Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Protecting Automotive Intellectual Property from Insider Threats

In the automotive industry, intellectual property (IP) is the differentiator and asset that is often most critical to business success and continuity. Whether we look at R&D, product development, CAD/CAE designs, software development and more, IP is always the core DNA that represents most of the value. It is also very vulnerable to theft. Most of the times, intellectual property is stolen by insiders, who have authorized access to that information or have contributed to their creation. They typically steal it while at work, during normal business hours and while pretending to be conducting “business as usual”. Because of that, detection becomes challenging. It is very difficult to detect illicit access from legitimate access. In addition, there is generally no indication of suspicious activity until the IP is in the process of being stolen or has already been stolen. This allows only an exceedingly small window of opportunity for detection and response.
Due to current political, technological and other global developments that are causing sales to plummet, while forcing companies in the automotive industry to make tremendous investments into new technologies and products to keep up with the competition, it cannot be overlooked that the ever-present threat of targeting insiders for economic or industrial espionage is higher than ever. Insiders in key positions are either being recruited or targeted for theft during business travel, or other occasions when they are the most vulnerable.
This presentation aims to shed light on the challenging topic of insider theft of intellectual property in the automotive industry. It will discuss the motives that lead employees to theft and/or the facilitation of third-party access to organizational assets intentionally or unintentionally. Despite the challenges, there are measures that businesses in the automotive industry can take to protect their intellectual property. Research has repeatedly found a clear link between insider activity taking place and exploitable weaknesses in security and management processes. Therefore, this talk will go on discussing the organizational factors enabling insider threat operations as well as countermeasures against them, by combining the lessons learned on insider activity prevention from the fields of counterintelligence, psychology, and cyber-security.

  • Be the first to comment

Protecting Automotive Intellectual Property from Insider Threats

  1. 1. Christina Lekati Social Engineering & Insider Threat Security Cyber Risk GmbH Protecting Automotive Intellectual Property From Insider Threats Automotive Security Research Group WORLD
  2. 2. Overview • The role of intellectual property (IP) in the automotive industry & market dynamics, today • Intellectual property theft from insiders • Theft of IP from foreign governments or organizations • Mitigation strategies/ countermeasures • Closing remarks Christina Lekati | Cyber Risk GmbH
  3. 3. Christina Lekati • Psychologist focusing on the human element of security • Assisting in cyber security projects from a young age • Trainer & Consultant for Cyber Risk GmbH on the Human Element of Security • Main developer of the training programs on insider threats and social engineering for Cyber Risk GmbH About Me @ChristinaLekatiChristina Lekatiwww.cyber-risk-gmbh.com/
  4. 4. Intellectual Property in the Automotive Industry • Until a few years ago, the automotive sector was considered a mature industry with well-established players. • Core competencies of the automakers were familiar to most people, but not so the technological waves that are transforming and reshaping the industry, today. • Although fully autonomous vehicles (Level 5) are years away from reaching the market, deep-learning, data analytics, real-time control algorithms and a slew of connected devices and components are already changing the car industry. Christina Lekati | Cyber Risk GmbH Source: World Intellectual Property Report 2019
  5. 5. Intellectual Property in the Automotive Industry Christina Lekati | Cyber Risk GmbH Source: World Intellectual Property Report 2019 Increasing trend in innovative activity in AV technology.
  6. 6. Intellectual Property in the Automotive Industry Christina Lekati | Cyber Risk GmbH In the face of the AV technological shock, auto companies have an incentive to join forces to share the costs and risks but also defend their market position. This is just one of a long list of examples of collaboration between tech companies.
