Cyberterror, hacking threats have industry beefing up Internet security

INFORMATION TECHNOLOGY
New awareness


Internet security has taken on a new importance since the Sept. 11 terrorist attacks. The auto industry is responding by:


  • Budgeting more money for security

  • Monitoring usage more closely

  • Re-examining procedures and access

  • Developing disaster-recovery plans


    Name: David Miller

    Title: Security officer, Covisint
    His computer: "It's truly unique. I built it myself with handpicked components to my own specifications."
    Favorite IT publication: Information Week
    Favorite Web site: google.com
    What he's reading: "Executive Orders" by Tom Clancy
    Next big IT trend? Streaming video. "Broadband is here, and it will be delivering real-time accessible entertainment of all kinds into everyone's home."

  • When the I Love You e-mail virus swept around the world in May 2000, it forced Ford Motor Co. to shut down its e-mail system for four days.

    Ford won't say how much it lost as a result. But the Love Bug - so dubbed because "I Love You" appeared in the message subject line - served as a wake-up call for automakers and other large companies. Many installed better anti-virus protection and reinforced their firewalls.

    Today, the auto industry faces a more menacing threat.

    Within days after the Sept. 11 terrorist attacks on two American icons - the World Trade Center and the Pentagon - security experts began warning of a potential "Digital Pearl Harbor" in which a terrorist attack would paralyze computers, electrical grids and other key infrastructure.

    It's a warning the industry is taking to heart.

    "The next big frontier for someone trying to attack our country will be large firms," says Erik Naugle, chief technology officer at ANXeBusiness Corp. (anxebusiness.com) of Southfield, Mich., a high-security electronic network begun by the auto industry.

    "Organized attacks on their infrastructure - that's an area that large firms are going to have to deal with, which they haven't had to in the past. If we learned anything out of the 11th, they were going after our icons."

    Since Sept. 11, automakers such as General Motors and American Honda Motor Co. are taking a closer look at network security. Ford (ford.com) won't say what it is doing and refused a request for interviews for this story, citing the sensitivity of the topic.

    Other auto-related businesses are paying more attention to things that might have been overlooked in the past. For example, auto industry exchange Covisint LLC () of Southfield, Mich., noticed an increase in "port scans" that originated in the Middle East after the terrorist attacks. It is tracking the scans to look for trends.

    And security spending is not being neglected. Security application software ranks as one of the top three information technology investment areas for all industries, including auto, according to AMR Research Inc.'s () latest technology spending report for 2002-03. The report was completed after Sept. 11.

    "My heads of security and disaster recovery are looking at everything again," says Ralph Szygenda, GM's () chief information officer.

    "I think we didn't anticipate necessarily the major electronic security issues we might be seeing in the next couple of years. So I have redoubled our efforts."

    Naugle says that since Sept. 11, ANXeBusiness has seen a greater number of inquiries from automotive companies and government agencies wanting to know more about the company's private computer network.

    "It's really part of an overall re-examination of how open we are as a society," Naugle says. "The reliance on the Internet is something that is being reconsidered by all companies as well as state, local, federal municipalities."

    Sense of urgency

    There is a sense of urgency now as executives weave cyberterrorism into their "what if" scenarios.

    Companies for years have not funded security in their information technology budgets adequately, says Naugle, who also is a member of the network security subcommittee of President Bush's Commission on Critical Infrastructure Protection.

    But the terrorist attacks - combined with periodic disruptions from computer viruses and worms - have companies realizing their data networks are just as mission critical as their telephone networks and other business systems, Naugle says.

    "I think that companies are recognizing that it's not an area where they can skimp any more," he says.

    While businesses may have realized that their IT systems were vulnerable to hackers, the prospect of an organized terrorist cyberattack is chilling, says Christopher Frith, senior manager in Ernst & Young's () security and technology solutions group.

    "Now they are really looking at themselves as being a target," he adds.

    Says Kevin Prouty, senior research analyst at Boston-based AMR Research: "We're seeing across the board there's much more awareness about security. When you talk about data recovery and disaster mitigation, there is definitely more spending around that. People are taking a much harder look."

    Prouty expects a 10 percent to 15 percent increase in spending for disaster recovery and risk mitigation in the automotive industry.

    "It's a combination of recovering data and storing data properly offsite, with duplicate servers, things like that," Prouty explains. If backup data are stored offsite, any type of disaster then has a minimal impact on the operation of the business, he says.

