• You can’t believe the machine
• You have to secure the whole product chain
Just when the automotive industry thought things couldn’t get worse, they did: weeks after a Jeep Cherokee was hacked, Volkswagen admitted to installing software to defraud regulators. The two incidents have put security on the agenda – big time – for every manager who thought automation was the answer.
The Jeep hack (and of other “connected cars”) shows yet again that IT systems are vulnerable to well-funded, skilled and determined hackers. The VW scandal is different in that it was an inside job. Someone programmed the diesel engine’s control system to produce false data, but only under certain circumstances mediated by machine to machine communications.
Managers should raise more than an eyebrow at this. An engine’s control system should contain only those instructions necessary for the safe operation of the engine, and nothing more. What kind of world is it when we can’t trust that? VW’s claim that passenger safety was unaffected might be true, but both the VW and Jeep examples show a potential industry failure to conduct reviews and audits of code that is installed in millions of vehicles.
For a graphic example of what can go wrong, look no further than Stuxnet. Stuxnet was purpose-built to play havoc with a closed system – the control system for uranium-enrichment centrifuges – by pushing false information to downstream units under certain circumstances. In such a tightly-toleranced system, even random data could be catastrophic.
Just as the world is on the brink of plunging into the Internet of Things, enabled by machine to machine communications, we need to pause and ask, in all seriousness, what exactly are those machines saying to each other. This should be an absolute condition for automated systems where lives are at stake, and part of a risk reduction programme for all else.
CIOs should start with smartphones because they increasingly mediate our interaction with the world. It is therefore increasingly important to ensure that these mobile devices communicate only that which we intend them to. Telefonica’s new tool, Tacyt, audits the code of popular apps. It found a popular flashlight programme sent SMS messages to who knows whom. Why should a flashlight programme send SMS messages? Similarly, Apple has just delisted more than 250 apps developed on an advertising SDK that passed customer data to third parties that even the developers weren’t aware of.
This is not a new problem, but three of the top four apps on Apple’s App Store are ad blockers. This is testament to the growing backlash against sharing personal data such as location, which could also compromise corporate interests. In this spirit Deutsche Telekom has just partnered with Wandera to give business customers the tools to set policies and to monitor two-way traffic on mobile devices.
Data leakage or worse is a clear and present threat to enterprises. CIOs should consider strongly starting with smartphones and moving through the rest of their organisation’s devices to ensure that they are not telling stories out of school about themselves and their environments.