Prototype protection: How to prevent social engineering in automotive

This article covers

• A definition of social engineering
• Insights into the role of prototype protection against social engineering in the automotive industry
• Information on how social engineering threatens your information security
• Examples for consequences of a social engineering attack
• Measures to protect your organisation from social engineering

• Details on how DataGuard helps you prevent social engineering attacks

Facts in a nutshell:

• Social engineering focuses on people, as they are easy to manipulate yet rather difficult to keep an eye on. The attack vectors for social engineering are manifold and the effects on business continuity are often highly painful.
• Designs and innovations that go into a highly complex product, such as vehicles are attractive targets for attackers (e.g. social engineers). Especially prototypes (e.g. mules) which, in general, cannot be kept “top secret” are at risk and thus in need of special protection.
• The German Association of the Automotive Industry (VDA) and the ENX Association explicitly made prototype protection part of the TISAX® standard. The standard lists measures protecting against attacks, social engineering attacks being one type of them.

TISAX® is a registered trademark of the ENX Association. DataGuard is not affiliated with the ENX Association. We provide consultation and support for the assessment on TISAX® only. The ENX Association does not take any responsibility for any content shown on DataGuard's website.

What is social engineering, exactly?

The term describes attack methods that target the greatest vulnerability of every security system: humans, with all their idiosyncrasies and flaws.

Criminal social engineers, or – to put it simply – hackers, take advantage of our need for human interaction and manipulate their victims using every trick in the book. They aim to make the victim bypass security measures and hand over secret information, which the criminals, in turn, use for further criminal activity.

Prototypes as targets for social engineering in the automotive industry

Every process where many people are involved and need to exchange information is a potential target for hackers. The whole automotive industry revolves around one main thing: the final product, the vehicle. It is highly complex and subject to massive innovation pressure and fierce competition. At the same time, the development and manufacturing process is multidimensional: It relies on cooperation and collaboration. A wide variety of parties – manufacturers, suppliers and service providers – work together for months and across several locations, sharing sensitive data in the process.

Designs and innovations that go into the product are vital to a manufacturer – and very attractive for attackers. They might resell sensitive data they gain through social engineering attacks, e.g., blueprints, photos, or employee data – or use it to blackmail the organisation they stole it from.

Prototypes are particularly complex cases. They need to be treated as confidential, yet have to be moved and tested in different environments, e.g. for test drives on special tracks or public roads (as “mules“). So, they need extra care when it comes to protection.

How social engineering threatens your information security

Social engineering focuses on people, as they are easy to manipulate and difficult to keep an eye on. As with many hacking techniques, the aim of social engineering is to steal important information and use it to extort ransom money. Therefore, social engineering poses a major challenge to corporate information security. The threats are manifold and lurk both in the virtual and the real world, for example:

• Phishing: fake email with an embedded link leading to a compromised website. The user is asked to, for example, enter login or account data – and thus hands them over to criminals. Attackers also use SMS (“smishing”) or phone calls (“vishing”) for this kind of attack.
• CEO fraud: fake email in the name of top management or CEO requesting an employee, for example, to transfer money to a specified (false) account. The request usually gives the impression of being very urgent.
• Baiting: invitation via email to free downloads or free products that can conveniently be requested via an online form or by clicking on a link. The bait, however, comes with malware that infects the target's computer (e.g., ransomware).
• Media dropping: data storage device (USB stick) that has been "lost" on the company’s premises, for instance in the parking lot where it can easily be found by an employee. If the employee connects the device to his or her computer, it transmits malware.
• Tailgating: physical intrusion into secured premises. For this, criminals use data to manipulate electronic access controls (“tampering”) or to impersonate someone who is authorised to enter like a supplier’s employee (“pretexting”).

Consequences of social engineering attacks

As with many other attacks, social engineering attacks can cause significant damage to organisations – be it financial, commercial, or legal consequences or damage to the company’s image. Typically, organisations experience the following problems:

• Disruption of business continuity: According to a recent Allianz study, ransomware is considered to be the biggest cyber risk. After they successfully enter a company’s systems and access sensitive data, criminals usually demand ransom money. To limit the damage, analyse the incident, and to restore normal business operations, the organisation’s entire IT infrastructure needs to be shut down, sometimes including systems critical to business continuity. 
  If the organisation does not have adequate processes for backup and recovery in place, it can take weeks or months to retrieve lost data. So, you need to ensure that you are able to maintain your business activities even in the event of disruptive incidents, e.g. by implementing a Business Continuity Management system (BCM).

