Data security tops the agenda of many CIOs. Lax handling of information security can threaten companies’ technological edge – and drivers’ safety. In a discussion with automotiveIT, professional hacker and data security consultant Felix “FX” Lindner and Sandro Gaycken, a security researcher at the Free University in Berlin, talk about risks to the auto industry. Some of their biggest concerns: the security of digital product information, construction plans and factory operating instructions; the absence of in-house expertise in many companies; and the weak security standards of networked vehicles.
automotiveIT: Gentlemen, how do you assess the security situation in German industrial companies?
Lindner: Security cannot be assessed based on black-and-white categories. There are numerous threat levels between “I am at risk” and “I am secure” that you can and must handle very differently. I think the security situation for problems of private users is relatively stable – here everything functions mostly as it should. The situation appears to be different for companies: They are increasingly putting themselves in an uncomfortable position by outsourcing critical infrastructure to cloud providers. By trying to save on short-term IT costs, CIOs have handed themselves long-term strategic problems that can only be solved with difficulty. And targeted economic espionage is the area where their protections are the least adequate. This doesn’t simply involve infecting as many computers as possible, but rather tapping into key know-how in selected systems digitally. Most companies do not even realize that they have been hacked. The data in question are not suddenly missing. They are just copied.
Does this apply to the auto industry as well?
Gaycken: We know from the intelligence services that it is not just digital product information that is at risk. It is increasingly construction plans and operating instructions for entire factories – all the way to the last screw and the associated organizational structure. If the information on “fine-tuning” gets into the wrong hands, the technological edge of a high-technology center like Germany can quickly be lost. While the construction of complex manufacturing facilities formerly took up to five years, now they can be built in three to four months. Whatever can be copied is in fact copied. It is possible to verify official programs in about 120 countries. Each of these countries can offset the offensive deficits in its economic development. The economically weaker countries are especially interested.
Lindner: The auto industry is certainly one of the sectors predestined for this. Automakers and suppliers are extensively networked with one another and distributed work is the rule rather than the exception. In addition, development data and design drawings must be generally available everywhere at any time. This form of work organization allows criminal projects to run over a relatively long time without being discovered. The number of internal threats is also considerable but it varies from industry to industry. But there are no solid figures supporting the report that employees within a company are responsible for 70 percent of all security incidents.
Experts assume that targeted hacker attacks cause billions in damage every year. Do you believe that the majority of CIOs and IT managers are technically capable of taking sensible and appropriate protective measures?
Gaycken: Companies now have basic protection well in hand. And the regulation side increasingly exercises a positive pressure – just think about the requests for appropriate security certificates or about fines imposed for negligence and violations. But protection against targeted attacks is another story entirely. Today there is an unbelievable amount of work to do in this area. There is hardly enough expertise at the moment. For a long time, security was a product that many CIOs purchased – mostly from large, well-known providers so that the decision seemed responsible to management. But such strategies increasingly come to naught. It is crucial for companies to build up their own security expertise, in the form of an appropriate task force, for example. These experts should know the infrastructure of the company and its facilities in detail, so they can correctly determine the extent of the security requirements, adapt security solutions precisely, and correctly evaluate and assess alarm messages.
Lindner: There are companies in every industry already working with these structures. And I know a successful auto industry example showing how each member of a management board was actively integrated into security activities long-term. With this close integration, security becomes a business enabler – and not a patch that is screwed on somewhere, somehow, and gets in everyone’s way. There are many well-trained young workers in IT departments and specialist fields who tackle the security issue with great enthusiasm. Companies should not let this potential lie dormant. They should actively put it to use. It takes time, but an investment in a chief information security officer and appropriate internal organization pays off.
But why aren’t most automakers and their suppliers dealing appropriately with the matter?
Lindner: Because they feel greater pressure to act in other areas. Companies don’t do anything as long as they are unaware of their security problems. They begin to take action when incidents become public and are documented. That is a pattern that we have already seen in many targeted attacks. The security infrastructure does not have to be rebuilt weekly, but it should be flexible and be able to adjust to new circumstances. There is nothing worse than offering a standing target. That is just inviting someone to make an attempt and see if it works.
Does it make sense to encrypt more information?
Lindner: Not if I would like to work with it – and companies do have to store information to do that. An important first step is to classify data. Even well-meaning employees cannot assess how carefully they have to handle information they see in their workplace on a daily basis. For example, can a page containing production statistics on the Intranet be printed out and taken home or not? As long as the data are not neatly classified, no one can say how bad it is if the information goes missing.
German federal authorities warn that criminals follow the user’s patterns of use.
Gaycken: Security authorities can make as many rules as they want – it won’t do them any good – as long as top executives cannot be seen without their iPhone in their colleagues’ circles, and members of parliament pull out their iPad even during confidential meetings.
Lindner: All the more so since the cost to hackers is kept within manageable limits. To get at the information in cases like this, it is often enough to merely look for the Apple ID password – and just sit back and let notes and calendar entries download from the cloud.
Let’s take a look at product-related IT. How bad is the situation there?
Gaycken: The more the electronics are embedded in an industrial product, the greater the risk of manipulation. In my view, the engineers in the auto industry who create control units and software for vehicles still do not have a well-developed awareness of how important IT security is to their work. The same applies directly to the world of production facilities. For 30 years, this was supposedly a closed world – until Stuxnet showed what targeted attacks could do to infrastructure. The security issue has played no role in the conception phase of all the so-called smart versions that exist in our world and society. You can see the results.
Would you get into a networked vehicle?
Lindner: Yes, but only to play with it, not to drive it. You could compare the security standard for car IT today with that of university networks in the 1980s: There is none. Nothing keeps hackers from doing what they want. Even sensible innovations such as tire pressure monitoring show weak points because the information reaches the vehicle via a wireless protocol. If you know how it works, you can use this kind of interface to directly access the CAN bus, the central control unit of every automobile. No one is thinking about security in product design either. For example, in one of its sedan models, one automaker led the CAN bus into the exterior mirrors so that they could be easily adjusted from the center console. But the same network controls the door lock/unlock and engine on/off functions. Thieves only have to kick away an exterior mirror and connect a computer to the cable – and the car is stolen: without breaking in a window, without scratches on the door lock.
Do you have any recommendations to eliminate such “misuse” in the future?
Lindner: Quite easily. Stop linking things together as a matter of course. There is no good reason for the engine control to have to communicate with the entertainment system. In the current state of affairs, it is still possible to de-network this kind of car IT. The more the value chain progresses, the more difficult it will become. Automakers that buy and install entire systems cannot possibly judge the components’ level of security.
Gaycken: Automakers should give careful consideration to which parts of the products they want to network. For quite some time, it has not made sense to network just because it’s possible. Each entry into a large network is a potential security risk that must be appropriately evaluated. One thing is clear: the current experience with critical infrastructure such as power plants, energy companies, and electric and transportation networks will reach the automobile in a few years. Political leaders will take a very close look at vehicle security and provide appropriate regulation.
Interview by Ralf Bretting and Hilmar Dunker