News

MES Security: What can we learn from the Volkswagen Recalls?

Alexander Polyakov
October 16, 2015 by
Alexander Polyakov

[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]

I decided to write this article right after the news about Chrysler's recall of cars affected by software vulnerability No doubt you had heard about hackers who hijacked a Jeep as this incident was covered by all the top media. I'd like to go deeper and assume that not this one, but similar security breaches may be a result of sophisticated cyber-attack. In theory, competitors could use the same techniques and insert vulnerabilities or backdoors into products intentionally. It looks like a script for a new episode of Mr. Robot, but another scandal related to Volkswagen proved that can be real and similar issues may become even more critical in the near future.

Top Security Awareness Posters

Top Security Awareness Posters

Download our collection of free posters and use them to keep security at the forefront of your employees' minds.

Let us first trace the history of vehicle recalls. Before I started collecting the information I expected to see a couple of examples in total, but I have found a dozen for the last several months alone! Here are the major recalls took place this only summer:

  • July 08 – Japanese parts supplier Takata announced it is recalling 33.8 million vehicles in the U.S. because airbags could explode and send metal pieces flying at drivers and passengers. The faulty driver- and passenger-side airbags have been linked to at least seven deaths, including six in the U.S., and more than 100 injuries.
  • July 8 – Ford recalled more than 400,000 cars in North America to fix a software bug
  • July 9 – Honda recalled  4.5 million cars over exploding airbags
  • July 13 – General Motors recalled 1.55 lakh cars in India.
  • July 14 – GM recalled 50K cars for seat belt cable issue.
  • July 15 –   Nissan recalled about 270,000 vehicles worldwide because the ignition start buttons can malfunction and unexpectedly shut down the engine.
  • July 15 – Subaru recalled 32,400 compact cars to fix air bag problem.
  • July 15 – Toyota recalled 625,000 hybrid cars worldwide because of a glitch that can shut down the entire system while driving.
    July 17 – Ferrari recalled 814 sports cars for an airbag defect.
  • July 24 – Harley-Davidson recalled 185,000 motorcycles because the saddlebags can come loose and fall off, increasing the risk of a crash.

In the manufacturing industry, vehicle recalls make up a significant part of all recalls. One of the first examples of the recall dates back to when rubber parts in V-8-powered General Motors engine mounts would give out, causing the engine to come free, twist upward and pull open the throttle, resulting in rapid acceleration. It would often disable brake assistance, making it harder to stop the car. By 1971, 172 cases of engine-mount failure had been reported, resulting in dire consequences (63 accidents and 18 injuries).

So, the most common reasons for recalls are airbag issues, faulty seatbelt buckle, stone-guard assembly issues, and bolt failures.

Volkswagen scandal

On 22 September, it was reported that Volkswagen's market cap had fallen 25€ billion (from 77€ billion to less than 52€ billion) because activists found out that the automaker inserted a special code into cars to cut emissions when the car's computer detected it was being tested. Although in the history of the automotive industry there were examples of far more dangerous defects this incident is notable because of its serious economic consequences. It led to both the fines and the biggest drop of shares, and nobody knows the long-term impact of the incident.

Volkswagen admitted that they installed a program to game inspectors. Special algorithms detected when a car was tested and purposely lowered emissions. The company had done so for the last six years, since 2009. The software modification was made in the VW Jetta, Golf, Beetle, Passat, and Audi A3. In that way, the company tried to win a share of the US car market, where emission standards are stricter. The supplier that provided Volkswagen with software and devices to falsify test turned out to be the world famous company Bosch.

What we can learn from these recalls?

It's absolutely clear that software bugs and errors in the manufacturing process are the major reasons of recalls. However, if this can happen by mistake and nobody can detect it, somebody, be it competitor committing a sabotage attack or an anonymous group of hackers driven by ideological motives, may use such security flaws to perform malicious actions.

Traditionally, manufacturing, planning and designing processes are managed in enterprise business applications such as MES, PLM, or CAD systems. For a successful attack against a company, a cybercriminal needs to obtain access to these applications and make some minor changes in the following systems: in CAD during construction side, in PLM system during product lifecycle management configurations or directly in the MES system during manufacturing.  The level of MES and PLM integration and automation gives attackers an opportunity to implement some modifications easily into those highly connected systems. Siemens (one of the largest vendors providing solutions for automotive industry) tells that "PLM-MES integration allows you to continuously respond to shifting demands by distributing your latest product designs and assembly methods to a more connected, more efficient and more effective production value chain, assuring complete visibility between your production and engineering domains". So, nowadays production and engineering fields are not isolated, on the contrary, they are connected not only between each other but to corporate network that is vulnerable to traditional malware and attacks.

The story of Stuxnet has shown that the attacks on technology modules are real and have already been executed against SCADA systems and PLCs. From the technical point of view, for hackers there is not a big difference between performing an attack against SCADA and gaining access to MES, PLM, or CAD systems. Moreover, the security of those systems is even weaker than the security of SCADA/PLC systems. Companies started implementing SDL and at least somehow monitoring the security of those devices using some vulnerability management and event management solutions, but nobody cares about MES/PLM security.  We should not forget that those systems are traditionally connected with other applications such as ERP, where is also a large number of vulnerabilities according to SAP Security in Figures Report and more recent analysis of 3000 vulnerabilities in SAP . Therefore, it's not a big deal to get unauthorized access to PLM or MES.

