Cyber Security for the Future

Whether it’s about driverless cars or electric transport, digitalization is changing vehicles and the industry that makes them. Modern cars now contain more programming code than an aircraft, and their drivers leave data trails such as movement and speed profiles. Car manufacturers use this data to improve their products. Insurance companies may offer discounts to careful drivers based on how they drive. Data protection activists, however, have a more critical perspective: up until now, drivers have not known what data they are disclosing, and have had no influence over doing so. Researchers from the Fraunhofer Institute for Secure Information Technology SIT now want to change that along with their partners from research organizations, the German government and the industry in a project entitled “Self-Protection of Data in Networked Vehicles” (Selbstdatenschutz im vernetzten Fahrzeug, SeDaFa for short).

As vehicle IT becomes ever more complex, the risk of cyber attacks grows. In a number of EU projects, Fraunhofer researchers are therefore developing integrated end-to-end IT security concepts for Car2X communication that will ensure authenticity, integrity, and confidentiality whenever sensitive data is exchanged.

Thus far, manufacturing facilities have rarely been connected to the Internet – and have therefore been safe from online attacks. That is changing in the course of Industrie 4.0, as machines now communicate with each other, and networks are becoming more open – either within the company or for external partners. As a consequence, manufacturing facilities are now more vulnerable: data theft, espionage, and sabotage cause annual losses of more than 22 billion euros in the manufacturing industry, according to figures released by the BITKOM industry association in 2016.

To protect connected industrial facilities effectively against cyber attacks and espionage, a “National Reference Project for IT Security in the Era of Industrie 4.0” (IUNO), has been launched in Germany. Its 21 partners – including three Fraunhofer Institutes along with Bosch, Siemens and Volkswagen – are now all pooling their efforts.

The IT security laboratory at the Fraunhofer Institute for Optronics, System Technologies and Image Exploitation IOSB was specifically designed for production and automation technology. Scientists there can simulate a factory’s entire complex IT infrastructure – including the office network as well as the networks for planning, monitoring and controlling production.

Researchers from a number of Fraunhofer Institutes, together with other partners, have examined the legal, organizational and technical aspects of "IT security for industry". That is also the title of the report in which Germany’s Federal Ministry of Economic Affairs and Energy published their results.

If cyber attacks paralyze critical infrastructure such as the power grid, water supplies, or medical services, the repercussions are massive. Yet small utility companies in particular often find it difficult to protect their own – and thus the entire – system adequately. Fraunhofer researchers are facilitating protection and risk analysis for this target group in particular.

The challenge lies in the fact that in the energy turnaround, facilities are connected with each other not only directly, but also increasingly via the Internet. What makes a great deal of sense in terms of energy policy represents a major challenge when it comes to cyber security, a challenge that demands robust security solutions. For those in positions of responsibility in power plants, this means the need to maintain state-of-the-art IT security across the board at all times – and not for one centralized structure, but for any number of heterogeneous, regional companies. Yet it is these companies in particular that often have difficulty in guaranteeing security.

While the Federal Office for Information Security in Germany has a standard assessment form – essentially a comprehensive questionnaire – designed to identify risks, it is far too complex for small companies. Researchers at the Fraunhofer Institute for Applied and Integrated Security AISEC are therefore involved in the MOSAIK project, intended to trim the questionnaire down: “We are shortening the process from 100 steps to 10, thereby making it much more manageable for smaller companies,” says Dr. Jörn Eichler, the head of department at Fraunhofer AISEC.

In the long term, it might even be possible to run through various measures in advance, and to test how helpful they might be against identified threats without disrupting operations.

Whether it’s search engines or online shops, data-driven digital services that are always accessible make everyday life easier. But how do things look when it comes to the security of services, data protection, and even users’ personal assets and identity? “Data has become the fourth production factor,” according to Michael Ochs, business unit manager at the Fraunhofer Institute for Experimental Software Engineering IESE. “The protection of an individual’s privacy, identity, and intellectual property, as well as the ability to trust the services on offer, has become a crucial issue in the use of digital services.”

The use of particular services usually requires accepting their terms and conditions: either yes or not at all. What this means, however, is that users have no influence over who does what with their personal data or when they do so (»going white«).  If  users would rather not be that transparent, the only option is not to use such services (»going black«). Fraunhofer researchers are now giving users a third – and above all, a secure – option, that of »going grey«.

That pills have to be bitter and security solutions need to be complex if they are to be effective is a popular misconception. In fact, it would be possible to prevent many attacks if security technologies were correctly implemented or if users chose not to bypass them. For that to happen, security technologies need to be easier to use. The aim of the usable security approach is to have technology adapt to those using it rather than the other way around, as has too often been the case in the past. Here the focus is not just on end users, but primarily on software developers: they are the people who from the start have to give some thought to security mechanisms, and embed them in their products. The easier this is, the fewer mistakes will be made as security mechanisms are embedded, and products will be all the more secure.