IT Security: Not Optional - Brief Article
Automotive Manufacturing & Production, April, 2001 by Martin Piszczalski
Computer security is the most dangerously neglected issue in today's rapidly changing auto-industry landscape. Never has the industry been exposed in so many ways. At the same time, awareness among general management is low. The industry faces unprecedented, major risks in part because it has embraced the Internet so wholeheartedly. Only by continuously reassessing a firm's exposure, revisiting and revamping its security policies, and adding new preventive measures can a firm operate safely today.
Almost no one in the auto industry understands the full breadth of computer security concerns. These include:
* Keeping the "bad guys out"
* Denial of service
* Protection of a firm's intellectual and proprietary information
* Protection of your trading partner/service partner's intellectual and proprietary information.
Keeping hackers out, for instance, is just one of the many threats a firm must face. Denial of service (DOS)--such as through the "Love Bug" virus--dramatizes how easy it is to bring down critical business systems.
Loss of highly proprietary information can be the most damaging. For instance, Chrysler Corp. believed in the 1990s that a competitor had misappropriated its innovative cab-forward truck design. That cost it hundreds of millions of dollars in lost profits, it contends. Also, with greater sharing of trading-partner information, an inadvertent leak of customer-owned information can permanently kill a business relationship--or worse.
Security matters are far graver today than 10 years ago. This is due to sweeping changes both in the auto industry and in the information technologies it uses. Massive outsourcing by the original equipment manufacturers (OEMs) of components, assemblies, engineering services, etc., is far more prevalent than ever. This outsourcing, in turn, has led to far more confidential information flowing between trading partners.
The vast majority of this new information exchange is now across the Internet. This is often done via non-secured, e-mail attachments. Prior to the Internet, security was far less of a problem. The older media of paper documents (such as blueprints), faxes, phone conversations, U.S. mail, and electronic data interchange (EDI) posed far less of a security risk than Internet-based communications.
Furthermore, computers handling this Internet traffic are on the critical path of more automotive business operations than ever. Among them are product development, supplier-relationship management, and warranty/legal. Taking down one of these computers can disrupt or stop multiple business processes. The cost can be tens of thousands of dollars per hour in denial-of-service outages.
End-to-end communication across the Internet spreads even highly sensitive information (e.g., vehicle styling, pricing information, etc.) across a dozen or more servers, desktop computers, and routers. Each of these components, often maintained or operated by an assortment of service providers, introduces multiple points and classes of vulnerabilities.
Furthermore, security companies and their products and services are hardly household names to many information systems (IS) departments, much less among executives in the auto industry. These firms include Checkpoint (for authentication), Verisign (for digital certificates), SAIC (secure networks), and Probix (content protection).
In addition, this constellation of equipment and service vendors is constantly evolving. Hence, even if the end-to-end link was secure six months ago, it may not be so today. An example is shifting responsibility to a vendor for a task (e.g., digital certificates) that had previously been done in-house. Each such change can introduce new vulnerabilities.
The technical complexity of the Internet's infrastructure makes it hard for even seasoned IS professionals to understand and anticipate all the major areas of vulnerability. Furthermore, IS departments are swamped by end-user demands that rarely focus specifically on security deliverables. These other end-user-mandated projects always get priority, so critical security projects may never be undertaken.
Also, bare-bones IS departments often wishfully believe that their strategic IT vendors will somehow protect them against any and all vulnerabilities. This is never the case. Lastly, IS managers fully aware of security exposures may be hesitant to bring this touchy topic up to a superior who is uncomfortable with IT in general. For instance, a plant manager may simply be looking for an excuse to kill a major e-business initiative and use security vulnerabilities as a showstopper.
Another common mistake is to believe that by deploying one (or more) of the following security-related measures, one has a prophylactic against all security threats. These include firewalls, passwords, tokens, SSL, IPsec, ANX, PKI, authentication, VPNs, and proxy servers. There is too little space to explain what these terms mean, but none come even close to guaranteeing information and system security when used in isolation.