• Legal consequences: If an incident affects partners, existing or potential customers of an organisation, the case is often taken to court – and makes the news. Negative headlines can be highly damaging to business as they undermine customer trust and make the company appear less attractive to future customers and partners. In addition, legal disputes usually end in hefty fines.
• Financial consequences: Financial consequences might vary according to the type of attack. In addition to direct losses of ransom money, the following financial consequences might ensue: Revenue losses, legal expenses, fines (e.g. for violating GDPR), costs of responding to the attack, damage claims, maybe declines in stock price and other business-related losses. If the information on a vehicle’s design and technical specifications is lost, the manufacturer might lose the competitive advantage they spent years investing into.

How to prevent social engineering

As there are so many attack vectors, preventing social engineering is a complex task. Humans can all too easily be manipulated. However, the following measures can help reduce your risk:

• Train your employees and raise security awareness:
  • Educate your employees on online and offline security risks.
  • Show them how to identify scam emails, calls, SMS or text messages.
• Establish, optimise and check internal processes:
  • Define rules for IT systems, for example, regarding backup, recovery, patching and updates.
  • Establish binding rules of conduct for your employees, especially when it comes to dealing with suspicious emails.
• Digital security:
  • Regularly check your accounts to see if they might have been compromised.
  • Install or enable anti-virus solutions, establish blacklists and whitelists for websites and for spam filters.
• Access management:
  • Make sure only safe passwords, multi-factor authentication and encryption are used.
  • Regularly check your premises and your physical access controls, use surveillance cameras and train your security guards regarding IT security awareness.
• Asset and risk assessment:
  • Determine your valuable information and prioritise your information assets.
  • Identify your risks.
• Implement an Information security management system (ISMS)
  • Comply with the criteria given by ISO 27001 to guarantee basic information security.
  • Automotive industry: Make sure you comply with the requirements on TISAX®, prototype protection in particular. 
    
    

How does TISAX® help?

The TISAX® - Trusted Information Security Assessment Exchange - standard has been developed by the German Association of the Automotive Industry (VDA) and the ENX Association. It aims to standardize the level of information security for all stakeholders in the automotive industry.

In its basics, TISAX® follows ISO 27001. However, it has been adjusted to the needs of the industry and explicitly states criteria for working with suppliers and prototype protection.

Find out more about the differences between TISAX® and ISO 27001.

Among others, TISAX® lists the following requirements:

• regular trainings on security awareness
• implementation of ISMS
• access management
• security zones

The ENX Association has been commissioned by the VDA as a neutral body for quality assurance and to monitor the implementation of TISAX®. They have developed a catalogue for the assessment on TISAX®, which organisations might use as a guideline for their own certification.

How DataGuard helps you prevent social engineering

DataGuard provides you with expertise and consulting services on information security, for example when establishing and implementing an ISMS and a TISAX®-compliant management system.

You can rely on a whole team of experts with in-depth expertise and best practices from a large number of projects and assessments.

With our information security platform, you have access to a variety of guidelines that help you implement your ISMS. This provides you with a strong basis that you can use and adapt to your internal processes.

Something you might also find helpful is our DataGuard Academy. On this platform, your employees may take part in basic information security trainings – and get a deeper understanding of the risk of social engineering.

Our conclusion and your next steps

Social engineering techniques are as diverse as their victims – and become more sophisticated every day. In a highly complex industry such as the automotive industry that relies on collaboration and where innovations and designs are vital, timely and comprehensive protection is key.

The TISAX® standard has been developed to standardize the level of information security for all stakeholders. High time to get to know its requirements!

Need help with the implementation of TISAX®, establishing an ISMS or training your staff? We are here to help. Get in touch with one of our information security experts today.

Did you enjoy reading this? If so, you might also be interested in Assessments on TISAX®– What are they, what are the differences? or What is TISAX® certification?