Spoiler alert: critical plot elements including the ending revealed.
The Shawshank Redemption, the 1994 movie about injustice inside a prison, has held the #1 spot on the IMDb Top 250 list for nearly all of its 26 years, and celebrated with a massive cast reunion nearly one year ago to the day. Why? People love a story about two underdogs overcoming extreme odds, outsmarting an evil tyrant, succeeding through acts of decency and intelligence, and relearning the joy of hope. The protagonist, Andy Dufresne, overcame what serves as a metaphor for our mundane burdens when he crawled “…through a river of s**t and came out clean on the other side.” We all want that newfound freedom. What enables this fantastic story is a series of poor security measures, and they can serve as guideposts when using pop culture to better consider security risks. In the movie it takes many years of focused diligence and creative solutions before those guideposts are navigated to a better reality.
The auto industry must soon navigate some serious, looming security deadlines as well: international mandates at the end of this year that could prevent the sale of vehicles without certification. Using the metaphorical guideposts from The Shawshank Redemption as navigation aids may help in understanding the cybersecurity struggle ahead.
So, as Andy Dufresne would remind us, “salvation lies within” … let’s have a look.
Guidepost #1: Failed Product Risk Assessment
Treating the prison as a quasi-product that delivers rehabilitation services, Andy literally unearths a product flaw that was foreseeable even to his fellow inmate. “I guess you’d want to escape? Tunnel under the wall?” predicts Red when talking about Andy’s request for a small rock hammer. Should tunneling out of a prison have been a foreseeable risk for the warden and the prison system? Should the walls have been built from something sturdier than crumbling rock? Certainly. Shawshank supposedly takes place mostly in the 1950s and 60s in the United States; the movie The Great Escape was released in 1963, nominated for Best Motion Picture (Golden Globes, 1964), and was based upon the 1944 World War II escape of over two hundred prisoners via a tunnel. If you can imagine a jury questioning the warden about recent history, failure modes, the “state of the art” and gross negligence as part of a risk assessment, the oversight would be indefensible. Prison management should have recognized the weakness of its assets (the walls), recognized tunneling as a likely threat, and taken corrective action.
Companies must face this same scrutiny. They must repeatedly examine threat scenarios, conduct attack path analyses, judge the feasibility of those attacks and determine the associated risks. These are process elements of the new cybersecurity standard (ISO/SAE 21434) that will be officially released early in 2021. Most automotive cybersecurity flaws to date have been design oversights, which were likely avoidable with proper controls. As the UNECE (United Nations Economic Commission for Europe), the international regulatory body for vehicles, mandates cybersecurity certification every three years, manufacturers will have to demonstrate that due diligence in order to sell vehicles in the European Union, parts of Asia, and possibly parts of North America. “The impact of these new regulations could be considerable,” states Secura’s summary of the UNECE regulation. “[This is] especially true if manufacturers are not well prepared in advance … from a development process perspective.”
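To make the process steps above concrete (threat scenario, attack paths, feasibility, risk), here is an added example, not from the article or from the standard itself, of a minimal ISO/SAE 21434-style threat analysis and risk assessment in Python. It scores attack paths with the attack-potential approach of ISO/SAE 21434 Annex G (elapsed time, expertise, knowledge, window of opportunity, equipment); the exact point values, feasibility cut-offs and risk matrix are illustrative assumptions, and the threat scenario is constructed, loosely modelled on the key fob theft described later in this article. The "after corrective action" path shows how tightening access to key data changes the computed risk.

```python
# Added example, not from the article: a minimal ISO/SAE 21434-style threat analysis
# and risk assessment (TARA). Factor scores follow the attack-potential approach of
# ISO/SAE 21434 Annex G; the cut-offs and the risk matrix are illustrative assumptions.
from dataclasses import dataclass

TIME = {"<=1 day": 0, "<=1 week": 1, "<=1 month": 4, "<=6 months": 17, ">6 months": 19}
EXPERTISE = {"layman": 0, "proficient": 3, "expert": 6, "multiple experts": 8}
KNOWLEDGE = {"public": 0, "restricted": 3, "confidential": 7, "strictly confidential": 11}
WINDOW = {"unlimited": 0, "easy": 1, "moderate": 4, "difficult": 10}
EQUIPMENT = {"standard": 0, "specialized": 4, "bespoke": 7, "multiple bespoke": 9}
FEASIBILITY = ["very low", "low", "medium", "high"]  # list index doubles as ordering
# Risk value 1..5 by impact rating, one column per FEASIBILITY entry (assumed matrix).
RISK_MATRIX = {"severe": [2, 3, 4, 5], "major": [1, 2, 3, 4],
               "moderate": [1, 2, 2, 3], "negligible": [1, 1, 1, 1]}

@dataclass
class AttackPath:
    name: str
    time: str
    expertise: str
    knowledge: str
    window: str
    equipment: str

    def potential(self) -> int:
        # Effort the attacker must spend; more effort means lower feasibility.
        return (TIME[self.time] + EXPERTISE[self.expertise] + KNOWLEDGE[self.knowledge]
                + WINDOW[self.window] + EQUIPMENT[self.equipment])

    def feasibility(self) -> str:
        p = self.potential()
        return "high" if p < 14 else "medium" if p < 20 else "low" if p < 25 else "very low"

def scenario_feasibility(paths) -> str:
    # A threat scenario is as feasible as its easiest attack path.
    return max((p.feasibility() for p in paths), key=FEASIBILITY.index)

def risk_value(impact: str, paths) -> int:
    return RISK_MATRIX[impact][FEASIBILITY.index(scenario_feasibility(paths))]

# Constructed scenario: unauthorized key fob reprogramming, reachable by two paths,
# one of which relies on insider-leaked vehicle data.
INSIDER_PATH = AttackPath("reprogram fob from leaked VIN/key data",
                          "<=1 week", "proficient", "restricted", "easy", "specialized")
CRYPTO_PATH = AttackPath("defeat immobilizer cryptography",
                         ">6 months", "multiple experts", "strictly confidential", "difficult", "bespoke")
# Same insider path after corrective action: key data reclassified and access-controlled.
HARDENED_PATH = AttackPath("reprogram fob with data access controls in place",
                           "<=1 week", "proficient", "confidential", "difficult", "specialized")
```

With a "major" impact rating, `risk_value("major", [INSIDER_PATH, CRYPTO_PATH])` yields 4 because the insider path is highly feasible, while the hardened scenario drops to 1; re-running the same assessment after each design change is what the standard's repeated analysis amounts to.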
Guidepost #2: Insider Threats
Early on, Andy approaches Red and says, “I understand you’re a man who knows how to get things.” Red, in fact, says as much in a narrated mini-autobiography: “There must be a con like me in every prison in America. I’m the guy who can get it for you: cigarettes, a bag of reefer, if that’s your thing, a bottle of brandy to celebrate your kid’s high school graduation, damn near anything within reason. Yes sir, I’m a regular Sears and Roebuck.” This security hole was assuredly permitted by complicit employees (e.g. the warden, security guards), since they visibly encounter the contraband on multiple occasions without surprise, which suggests they are quietly compensated for enabling these breaches.
Insider threats are also a reality in the non-fictional world. According to a 2019 Data Protection Report, 21% of C-suite executives and 28% of small business owners “… admit deliberate threat or sabotage by an employee or other insider was the cause of a data breach,” with 31% of C-suite executives and 28% of small business owners additionally reporting human error or accidental loss. July’s Twitter attack was later reported to have been enabled by an insider’s assistance. Supervisory Special Agent Edward Parmelee of the FBI’s Cyber Division told WardsAuto in 2018 of multiple insider-induced attacks and warned that “Dealerships are in control of some important data and protecting that data is critical to both themselves and their customers.” In 2017 the Hooligans, a Tijuana-based biker gang, obtained a proprietary database of Vehicle Identification Numbers (VINs) for $4.5M worth of Jeep Wranglers, reprogrammed key fobs, drove the vehicles from San Diego to Mexico and either sold them or stripped them for parts.
Possibly the hardest part about insider threats is that they are constantly changing. Employees turn over. New phishing techniques are devised. When one hole is plugged, another one opens. This class of threats requires more ongoing analysis than any other, because these are operational threats within a living system.
Guidepost #3: Third Party Reviews
It becomes obvious later in the movie that the Warden of Shawshank Prison has no oversight: no third party confirming that his practices are sound. “Nothing stops. Nothing… or you will do the hardest time there is. No more protection from the guards. I’ll pull you out of that one-bunk Hilton and cast you down with the Sodomites … And the library? Gone… sealed off, brick-by-brick. We’ll have us a little book barbecue in the yard. They’ll see the flames for miles. We’ll dance around it like wild Injuns! You understand me? Catching my drift?… Or am I being obtuse?” It isn’t until late in the tale that Andy is able to involve the local authorities, at which point the practices are immediately curtailed.
Three types of third party review are suggested for cybersecurity: external threat analyses, red hat teams and threat audits. The threat analyses examine the system or product as in the first guidepost, but invite a set of fresh eyes to investigate what might not be apparent to those close to the designs. The red hat team acts as a surrogate attacker, attempting to penetrate the defenses and find potential malicious attacks. The last form of third party oversight is an audit, which confirms the team’s process rather than focusing solely on the product. As Peter Abowd, CEO of Kugler Maag Cie North America, proclaims, “How a team does the work is as important as the work they do.” And a 2017 study found “… more than 40 percent of survey respondents said their organizations’ risk management program and process ‘require substantial work’ and a similar percentage said that overseeing those major risks is increasingly difficult.”
It isn’t enough to know there’s a warden. There needs to be someone making sure the warden is doing the job correctly.
Conclusion
Just as the movie leads viewers to conclude, hope can be achieved. Yes, there are impediments. Yes, the crawl might be a slog through a river of difficulties. Yes, the path might be uncharted or unclear. But salvation is found within.