    The security-spending trend contradicts overall IT spending plans by automakers and suppliers. Prouty says that overall IT spending will be reduced in 2002 by about $2 billion from $36 billion this year. Economic uncertainty and shrinking revenues are the driving forces behind the cut.

    Survey says …

    A KPMG LLP () survey of automakers and Tier 1 and Tier 2 suppliers in August found that 67 percent of the companies have hired a full-time information security specialist. But 40 percent said that their e-business plans do not address information security adequately.

    In the aftermath of September's attacks, firms are investing particularly in security and disaster recovery technologies, according to a survey of 3,500 companies, including automotive, by Forrester Research Inc. () of Cambridge, Mass.

    Forty-four percent of the companies surveyed plan to increase spending on disaster recovery by an average 18 percent. And 29 percent say that they are increasing spending on network security by an average 22 percent.

    The potential for cyberterrorism comes at a time when automakers and suppliers are stepping up their use of the Internet to collaborate with one another. While collaboration can be one-to-one over the Internet, it also can be accomplished through an industry exchange such as Covisint.

    Covisint's customers demand security measures that prevent sensitive product information flowing through the exchange from being seen by competitors, says David Miller, Covisint's information security officer.

    "It became obvious very early that we needed a direction in information security that was bulletproof," he says. "To be honest, most of our customers are more worried about other customers hacking in than they are worried about terrorists hacking in."

    Nevertheless, Covisint already is prepared to combat cyberterrorism, Miller says. The exchange has monitored some port scans emanating from Middle Eastern IP, or Internet protocol, addresses.

    IP refers to the unique number assigned every computer residing on the Web. Port scanning usually is done to obtain information about services and level of security on an Internet site. But sometimes the scans can determine whether a network can be compromised.

    Mideast interest

    "After Sept. 11, we actually did see that there were more port scans from specific IP addresses that were registered in the Middle East," Miller says, "which may or may not mean anything at all."

    Still, Covisint considers such scans to be an additional risk. So the exchange has been monitoring scans more closely to determine whether any trends exist that might suggest an organized threat.

    When Miller sees something unusual, he reports that to the Office of Homeland Security ().

    "We participate by providing information about any vulnerabilities that we see, like operating system vulnerabilities," Miller says.

    Johnson Controls Inc., a Tier 1 supplier of vehicle interior systems and batteries, began developing a formal information security program before Sept. 11, says Tom Greco, information security architect for Johnson Controls ().

    Johnson Controls has three Internet portals to collaborate with suppliers, employees and automakers. The company is strengthening procedures for network access and installing high-security firewalls and intrusion-detection systems.

    "I think a lot of companies are coming on board now and at least hiring companies to do vulnerability and security assessments," Greco says.

    Greco recommends that companies concentrate on developing a plan that will explain how they will maintain critical business operations in the event of a disaster.

    DaimlerChrysler () says it, too, was prepared for cyberterrorism before the Sept. 11 attacks.

    "Our emphasis on infrastructure and data security before and after have been equal," says Karenann Terrell, director of the Chrysler group's e-business unit, eConnect. "We don't talk specifically about our security plans, but it's not like there's a renewed interest in security. It has always been extremely important - security of the infrastructure and security of the data and the information."

    Don't forget dealers

    Even automotive dealers cannot escape the growing uneasiness over network security. Some U.S. dealers already have dealt with worms and viruses shutting down systems (see story, Page 5-T). Others have different concerns.

    After Sept. 11, Sonic Automotive Inc. of Charlotte, N.C. (), with 170 franchises, began designing a disaster-recovery plan so dealers can continue operating in the event its data center were destroyed. That is where dealership computer servers are kept.

    "We have some disaster recovery plans that go all the way up to carrying servers on site, but we don't have enough to carry one to every dealership," says Sonic CIO David Boatman.

    "Until the strikes on the World Trade Center, we didn't think about those things really. I didn't think about them. I thought about floods, hurricanes, tornadoes - things like that."

    Now, no one can afford to take chances.

    0

    Shares

    ATTENTION COMMENTERS: Over the last few months, Automotive News has monitored a significant increase in the number of personal attacks and abusive comments on our site. We encourage our readers to voice their opinions and argue their points. We expect disagreement. We do not expect our readers to turn on each other. We will be aggressively deleting all comments that personally attack another poster, or an article author, even if the comment is otherwise a well-argued observation. If we see repeated behavior, we will ban the commenter. Please help us maintain a civil level of discourse.

    Newsletters