OEMs & Cyber Security
Featuring Nigel Stanley, CTO, OT and Industrial Cybersecurity CoE, TÜV Rheinland.
The term ‘Original Equipment Manufacturer’ (OEM) is often considered misleading – and indeed, searching for its meaning online is more confusing than elucidating at first. Some sources describe OEMs as those companies that alter, rebrand, and resell another’s product. Others define OEMs as just the opposite: the manufacturers of the elements acquired by another company to be transformed, rebranded and resold.
Personally, I tend towards the second definition, and so does Nigel Stanley, Chief Technology Officer at TÜV Rheinland, who shared his insights on OEMs and the role they play in cyber security.
Nigel explains OEMs as providers of the components used in many industries and end products and warns: “They are an integral part of the supply chain and any cyber security related bugs, flaws or errors in their equipment could be carried through to the final product, often with a large impact on that subsequent product or service.”
The ambition to create cost effective and readily available components is often a problem. “Aggressive contracts may drive the cost per component to the minimum level that still provides functionality, and cyber security is often the first to suffer from this,” states Nigel.
However, this picture is slowly changing as end users may be subject to cyber security regulations that are passed down the supply chain. This is likely to become the biggest driver to change attitudes within OEMs.
Cyber vulnerability often comes down to poor design and inadequate consideration of cyber security controls by OEMs. The resulting weaknesses can have long-lasting and even fatal consequences, “and I’ve seen a number of them,” says Nigel, including:
• Defective software and firmware, developed by professionals who haven’t been trained with security in mind and/or are unaware of the risks that the final device might pose;
• Incorrectly configured network services, including the use of unencrypted connections to the internet, resulting in intellectual property and data being transmitted in plain/clear text;
• Security and privacy issues, such as the use of poor passwords or excessive permissions to basic users and/or operators;
• Poor protection of data at rest (namely, the inactive data that is considered to be less vulnerable than data in transit, but which is often more highly valued as a target by attackers);
• Improper disposal or loss of devices with on-board memory still containing intellectual property;
• Malware and spyware targeting specific OEM devices and their vulnerabilities.
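The configuration-level weaknesses in the list above (plaintext network services, poor passwords, excessive permissions for basic users, unprotected data at rest) are the kind of thing a defender can check mechanically before a device leaves the factory. The following is an added example, not code from the article or from TÜV Rheinland: a small audit of a device configuration. The configuration format, the field names, the list of default passwords and both sample configurations are constructed for illustration; a real review would map the checks onto the device's actual configuration store.

```python
"""Audit a device configuration for the OEM weaknesses discussed above.

Added example, not from the original article. The configuration layout,
field names and sample values below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Transport schemes that carry credentials or data in clear text.
PLAINTEXT_SCHEMES = {"http", "ftp", "telnet", "mqtt"}  # mqtt here means MQTT without TLS
# Factory-default style passwords (constructed sample list, not exhaustive).
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", "root"}
# Actions that should be reserved for the administrator role.
PRIVILEGED_ACTIONS = {"firmware_update", "factory_reset", "export_logs"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" or "medium"
    category: str   # machine-readable class of weakness
    detail: str     # human-readable location


def password_is_weak(pw):
    """True for default passwords, short passwords, or low character diversity."""
    if pw.lower() in DEFAULT_PASSWORDS or len(pw) < 12:
        return True
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return classes < 3


def audit_device_config(cfg):
    """Return a list of Findings for a constructed configuration dictionary."""
    findings = []
    # 1. Unencrypted network services: any endpoint using a plaintext scheme.
    for name, url in cfg.get("endpoints", {}).items():
        scheme = url.split("://", 1)[0].lower()
        if scheme in PLAINTEXT_SCHEMES:
            findings.append(Finding("high", "plaintext_transport",
                                    f"endpoint '{name}' uses {scheme}://"))
    # 2. Weak or default credentials on any account.
    for account in cfg.get("accounts", []):
        if password_is_weak(account["password"]):
            findings.append(Finding("high", "weak_password",
                                    f"account '{account['name']}'"))
    # 3. Privileged actions granted to non-admin roles (basic users, operators).
    for account in cfg.get("accounts", []):
        if account["role"] != "admin":
            excess = PRIVILEGED_ACTIONS & set(account.get("permissions", []))
            if excess:
                findings.append(Finding("medium", "excessive_permissions",
                                        f"account '{account['name']}' "
                                        f"({account['role']}) may {sorted(excess)}"))
    # 4. Data at rest left unprotected on on-board storage.
    if not cfg.get("storage", {}).get("encrypted", False):
        findings.append(Finding("high", "unencrypted_storage",
                                "on-board storage is not encrypted"))
    return findings


# Constructed sample: a device shipped with several of the listed weaknesses.
WEAK_CONFIG = {
    "endpoints": {
        "telemetry": "http://telemetry.example/upload",
        "updates": "https://updates.example/firmware",
    },
    "accounts": [
        {"name": "admin", "role": "admin", "password": "admin",
         "permissions": ["firmware_update", "factory_reset", "export_logs"]},
        {"name": "operator", "role": "operator", "password": "Tr0ub4dor&3xtra!",
         "permissions": ["view_status", "firmware_update"]},
    ],
    "storage": {"encrypted": False},
}

# Constructed sample: the same device after the weaknesses are corrected.
HARDENED_CONFIG = {
    "endpoints": {
        "telemetry": "https://telemetry.example/upload",
        "updates": "https://updates.example/firmware",
    },
    "accounts": [
        {"name": "admin", "role": "admin", "password": "K3ep-Th1s-0ut-0f-F1rmware!",
         "permissions": ["firmware_update", "factory_reset", "export_logs"]},
        {"name": "operator", "role": "operator", "password": "Tr0ub4dor&3xtra!",
         "permissions": ["view_status"]},
    ],
    "storage": {"encrypted": True},
}


def audit_sample():
    return audit_device_config(WEAK_CONFIG)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"[{f.severity}] {f.category}: {f.detail}")
    print("hardened config findings:", audit_device_config(HARDENED_CONFIG))
```

Run against the weak sample the audit reports one finding for each of the four categories; the hardened sample produces none. The checks are deliberately simple so that each one corresponds to a single bullet above; the value of the exercise is that the same checks can be run on every firmware build rather than once at design time.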
Clearly, the role of OEMs in cyber security is critical. When assessing their security responsibilities, Nigel recommends that Original Equipment Manufacturers carefully consider the following questions:
1. What is the level of dependency of the user on this device?
Issues such as family needs, health, safety, finances and transportation should be factored into the dependency model. A product intended to measure the blood glucose level of a patient will have a higher dependency requirement than a device used for non-medical purposes, for example.
2. What is the worst-case scenario resulting from the intended or unintended use of this product?
Manufacturers must consider the possibility of their products being used to cause harm, such as by causing physical or personal damage, threatening consumer safety and privacy, or facilitating data theft and cyber espionage.
3. How complex is the device?
Complexity, such as the conglomeration of subcomponents from various suppliers or code modules, can indicate the presence of more attack vectors in a device. It is therefore important to consider the device in terms of its class and associated supply chain. “As a rule, if there are 10 or more disparate components in one device, then threat modelling should be carried out,” says Nigel.
4. How complex is the ecosystem in which this device will be used?
Threat motivation, such as cybercrime, hacktivism, espionage or warfare, often depends on the device’s ecosystem. “For example: an autonomous vehicle follows commands that depend on traffic signals. Instead of targeting the vehicle itself, threat actors might compromise the traffic signal system to undermine the vehicle’s safety. This possibility requires that the manufacturers of both the traffic signal systems and the cars consider the necessity of additional sensors and controls,” he explains.
Regulations are one way to ensure that cyber security controls aren’t imprudently ignored for financial reasons. Ideally, cyber security should be planned from the product’s concept phase and then carried through to the design, development, manufacturing, deployment and disposal of the product.
Ultimately, a ‘security by design’ approach is the cheapest in the long run. If cyber security issues are identified and remedied early on, businesses avoid the damage and costs of cyber-attacks sooner and more reliably.