Smart Industry 1/2016

COLUMN BERND SCHÖNE
GERMAN ANGST
The German computer security authority BSI recently
released a 592-page report on the proceedings
of its latest biannual Cybersecurity Congress
in Bad Godesberg, and it makes fascinating reading.
This time IoT was the hot topic. In fact most of the experts
talked about nothing else. And what they had to say
sounded very, very German, especially to people
of the Anglo-Saxon persuasion. They were very,
very worried. In fact they scared stiff.
Of course, Germans always have a tendency
to view the future with a mixture of skepticism
and good old German Angst – a
vague sense of impending doom. Where
others see opportunities, they tend to see
risks, which often makes it difficult to communicate
across cultural borders. Brits and
Americans seem to be talking about a completely
different subject than their German
counterparts.
In this case, the big issue was the worry that, in terms
of automation and smart factory applications, the world
is about where office IT was back in the 90ies, or so the
German participants tended to believe, many of them hailing
from very prestigious institutions and official agencies.
The consensus was sort of like this: stop everything! First,
we need to devote lots of serious research to solving the
problems before we can take a cautious step forward.
As if to confirm their greatest fears, news circulated around
the conference rooms that two American hackers, Charlie
Miller and Chris Valasek, had just demonstrated on public
television how they were able to take control of a passing
automobile from a distance of more than half a mile, switching
the lights on and off and applying the brakes while
the drivers were reduced to helpless passengers, paralyzed
with fright. They then proceeded to take over the wheel
and drive the car into a ditch. Okay, all this was done under
controlled circumstances on a test circuit, and nobody got
hurt. But everybody could readily imagine what it would
be like if you were careening down a German autobahn at
130 miles an hour. Germans love their cars, and they trust
in German automotive engineering. For them, it was as if
the world had just started rotating in the wrong direction.
As a result of the televised live hack, Fiat, an Italo-American
manufacturer, was forced to recall 1.4 million vehicles
which had been proven vulnerable, including Dodge, Ram
and Jeep models. All were found to need an immediate
software update in order to close the hole through which
Miller and Valasek had been able to gain access.
At the conference, the German IT expert Stephan Gerhager
publically asked if the same thing could happen to German
76
Germans
always have
a tendency to
view the future
with a mixture
of skepticism
and good
old German
Angst.
Bernd Schöne
is a veteran
German Internet journalist
and an expert on
cybersecurity.
automobiles. When he got home he hired an automotive
engineer and a graduate student who were given two
months to attempt to similarly penetrate the biggest and
most expensive German cars. It turned out it was a cinch:
using off-the-shelf computer systems available in any
backstreet garage they were able to listen in on
the in-car data communications and insert malware
that was able to take complete control
through the so-called CAN Bus, a communications
interface that is standard in most
German cars of more recent vintage.
The good news was that they had to be
sitting in the car to do it. Any attempt to
duplicate the stunt by the American hackers
and steer the car remotely via wireless
control failed dismally.
It turned out that the German engineers
had done their homework. The vital systems
over which entertainment and engine communications
flow were hermetically sealed off from
the outside and from each other, like the systems of
compartments that can keep a ship from sinking if it suddenly
develops a leak, thus making them impossible to
tamper with, at least remotely.
It appears that German Angst actually paid off in this
case: the car makers had been worried about the kind of
stunt Miller and Valasek had pulled, even though there
had been no proof up to that point that the deed could
actually be done.
As it turns out, virtually every German car manufacturer
has gone an extra step by now and added encryption and
strong authentication to their vehicle systems. The CAN
Bus is now virtually impregnable.
Stephan Gerhager conducted his research independantly,
but he received funded from Allianz, the largest German
car insurance company. But Alliance also insures large
factories, and it seems that many industrial robots also
use CAN Bus technology. They, too, are potentially subject
to outside attack by remote control systems used by hackers
to bring production to stop or, more worryingly, to
cause the factory to produce faulty products, a fact that
would probably only turn up after they have already been
delivered to customers.
Conceivably, this realization will cause even non-German
engineers and managers to wake up to the fact that they
need to do something, and do it fast! Working on the principle
that worrying too much about security is bad for business,
and that if something is broke we can fix it later, may
be typically American. But sometimes a dose of German
Angst can be quite helpful.