management. They’re prepared to adopt changes that would’ve been much more difficult to convince, taken years to enable perhaps, while in the incident—or right after an incident—is a prime opportunity to really make people aware because it just happened, and they have a real relevance to the moment.”

“A lot of that is cultural change,” said Boyce. “People are the weakest link in the security chain; it’s almost at two different levels. There’s a general population of user awareness and there’s the executive level of security awareness to really drive support for the program.”

“In an incident, the executives have a front seat to the action, so they walk away with a better understanding of terms they never wanted to understand or wanted to know,” agreed Corridon. “Making it personal—not with a stick of constantly reminding people of a nightmare that they went through—but keeping it relevant and top of mind and making it relatable to their day-to-day has been key in messaging to those below the executive suite down to the individual contributor. It just takes one individual making one bad decision and all of a sudden, you’re in a complete crisis.”

Corridon said that organizations need to capitalize on organizational change management to take advantage of an incident while it’s fresh in peoples mind and the taste is still in people’s mouths about what happened to really lean into organizational change management—things that might have taken months or even years to implement. People are going to be much more open minded to leaning into changes that are needed to improve the security posture right after an incident.

“Disaster recovery (DR) needs to be part of that change management process so that you’re constantly updating your DR plans based on how your environment is changing,” Corridon said. “That’s an obvious one. I also do think that thinking through immutable backups and prioritizing your most critical assets, what are you going to need bare minimum to keep your business running, to keep realizing revenue? And how do you tier those in a tier zero and ensure backups are air gapped or immutable? Those are some of the really important lessons.”

Key takeaways, lessons learned

The Bridgestone incident spurred more investment in security, but everyone can benefit greatly from the opportunity of awareness.

• Have a solid incident response plan. Know what your approach is going to be and who has decision rights.
• Have a strong communications plan. If you don’t have a plan, the narrative gets written for you.
• Conduct tabletop exercises ahead of time so you’re not caught flatfooted in an incident.
• Increase awareness. When it comes to security, humans are the weakest link. Following an incident, executives are certainly more aware. For everyone else, you must make the incident relatable to their day-to-day life.
• Change mindset. Organizations need to think of a cyber event as not being an information technology (IT) or security incident, but rather a crime against the company.
• Understand your value chain. To accelerate your recovery time, you need to work simultaneously across your entire value chain.

Looking ahead

Due to an abundance of caution, often facilities may be taken offline to protect from an attack getting into operational technology (OT) environments. “The reality is,” said Guinn, “if you can’t see it, you can’t protect it. And if you don’t know you have it, you can’t see it. Some of the most important things we can do is understand how our IT and enterprise infrastructure communicates with our OT enterprise infrastructure and how they come together.”