Abstract - Cyber Security Oxford · N umb er s of d i ffer ent typ es of s uppl y l i nk s N umb er s of d i ffer ent typ es of fi r ms T i er-1: 580 T i er-2: 1476 T i er-3: 136

OXFORD WORKSHOP ON CYBER RISK AND CONNECTED/AUTONOMOUS VEHICLES

22/02/2016

© Steve New 2016

1

Steve New, Saïd Business School & Hertford College, University of Oxford Tomomi Kito, University of Tsukuba

Abstract

• People commonly believe that manufacturers have plenty of information about the provenance of the components that are used in their products (both hardware and software). In fact, firms often have surprisingly little information on the origin of goods, and workable systems of provenance information management are only now beginning to emerge in some industries. The issue has significant implications when the products have any one of the following three characteristics: they can be controlled remotely; they can harvest data; they can be dynamically engineered. Autonomous cars fit all of three of these, and the solutions to this problem need to go beyond product technology. To produce safe autonomous cars requires a reconfiguration of industry practice, new regulatory systems and rethinking of established socio-economic norms.


22/02/2016

© Steve New 2016

2

Some security threats

CONTROL

DATA HARVEST

DYNAMIC UPDATE

All these threats get greater as technology moves to autonomous vehicles

Agenda

• Two issues about provenance

– Attributes of Provenance

– Supply networks

• Three issues for supply chain cybersecurity

– Interception/Insertion/Substitution

– Design Infiltration

– Substandard Operation


22/02/2016

© Steve New 2016

3

ATTRIBUTES OF PROVENANCE

AoPs are characteristics of a physical item which are not practicably tangible, which carry some notion of value or disbenefit to a user or customer, and are a function of the item’s trajectory prior to the user or customer’s experience of/ownership of/ use of the product.


22/02/2016

© Steve New 2016

4

Maxfield, C. (2007). Actel pioneering new markets for FPGAs in automobiles. EE Times, 27th August http://www.eetimes.com/document.asp?doc_id=1305894


22/02/2016

© Steve New 2016

5

By definition, AoPs cannot be verified directly by the customer from the item itself, and so must be taken on (some kind of trust) by the customer/user.

This may be personal trust, institutional trust, or systemic trust. • Personal trust means that I believe in the goodwill and

competence of the person who provides me with the information about the AoPs.

• Institutional trust means that I believe in that an institution will behave rationally and honestly because it has a reputation to defend.

• Systemic trust means that I believe some supra-organisational system is in place to provide reliability of AoPs.


Attributes of Provenance

ETHICAL CULTURAL SAFETY-RELATED ENVIRONMENTAL

Personal trust

I believe in the goodwill and

competence of the person who provides

me with the information about the

AoPs

At the Farmer’s market, I believe the Farmer when

he says the animals are treated well.

I believe the person I meet at

the Science Fiction convention

that this cardboard laser gun was really

used as a prop on the TV show

I believe the person selling me the second-hand bike that he has had it serviced

regularly

At the Farmer’s market, I believe the

Farmer when he says he used no pesticide on the

carrots.

Institutional trust

I believe in that an institution will behave

rationally and honestly because it has a reputation to

defend.

At Sainsbury’s, I believe the firm’s

claims about labour standards

I believe Christie’s endorsement that this painting was really painted by

Chagall

I believe that this children’s garden

toy is safe because Argos are a large

company

I believe Homebase’s claims

about the sustainable nature

of its wood products.

Systemic trust

I believe some supra-organisational system is in place to provide

reliability of AoPs

I believe this Fair Trade label

provides evidence that workers in the supply chain were

treated fairly

I believe that the Appellation

d'Origine Contrôlée mark on this wine

means that it is authentic

I believe this toaster is safe

because it has a “kitemark” safety

label

I believe this Forest Stewardship Council label means that the

wood was sourced from sustainable

forests



22/02/2016

© Steve New 2016

6

11

(Kito et al., 2014)

Toyota’s network

World-wide automobile supply network (40,000 firms)

SUPPLY NETWORKS (Kito et al)

12

Other Japanese

OEMs

Overseas

OEMs

Other

clients

Toyota

Tier-1 à Toyota: 580

Tier-2 à Tier-1: 3095


Intra-tier: 1069 Tier-1

Intra-tier: 469 Tier-2

Tier-3

Intra-tier: 3




2221 937 72

1341

1484

66

1325 3027

197

(a)

Numbers of different types of supply links

Numbers of different types of firms

• Tier-1: 580

• Tier-2: 1476

• Tier-3: 136

• Other Japanese OEMs: 12

• Overseas OEMs: 155

• Other clients: 749

(b)

Kito et al


22/02/2016

© Steve New 2016

7

What do you know about your supply network?

• Firms often have startlingly little knowledge of suppliers beyond first tier

• Even knowledge of first tier suppliers can be relatively flaky

• Getting knowledge from beyond first tier is not always easy, because dependency (and power) disperse quickly in complex network structures

• Storing knowledge beyond first tier is very difficult indeed.

When people buy stuff, they don’t know exactly what they’re buying, and so they are relying on complex (and often unarticulated) patterns of trust

Attributes of Provenance

When stuff (hardware and software) gets into a car, you can’t always tell what it is, or where it’s come from

Supply Networks

There is very substantial complexity and diversity in network structures, and limited understanding/visibility beyond the first tier

Car firms do not – in general – have a good understanding of their extended networks and have limited ability for detailed command and control of chain.


22/02/2016

© Steve New 2016

8

• Three issues for supply chain cybersecurity – Interception/Insertion/Substitution

• If the Office of Tailored Access Operations (TAO) can do it…

– Design Infiltration • Insider or Stuxnet-style attack on

hardware/firmware/software at production within extended supply base.

– Substandard Operation • Poor internal processes, or non-adherence to standard

or official procedures.

“A document included in the trove of National Security Agency files released with Glenn Greenwald’s book No Place to Hide details how the agency’s Tailored Access Operations (TAO) unit and other NSA employees intercept servers, routers, and other network gear being shipped to organizations targeted for surveillance and install covert implant firmware onto them before they’re delivered.”

Gallagher, S. (2014). Photos of an NSA “upgrade” factory show Cisco router getting implant. Ars Technica, May 14. http://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa-upgrade-factory-show-cisco-router-getting-implant/


22/02/2016

© Steve New 2016

9

Guin, U., DiMase, D. and Tehranipoor, M. (2014). “Counterfeit integrated circuits: detection, avoidance, and the challenges ahead.” Journal of Electronic Testing 30/1: 9-23. Citing: Cassell J (2012) Reports of counterfeit parts quadruple since 2009. Challenging US Defence Industry and National Security

Conclusions

• Supply chain vulnerability raises far more profound challenges than protecting against straight-forward car-hacking;

• “Magical Black Box” thinking is misleading;

• Fundamental changes in assumptions about regulation, data transparency may be necessary.


22/02/2016

© Steve New 2016

10

19

Dr Steve New Fellow, Hertford College

Associate Professor of Operations Management,

Saïd Business School, University of Oxford

Mail: Hertford College, Catte St, OX1 3BW UK

http://www.sbs.ox.ac.uk/community/people/steve-new

Twitter: @Steve_New_

[email protected]

01865 288922

Documents

Abstract - Cyber Security Oxford · N umb er s of d i ffer ent typ es of s uppl y l i nk s N umb er s of d i ffer ent typ es of fi r ms T i er-1: 580 T i er-2: 1476 T i er-3: 136