
Ensuring the supply chain is cost-friendly — and protected

According to a survey conducted by Purdue University and the Center for Education and Research in Information Assurance and Security (CERIAS) in association with McAfee, as much as $1 trillion of intellectual property is stolen by cybercriminals each year.

Is that figure not enough to suggest that an out-of-sight, out-of-mind treatment of security, sacrificed in favor of cost-cutting, could prove far more costly for the automotive industry in the long run?

The automotive industry relies heavily on its secure and reliable communications for key business operations, such as supply chain management via electronic data interchange (EDI), computer aided design (CAD), computer aided engineering (CAE), and product data management (PDM).

One could say that the systems and data that enable these communications are the lifeblood of the automotive supply chain, and potentially of the automotive industry as a whole. Make a poor decision that affects the supply chain's ability to move, and the results could be globally catastrophic. Yet as the industry struggles to operate more efficiently with fewer expenses, these collaboration and document exchange services become a large and natural target for cost-cutting.

In an attempt to formally find ways to cut the costs of providing these services, the Automotive Industry Action Group (AIAG) established a committee in late 2010 to bring together global industry representatives with the goal of identifying cost-effective alternatives to dedicated private collaboration networks. This committee recently met with other global industry representatives at the "Collaborative Supply Chain Data Network Connectivity" event held in Southfield, Mich.

It should come as no surprise that the topic of cost-cutting ran hot through most of the sessions and conversations during the event.

Unfortunately, the focus on savings, and the accompanying discussion of adopting new technologies as a way to reduce costs, appeared to push the topics of security and reliability to the side.

With the suggested move to the public internet, the industry could indeed save some money through lower technology and service acquisition costs. However, that decision could come at the expense of stolen trade secrets, reduced supply chain productivity, and even increased operational overhead.

As described by McAfee in its 2011 report, "Underground Economies: Intellectual Capital and Sensitive Corporate Data Now the Latest Cybercrime Currency," the globalization and commoditization of IT have driven businesses to store increasing amounts of valuable corporate data in the cloud. As this shift has taken place, cybercriminals have discovered new ways to target that data, both from inside and outside the organization. More pointedly, in 2010 alone the U.S. Secret Service handled cybercrime violations totaling over $500 million in actual fraud loss.

One such case of theft occurred when Hyundai Capital admitted that the personal information of nearly a quarter of its 1.8 million customers had been stolen. Roughly 420,000 people were affected by the unauthorized access to Hyundai's customer database in a successful hacking attack.

Maybe of more interest to readers here is the top theme captured in the 2011 Symantec "Internet Security Threat Report": targeted attacks. The report highlights a targeted attack named Hydraq (a.k.a. Aurora), malware designed specifically to steal data, and more precisely to steal intellectual property from major corporations. Given the attention that this threat received in the media, most IT security professionals likely have their eyes open and their security measures tuned to combat this specific attack.

But Symantec expects the attackers to modify their wares by investing in more advanced rootkits, and to employ these more sophisticated malware capabilities in new targeted attacks in the future.

Therefore, as alternative methods for collaboration are explored, OEMs (original equipment manufacturers) and suppliers must use the reports and data available to them, such as those referenced here, to properly assess the situation and make informed decisions about performance, reliability, and security as they relate to cost. The industry should not take lightly the task of finding the right balance of cost versus functionality versus risk.

Two firms very familiar with this space, ANX in the United States and ENX in Europe, have described two key areas within the automotive data exchange environment which represent the core of the automotive supply chain collaboration space: engineering data and electronic data interchange (EDI), split at 80 and 20 percent, respectively.

During interviews with both firms, each described that, in the engineering collaboration space, 80 to 90 percent of the risk exposed is associated with the loss and theft of design and other engineering documents, such as highly sensitive computer-aided design drawings.

The firms also expect that 70 to 80 percent of the risk exposed in the EDI space is associated with delayed or failed order transactions. A significant failure within a just-in-time manufacturing process could take down an entire production line.

While cost is certainly a factor, the price of the service becomes a non-issue if the low-cost alternative introduces weakened security measures, unacceptable reliability, and inadequate performance. If the communications don't flow, aren't quick enough, are vulnerable to attack and introduce the risk of sensitive data being leaked or stolen, it won't matter how little the service costs.

In an effort to help suppliers make an informed decision, captured below are some of the primary concerns associated with the secure and reliable exchange of intellectual property and EDI communications. The information is presented in the form of questions to ask the service provider before making tradeoffs based primarily on cost.

  1. Can the service substantially reduce the complexity, errors, and overhead of setting up multiple secure OEM communications?
  2. Can the service provide a one-call setup and configuration process with always-on, end-to-end communications across multiple countries, languages, and internet service providers?
  3. Can the service provider protect against unauthorized access to, and loss of, highly sensitive information such as engineering designs and documents?
  4. Can the service provider properly protect against breaches and denial-of-service attacks such that they can guarantee an end-to-end service without disruption to critical just-in-time EDI transactions?

The automotive industry will undoubtedly continue to rely heavily on its supply chain communications. With increased pressure to establish and maintain a respectable bottom line, it is only natural that OEMs and suppliers must also find efficient, durable, and cost-effective ways to work together.

The steps taken toward these goals, however, should not introduce risk to the reliability, integrity, or security of supply chain operations.

Don't let $1 trillion in theft prove you wrong. Ask questions. Verify answers. Choose wisely.

Sean Martin is a CISSP and founder of imsmartin consulting. He can be reached at [email protected].
