"If that happened and it took [an automaker] offline and they had to make the decision — 'Well, do we pay a $5 million ransom to get our systems back, or do we have the procedures in place to be able to restore our systems?' — it becomes a very complicated business decision that no CEO really wants to face," said Bob Maley, Black Kite's chief security officer.
An estimated 71 percent of automotive chief information officers indicated they will ramp up cybersecurity and information security investments in 2021, according to the report.
Notably, Black Kite found several automakers do poorly when it comes to patch management, or sending out and applying updates to software. The report indicated 71 percent of the automotive companies it surveyed have an "F" rating in that area.
"[Bad actors] will look for older servers, and then they'll explore to see, 'Are there vulnerabilities there?'" Maley said.
And 46 percent of the surveyed companies get an "F" when it comes to managing credentials, or the information employees use to log in to a system, according to the report.
In fact, a single compromised password is what allowed hackers to access and hold hostage the networks of Colonial Pipeline Co. in May. That ransomware attack led the company to take several of its systems offline and temporarily shut down its petroleum pipeline, the largest in the U.S.
Additional ransomware attacks would deal even more damage to an automotive sector still in recovery from the COVID-19 pandemic and grappling with inventory shortages.
"Suffering ransomware attacks at the current moment will add [the] proverbial 'insult to injury' for many automakers, and would at the very least severely hamper their efforts at a return to normalcy," National Cyber Security Alliance Director Kelvin Coleman told Automotive News in an email.
Fraud follows money, Coleman said, which is why cyberattackers went after large automakers such as Honda in 2020 and reportedly Kia and Hyundai in February.
"However, small automakers may also be a target, as they do not have the resources of larger automakers to put into cybersecurity," Coleman said. "Big or small, any automaker is at risk of being hacked at some point or another — bad actors understand that the automotive industry is one of the leading sectors in digitization and automation, making it a prime target."
Per Black Kite's report, 91 percent of automotive companies have at least one high-severity vulnerability because of out-of-date systems and 90 percent are susceptible to phishing attacks.
Approximately 84 percent also have publicly visible critical ports, or communication endpoints where hackers can upload ransomware kits.