Protecting the Auto Supply Chain, Part Two
Make sure to check out Saturday's Part One of Protecting the Auto Supply Chain!
Written by Sean Martin
Maybe of more interest to our readers here is the top theme captured in the 2011 Symantec Internet Security Threat Report: targeted attacks. The report highlights a targeted attack named Hydraq (or Aurora), an attack designed specifically to steal data. Not only is Hydraq designed to steal, it is designed to steal intellectual property from major corporations. Given the attention that this threat gained in the media, it is likely that most IT security professionals have their eyes open and their security measures fine-tuned to combat this specific attack. But Symantec expects the attackers to modify their wares by investing in the advancement of rootkits and employing these advanced rootkits as part of new targeted attacks in the future.
Therefore, as alternative methods for collaboration are explored, it is of paramount importance that OEMs and suppliers use the reports and data available to them, such as those referenced here, to properly assess the situation and make informed decisions about performance, reliability, and security as they relate to cost. The industry should not take lightly the task of finding the right balance of cost vs. functionality vs. risk.
Separately, two firms very familiar with this space, ANX (www.anx.com) in the US and ENX (www.enxo.com) in Europe, described two key exchange areas within the automotive data exchange environment that represent the core of the automotive supply chain collaboration space: Engineering data and EDI data, split at 80 percent and 20 percent, respectively.
During interviews, both firms said that, in the Engineering collaboration space, 80-90 percent of the risk exposure would primarily be associated with the loss and theft of design and other engineering documents, such as the theft of highly sensitive CAD drawings or the leaking of real-time CAE communications. The firms also expect that 70-80 percent of the risk exposure in the EDI space is associated with delayed or failed order transactions. A significant failure within a just-in-time manufacturing process could take down an entire production line.
While cost is certainly a factor, the price of the service becomes a non-issue if the low-cost alternative introduces weakened security measures, unacceptable reliability and inadequate performance. If the communications don’t flow, aren’t quick enough, are vulnerable to attack, and introduce the risk of sensitive data being leaked or stolen, it won’t matter how little the service costs.
In an effort to help suppliers make an informed decision, captured below are some of the primary concerns associated with the secure and reliable exchange of intellectual property and EDI communications. The information is presented in the form of questions to ask the service provider before making trade-offs based primarily on cost.
1. Can the service substantially reduce the complexity, errors, and overhead of setting up multiple secure OEM communications?
2. Can the service provide a one-call setup and configuration process with always-on end-to-end communications across multiple countries, languages, and ISPs?
3. Can the service provider protect against unauthorized access to, and loss of, highly sensitive information such as Engineering designs and documents?
4. Can the service provider properly protect against breaches and denial of service attacks such that they can guarantee an end-to-end service without disruption to critical just-in-time EDI transactions?
The automotive industry will undoubtedly continue to rely heavily on its supply chain communications. With the increased pressure to establish and maintain a respectable bottom line, it is completely natural that the OEMs and suppliers must also find ways to work better together using efficient, long-lasting, and cost-effective means. The actions taken toward these goals, however, should not introduce risk to the reliability, integrity, or security of supply chain operations.
Don’t let $1 trillion in theft prove you wrong. Ask questions. Verify answers. Choose wisely.