As for the potential attack vectors against automotive institutions, here is a simple example. What will happen if somebody change bolt pressure on the wheel?  Of course, there may be many additional checks to identify this problem during car usage, but this really may lead to an accident when you ride 90 mph on the highway and the wheel falls off.  It was the first idea that came to me, but I discovered the example of a recall because of suspension bolt failure, which affected almost six million Buick cars in 1981. If any part of the rear suspension fails at speed, the probability of passenger drama is high. With this in mind, GM agreed to replace rear-control-arm bolts on a number of models in early 1980s, when reports surfaced that the bolts could fracture or loosen, leading to a loss of control. Suspension bolt failure resembles this simple idea. A real attacker may conduct something more critical and less visible, such as bugs in airbags that prevent their inflation under some circumstances. Not every time, because it would be easy to identify during a crash test, but it may occur randomly. These types of attacks are not only subject to recalls but can lead to human injuries, which can destroy the reputation of a victim company.

If it still doesn't look very realistic, just remember that any incidents associated with gadgetry on these vehicles seemed a nonsense before it happened. A year ago, a remote attack on a car seemed something unrealizable, and three years ago, no one could imagine a local attack on a car, so every attack is just a question of time. It is hard to propose a cybersecurity scenario that has not already occurred somewhere in the world, and even one of those vehicle recalls may be a consequence of a rival's attack.

Considering that scandal with Volkswagen threatens the reputation of the German car industry and the economy of Europe, the sabotage attacks can not only be a tool in a competitive war but a kind of cyber-weapon.

Not only carmakers are at risk

The consequences of the Volkswagen scandal and gaming tests are likely to inflict other industries. For example, the Guardian said the independent test showed that Samsung TVs appear to use less energy during official testing conditions than they do during real-world use

The discrepancy between real-world and test performance of the TVs was discovered by ComplianTV, a research group funded by the European Union. The full research has not been published yet, however, according to the Guardian, energy consumption rates are consistently higher in real-world situations than in official test conditions.

Thus, it's not a secret that vendors can use or are even using such methods to hide the information about the dangerous defects of their products. However, are you sure that even if you observe rules, no one hasn't injected such a malicious code in your software through attack targeting your business critical systems?

References

http://www.cso.com.au/article/583315/car-recalls-sabotage-attacks-against-mes-systems/

http://www.forbes.com/sites/thomasbrewster/2015/07/24/chrysler-recall-exploit/)

http://www.mlive.com/auto/index.ssf/2015/07/nhsta_releases_list_of_vehicle.html

http://www.theregister.co.uk/2015/07/08/ford_car_software_recall_analysis/

http://www.businessinsider.co.id/afp-honda-recalls-another-4.5-million-cars-over-exploding-airbags-2015-7

http://www.thehindu.com/business/Industry/gm-to-recall-chevrolet-spark-beat-andenjoy-manufactured-between-2007-and-2014/article7417613.ece

http://www.detroitnews.com/story/business/autos/general-motors/2015/07/14/gm-recalls-cars-seat-belt-cable-issue/30132281/

http://www.tri-cityherald.com/2015/07/15/3652251_subaru-recalls-32400-compact-cars.html?rh=1

http://www.businessinsider.com/r-toyota-recalls-625000-hybrid-cars-globally-for-software-glitch-2015-7#ixzz3hEZKFhhW

http://www.usatoday.com/story/money/cars/2015/07/24/harley-recall/30607169/

http://www.gm-recall.com/gm-recall-history/

http://www.plm.automation.siemens.com/en_us/products/tecnomatix/launch-production/shop-floor-integration/plm-mes.shtml

http://erpscan.com/wp-content/themes/supercms/Publications/3000-SAP-notes-Analysis-by-ERPScan.pdf

http://erpscan.com/wp-content/uploads/publications/SAP_Security_in_figures_A_global_survey_2013_RC.pdf

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

http://www.gm-recall.com/gm-recall-history/

Alexander Polyakov
Alexander Polyakov

Alexander Polyakov is the founder of ERPScan and President of the EAS-SEC.org project. Recognized as an R&D professional and Entrepreneur of the year, his expertise covers the security of enterprise business-critical software like ERP, CRM, SRM and industry specific solutions for Oil and Gas, Manufacturing, Retail and Banking; as well as other verticals developed by enterprise software companies such as SAP and Oracle. He has received numerous accolades and published over 100 vulnerabilities.

Alexander has also published a book about Oracle Database security, numerous white papers, such the award winning annual "SAP Security in Figures”; plus surveys devoted to information security research in SAP.

Alexander has presented his research on SAP and ERP security at more than 50 conferences and trainings in 20+ countries in all continents. He has also held trainings for the CISOs of Fortune 2000 companies, and for SAP SE itself.

He is the author of numerous whitepapers and surveys devoted to information security research in SAP like "SAP Security in figures." Alexander was invited to speak and train at international conferences such as BlackHat, RSA, HITB and 30 others around globe as well as in internal workshops for SAP and Fortune 500 companies.