The cyber security threats to cars, as more and more of them become connected to the internet, are becoming increasingly well known. What about the threats to those that sell and maintain the vehicles, and the customers they service?
Lookers is the country’s second largest network of car dealerships, with 150 under its umbrella. Its Head of IT, Mark Valentine, is in charge of a network of 5000 endpoints that store millions of customer records; the network also has to communicate with manufacturers’ networks.
Valentine said the firm "have a very adaptive, broad, transient endpoint," using its recent acquisition Benfield as an example of this.
He compares the model he has to use to protect this environment to the one deployed in the finance and banking industry, where he has worked previously. "The banking infrastructure I’ve come from is basically stick a firewall around it, put everything inside it and keep everybody out," he told CBR.
However, at Lookers it’s "mobile phones, smartphones, devices, tablets that’s how we do our business," he said. "That’s changed so you have to have an adaptive security product which meets that requirement."
His firm deploys a variety of products in a layered approach in order to do this. It uses Hexis Cyber Solutions’ HawkEye G product to fend off Advanced Persistent Threats (APT), anti-virus from Sophos, MobileIron to protect its increasingly mobile workforce, and Mimecast Targeted Threat Protection (TTP) on inbound email.
He describes it like this: "HawkEye G product is US marines on the perimeter of every device keeping things at bay." If, with any "product there’s a breakthrough you’re into the next layer, so the anti-virus kicks in, or the next layer, the firewall kicks in, or the next layer the software firewall kicks in. It’s layer after layer after layer."
He said that it makes better sense for his firm financially to adopt this kind of approach than "spend two or three hundred thousand pounds on a whizz-bang Checkpoint firewall that sits in an office…and just relies on you coming to it".
This means that "we’re actually out there, so if somebody does infect one of our endpoints a) we know about it very quickly, we’re not having to sift through firewall logs, it’s very much focussed, b) it can be remediated automatically, so we don’t have to rely on BT or one of our other providers to deal with the firewall side of it all. It is the time to market, because it’s a fast paced industry we need that very narrow window to detection and it can be quite quick."
Valentine believes that having a robust cyber security infrastructure could give his firm competitive advantages over its competitors.
"The first competitive advantage is our customers, so why would you buy cars from people who lose your data," he said, "and secondly from the manufacturers who supply the tin. They are the Gods."
Valentine believes that his customers are increasingly aware of making sure their data is protected, even if it is not front of mind when making a major purchase like a car. "If you have a TalkTalk scenario and our Dido Harding had to stand up there and say ‘I’m terribly sorry we’ve lost a load of information’ yes I think they’d be pretty aware," he said.
Valentine also appreciates that even at this relatively early stage of connecting cars to networks, keeping data safe now is vital for future sales, and this is something his firm’s army of salespeople have to be aware of.
"The people who are selling the cars are also selling the technological buy in. People are plugging this together in their heads. So before they’re looking for the whizz bangs and how can my car talk to my phone or anything else, there’s your information and your data," he said.
He believes that ultimately data security may even drive car buying decisions: "Again, maybe not consciously, but they’re looking at the security in their own minds even on that local purchase, some of them will actually buy it."
The manufacturers also take being locked into a robust security infrastructure very seriously. "Basically they want to know that we’re part of their chain so when they roll Land Rovers off the Land Rover assembly line they put them into Lookers showrooms to sell them so we are entrenched and hooked into their systems electronically so they want to know that we are treating their relationship, and their connectivity and their security in the same way they will," said Valentine.
The manufacturers have to know that data transferred between Lookers and themselves is secure, in order to continue doing business with the dealership. Valentine uses a recent example from Volvo to demonstrate this. "You come to have your car serviced or have something done or even just visit to book it, and the Volvo cars now wirelessly, securely wirelessly link into the dealership," said Valentine.
"They hook into the wireless and check if you need to be update or not that your firmware then and there, and that solution had to be secure. So you had to have secure encryption from your wireless endpoint into your Wide Area Network, and if the wide area network is routed back to one of the dealerships via our firewall, if it’s us, that all has to be securely looked after."
Obviously this is a burden on a firm such as Lookers that is only going to increase, as Valentine said that "within another year or so 70% of all cars made will be hooked up to the internet."
It is clear then that Valentine subscribes to the theory whereby instead of security people just stopping their colleagues doing things, they are a key part of a company’s growth strategy. "I’ve seen in the year I’ve been here, with the HawkEye G product and the other ones which I’ve brought into play a major leap forward and it’s setting Lookers up to where it’s trying to go commercially," he said.
Ultimately, said Valentine, security "will get to the point, I think, in maybe not this year or the next, maybe the next five years, where the exteriors will be even more open than they are now."
He said that defenders "will encrypt your databases, as I think some people do already, but it will become more common, at source. So your major customer databases will be hard encrypted. You won’t be so much worried about what floats around because the data will be so secure at source it will prove to be almost uncrackable. I’m not saying anything’s uncrackable but certainly it will go that way."
While everyone accepts nothing is uncrackable, a car dealership like Lookers now has to deploy a security solution for vehicle and customer data that is as robust as the one it has to deploy for the vehicles themselves.