  7. 7. Intellectual Property in the Automotive Industry The automotive industry is in the early phases of a period of technological disruption, with several new entrants, both from the automotive and the technological sides. Most tech firms, especially the smaller startups, occupy niches, focusing on hardware, software, mobility services, connectivity, communications and many more. Two main things happen in regard to intellectual property: 1) Significantly increased numbers of intellectual property-related documents and patents 2) Decreased control over ownership rights & sharing Christina Lekati | Cyber Risk GmbH Source: World Intellectual Property Report 2019
  8. 8. Christina Lekati | Cyber Risk GmbH With the first-mover advantage increasing the stakes in market share and many vehicles now coming to market featuring some level of automation, while fully autonomous cars being tested on public roads, we need to focus more on IP rights management and protection. Intellectual property (IP) is right now one of the most important and valuable set of assets that an automotive company can own. Technology and innovation are shifting the market dynamics and intellectual property will play a major role in the way the industry will be shaped within the next years. Intellectual Property in the Automotive Industry
  9. 9. Intellectual Property Goes Beyond Patents Christina Lekati | Cyber Risk GmbH “Intellectual property (IP) refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce.” -World Intellectual Property Organization IP Includes: • Proprietary software/ source code • Customer information • Product-related IP (designs, formulas, schematics) • Business plans, trade secrets, proposals, strategic plans
  10. 10. Any current or former employee, partner or contractor that has or used to have access to the organization’s digital assets and may intentionally or unintentionally abuse this access and harm the organization. Insider Threats: Who Are They? Christina Lekati | Cyber Risk GmbH ENISA Threat Landscape Report 2018
  11. 11. “Any current or former…. employee, partner, or contractor… Insider Threats: Who Are They? Christina Lekati | Cyber Risk GmbH Source: ENISA Threat Landscape Report 2018
  12. 12. “…may intentionally or unintentionally abuse their access and harm the organization” Insider Threats: Who Are They? Christina Lekati | Cyber Risk GmbH Source: ENISA Threat Landscape Report 2018
  13. 13. • Current employees/ contractors • They already have authorized access to the IP they steal • They usually steal it during normal business hours • Scientists, engineers, contractors, salespeople, and more Who Are The Usual Culprits? Christina Lekati | Cyber Risk GmbH
  14. 14. • Misconception: they want to sell it for monetary gain • Reality: they steal it for a business advantage (a new job, to start a competing business, to send it to a foreign government/ organization) Why Do Insiders Steal Intellectual Property? Christina Lekati | Cyber Risk GmbH
  15. 15. The Anthony Levandowski Case Christina Lekati | Cyber Risk GmbH Sources: https://www.bloomberg.com/news/features/2017-03-16/fury-road-did-uber-steal-the-driverless-future- from-google https://www.bloomberg.com/news/articles/2020-04-18/uber-says-guilty-engineer-on-his-own-for-180-million-to- google
  16. 16. • Insider acts alone • Helped develop the IP/ perceives their role in its development as important • Sense of entitlement & ownership of IP • Intense & explicit evidence of entitlement or possessiveness in many cases Two Main Types Christina Lekati | Cyber Risk GmbH • One insider may recruit other insiders for theft of IP • Want to gain access to more information – may try to assemble an entire strategic plan or software system • Motives vary –recruits are promised higher rewards Individuals Recruiters
  17. 17. • Sense of entitlement • Possessiveness • Disgruntlement Most IP theft happened within 1 month before/after employment termination. The most frequent data exfiltration methods are emails, removable media & remote network access. However physical exfiltration of information also happens. The insider often felt that they exfiltrated what righteously belonged to them- and did little effort to conceal their theft. Patterns Around IP Theft Christina Lekati | Cyber Risk GmbH
  18. 18. Concerning Indications Include: Christina Lekati | Cyber Risk GmbH Extreme disgruntlement with the organization Unusual IT activity; accessing/ emailing/ exfiltrating IP Suspicious comments; entitlement, possessiveness etc.
