Friday, August 7, 2015

The $10k that Chrysler could have invested to save $140,000,000

This post is more of a humorous one, taking statistics to a level normally only seen during election campaigns.  After all, it is Friday.

Security is rarely seen as an investment.  Yet it is exactly that.  You can also call it insurance.  What you shouldn't call it is missing.

We once again have a very telling example.

Imagine this scenario:  Chrysler could have invested $10k to save $140 million.

Chrysler just issued a recall on 1.4 million vehicles because a security expert (hacker) demonstrated that it was possible to bypass the... lacking security controls and reach critical components of the vehicle's electronics.  All this from the Internet.

Pulse-raising news.

Recalling 1.4 million vehicles costs money.  

It certainly costs more than $1 per car, and certainly more than $10 per car.  Probably around $100 per car.  That is not counting the customers' wasted time, if they get the service done immediately instead of waiting for their next overpriced oil change.  Hence the $140 million price tag of this security issue.

So now the interesting part.  How could a few thousand dollars have prevented this?

Secure Architecture Review.

As an expert, if you call me in to pick my brain for a couple of hours, I charge a reasonable price.  Let's say $5000 a day.  This is reasonable because you are only bringing me in for a day or two, and you're taking my experience and applying it, concentrated and undiluted, to your most pressing problems, so in a sense it is priceless.

So in this case, certain basic things have been around in the security world for a very long time.

1) Don't build your outhouse near your well (very basic)

2) Don't use your real name on the Ashley Madison website (appropriate joke this month)

3) Segment your critical assets from your low value ones (separate VLANs per asset category, with nothing but explicitly needed traffic allowed between them)

4) Don't do your banking on your kid's virus-infected Windows 98 laptop

So why is my car's entertainment system on the same network as critical systems like braking?

Having a security pro in that one important architecture meeting would have produced a clear statement that it is a really bad idea to let every electronic device in your car talk to every other one.  In fact, the aviation industry has entire standards for this type of communication, along with a golden rule about isolation.  This means that well documented and proven standards exist that you can either copy or draw inspiration from.

So yes, essentially, having the right skill set in that one meeting would have yielded a car that offers good security simply by respecting a few basic rules.  Rules that every competent security professional would have insisted on.

So we could conclude that the right skill set was not at the right meetings.

So forget the $10k.  If you paid the best of the best security professional a ridiculous salary of $250,000 a year to sit in all the important meetings, over the course of ten years you would still have saved a whopping $137,500,000.  Why?  Because at $250k a year, it is certain that I wouldn't let you build your outhouse right next to your well.

And if you didn't listen to me, paperwork would exist that ensures traceability (just like in the aviation industry), showing which level of management accepted a risk that is clearly unacceptable.  And hopefully someone would get their outhouse cleaned out.

Sadly, in the automotive industry, which is older than the aviation industry, we still lack some of these basic elements.

This means that the individuals who contributed to these terrible decisions will not be affected.  Sitting through a few rough meetings does not count as being affected.

Today it was announced that a class action lawsuit is perhaps underway against Chrysler (Jeep).  This means that the price tag of $140 million is going to go up.  Way up.

The shareholders should be very upset.

The board of directors should also be very upset as their primary responsibility remains to maximize return on investment.  And at this, they are failing.

Poor management decisions will not result in personal liability for overpaid CEOs and other senior executives who fail at addressing these issues and continue to allow KPIs that cause more harm than good.

All these errors, some of them very expensive errors, will be paid by the shareholders.

So now the lawyers are getting involved, which will make them the real winners here.

And the sad part is that no one has actually had their car "maliciously hacked".  

Security researchers found that it could be done.  So if someone really smart takes the time to figure it out, it's possible.  That does not translate by any means into a motivation to invest that time just to activate the brakes on cars for a malicious laugh.

As a security expert, I can guarantee you that given enough time, I can attack anything and win.  I still need a means to translate that into money that preferably doesn't involve showering in groups.

So researchers found a bug that Chrysler should have found on its own.  The bug is being addressed, and Chrysler is still going to go through a lawsuit.

So should they have invested in a security architecture review... or in security testing?

Yes, they should have.


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique University in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies
