Security by Design – Closing down the loopholes for hackers

 

The digital age is opening up previously undreamt-of possibilities for consumers and companies – and for cyber-criminals. It’s for this reason that the security experts from TÜV NORD want to make software and networked products are secure as possible, starting from the point of development.

 

In August 2017, 745,000 wearers of networked pacemakers throughout the world were given a nasty shock: The health authorities of the USA had discovered a security vulnerability which would allow hackers to manipulate the pulse frequency or battery charge of these life-saving devices. It took a firmware update to close this dangerous loophole. Security vulnerabilities like this have long since become the rule in our networked present. A study of the German association of electrotechnology, electronics and information technology companies (VDE) has found that over half of all companies in Germany have already been affected by cyber-attacks. As the insurance company Allianz Global Corporate & Speciality discovered, cyber-attacks cause damage to companies across the world to the tune of €400 billion every single year. In 2015, over €45 billion worth of damage was sustained by the German economy, and this figure is increasing sharply. Even critical infrastructures like energy providers are no longer safe from cyber-criminals, as the hacker attack on Ukrainian power plants proved in 2015.

Multi-stage protective barriers

“We have to think about whether we want to continue to chase after the hackers and plug security holes on an ongoing crisis basis – or whether we want instead to adopt a preventive security policy,” says Matthias Springer. For the head of Security4Safety coordination body at TÜV NORD, the solution is this: Security by Design. The idea behind this concept is to prevent security vulnerabilities from arising in the first place. To this end, security experts accompany the entire development process for software or smart devices, working with IT departments and developers in an interdisciplinary capacity. “The principle involved is that of multi-stage protective barriers,” Matthias Springer explains. “It‘s kind of like a digital knights’ castle.” Just as mediaeval fortifications use a complex system of moats, curtain walls and other defensive walls to keep out intruders, the experts review security elements at all levels: starting with the software and the hardware, taking in the network and the processes, right through to the users. “If you just do that on one level, the other levels will still be unprotected. And attackers are always on the lookout for the weakest points,” explains Mr Springer. Just like the master builders of mediaeval castles, they have to make all kinds of assessments: Where might attacks come from, what motives and opportunities do the attackers have, and how can an effective defence be mounted against them. “If we include all these aspects, what arises is a comprehensive picture of which levels require particular protection.”

“We have to think about whether we want to continue to chase after the hackers and plug security holes on an ongoing crisis basis – or whether we want instead to adopt a preventive security policy.”

Matthias Springer, IT security expert

 

It isn’t sufficient simply to adapt previously established security solutions, Mr Springer explains. “You really have to start with a blank canvas. This is the best way.” By doing so, the security experts are supporting the development process to create new and individual solutions for every situation.

The experts from TÜV NORD and TÜViT have already implemented Security by Design, for instance, on behalf of the German Federal Office for Information Technology (BSI) in the development of what are known as smart meter gateways. These central communication systems transmit data from electricity meters to energy suppliers and will assume a key role in the smart energy system of the future. To ensure that they were sufficiently well protected, the experts from TÜV NORD monitored the entire development process from specification of the security profiles through to implementation.

Cyber-attacks cause € 400 billion worth of damage to companies across the world every year. Over € 45 billion worth of damage was sustained by the German economy in 2015.

 

 

In the case of smart electricity meters, the highest possible security standards are now mandatory by law; with many smart products, however, they remain optional. The problem is this: for two thirds of German companies, when push comes to shove, performance and user friendliness are more important than IT security, as was revealed by a survey conducted by Crisp Research by order of TÜViT. But this is shortsighted: better security gives rise to an increase in customer satisfaction, component availability and legal certainty. The costs of technical and legal damage limitation exercises fall, as does the risk of reputational damage resulting from successful hacker attacks. As IT expert Mr Springer says: “In the medium and long-term, Security by Design results in a strategic market advantage.”

Holistic security needs standardisation

Regardless of how effective Security by Design is for individual network products and applications, what is needed is a cross-sector security codex to guarantee comprehensive security, especially for critical infrastructures. “We need to carry out normative needs analyses for all areas so that we can help shape and develop security standards for all the different sectors. This is the huge task that currently faces the legislature and standard-setting bodies,” says Mr Springer. “We’re definitely going to need two or three years to do this,” the security expert adds. “Which is why we need to get started now.”