  19. 19. Disgruntled Insiders Christina Lekati | Cyber Risk GmbH Disgruntlement with the organization is often explicit and can lead to malicious insider activity Source: https://www.csoonline.com/article/3284444/insider-threat-becomes-reality-for-elon-musk.html
  20. 20. Enablers of Insider Threat Activity Christina Lekati | Cyber Risk GmbH “…Where an insider act takes place there is often an exploitable weakness with the employer’s own protective security or management practices which enables the insider to act.” CPNI Insider Threat Collection Study 2013
  21. 21. Lack of a proper inventory. Easy access to hardware and software assets - trade secrets, and other proprietary information etc. *and more!!!* Poor Asset Management Absence of sufficient technical controls. Rare or unsystematic IT auditing that would spot irregularities or unusual behaviors. This enabled insiders to act in the first place. Poor Usage of Technical & Auditing Functions Lack of adherence to security policies & practices allowing insiders to have access to foreign computers, sensitive materials, privileged/accumulated access to information beyond the scope of their work etc. Poor Security Culture Many concerning behaviors/ problems & activities of the insider were noticed but unaddressed. Poor Management Practices Christina Lekati | Cyber Risk GmbH Enablers of Insider Threat Activity
  22. 22. Both technical and behavioral monitoring is required. 72% of IP theft cases were detected and reported by non-technical employees. Signs are often observable by technical and/or non-technical means if you are vigilant. Appropriate policies & processes are also essential. Countermeasures for Insider IP Theft Christina Lekati | Cyber Risk GmbH Source: Cappelli, D., et al. “The CERT Guide to Insider Threats: How to Prevent, Detect and Respond to Information Technology Crimes”, New York; Addison-Wesley.
  23. 23. • Understand the positions at risk – who handles your most critical IP? • Recognize the patterns & organizational factors surrounding IP theft • Employee training on insider threats • Improve termination policies & processes • Clear reporting process in case of suspicious activity • Well-defined and clear contracts on IP development, rights & ownership • Implement technical countermeasures (Data loss prevention systems, digital rights management, etc.) • Review & adjust access controls on the people that move to different projects/departments in your organization. Do they just accumulate privileges? Countermeasures for Insider IP Theft Christina Lekati | Cyber Risk GmbH
  24. 24. Economic Espionage: “the conscious and willful misappropriation of trade secrets with knowledge or intent that the offense will benefit a foreign government, foreign instrumentality, or foreign agent.” Industrial Espionage: “the conscious and willful misappropriation of trade secrets related to, or included in, a product that is a product that is produced for, or placed in, interstate or foreign commerce to the economic benefit of anyone other than the owner, with the knowledge or intent that the offense will injure the owner of that trade secret.” Theft of IP from Foreign Governments or Organizations Christina Lekati | Cyber Risk GmbH -Office of National Counterintelligence Executive
  25. 25. Malicious insiders who infiltrate an organization or get recruited. They misuse their access and involvement to intellectual property rights and development to benefit a foreign entity. Unintentional insiders who do not practice appropriate security practices (e.g. while traveling) and are being targeted by external threat actors. Theft of IP from Foreign Governments or Organizations Christina Lekati | Cyber Risk GmbH It is very difficult to recover stolen IP once it leaves the legal jurisdiction of its “home country”.
  26. 26. Reporting Christina Lekati | Cyber Risk GmbH Source: Red Goat Cyber Security, (2019). Insider Threat Report 2019 Someone meets friendly, fun individual while working on a project abroad …and eventually is offered a large amount of money to provide access to the corporate networks …which the individual refuses… …but after a while notices a coworker enjoying large amounts of sudden, inexplicable wealth.
  27. 27. Reporting Christina Lekati | Cyber Risk GmbH “…I didn’t ask about it or report it because I felt I would also be implicated and actually I would rather not be involved. " Source: Red Goat Cyber Security, (2019). Insider Threat Report 2019 DID HE/SHE SAY SOMETHING?
  28. 28. Reporting: What Does the Research Say? Christina Lekati | Cyber Risk GmbH Quantitative & Qualitative Research: • 1145 participants • Different countries • Different roles • About 15 different industries Source: Red Goat Cyber Security, (2019). Insider Threat Report 2019; Research Results and Analysis” Retrieved from: https://red-goat.com/insiderreport19/
  29. 29. Reporting: What Does the Research Say? Christina Lekati | Cyber Risk GmbH High Reluctance to Report: • Employees’ cost / benefit analysis for reporting insider threat activity is discouraging. - Moral inhibitions - Fear of social judgment within the organization - Fear of personal risks “ I would rather come forward as a witness after the attack than risk my life and career being ruined by reporting it earlier.. ” Source: Red Goat Cyber Security, (2019). Insider Threat Report 2019; Research Results and Analysis” Retrieved from: https://red-goat.com/insiderreport19/
  30. 30. Reporting: What Does the Research Say? Christina Lekati | Cyber Risk GmbH HR Preferred for Reporting Over Security Teams: • Closer to the employees • Trust; HR would keep the confidentiality • Believed to handle the issue better Source: Red Goat Cyber Security, (2019). Insider Threat Report 2019; Research Results and Analysis” Retrieved from: https://red-goat.com/insiderreport19/ …BUT HR is typically NOT trained on the security implications of insider threats (or security in general) and may not pay the proper care and attention to a reported incident.
