The Mt. Gox Bitcoin disaster and the need for innovation in the finance industry

05.03.2014 by Martin Kuppinger

A few days ago, the Tokyo-based Bitcoin exchange Mt. Gox appeared to be in trouble. When I looked at their website on Friday morning, I only found meaningless announcements: they are “working very hard to find a solution to our recent issues”. Looking at the situation realistically, chances are high that the owners of the Bitcoins have lost a significant part, if not all, of their money. Just a few hours later, the news spread that Mt. Gox had gone bankrupt. While it is still unclear what exactly happened and what will happen now with the Bitcoins and Mt. Gox, this sheds light on the concept of Bitcoin. Bitcoins were claimed to be absolutely safe. However, when you cannot use them but instead lose your “money”, this obviously is not the case.

There are good reasons for having trusted parties in the Finance Industry. Despite all the turmoil that industry went through in recent years, and also back in the Great Recession and at other times, the concept has worked relatively well.

On the other hand, the initial success of the Bitcoin currency also demonstrated that there might be a need for other concepts, aside from traditional currencies and the way financial transactions are handled. Even if the concept of Bitcoin turns out to have been the wrong answer, that discussion will continue. Aside from requiring a trustworthy provider and exchange infrastructure, there are other questions to answer. One is about security, given the increasing number of attacks. Overall, there is a strong trend towards crypto-currencies. We will see a lot of evolution, we most likely will see failures and disasters, but it is not likely that crypto-currencies disappear again.

It will be interesting to observe how the Finance Industry reacts to that pressure. While Bitcoin is the most prominent topic these days, PayPal and other new players in the mobile and online payment market are probably the bigger challenge to the Finance Industry. PayPal in fact is a new type of Financial Institution: a bank that knows how to provide APIs and how to interact with other players, how to support supply chains, and how to find the balance between security and customer convenience.

On the other hand, Financial Institutions are still trusted when it comes to money. They know how to do security. The challenge is how to make the banking business fit for the changing landscape of the Computing Troika (Cloud Computing, Mobile Computing, and Social Computing) and enable banks to provide their proven services in a world of consumerized IT. It is about API-enabling that industry.

However, that is more of a technical perspective. In fact, it is about moving banking IT to a level that allows Financial Institutions to leverage their strengths while becoming agile enough to compete with new players in the market. There is strong potential for trusted Financial Institutions to do so. However, that requires banks to look closely at API Management and Security, BYOI (Bring Your Own Identity), and trust and privacy concepts such as Life Management Platforms.

EIC 2014 will dive into this topic in the Finance Industry Roundtable on the “Future Model of Banking”. Discuss and learn how to enable business agility by doing the things right in IT.

I personally believe that classical financial institutions have strong potential in the future Finance business, despite Bitcoin and other concepts. I also believe in regulation. There is a good reason for regulation in the Finance industry. Having such regulations in place might have avoided the situation Mt. Gox and Bitcoin are in today. That is where the established Finance Industry comes into play: making crypto-currency more secure by providing professional services that comply with the regulations. Regulations will come for that field, and then the Finance Industry has an advantage again, if it is agile enough to support these new models by then.

Clearly, you might argue that the main value of crypto-currency is not having a regulated and safe method of payment but one that is not traceable. It was Silk Road that brought Bitcoin to prominence. The question is whether there is a need for crypto-currency aside from the dark side of the Internet. I think so, with crypto-currencies being the “cash” of the Internet: no transaction fees, no fees for exchanging into other currencies. There is potential value in using that type of currency.

However, regulation and anonymity do not necessarily exclude each other. Take the analog world as an example: cash lets me buy whatever I like anonymously, but the place where I deposit my cash (the bank) is regulated. Banks should be clever enough to bring the trust that is created by regulation to the crypto-currency world.

Posted in Security | 2 comments

The NIST Cybersecurity Framework for Critical Infrastructures

14.02.2014 by Martin Kuppinger

NIST (the US National Institute of Standards and Technology) has now released the final version of their Cybersecurity Framework for Critical Infrastructures. As requested, this is not a set of new regulations or fundamentally new concepts for security, but, to quote my colleague Prof. Dr. Sachar Paulus, a “well-written summary document incorporating different approaches (lifecycle views, maturity views, communication aspects, risk posture analysis…) that helps getting an operational grasp on the necessary activities, and therefore well-suited as a guideline or education piece for technicians / practitioners. It is by no means sufficient (nor meant) to replace an ISMS (Information Security Management System). So: good that it exists, but in essence nothing new.”

However, it is very likely that it will lead, in consequence, to new regulations. Sector-specific agencies are obliged to engage in a consultative process with various governmental agencies to determine whether current regulations are sufficient for the critical infrastructure sectors, and the likely outcome of that process is new regulation.

When looking at the framework and its Appendix A, it becomes obvious that there is nothing really new in it. That leads to a simple piece of advice: follow common good practices and standards such as ISO 27001:2013 and COBIT 5. If there is a need for new regulations in the future, it will be because too many organizations in critical infrastructures do not follow established good practices.

Security Advice for Industrial Control Systems

03.12.2013 by Martin Kuppinger

Last week, the German BSI (Bundesamt für Sicherheit in der Informationstechnik, the Federal Office for Information Security) published a document named “ICS-Security-Kompendium”. ICS stands for Industrial Control Systems. This is the first comprehensive advisory document the BSI has published on this topic. The BSI puts specific emphasis on two facts:

  • ICS are widely used in critical infrastructures, e.g. utilities, transport, traffic control, etc.
  • ICS are increasingly connected – there is no “air gap” anymore for many of these systems

It is definitely worth having a look at the document, because it provides an in-depth analysis of security risks, best practices for securing such infrastructures, and a methodology for ICS audits. Furthermore, it has a chapter on upcoming trends such as the impact of the IoT (Internet of Things), the so-called “Industry 4.0”, and Cloud architectures in industrial environments. Industry 4.0 stands for the fourth industrial revolution, in which factories organize themselves: the factory of the future.

As much as I appreciate such a publication, it lacks, from my perspective, a view of two further areas that are tightly connected to ICS security:

  • Aside from the ICS systems, there is a lot more IT in manufacturing environments that frequently is not in the scope of the corporate IT Security and Information Security departments. Besides attacks on such systems, for instance in the area of PLM/PDM (Product Lifecycle/Data Management), there are standard PCs that might serve as entry points for attacks.
  • This directly leads to the second aspect: it is not only about technical security, but about re-thinking the organizational approach to Information Security in all areas within an organization, i.e. a holistic view of all IT and information. Separating ICS and manufacturing IT from the “business IT” does not make sense.

The latter becomes clear when looking at new business cases such as the connected vehicle, smart metering, or simply the remote control of HVAC (heating, ventilation, and air conditioning) and other systems in households (or industry). All of these are new business cases that connect both sides of IT.

Also have a look at our KuppingerCole research on these issues, such as the KuppingerCole report on critical infrastructures in the finance industry (not about ICS) and the KuppingerCole report on managing risks to critical infrastructure.

What happened recently in Security?

05.08.2013 by Martin Kuppinger

When looking at recent security news, there is one predominant theme: the NSA surveillance disclosures by Edward Snowden. There is some other news, but little “breaking news”. We might count the news about the SIM card flaw; however, this seems to be less severe in reality than it was reported at first.

I will not comment much on the NSA issue. Both Dave Kearns and I have touched on this topic, here and here. There are a lot of political discussions going on, with some accusing others of not telling the (whole) truth about what they knew. Interestingly, here in Germany the opposition is accusing the current government, even though they were in government some years ago and thus well aware of what has been going on at least since 2001. Clearly, this is not a topic for election campaigns, and at least until now, it does not seem to be working out as such for the current opposition.

In addition, the reaction of Apple, Google, Microsoft and others did not surprise me. They are asking the US government to allow the disclosure of more information about when they were required to provide information to the NSA. That fits what I have said from the very beginning: the entire thing is a business challenge, especially for US Cloud providers. Thus, they will create (some) political pressure. On the other hand, as long as there are no real alternatives to US-based Cloud services, not much will change. Maybe the shift from on-premise to the Cloud will slow down. However, over time the commotion will fizzle out.

Facebook usage in schools

Another news item that did not gain much attention is from Baden-Württemberg, the southwestern part of Germany where I live. The government of Baden-Württemberg has forbidden the use of Facebook for communication between teachers and their pupils. In some schools, Facebook has been used to communicate about homework and results. However, this communication might include privacy-relevant content. In addition, using Facebook as a mandatory communication tool would force pupils into this social network. Thus, according to the order of the government of Baden-Württemberg (and in accordance with German privacy regulations), it is not allowed. As I’ve mentioned, there has been little public discussion about that: either the use has been rather limited or the decision has been widely accepted.

Teaching computer science in schools?

When talking about schools, there has been another news item. The German BITMi (Bundesverband IT-Mittelstand e.V.), the association of medium-sized IT businesses, demands that computer science become a required subject in German schools, starting rather early. Currently, it is optional in many schools and regions, and taught as a separate subject only in a few grades, mainly the higher ones. However, it is an integral part of several courses in virtually all schools. Recently, Hamburg decided to reduce the time spent on computer science.

There is some discussion about whether pupils really need to learn coding, which is part of Informatics as a separate subject, while the integrated part focuses more on core competencies in using computers, the Internet, word processors, spreadsheets, etc. I think this can be discussed. However, I’d like to see some thorough education on IT security in schools, so that pupils understand this critical subject far better than they typically do today.

How to mitigate risks of industrial espionage in Cloud Computing

17.07.2013 by Martin Kuppinger

Last week I did a webinar on the recent news about secret/intelligence services such as the NSA and their activities, e.g. PRISM and others. This is not really news, but the broad and intense public discussion about it is new. In that context, many organizations have raised the question of whether they can still rely on Cloud Computing or whether they would be better off stopping their Cloud initiatives. Businesses raise this question especially with regard to the risk of industrial espionage in the Cloud, something that is not proven, but appears to be a risk from the perspective of many businesses.

The main points I made are that

  • there is a risk in Cloud Computing, but we should not underestimate the risks of attacks against on-premise environments;
  • encryption across the entire information lifecycle is a key element in information security especially for Cloud Computing;
  • businesses need to understand the information risks to decide about what to put in the Cloud and what not, but also to evaluate the protection requirements for different information.

The entire webinar has been recorded and is available for replay. It is in German.

The attendees raised a large number of questions that I could not fully answer in the remaining time at the end of the webinar. Thus, I want to address some of these questions now.

Are there specific Cloud encryption algorithms, how secure are they, and are they already in use?

One question was about encryption approaches for Cloud Computing and their security. In fact, there are several proven strong encryption methods out there, and most of the algorithms have been published. Clearly, there is a risk of backdoors in the implementations; however, this should not be overestimated. Backdoors that are not easily available to the surveillants are not of interest to them.

There are no specific algorithms for the Cloud, which makes sense for two reasons. One is that several well-established and proven encryption methods are already available. The other is that there is no sense in doing IT separately for on-premise and the Cloud, given that most environments are hybrid.

So it is all about applying existing encryption methods and algorithms, although the solutions vary and range from secure email and transport security such as TLS to encrypted folders or simply encrypted files that are held on Cloud services.

Are there encryption approaches where the encryption is managed by the Cloud Service Provider, but all keys are on-premise at the customer?

The simple answer here is: no. To perform the encryption, the CSP needs access to the key, so it cannot manage the encryption without that access. Once it has the key, it potentially can store it or pass it to someone else. What does work is the reverse: the customer encrypts on-premise and the CSP only ever stores ciphertext.

How do we know that S/MIME implementations of vendors do not contain backdoors for the NSA, for instance via “key escrow”?

We do not know, for “closed source” software. However, unless the vendor has access to the keys, there cannot be any key escrow. Thus, that risk applies to Cloud Services where keys are stored at the CSP. As long as the keys are managed on-premise, it does not work. One caveat: keeping keys on-premise removes the escrow risk at the provider, not the need to trust the client software, since a backdoored S/MIME client could still leak key material on its own, for instance by silently encrypting every message to an additional recipient.
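To make the key-control argument of the last two answers concrete, here is an added illustration written for this page; it is example code, not a product or API of any vendor or CSP. It models the two ways an encrypted file can end up at a Cloud service: encryption managed by the CSP, where the CSP necessarily holds the key and can therefore read the data on demand, versus encryption done on-premise, where the CSP stores only ciphertext and recovers nothing on its own. The `CloudProvider` class, the `server_side_model` and `client_side_model` functions and the sample document are assumptions made for the illustration. The cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag, chosen only so that the example runs on the Python standard library alone; in practice you would use AES-GCM or another vetted authenticated cipher.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 output length


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive separate encryption and MAC keys from one 32-byte master key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF in counter mode: block i = HMAC(enc_key, nonce || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(master, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Verify the tag first; raise ValueError on a wrong key or a tampered blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(master, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class CloudProvider:
    """Hypothetical CSP. It stores whatever it is given; in the server-side
    model it also generates and keeps the per-object key."""

    def __init__(self) -> None:
        self.blobs: Dict[str, bytes] = {}
        self.keys: Dict[str, bytes] = {}

    # "Encryption managed by the CSP": the key has to live at the CSP.
    def upload_plaintext(self, name: str, data: bytes) -> None:
        key = self.keys.setdefault(name, secrets.token_bytes(32))
        self.blobs[name] = encrypt(key, data)

    def download_plaintext(self, name: str) -> bytes:
        return decrypt(self.keys[name], self.blobs[name])

    # Client-side encryption: the CSP only ever sees opaque bytes.
    def upload_blob(self, name: str, blob: bytes) -> None:
        self.blobs[name] = blob

    def download_blob(self, name: str) -> bytes:
        return self.blobs[name]

    def insider_read(self, name: str) -> Optional[bytes]:
        """What a curious or compelled provider can recover on its own."""
        key = self.keys.get(name)
        return decrypt(key, self.blobs[name]) if key is not None else None


def server_side_model(document: bytes) -> Tuple[bytes, Optional[bytes]]:
    csp = CloudProvider()
    csp.upload_plaintext("report", document)
    return csp.download_plaintext("report"), csp.insider_read("report")


def client_side_model(document: bytes) -> Tuple[bytes, Optional[bytes]]:
    on_prem_key = secrets.token_bytes(32)  # never leaves the customer
    csp = CloudProvider()
    csp.upload_blob("report", encrypt(on_prem_key, document))
    return decrypt(on_prem_key, csp.download_blob("report")), csp.insider_read("report")


if __name__ == "__main__":
    doc = b"Q3 pricing strategy - confidential"  # constructed sample document
    print("server-side:", server_side_model(doc))  # second element: CSP reads the document
    print("client-side:", client_side_model(doc))  # second element: CSP recovers nothing
```

Both models give the customer the same round trip; the difference is entirely in the second return value, which is what the provider (or anyone who compels it) can obtain from its own storage. The tag check in `decrypt` is also why a provider or an intermediary cannot silently alter client-encrypted files: a flipped byte or a foreign key fails authentication instead of yielding garbage.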

How can I automatically support employees in my organization to better protect tools such as Chatter or Microsoft SharePoint? These tools are rather unprotected by default. Can I use them at all in the manufacturing industry?

As with any tools, both on-premise and Cloud, decisions about procurement and implementation should take security into account. The use of Cloud tools favored by the business might require mitigating controls to deal with information risk in an appropriate way. More information on this is available in the replay of this webinar.

In general, organizations should implement the concept of Information Stewardship. You will find extensive information on that concept on our website and in the EIC presentations and videos.

I would not say that these tools cannot be used at all. However, it is important to understand what information is stored or communicated using these tools and to configure them accordingly, or to restrict their use. Thus, it requires a thorough understanding of information classification and risk, and well-defined policies, before these tools are used.

Isn’t there a risk in using encryption technologies to bypass security?

Clearly, there is some risk. S/MIME or PGP might be used to forward information to unauthorized recipients. It comes as no surprise that the Tor network is frequently used for illegal purposes. This is about finding the right balance.

How can I enforce confidentiality for internal communication?

Technically, many approaches for digitally signing email and documents are available, as well as encryption. Lotus Notes/Domino is one of the systems that has supported this for many, many years. S/MIME is a standard that supports this for email. Enterprise Rights Management technologies such as Microsoft RMS (Rights Management Services) can do that for documents. So there are various approaches available, and many of them are rather mature. Thus, it is about re-evaluating the information risks and identifying an adequate set of technologies to help mitigate these risks, based on well-defined policies.

It is not a question of technology availability. It is a question of setting the organizational framework (Information Stewardship) and investing in security. With all the new incidents – and this goes beyond nation-state attacks and suspected industrial espionage to all the cyber-attacks of today – the equation changes. The risk is far higher today, thus investing in information security is increasingly an economic imperative for businesses.

What about article 10 of the German constitution?

The German constitution (“Grundgesetz”) states on one hand that the privacy of correspondence, posts, and telecommunications is inviolable. On the other hand, the second part of Article 10 states that the law may allow exceptions, especially for protecting the free democratic order or the security of the German state. That gives the government some freedom, so we should not be too surprised if we learn in future about the activities of the German intelligence services.

Interestingly, one of the participants pointed back to the cover story of the German news magazine “Der Spiegel” from week 8 of 1989. That story was about Echelon and talked about the fact that industrial espionage was already happening. However, there was little attention to that story back then. Things have changed now.

Still, as I have said in the webinar: there is not that much news, and there are even less proven facts. Companies should just assume that their information is at risk and act accordingly, both in on-premise environments and the Cloud.

If you need our advice on that, just contact my colleagues and listen to upcoming KuppingerCole webinars on that topic.

What happened recently in Security?

25.06.2013 by Martin Kuppinger

The big topic clearly is what Edward Snowden unveiled: the PRISM program and some other nation-state activities on the Internet. In fact, this did not really come as a surprise. There have been discussions and rumors about such activities (and others) for many, many years. Maybe it helps drive forward risk- and information-centric security concepts and end-to-end security instead of investing in point solutions. I will cover that topic in another blog post soon.

Facebook again struggles with privacy

However, besides PRISM etc. there have been various other security-related incidents and news. Facebook inadvertently shared email addresses and phone numbers of 6 million users with other members. That also comes as no surprise, given that Facebook has always been brilliant at weak security and privacy architectures and implementations.

Google under regulatory pressure – again

Google sees itself confronted with new pressure from regulators. The U.K. ICO (Information Commissioner’s Office) has placed a legal requirement on Google to delete any data the company still holds from its Street View snooping.

In addition, the French regulator CNIL (Commission nationale de l’informatique et des libertés) ordered Google to change its privacy policies. Unfortunately, the fines are ridiculously low, starting at 150,000 €. Obviously, the plans of the EU to massively increase the potential fines and relate them to an organization’s annual revenue would put far more pressure on companies such as Google.

Old bugs appear again

Sometimes, security weaknesses appear to have a long lifetime. A bug that Adobe had fixed back in 2011 reappeared in the Adobe Flash plug-in for the Google Chrome browser. Adobe informed the public that Google is working on a patch for that bug.

And again plug-ins

Plug-ins in general appear to be a potential weakness when it comes to security. The German BSI, the Federal Office for Information Security, analyzed content management systems such as WordPress, Joomla!, TYPO3, etc. from a security perspective. Most identified security weaknesses are related to plug-ins and add-ons, sometimes up to 95%. Thus, you should be (even more) careful when you start extending such systems.

Besides these news items, there have been many others. One of the positive reports has been that Microsoft and the FBI recently shut down a massive Citadel botnet. A negative one has been another issue in the DNS system, where a human error led to the mis-routing of thousands of domains. Maybe it is time to start developing a successor to the stone-aged DNS system?

In general, the situation in security appears to remain rather unchanged. A lot of security bugs, incidents caused by human misbehavior, nation-state attacks and other activities, and the ongoing struggle around privacy, including some massive data leaks.

What happened recently in Security?

29.04.2013 by Martin Kuppinger

The number one issue of the past weeks is the LivingSocial hack, where attackers reportedly stole massive amounts of personal data, including names, email addresses, birthdates, and encrypted passwords. LivingSocial has confirmed an attack, but not the reported number of 50 million stolen records, which would be the vast majority of all LivingSocial users.

However, there still is relatively little information about the details. It is still unclear whether all non-Asian accounts are actually affected. (LivingSocial holds the Asian accounts on another server.) It is not publicly known how the passwords have been encrypted and thus it remains unclear to what extent the attackers might use them for subsequent attacks on other websites. Fortunately, it appears that the credit card information of the LivingSocial users is held in separate databases and is not affected by the attack.

Given that this sort of attack against large sites happens regularly, the question becomes what lessons are learned and what defenses should be taken. The lessons for the companies running such sites clearly are to invest in security, for both protection and monitoring. However, successful attacks will happen and, in contrast to some former incidents at other sites, LivingSocial at least encrypted the passwords and used a separate database for credit card information.

For the users, the answer is also straightforward: raise the bar for authentication. Reconsider using sites and services if they do not provide options for stronger authentication such as (good) 2FA approaches. Clearly, using different, hard-to-guess passwords is an option, but that is fairly inconvenient; my colleague Craig Burton once said that there is no such thing as a password muscle you can simply strengthen by training.

FIDO Alliance and Google

Another interesting bit of news is the uptake of the FIDO Alliance. Google now is also a member of this alliance and there is some chance that the FIDO Alliance might gain sufficient momentum to become a success. I will cover this in a separate upcoming blog post.

Reported number of attacks

During the past few weeks, several companies such as Symantec, IBM (X-Force Report), or Akamai have published their security reports on the observed number of attacks. I found two genuinely interesting aspects in these numbers. One is that the numbers are highly inconsistent. Some companies report massive increases in attacks, others some decrease, at least for certain types of attacks.

The other interesting finding is one in the Symantec Internet Security Threat Report 2013. The report says that the number of targeted attacks increased by 42 percent. This number stands for a shift towards industrial espionage, with small businesses being affected in 31 percent of those attacks. Targeted attacks differ from large-scale phishing attacks in that the attackers are looking for specific data or want to cause concrete harm to specific targets, instead of just trying to phish as much data as possible from rather anonymous victims.

Data Broker Acxiom to sell data back to real owners?

You may not have heard of Acxiom, a company that describes itself as an “enterprise data, analytics and software as a service company” that is “known worldwide for our marketing database and consumer data”. There was a report that Acxiom plans to introduce a service that allows individuals to see the information Acxiom holds about them. In Germany, such services are mandated by law. For instance Schufa, a company that provides information about creditworthiness, offers such a service. This is considered part of your fundamental rights, in that case the “right to informational self-determination”.

Making a business out of this is a somewhat strange thing from a European perspective. In fact, what Acxiom is said to plan is that people have to pay to learn about their data. The fundamental difference here obviously is whether “data about you” is “your data” per se or not.

Kill the heating – how smart infrastructures will not work at all

17.04.2013 by Martin Kuppinger

This week, I read an article (in German) about a severe security bug in heating systems provided by Vaillant, one of the larger manufacturers in that space. The issue was found in so-called nano block heating systems (small combined heat and power units) that are made for detached houses and duplex houses.

The units have an IP interface that allows both the vendor’s service technicians and the owner of the heating system to manage the device remotely. However, a security bug allows pretty much anyone to easily read, in clear text, the passwords of the owner, the technician (expert), and even the developer. In other words: attackers can easily gain full access and control all settings. That allows increasing the temperature of the outgoing water in summer, which can damage the heating element. It allows stopping the heating in winter, which could result in frost damage. There most likely are other types of damage an attacker can cause.

Even worse, these systems register with the vendor’s DynDNS (Dynamic DNS) service. That allows attackers to enumerate all systems simply by trial and error.

Vaillant has announced that they will inform the customers, update the software, which, despite the IP interface, requires a technician to visit each customer, and provide VPN communication for technicians.

This issue is a perfect example of what is happening these days in smart metering and other areas of “smart homes”. Vendors start adding IP interfaces, but they fail at security. In the entire segment of home automation, which is based on standards such as EIB/KNX, the understanding of security issues appears to be rather limited. Security is understood as “availability”, not as being secured against attackers. That is, by the way, true for other standards as well: most bus systems in manufacturing are not secure at all. EIB/KNX does not even have a security layer. These bus systems typically rely on simple broadcasting. Whoever has access to the bus has access to everything. Once you connect the bus to the Internet, things obviously become highly insecure.

The obvious solution for that is protecting the IP interface. However, as long as that is not done perfectly well, the problem remains. The entire manufacturing industry, but also the automotive industry and others that rely on rather primitive bus systems, have to fundamentally rethink their security approaches. Not doing so is wantonly negligent.

Smart infrastructures require smart security. Not having well-thought-out and well-implemented security approaches in place but relying on stone-aged security approaches for (sometimes) stone-aged bus systems puts us all at risk. There is a good reason for the massive potential of Stuxnet: it arises from opening up insecure environments, insecure by design, to the Internet, without appropriately changing the security approaches.

What happened recently in Security?

02.04.2013 by Martin Kuppinger

During the past few days, there have been at least two notable events in security. One was the attack on South Korean banks and TV networks. The other was the “Spamhaus incident”. I will talk about these two in more detail further down in this post.

Besides that, it was interesting to observe that iOS and OS X seem to increasingly become the malware targets of choice. That is not surprising, however, since there are masses of iOS and OS X devices out there. Thus, the platform is far more attractive than in the past. Combined with the fact that Apple’s patch policy still is not convincing, this results in an increasing number of attacks. When I count the platform-related news of the past two weeks in my CNET RSS feed, 5 out of 6 articles were related to the two Apple operating systems. That just confirms what I have been saying for a long time: it is not so much about whether a platform is secure or insecure; it is about reaching a critical mass to become a target of choice for attackers. They will always find weaknesses, because complex systems never will be perfect. By the way: it would only be fair if the castigators of Microsoft Windows security from the past would act the same way now regarding Apple. Microsoft has learned a lesson. Has Apple already learned its lesson? I doubt that.

One other interesting news article was about Java updates. According to a new Websense report, 94% of endpoints running Java are vulnerable to at least one exploit. This shows that Java updates do not work well as of now. One of the issues clearly is that Java runs on a variety of devices. While updating PCs is straightforward, other devices, especially the ones where Java is deeply embedded, are hard to update, due to the lack of a simple, standardized approach for patching these devices. From my perspective, Oracle should concentrate on adding some sort of “patch support by design” capability to all future Java versions. While many people criticize the Microsoft Update concept, it is, from my perspective, by far the best approach currently in place across the entire industry.

South Korea vs. North Korea

Last week, some South Korean companies – TV broadcasters and banks – were hit by a massive cyber-attack run by a group that calls itself “Whois Team”. There were clear signs that the attack was part of the ongoing “cold war” between South Korea and North Korea, which currently is escalating again. Despite the fact that it is still unclear where the attack originated, I think that this is another indicator for the emerging risks of cyber-attacks in conflicts between nations.

The “Spamhaus incident”

Finally, a cyber-fight between Spamhaus, a spam-fighting organization, and a group of attackers even made it to the TV news over here in Germany and in other countries. This attack is reported to be the largest DDoS (Distributed Denial of Service) attack ever. It reportedly affected the whole Internet, especially in the U.K., Germany, and the Netherlands (Spamhaus is based in the Netherlands). There are two lessons we can learn from that. One is that the Internet, despite its distributed nature, is not immune to attacks. The second is that cyber-criminals obviously are well prepared to counter actions taken against them, having large botnets on hand to launch such DDoS attacks.

Physical Attacks on Critical Infrastructure

What I also found interesting were some articles about the Egyptian police arresting three men who tried to cut through cables for Internet connectivity owned by the Egypt Telecom network. Some days ago, other cables of the Seacom network, part of the Internet backbone connecting various countries under the Mediterranean Sea, were destroyed. From what was reported, the Egyptian police caught the divers in the act of trying to cut through the Egypt Telecom cables. I have not read anything about the motivation of these attackers. However, this clearly is another indicator of the massive risk for Critical Infrastructures these days.

Posted in Security | Comments Off

Do we really want an unsecured connected vehicle?

27.03.2013 by Martin Kuppinger

I read an interesting article about the future of vehicles and their connectivity in the Geo magazine, sort of the German counterpart to the National Geographic magazine. The article was well written; however, I did not find anything about security in it. This is not a new experience: most of the articles and discussions about the concept of connected vehicles and their integration into the smart grid (plus all the discussions about smart grids and smart infrastructures) are still security-agnostic.

Do we really want to drive unsecured connected vehicles? Do we really want to live in a smart but unsecured world? How smart will that world really be? I have blogged about this before. In these days of increasing cyber-attacks and of an increased understanding of the risks to critical infrastructures, agnosticism regarding security is not acceptable anymore.

The article discussed concepts like using electric vehicles as storage for electric power, a sort of large, distributed battery for buffering power from the large power networks. This is a great idea; however, thinking about the connectivity required for that, even just in the context of correct billing, shows that this is an interesting topic from both the security and the identity perspective.

At EIC 2012, we held a workshop on the topic of the connected vehicle. We had a very intense discussion there. We quickly identified a complex ecosystem of identities that need to share data. However, most data must be shared only between a few selected parties. There are the owner, the driver, the leasing company, the passengers, the garage, the insurance company, the vendor, and the manufacturer, to name just a few of the possible interested parties. Within the car there are components provided by many different manufacturers which might talk to others – or not. There are other cars, there are traffic management systems, there is the police, etc. Not to mention the utilities companies here… It is an extremely complex ecosystem.

Within that ecosystem, sharing of data must be very tightly managed. Some data might pass to the police only, while other data must not go there. However, that might differ from country to country. Some data is only relevant to the driver or the vendor; other data should be also available for the manufacturer.
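The tightly managed, party-specific and country-specific sharing described above is, in practice, a default-deny access policy over data categories. The following is an added illustration of that idea, not code from the post or from any vehicle manufacturer: the parties, data categories, the sample telemetry record and the per-country rules (including the "XX" jurisdiction) are constructed assumptions, and the point it makes is that anything not explicitly allowed for a party is withheld and every decision is recorded for audit.

```python
"""Least-privilege data sharing for a connected vehicle (added illustration).

Models the ecosystem the post describes: many parties, every data item
shared only with a few of them, and rules that differ per country.
Party names, data categories and country rules are constructed assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum


class Party(str, Enum):
    OWNER = "owner"
    DRIVER = "driver"
    LEASING = "leasing_company"
    GARAGE = "garage"
    INSURER = "insurance_company"
    MANUFACTURER = "manufacturer"
    POLICE = "police"
    UTILITY = "utility"


# Default allow-lists per data category: every party not listed is denied.
BASE_POLICY: dict[str, frozenset[Party]] = {
    "odometer":        frozenset({Party.OWNER, Party.DRIVER, Party.LEASING, Party.GARAGE}),
    "diagnostics":     frozenset({Party.DRIVER, Party.GARAGE, Party.MANUFACTURER}),
    "charging_kwh":    frozenset({Party.OWNER, Party.UTILITY}),
    "location_trace":  frozenset({Party.DRIVER}),
    "crash_telemetry": frozenset({Party.OWNER, Party.INSURER, Party.MANUFACTURER}),
}

# Country-specific overrides, (category, party) -> allowed?  Constructed
# examples only; "XX" is a hypothetical jurisdiction, not a real country code.
COUNTRY_OVERRIDES: dict[str, dict[tuple[str, Party], bool]] = {
    "DE": {("location_trace", Party.POLICE): False},
    "XX": {("location_trace", Party.POLICE): True,
           ("crash_telemetry", Party.POLICE): True},
}


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class SharingPolicy:
    base: dict = field(default_factory=lambda: dict(BASE_POLICY))
    overrides: dict = field(default_factory=lambda: dict(COUNTRY_OVERRIDES))
    # Audit trail of (country, category, party, allowed) for every decision.
    audit: list = field(default_factory=list)

    def decide(self, category: str, party: Party, country: str) -> Decision:
        """Default deny; a country override beats the base allow-list."""
        if category not in self.base:
            d = Decision(False, f"unknown data category {category!r}: default deny")
        else:
            override = self.overrides.get(country, {}).get((category, party))
            if override is not None:
                d = Decision(override, f"country override for {country}")
            elif party in self.base[category]:
                d = Decision(True, "base policy allow-list")
            else:
                d = Decision(False, "not on allow-list: default deny")
        self.audit.append((country, category, party.value, d.allowed))
        return d

    def filter_record(self, record: dict, party: Party, country: str) -> dict:
        """Return only the fields `party` may see in `country`."""
        return {k: v for k, v in record.items()
                if self.decide(k, party, country).allowed}


# Constructed sample telemetry record from one vehicle (not real data).
SAMPLE_RECORD = {
    "odometer": 48210,
    "diagnostics": {"dtc": ["P0420"]},
    "charging_kwh": 13.7,
    "location_trace": [(52.52, 13.40), (52.53, 13.41)],
    "crash_telemetry": None,
    "cabin_audio": b"...",   # category never defined in the policy -> always denied
}


def demo() -> dict:
    """Views of the same record for three party/country combinations."""
    p = SharingPolicy()
    return {
        "utility_DE": p.filter_record(SAMPLE_RECORD, Party.UTILITY, "DE"),
        "police_DE": p.filter_record(SAMPLE_RECORD, Party.POLICE, "DE"),
        "police_XX": p.filter_record(SAMPLE_RECORD, Party.POLICE, "XX"),
    }


if __name__ == "__main__":
    for who, view in demo().items():
        print(who, sorted(view))
```

The utility sees only the charging data it bills for, the police in "DE" see nothing from this record, and the hypothetical "XX" jurisdiction opens location and crash data to them through an explicit override; a field the policy never defined (`cabin_audio`) is withheld from everyone, which is the safe failure mode when new sensors appear before the policy is updated.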

However, sharing of data is the smaller part of the challenge. The need for well-controlled security and identity becomes even larger when we are talking about controlling the car or the traffic in general. The idea of cyber-criminals taking control of vehicles is frightening.

I know that several car manufacturers are investing in PKI and related technologies to secure communication among various components. That might work for the components within a car, but it will not be sufficient for the bigger ecosystem of the connected vehicle I have outlined above. What we need are bigger concepts, cross-industry, integrating all the related parties and components. The good thing is that many of the answers to the challenges of a connected vehicle are already there. Life Management Platforms are one element; they allow managing a lot of related information in a privacy-aware and security-aware manner. The API Economy and API security are important for managing the security of all the interfaces in these complex, connected systems. Identity Federation is an important piece of the puzzle as well. However, what I still miss is a clear view of the big picture and coordinated initiatives for a secure smart planet, including the connected vehicles.

It is past time to act. At EIC 2013, we will have a roundtable for the Automotive Industry – a good place to connect with others. We will have various sessions around Life Management Platforms, the API Economy and other security topics. So do not miss EIC 2013 when you are involved in securing the smart planet of the future and when you are looking for a more holistic approach instead of point solutions for various pieces.

© 2014 Martin Kuppinger, KuppingerCole