Businesses and organisations around the world are all going digital. This is a natural evolution, as digitisation brings with it incredible benefits that can increase efficiency and save time. However, such convenience does come at some risk. Cyber crime is a very real threat and many organisations are still not fully prepared to counter it.

As many might know by now, Mitsubishi Electric, one of the world’s biggest manufacturers of electronics and electrical products, revealed that it was hacked, and that it found out last year, in June 2019. Personal and corporate data may have been compromised, but Mitsubishi confirmed that there was no breach of sensitive data on defence, electric power, railroad, confidential technical data, important client information and other information on critical infrastructure.

Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group, shares his thoughts on the incident.

The following commentary is attributed to Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group

As of 2020, essentially every business is a software business in some way, shape, or form. As such, software is critical infrastructure. It is an attractive target for attackers and many organisations have valuable information that must be protected. Software also serves as the foundation for other critical infrastructure, such as utilities, transportation, and healthcare. In these cases the stakes are even higher. Using a structured approach to minimising risk means less danger for the organisation and its customers.

Cyber security cannot be effectively managed with a one-time effort, but must be woven into the fabric of each organisation. A comprehensive security initiative includes three related efforts. First, organisations must control the supply chain of acquired software. Every piece of software presents some risk that must be evaluated and managed. Second, the security of software produced by the organisation must be managed using a secure development life cycle. Finally, an incident response plan ensures that the organisation can minimise damage when cyber attacks happen.
