Supplier cyber risk concerns auto industry

Dive Brief:

  • In a new study by Synopsys and SAE International, 73% of respondents expressed concern about the cybersecurity of third-party providers, yet only 44% said their organization imposes cybersecurity requirements for products from upstream providers.
  • Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices also found 30% of organizations don’t have an established cybersecurity program or team, and 63% test less than half of the automotive technology they develop for security vulnerabilities.
  • “This study underscores the need for a fundamental shift — one that addresses cybersecurity holistically across the systems development lifecycle and throughout the automotive supply chain,” Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group, said in the release.

Dive Insight:

The automotive supply chain is long and complex. A break in the chain at a small, tier 3, single-part producer can be disastrous.

There are plenty of portals and opportunities for “bad guys” to breach security. According to the EY Global Information Security Survey 2018-19, 1.95 billion records containing personal information and other sensitive data were compromised between January 2017 and March 2018, and 550 million phishing emails were sent out by a single campaign during the first quarter of 2018. The average cost of a data breach last year, EY reported, was $3.62 million.

Opportunities do exist for automotive supply chains to protect themselves. One organization, the 3,000-member Automotive Industry Action Group (AIAG), last year released the Cyber Security 3rd Party Information Security publication to support industry efforts to protect sensitive data by outlining a unified set of cybersecurity guidelines for automotive trading partners.

Its strategies are based on industry best practices and standards. The National Institute of Standards and Technology (NIST) helped create the document. Also participating were security leaders from General Motors, Ford, Honda and Fiat-Chrysler, with additional input from Toyota, Nissan, Caterpillar, Bosch, Continental and Magna International.

The guide covers such areas as access controls, data encryption, vulnerability management, security audits of suppliers/third parties, data retention and disposal and security investigations. Along with this framework, each original equipment manufacturer (OEM) can take additional measures to increase security of its suppliers and their supply chains.

“Over the course of the past 25 years, we have seen a remarkable shift in enterprise value from tangible to intangible assets. Data is the new currency,” J. Scot Sharland, executive director of AIAG, said when the publication was announced. “As such, more effective command and control of data has become an enterprise risk management priority.”

07 February 2019 | Barry Hochfelder | Supply Chain Dive

The Just-Revealed Pentagon Supply Chain Security Drive Has Both Sensible And Dubious Aspects

The Washington Post revealed today that the Pentagon was “rethinking its multibillion-dollar relationship with U.S. defense contractors to stress supply chain security.” That is, Defense would make its decision on awarding contracts not just on the traditional criteria of cost and performance. Now, security assessments, like how well the supply chain is protected from foreign intrusion, would also be a decision criterion.

In some respects, the new security drive makes sense. In buying American weapon systems, the Secretary of Defense Mattis’s Pentagon may have been contracting at the system level with American vendors. But, the American vendors assemble their systems from subsystems and components, depending on suppliers further down the supply chain. At some level, there may be components from China and other security risks.

Defense firms are increasingly vulnerable to data breaches. Earlier this year, China allegedly stole sensitive information related to undersea warfare. And, DoD decided last year to ban software made by the Russian firm Kaspersky Lab.

On the other hand, there are risks in what Defense has in mind. One is simply excessively high prices. High security may well be worthwhile for many weapons systems. But, there may be many items that do not make up integral parts of a system needing the highest security, just like all communications do not have the highest level of classification. Under the new Defense policy, large contractors willing to establish a high-priced “gold standard” could beat out, in award competitions, competitors offering a much better price – even if only a fraction of the cost difference actually concerned security and security of this particular item was not so key.

Another risk is to small business. Small business may be used to buying components at market prices in the ordinary commercial world. It may be inevitable that such small businesses get squeezed out of some contracting for security reasons. But, there may be many items that do not make up integral parts of a system needing the highest security. Large businesses could invoke the security criterion to take awards away from small business.

Moreover, look under the hood of the new security luxury vehicle and one finds some very startling proposals. This defense policy came from a report by a think tank, the MITRE Corporation. One of its strong incentives is a group of “Supply Chain Tax Proposals.” In a sweeping proposal, MITRE says “[t]ax incentives are a powerful and effective tool to shape corporate behavior . . . . Tax credits, subsidies, new market incentives, and capital gains rewards are some of the potential ways to make supply chain security investment and deployments profitable.”

This takes defense spending, and potential defense waste, to a new level. The bids by would-be contractors would now considerably understate what the government would pay them. A whole new layer of non-transparency would becloud defense contractor payoffs.

One eye-catching tax incentive is the “Capital Gains Tax Incentive.” MITRE explains, “This tax incentive would reward shareholders with a lower capital gains tax on the sale of assets on corporations that had voluntarily adopted certified and well-recognized supply chain security . . . .” So, MITRE says “shareholders would have an economic incentive to pressure boards of directors to adopt state-of-the-art security measures.”

The new security program would pay off not merely the upper-level percentage of stock owners; it is the upper-upper percentage, the richest, who pay close attention to the capital gains treatment of their stock. (Keep in mind that middle-class stockholders typically hold their stock in tax-shielded retirement accounts, and would not be attentive to the nuances of capital gains treatment.)

Proposals to increase the security of defense contracting are an idea whose time has come. I support the idea. But, one should go into it with eyes open.

13 August 2018 | Charles Tiefer | Forbes

Cyberattacks targeting the software supply chain nearly double

Dive Brief:

  • Infiltration of the software supply chain is one of the most potentially disruptive threats to the critical infrastructure sector. Foreign intelligence services from China, Russia and Iran are the leading sources of cyberthreats targeting economic espionage, according to the 2018 Foreign Economic Espionage in Cyberspace report.
  • Seven significant software supply chain attacks were reported in 2017, compared to only four between 2014 and 2016. Mitigation costs for FedEx and Maersk — victims of the Not Petya, also known as Nyetya, cyberattack last year — were approximately $300 million for each company.
  • Next-generation technologies such as artificial intelligence (AI) and the Internet of Things (IoT) will introduce new attack vectors for which U.S. networks are not prepared.

Dive Insight:

Foreign and economic industrial espionage represent a continuing threat to American business and the country’s security. Foreign nations and terrorist groups target U.S. companies as well as research institutions and universities to uncover technology, intellectual property, trade secrets and proprietary information.

Threat actors, including those working on behalf of foreign intelligence services, corrupt the software supply chain, adding malware such as backdoors that allow unauthorized access to networks where information is stored. The goal, according to the report, is to “achieve a range of potential effects to include cyber espionage, organizational disruption, or demonstrable financial impact.”

Companies that use the corrupted software could fall victim to ransomware attacks, lose valuable proprietary information and be subject to disruptive activities that could leave them defenseless against state-sponsored competitors.

Regulations in China and Russia force U.S. companies to use local resources, which means government agencies have access to proprietary information and intellectual property. For instance, foreign companies operating in China must store their data within the country and get government permission to move data outside the country. In Russia, the Federal Security Service (FSB) conducts computer code reviews of foreign technology being sold inside the country.

As more data are generated with IoT devices and managed on the cloud, supply chain managers must understand the vulnerabilities of both emerging and legacy technology.

30 July 2018 | Gary Wollenhaupt | Supply Chain Dive

Public cloud security: 4 myths and realities

Let’s break down some lingering misunderstandings about public and hybrid cloud security

When the tech hype machine kicks into high gear, seasoned IT leaders know the drill: Expect all manner of jargon-laden pitches, misunderstandings, and downright myths to follow. Consider cloud computing as Exhibits A through Z. Cloud had a heck of a run in the hype cycle, and for great reason: It’s nothing short of a significant shift in IT.

Cloud is now well past hype at this point, of course, and living comfortably in the mainstream. But that doesn’t mean it left all the myths back on shore, especially when it comes to security, especially public cloud security.

We figured it was high time to revisit some of the big, lingering misunderstandings around public cloud security – some of which certainly extend to private or hybrid cloud environments, too, not to mention IT security in general.

We asked several cloud security experts to help us rewrite the myths as realities. Here’s what they had to say.

Myth 1: Public cloud is inherently insecure

Let’s dispense with this one quickly, shall we? This is a phase of actual cloud history that has since been mythologized. Does public cloud have different considerations than a traditional datacenter? Sure thing. Does that mean public cloud is automatically less secure? No.

“When public cloud was new, there were valid concerns as the technology was unproven, but this is no longer the case,” says Laurence Pitt, global security strategy director at Juniper Networks. “Modern cloud computing started in the 1990s, meaning providers have many years of experience providing data and application access, ensuring rights management, strong governance, and systems monitoring.”

Of course, not all providers are equal – more on that in a moment. But Pitt uncloaks the great prevailing cloud boogeyman here: That public cloud is in and of itself a massive security threat.

Reality: Public cloud security is often better than your old on-premises security

In fact, for some companies, leveraging the size and scale of some cloud vendors might actually be a part of a more efficient overall security strategy, especially if they’re strapped for budget or simply, like so many IT leaders, having a difficult time finding the right cybersecurity skills for their teams.

As Red Hat technology evangelist Gordon Haff recently noted, you’re likely worrying too much about security process at that public cloud provider. “The nature of public clouds is that they approach security using specialized staff, automated processes, and discipline (which is not to say that enterprises don’t, but it’s by no means a given),” he writes. (See the full article: Public cloud security: Follow the Goldilocks principle.)

Myth 2: There’s a single thing called “public cloud”

Ask George Gerchow, CSO at Sumo Logic, for his prevailing public cloud myths, and he’ll give you one – by pointing out that the topic is too broad.

“This question needs to be broken down further to differentiate single tenant versus multi-tenant versus managed service in a public cloud,” Gerchow says.

Indeed, we tend to lump together a whole bunch of stuff – from software to infrastructure to development platforms, basically anything you can attach the ubiquitous “as-a-Service” (-aaS) acronym to – under a giant umbrella of “public cloud.”

For one company, “public cloud” might mean multiple infrastructure environments spread across multiple vendors, integrated with private cloud and/or on-premises infrastructure as part of a robust hybrid cloud portfolio. For another company, “public cloud” might simply mean they use Google Apps or Office 365.

This leads to generalizations about public cloud security that tend to be off-target.

Gerchow, for example, sees a key misunderstanding when digging into more specific categories of public cloud: “There is a huge misconception that single-tenant cloud deployments are more secure than multi-tenant,” he says.

Reality: Public cloud types, and their security considerations, can vary significantly.

Gerchow’s point is well-taken: It’s a mistake to think of public cloud security as a homogeneous issue.

It would similarly be a mistake to view all public cloud environments as one and the same from a security standpoint. You must draw distinctions between the specific type of cloud environment, the data you’re moving there, and so forth as part of any public cloud strategy. Moreover, different organizations have different needs and concerns around security, compliance, governance, SLAs, and more; you know those needs better than anyone.

Again, to think of “public cloud” as some big, leaky environment just waiting to get hacked is to miss the opportunities cloud presents. And these days, it’s a misnomer.

“Public cloud providers spend an inordinate amount of resources on making sure security is initially a core part of the architecture as well as keeping their networks and services hardened,” says Mike Kail, CTO and co-founder at CYBRIC.

In that same vein, IT leaders must understand the environments they’re using. You should be digging in to your public cloud providers with the same level of diligence as you would into your own datacenter. (And if, in the latter case, you’re not paying particularly close attention – well, that probably means your whole security profile needs an audit.)

As SAS CISO Brian Wilson told us recently, cloud security in general – and perhaps especially in public clouds – requires a deep understanding of your providers’ capabilities and how those map to your particular needs. (It may be that a multi-cloud strategy will be necessary to meet your various requirements.) In Wilson’s case, for example, any provider who can’t deliver federation with SAML is a non-starter.

Myth 3: Cloud security is too complex to maintain

Here’s a particularly persistent myth: Cloud security is too complex for most organizations to effectively grasp.

The amusing part of this myth? It suggests that securing your on-premises network or datacenter has ever been simple. You know the saying: If it were easy, everyone would be doing it? If IT security was ever easy, why does it have such a consistently recurring and, um, colorful history of breaches?

In fact, the perception of proximity to on-premises infrastructure – while much more than mere perception in many cases – might actually lull IT pros into an unearned sense of safety.

“Just because you can ‘see’ the servers and storage doesn’t mean that proper security controls are in place,” CYBRIC’s Kail says. “The mega-breaches have occurred because of a lack of proper security hygiene and processes, not because of location.”

Reality: Hybrid cloud security requires new models and processes

What’s true is that your old ways of doing things won’t cut it when you move workloads to a public cloud. That just gets more true if you’re securing a hybrid cloud architecture, or pursuing a multi-cloud strategy that utilizes two or more cloud services from two or more different platforms.

“Cloud security is a new paradigm that is software-defined and not dependent upon well-defined network perimeters,” Kail says. “This is not complex to implement or maintain — it requires a new way of thinking and culture.”

For Kail, that culture is DevOps. Organizations that want to put a finer point on security are increasingly embracing its younger sibling, DevSecOps, which quite literally accords security the same status as the other major pieces of the software pipeline.

Myth 4: Public cloud security is the vendor’s problem

A common selling point of public cloud, in particular, has been that it affords organizations the kinds of compute power, scalability, and flexibility that would be otherwise out of reach (for reasons of cost, skill sets, aging infrastructure, and more.)

It’s true that a tiny startup can essentially stand up an enterprise-quality infrastructure overnight. The appeal is straightforward: Someone else has already done the heavy lifting for you; you don’t need to buy a single server, much less build out an entire datacenter, unless doing so is a part of your broader IT strategy.

This doesn’t absolve you of risk, however; it’s still your data, your applications. You should certainly be selecting public cloud vendors that invest heavily in security and related areas according to your needs. Just don’t take a checkbox approach to your evaluation and then assume your work is done.

Reality: Public cloud security still ultimately starts and stops with the CIO

“Cloud providers have the software-defined constructs and APIs in-place for customers to leverage, and cloud security needs to ultimately be the responsibility of the customer,” Kail says.

That doesn’t mean your public cloud vendors can’t help. As Kail noted, any cloud provider worth a darn is continuously investing in the security of its platforms, and they can do so at global scale.

As we’ve noted previously in this space, you can turn the outsized security fear that once commonly stood in the way of cloud adoption into an opportunity to retool lax or outdated security practices.

Gerchow offers some quick fundamentals for public cloud, in particular.

“Everything in [a] public cloud [environment] should be encrypted with daily key rotation,” he advises. “Public cloud also opens the door to the usage of single sign-on and multi-factor authentication.”

This gets back to the earlier advice from Brian Wilson, the SAS CISO: If you prioritize technologies and practices like these, make sure your potential providers can support those requirements. Don’t take “encryption” at face value, for example. How do they support key management?
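The two questions above, what “daily key rotation” actually costs and what “key management” means in practice, are easiest to answer with envelope encryption: every object is encrypted under its own data encryption key (DEK), and only the DEK is wrapped under a versioned key-encryption key (KEK). Rotating the KEK then re-wraps small DEKs rather than re-encrypting every object, and the key ring must keep an old KEK version until nothing is wrapped under it any more. The following is an added illustration written for this page, not code from the article or from any of the vendors quoted in it. To run with the Python standard library alone it uses an HMAC-SHA256 stand-in cipher (counter-mode keystream plus an authentication tag); a production system would use a vetted AEAD such as AES-256-GCM behind a KMS or HSM, which is exactly the capability the article tells you to ask a provider about.

```python
"""Envelope encryption with a rotating, versioned KEK (added example, not from the article)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC subkeys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for a real block cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time before decrypting; raise on tampering or wrong key."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


@dataclass
class Envelope:
    kek_version: int    # which KEK version wrapped the DEK
    wrapped_dek: bytes  # the object's DEK, sealed under that KEK
    ciphertext: bytes   # the object itself, sealed under the DEK


class KeyRing:
    """Versioned KEKs. Rotation adds a version; old versions stay until retired safely."""

    def __init__(self) -> None:
        self.keks: Dict[int, bytes] = {1: secrets.token_bytes(32)}
        self.current = 1

    def rotate(self) -> int:
        """Daily (or on-demand) rotation: mint a new KEK and make it current."""
        self.current += 1
        self.keks[self.current] = secrets.token_bytes(32)
        return self.current

    def retire(self, version: int, store: "EnvelopeStore") -> bool:
        """Delete a KEK only if it is not current and no stored object still depends on it."""
        if version == self.current or any(e.kek_version == version for e in store.objects.values()):
            return False
        del self.keks[version]
        return True


class EnvelopeStore:
    """Stores objects as envelopes; the bulk ciphertext never changes on rotation."""

    def __init__(self, ring: KeyRing) -> None:
        self.ring = ring
        self.objects: Dict[str, Envelope] = {}

    def put(self, name: str, plaintext: bytes) -> Envelope:
        dek = secrets.token_bytes(32)  # fresh DEK per object
        kek = self.ring.keks[self.ring.current]
        env = Envelope(self.ring.current, seal(kek, dek), seal(dek, plaintext))
        self.objects[name] = env
        return env

    def get(self, name: str) -> bytes:
        env = self.objects[name]
        dek = unseal(self.ring.keks[env.kek_version], env.wrapped_dek)
        return unseal(dek, env.ciphertext)

    def rewrap_all(self) -> int:
        """After rotation: re-wrap each DEK under the current KEK, leaving ciphertext untouched."""
        rewrapped = 0
        for env in self.objects.values():
            if env.kek_version != self.ring.current:
                dek = unseal(self.ring.keks[env.kek_version], env.wrapped_dek)
                env.wrapped_dek = seal(self.ring.keks[self.ring.current], dek)
                env.kek_version = self.ring.current
                rewrapped += 1
        return rewrapped
```

The sequence to picture is `put` today, `rotate` tomorrow, `rewrap_all`, and only then `retire` yesterday’s KEK; `retire` refuses while any envelope still references the old version. That refusal is the check a provider’s key management has to make for you, and the article’s advice to ask how a provider supports key management is really asking whether rotation, re-wrap and retirement are handled this carefully.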

If you don’t like the answer, then you’ve arrived at another cloud security reality: Find providers and platforms that actually meet your needs.

28 March 2018 | Kevin Casey | The Enterpriser’s Project