Report Sector Case Studies: Payments - Automotive and Insurance
Wrap-up report Black Hat Sessions 2019 - Sector case studies written by Mentor Emurlai - 31 July 2019
How can the security maturity level be increased within sectors like automotive, payments and insurance? Every sector is challenged in a different way, but there are also many commonalities. During the Black Hat Sessions, various speakers addressed how they deal with security and how to increase cyber resilience within their business. Below you will find a brief report, written by Mentor Emurlai (Associate Consultant at Secura), of the case studies presented by Geert Pater (RDW), Max Geerling (Dutch Payments Association), Wouter Wissink (Chubb) and Liesbeth Holterman (Cyberveilig Nederland).
The paradox of open banking - Payments sector
Today, in the eyes of the consumer, banking is a closed institution that is not easily accessible to anyone. The emergence of an open banking model therefore becomes, as the name implies, very interesting when viewed from a security perspective. The question that arises when talking about security in open banking is how sufficient and efficient security measures can be implemented in an open banking model. Max Geerling addressed this topic during his talk at the Black Hat Sessions. Max has a PhD in Mathematics and extensive experience in IT since 1995. He works as an Executive Advisor at the Dutch Bank Association and gave insights into the paradox of open banking and the future steps ahead for PSD2.
PSD2 and open banking
A majority of consumers do not know how PSD2 works. The idea behind PSD2 is that different companies can assist consumers in accessing their bank account. Generally speaking there are two types:
a) Account information service providers
b) Payment initiation service providers
Account information service providers assist in retrieving account information from the bank and provide additional services on top of it. Payment initiation service providers assist in making payments (for example, a service such as IDEAL). This structure of banking is one of the first steps away from the monolithic idea of a bank, making a distinction between a manufacturing part and a distribution part. Within the concept of PSD2 it becomes more realistic that banking products are distributed by other entities. What is important to know is that both account information and payment initiation service providers need to hold the same licenses that banks are required to hold now, issued by the Dutch Central Bank. An interesting development with PSD2 is that all banks are implementing APIs as new access channels to their banking systems. APIs generally tend to be enablers for unbundling service offerings, which is now specifically happening in the payments and banking industry.
The development in the UK regarding open banking
The UK in particular has quite a competitive banking landscape, with new banks belonging to either the type A or the type B kind of service provider. On the one hand there are banks that focus on the manufacturing part and make their service offering ready to be distributed through various channels; on the other hand there are partners or banks that become a distribution bank and embrace the services of other providers. Without doubt there are also banks that try to do both (often very large banks). These developments are still at a very early stage and have yet to reach maturity, but at the same time they are definitely evolving.
The paradox of open banking
The idea of openness makes the supply chain longer, through the introduction of manufacturing parts or by becoming a distribution bank. It has to be kept in mind that the supply chain still needs to be closed off from crooks and criminals. With a longer supply chain, you get an increased number of access points: more attack surface, more places for malware, and so on. Right now, users are provided with passwords, biometrics and two-factor authentication to protect the chain, as required by law. Those who develop and implement these applications know that they need to take certain measures, such as hardening, to prevent undesired situations.
On the communication side there are all sorts of certificates for integrity, non-repudiation, transport-layer security and more. These measures are all fine but no longer sufficient on their own, as measures ought to be taken for the entire chain. What banks now do, for instance on the mobile channel, is continuous monitoring of client activity and transactions. This is, however, all based on user data (activity, normality, locations, device, etc.). What also comes into play is knowing who is responsible for which part of the chain and who is liable. It would therefore help to have more data on the user in, for instance, the manufacturing part. Security is also not a stand-alone concept, as it depends on other aspects of the service being delivered, such as availability and ease of use. Currently we have the technology (e.g. RESTful APIs, JSON, ISO standard messages, etc.) and legislation such as the PSD2 framework, which frames responsibilities and liabilities and also references incident management. Contractual agreements need to fill the gap between the legal framework and the technology. Two ways are considered fit for achieving that: it can be done through a specified number of contracts, or through a scheme with one set of rules to which everyone adheres (such as IDEAL), which makes it more efficient to arrange all challenges regarding open banking.
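The continuous monitoring of client activity described above is, at its core, a comparison of each new transaction against a per-user picture of what is normal (device, location, amount, time of day, and in a PSD2 chain also which third party initiated it). The following is an added example, written for this report and not code from the talk or from any bank: a small rule-based monitor over constructed sample transactions. The rule weights, the decision thresholds and the identifiers `dev-a1`, `pisp-licensed-001` and the like are assumptions made for the example.

```python
"""Rule-based transaction monitoring against a per-user behavioural baseline.

Added example: models the 'continuous monitoring of client activity and
transactions' from the PSD2 talk. All sample data below is constructed.
"""
from dataclasses import dataclass
from statistics import mean, pstdev

# Rule weights and decision thresholds are assumptions chosen for this example,
# not values from the report or from any bank's real monitoring policy.
WEIGHT_NEW_DEVICE = 30
WEIGHT_NEW_COUNTRY = 30
WEIGHT_AMOUNT_OUTLIER = 25
WEIGHT_UNUSUAL_HOUR = 10
WEIGHT_UNLICENSED_INITIATOR = 40
STEP_UP_THRESHOLD = 30   # ask the user for an additional factor
HOLD_THRESHOLD = 60      # park the transaction for analyst review


@dataclass(frozen=True)
class Transaction:
    user: str
    amount: float      # EUR
    country: str       # country of the originating device / IP address
    device_id: str     # identifier the mobile app binds to the device
    hour: int          # local hour of day, 0-23
    initiator: str     # "bank_app" or the id of the third-party provider (AISP/PISP)


@dataclass
class Baseline:
    amounts: list
    countries: set
    devices: set
    hours: set


def build_baseline(history):
    """Summarise a user's past transactions into the 'normality' profile the talk refers to."""
    return Baseline(
        amounts=[t.amount for t in history],
        countries={t.country for t in history},
        devices={t.device_id for t in history},
        hours={t.hour for t in history},
    )


def score_transaction(tx, baseline, licensed_providers):
    """Return (score, reasons). Every rule that fires adds its weight; reasons are for the analyst."""
    if not baseline.amounts:
        # A user with no history has no 'normal' yet: step up rather than guess.
        return STEP_UP_THRESHOLD, ["no behavioural baseline for user"]
    score, reasons = 0, []
    if tx.device_id not in baseline.devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append(f"unseen device {tx.device_id}")
    if tx.country not in baseline.countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append(f"unseen country {tx.country}")
    if len(baseline.amounts) >= 2:
        # Amount compared to the user's own history, not to a global limit.
        mu, sigma = mean(baseline.amounts), pstdev(baseline.amounts)
        if sigma > 0 and (tx.amount - mu) / sigma > 3:
            score += WEIGHT_AMOUNT_OUTLIER
            reasons.append(f"amount {tx.amount} is >3 sigma above user mean {mu:.0f}")
    if tx.hour not in baseline.hours:
        score += WEIGHT_UNUSUAL_HOUR
        reasons.append(f"unusual hour {tx.hour}")
    # Third parties in the PSD2 chain must hold a licence; an unknown initiator is itself a signal.
    if tx.initiator != "bank_app" and tx.initiator not in licensed_providers:
        score += WEIGHT_UNLICENSED_INITIATOR
        reasons.append(f"initiator {tx.initiator} not in licensed provider list")
    return score, reasons


def decide(score):
    if score >= HOLD_THRESHOLD:
        return "hold"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def monitor(tx, history, licensed_providers):
    """Full pipeline for one transaction: baseline -> score -> decision."""
    score, reasons = score_transaction(tx, build_baseline(history), licensed_providers)
    return decide(score), score, reasons


# Constructed sample history: one user, daytime payments from one device in NL.
SAMPLE_HISTORY = [
    Transaction("alice", amt, "NL", "dev-a1", hour, "bank_app")
    for amt, hour in zip([20, 35, 50, 65, 80, 25, 40, 55, 70, 30],
                         [9, 10, 11, 12, 13, 14, 15, 16, 17, 18])
]
# Constructed placeholder for a licensed-provider register, not a real registry.
LICENSED_PROVIDERS = {"pisp-licensed-001"}

if __name__ == "__main__":
    samples = [
        Transaction("alice", 45, "NL", "dev-a1", 12, "bank_app"),
        Transaction("alice", 2500, "RO", "dev-x9", 3, "bank_app"),
        Transaction("alice", 50, "NL", "dev-a1", 12, "pisp-unknown"),
    ]
    for tx in samples:
        print(monitor(tx, SAMPLE_HISTORY, LICENSED_PROVIDERS))
```

The design point is that the signals are all derived from user data, as the talk notes: the monitor is only as good as the baseline it can build, which is why a longer chain (where a third party, not the bank, sees the user) leaves the bank with less to compare against.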
Challenges in type approval of modern vehicles - Automotive sector
Geert Pater has been working for RDW for over 20 years and for the last six years has been actively involved in ensuring that safety and security measures are met in new vehicle regulations. In the early stages of vehicle production, safety was regarded as very important and was the main cause of worry. Although safety will always remain important, vehicles are now becoming driving computers, creating an entirely new surface area with a lot of exposure to security risks. RDW is not only the type approval authority that admits cars to Dutch roads, but also has many other tasks. RDW is responsible for the whole process: car registration, delivering registration cards with special chips, but also issuing driver's licenses. In addition, RDW is responsible for allowing special traffic on the road and maintaining a register that is used for parking, and besides that, RDW works on the new car taxes and toll systems that are being introduced in the Netherlands. The work performed by RDW is very broad, encompassing everything about, around and surrounding the car. A special task assigned to RDW is that it represents the Netherlands on an international scale in making vehicle standards within the United Nations, in meetings held in Brussels and in Geneva.
In recent years there has been a lot of noise about autonomous vehicles being labelled as self-driving cars; however, technically there are currently no self-driving cars on the road. Most vehicles that are labelled as self-driving are classified as a level-two system, which means that the system solely assists the driver of the vehicle. At the same time this ensures that responsibility stays with the driver and not with the software. The vehicles that drive fully automatically have a special permit or allowance given by RDW. These vehicles drive on special tracks, are risk-assessed by RDW and have a limited speed allowance (e.g. 25 km/h). Typically, a personal car has at least 120 devices on board (on average) with computing, detection and monitoring capabilities, as well as built-in sensors located all around the vehicle. Given this, the quality of the hardware, the quality of the software and especially the know-how with which the software is built need to be assessed, including the security aspect. In short, vehicles are connected 'through the air' and can be considered datacenters on wheels.
How are vehicles regulated?
Regulations can be distinguished at three levels: national, European and global. The Netherlands follows the regulations proposed in the UN, which is evident because car builders, referred to as OEMs, operate globally. The aim of RDW is to harmonize regulations worldwide as much as possible, which is a very difficult task given the differing national regulations. A majority of the regulations are built in Geneva under the banner of the UN, where almost every country worldwide gathers to harmonize these regulations. On a lower level there are European regulations, which in turn are followed by national regulations and initiatives. Currently there are only a few regulations that deal with the use of IT, resulting in confusion, ambiguity and much room for self-interpretation regarding how IT should be secured. At the same time this results in rules that are not profound enough and that are insufficient to serve as a reference for compliance checks.
Right now a legal basis is already established by which vehicles are checked and European type approvals are given. What RDW has initiated, and in which it has already taken a leading role within the UN, is that safety and security also need to be assessed from an IT perspective, leading to the Vehicle Safety and Security Framework (VSSF). On the national level (with a lot of international interest) RDW is aiming for a driver's license for software for various domains, such as the highway domain. Another interesting matter is that cars with today's technology are capable of learning while driving (also referred to as Artificial Intelligence), meaning that the complete lifecycle of such cars has to be monitored on the basis of safety and security.
Panel discussion: Geert Pater (RDW), Wouter Wissink (Chubb), Liesbeth Holterman (Cyberveilig Nederland) and Max Geerling (Dutch Payments Association)
RDW is active in many international and specialized groups, one of which is called CS-OTA: "Cyber Security Over The Air updates". Proposed regulations are written in this group under which an OEM has to provide evidence that it has security policies in place and that over-the-air updates to a vehicle are securely applied, each update having a special number that can always be traced back to when a car was last updated. Currently RDW is working together with technical services such as Secura to see whether the measures proposed by the regulation can be verified by means of a process audit and a technical audit. This can be considered a new and unique way for vehicle OEMs to show that they comply, because they have to share, in a transparent manner, how they have organized their IT internally and how they ensure that security is safeguarded.
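Two things an auditor would want to see evidence of from the paragraph above are that a vehicle only installs the package the OEM actually published under a given update number, and that the update number can be traced back to when each car was last updated. The following is an added example, written for this report and not code from RDW, Secura or any OEM, of a minimal update register that gives both. The update numbers, VIN and package contents are constructed placeholders; a real deployment would protect the manifest with a signature rather than rely on the register alone, which this stand-alone example does not do.

```python
"""Minimal over-the-air update register: published manifests plus an append-only
per-vehicle install log. Added example; all identifiers below are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class PublishedUpdate:
    update_number: str       # the traceable "special number" the regulation asks for
    software_version: str
    sha256: str              # digest of the package the OEM approved


@dataclass(frozen=True)
class InstallRecord:
    vin: str
    update_number: str
    installed_at: datetime
    package_sha256: str


class UpdateRegister:
    def __init__(self):
        self._published = {}   # update_number -> PublishedUpdate
        self._installs = {}    # vin -> [InstallRecord], append-only

    def publish(self, update_number, software_version, package: bytes):
        """OEM side: record the approved package under a unique update number."""
        if update_number in self._published:
            raise ValueError("update numbers must be unique")
        digest = hashlib.sha256(package).hexdigest()
        self._published[update_number] = PublishedUpdate(update_number, software_version, digest)
        return digest

    def install(self, vin, update_number, received_package: bytes, when=None):
        """Vehicle side: install only a package matching the published digest, then log it."""
        published = self._published.get(update_number)
        if published is None:
            raise ValueError(f"unknown update number {update_number}")
        digest = hashlib.sha256(received_package).hexdigest()
        if digest != published.sha256:
            raise ValueError("package digest does not match published update; refusing to install")
        record = InstallRecord(vin, update_number, when or datetime.now(timezone.utc), digest)
        self._installs.setdefault(vin, []).append(record)
        return record

    def last_update(self, vin):
        """Auditor view: which update a given car received last, and when."""
        records = self._installs.get(vin)
        return records[-1] if records else None

    def vehicles_with_update(self, update_number):
        """Auditor view: every vehicle that received a given update number."""
        return [r for recs in self._installs.values() for r in recs if r.update_number == update_number]


def demo():
    """Publish one update, install it on one vehicle, and reject a tampered copy."""
    reg = UpdateRegister()
    package = b"constructed firmware image v2.1"          # placeholder, not a real image
    reg.publish("UPD-EXAMPLE-0001", "2.1", package)
    vin = "VIN-PLACEHOLDER-0001"                           # placeholder VIN
    reg.install(vin, "UPD-EXAMPLE-0001", package, datetime(2019, 7, 31, tzinfo=timezone.utc))
    try:
        reg.install(vin, "UPD-EXAMPLE-0001", package + b"x")  # one byte changed in transit
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    return reg, tampered_rejected


if __name__ == "__main__":
    register, rejected = demo()
    print(register.last_update("VIN-PLACEHOLDER-0001"), "tampered copy rejected:", rejected)
```

The register is deliberately append-only: a process audit of the kind described above asks whether the installation history can be shown, and a log that can be rewritten cannot serve as that evidence.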
Routeplan cyber security risk model and certification - Insurance sector
To achieve a cyber security risk model and certification, it is important to know how to get closer to clients regarding the cyber risks applicable to their business. Everybody knows, to a certain degree, about property and liability risks and how insurance for them is organized. Generally speaking, it is difficult to convince a client that they have risks. The cyber domain in particular is still considered a challenge compared to other domains such as property. There is already a lot of involvement with larger enterprises within the Netherlands and abroad regarding cyber risk; however, small and medium enterprises (SMEs) are still considered a problem area, which makes up a significant opportunity for improvement. At the same time, a lot of work is done with insurance agents who are relatively new to this domain and do not know about the risks of the cyber domain, making it difficult to sell and to convince a client that they have risks. The main question is how this issue can be resolved, how to engage the client and the insurance agents and, in the end, get better protected against cyber risks, especially in the SME sector. An example that can be used for organizing this is the physical (burglary) protection domain, where the size of the risk and the attractiveness of the risk are assessed.
For example, a computer is worth a certain number of points, and a certain number of computers adds up to a total amount of points, which assigns your organization to a specific risk class. The next step is to look at the protection needed, based on the risk classification.
The cyber domain is totally different from the physical (burglary) protection domain; however, the plan for the cyber domain was to have a centrally managed process or system that can be easily maintained. To achieve this, various organizations have been involved. A further obstacle was the absence of central funding, which was in the end resolved and granted by the Ministry of Justice and Security. In addition, the cyber security sector was included in the route plan because of the amount of knowledge the sector has on crisis risks.
The risk classification can be based on the traditional ISO 27000 and CIA levels. For instance, a company can have a score for each of the CIA levels (Confidentiality, Integrity and Availability), totalling a certain amount of points that assigns the organization to a risk classification from one to four, where a level one classification relates to organizations with minimal risk appetite and a level three classification relates to an organization with sensitive (medical) data. Protection for the first three levels can be achieved by the organization itself, while a level four classification requires external support in implementing the required controls in order to obtain a certificate.
The aim is to make organizations more aware of their risk appetite: if an organization starts digitizing its products or services, this in turn affects its risk appetite.
With a committee consisting of various stakeholders and former partners, a working group for risk and a working group for certification were defined. The idea behind controlling cyber risks is that a self-assessment should be possible, considering principles such as simplicity and cost-effectiveness. The main difference between the cyber domain and, for example, the physical burglary protection domain is that the interaction between protection and security is completely different. If, as a metalworking company or bakery, your goods are not that attractive, most likely a burglar will not attempt to compromise your organization. In the cyber domain this is different: if you have any open firewall ports, you can be sure that someone will attempt to exploit those openings. Therefore the main goal is to achieve baseline protection for every organization and, on top of that, dependent on the risk appetite, a classification in a higher risk class mirroring the number of controls to be implemented.