  31. 31. Reporting: What Does the Research Say? Christina Lekati | Cyber Risk GmbH Lack of Training is the Biggest Barrier to Reporting • Over 72% of respondents cited a lack of training knowledge and confidence to report suspicious activity. • Staff is unclear in identifying suspicious behavior. • Staff does not realize the significance of insider threats and reporting. Source: Red Goat Cyber Security, (2019). Insider Threat Report 2019; Research Results and Analysis” Retrieved from: https://red-goat.com/insiderreport19/ “Our company just says report anything suspicious – there is no guidance, no training, nothing.” “It is a scary thing to do (reporting). I need some form of training and process otherwise I feel like I am playing God.”
  32. 32. Through training & management Separation of duties and least privilege. Keep an eye on the physical environment. Monitor and respond to suspicious or disruptive behavior --insiders feel free to act when they fear no risk of detection or consequence!-- Improve Security Culture Technical Security Controls/ Asset Management Christina Lekati | Cyber Risk GmbH Countermeasures - Recommendations Identify your critical IP assets and place technical controls for their protection. Log, monitor and audit (periodically) employee online actions. Deactivate/control employee access to accounts, networks, systems, applications, data & physical locations upon employment & termination. *and more!!!*
  33. 33. Straight forward process. Confidentiality/ anonymity need to be ensured. “No fault” reporting policy. Report to specific teams/ people Reporting Process For HR, management and employees. Recognize insider threats & know how to report. BONUS Benefits: Training strengthens security culture & social engineering defense! Training Christina Lekati | Cyber Risk GmbH Countermeasures - Recommendations
  34. 34. • Fear of creating a toxic organizational culture • Not enough cases made public • “Not In My Back Yard” phenomenon This is still a controversial topic Christina Lekati | Cyber Risk GmbH
  35. 35. Christina Lekati | Cyber Risk GmbH A last word on (avoiding) PARANOIA…
  36. 36. Christina Lekati | Cyber Risk GmbH Community support is still very important, especially towards common threats.
  37. 37. Additional Recommended Resources Christina Lekati | Cyber Risk GmbH • Cappelli, D., et al. (2012) “The CERT Guide to Insider Threats: How to Prevent, Detect and Respond to Information Technology Crimes”, New York; Addison-Wesley. • Center for the Protection of National Infrastructure (CPNI), (2013). “CPNI Insider Data Collection; Report of Main Findings”, Retrieved from: https://www.cpni.gov.uk/system/files/documents/63/29/insider-data- collection-study-report-of-main-findings.pdf • Center for the Protection of National Infrastructure (CPNI), (2012). “Holistic Management of Employee Risk (HoMER)” Retrieved from: https://www.cpni.gov.uk/system/files/documents/da/00/Holistic- Management-of-Employee-Risk-HoMER-Executive-summary.pdf • Charney, L., D., (2014). “True Psychology of the Insider Spy” Retrieved from: https://noir4usa.org/wp- content/uploads/2014/07/NOIR-White-Paper-17JUL14.pdf • European Network and Information Security Agency, (2019). “ENISA Threat Landscape Report 2018”, Retrieved from: https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018 • Red Goat Cyber Security, (2019). “Insider Threat Report 2019; Research Results and Analysis” Retrieved from: https://red-goat.com/insiderreport19/
  38. 38. Contact Details: “Knowledge is a weapon. I intend to be formidably armed.” - Terry Goodkind Christina Lekati @ChristinaLekati Christina Lekati Social Engineering Security Trainer & Consultant Cyber Risk GmbH

×