Security News

Will the Auto Industry Turn the Corner on Data Security?

Recently, a group of leading automakers agreed to guidelines aimed at safeguarding the burgeoning volumes of sensitive information being collected by today’s vehicles. We applaud this move because it is the right thing to do, and also because it helps get the industry out ahead of the regulators, at least for now.

According to Automotive News, “The Alliance of Automobile Manufacturers and the Association of Global Automakers, two Washington, D.C., trade groups, laid down a set of rules intended to guard the most sensitive information, taking effect for the 2017 model year. Under the principles, automakers would need to disclose what data they collect and how the data are to be used or shared. Disclosure will be done in owner's manuals, on in-vehicle displays or on Internet-based registration portals managed by the companies. Consumers would be able to review the policies before buying a car. The automakers agreeing to the voluntary rules include BMW, Fiat Chrysler, Ford, General Motors, Honda, Hyundai-Kia, Mazda, Mercedes-Benz, Nissan, Toyota and Volkswagen Group.”

Such disclosures make sense and should help put many buyers’ minds at ease. Additionally, under the new guidelines, consumers would have to opt in to any use of their personal data for marketing activities. Many car owners will be happy with this guideline; however, it will create a bigger challenge for marketing efforts in the future. OEM marketers will need to clearly articulate the benefits of “opting in” to the consumer in order to obtain participation in such programs. The “opt-in” model will create a much smaller population to approach, but those who participate will definitely be more receptive to the marketing messages conveyed.

Yet industry standards governing automakers’ collection and use of personal information are just the start. There also needs to be just as much focus on protecting drivers' and passengers' personal information from external entities who lack such standards and principles – i.e. hackers.

With more and more vehicles connected to the Internet, and with a growing number of vehicle operations and data services now being managed via smartphones and other mobile devices, the risk of sensitive data being stolen by people with malicious intent is intensifying daily.

And that’s not all. In addition to personal identity theft, there are also threats to data and message integrity (e.g. changing the content of messages in order to issue counterfeit commands, etc.), the risk of denial of service attacks, and even the specter of cars being used like virus-infected PCs to help carry out mass cyber attacks. 

The next step the industry must take is to embrace standards around tightened data security, and to do so before the regulators do it for us. Along with this, automakers need to implement a set of forward-looking technology solutions that will scale as the connected vehicle universe expands. These include deploying:

  • Comprehensive identity management, including dynamically authenticating a user’s request to access certain information or have an application perform certain actions based on such criteria as pre-specified trust level, GPS location, nature of the request, timing and velocity of requests, etc.
  • A secure token service with robust private-key encryption to secure data and vehicles each time access or an action is requested.
  • A cloud-based interoperability platform so that security/encryption services, as well as all business rules governing data and vehicle access, can be centralized in the cloud for cost-effective scalability, optimal security and rapid implementation.

Now that the industry is at the turning point of safeguarding the sensitive data it collects, it is time to take the corner and comprehensively protect connected drivers and passengers against outside intrusion. Doesn’t it make sense for all the same reasons?

Report Details How Healthcare Workplace Violence is on the Rise

The Occupational Health Safety Network (OHSN) found that injuries associated with workplace violence increased overall from 2012 to 2014 and "nearly doubled for nurse assistants and nurses." 

In 112 U.S. healthcare facilities, the overall rate of workplace violence rose from 4 to 5 percent for every 10,000 worker months--or the number of full-time equivalent workers at a facility multiplied by the number of months worked within the reporting period--between 2012 and 2014.

The problem is particularly acute for nurse assistants, who had more than twice the workplace-violence injury rate of nurses (about 6 and 14 percent, respectively), according to the data, which was published in the Centers for Disease Control and Prevention's Morbidity and Mortality Weekly Report. Nurses and nursing assistants also experienced 57 percent of the overall injuries to healthcare workers.

Fifteen percent of nurses and nearly 40 percent of nursing assistants also reported injuries related to patient handling and movement, a finding that echoes recent reports that have chronicled hospitals' and the government's repeated failure to curtail this workplace risk. Indeed, 62 percent of the patient-handling injury reports that OHSN recorded included information on how to use lifting equipment, but 82 percent of those reports noted that staff did not use lifting equipment, even though experts have argued this is the only safe way to lift patients.

Overall, healthcare and social assistance workers experienced the highest number of nonfatal occupational injuries among employees across the private sector, with a total of 10,680 OSHA-recordable incidents reported. Compared to nursing staff and maintenance workers--the latter of which were prone to high rates of slips, trips and falls--physicians, dentists, interns and residents had low injury rates, according to the data.

Given the workplace dangers the data highlight, hospitals should create "injury prevention interventions mitigating high-risk aspects of nurse and nurse assistant duties," the report authors write. "Targeting prevention strategies can protect healthcare personnel from prevalent, disabling injuries and help in managing resources."

The full report is at http://www.cdc.gov/mmwr/preview/mmwrhtml/mm6415a2.htm

Adding Thermal Cameras for Better Intrusion Detection

In order to achieve more while reducing costs, many enterprises’ security leaders have turned to automation. By adding thermal cameras as part of a larger intrusion detection system, security departments can reduce false alarm rates and even bring operational value back to the enterprise.

Off the coast of Venezuela, there is a cluster of oil platforms. As oil and gas companies try to cut expenses while maintaining operations and profitability, the key is reducing personnel, often by moving to more automation. According to Greg Humphreys, President of WAYFARER Technologies, a firm that focuses on wireless technology for remote areas, and project agent and technical lead for Rockwell Automation for this installation, there are two factors to securing an oil platform, both reliant on staff: convenience and time. In terms of convenience, executives have to account for the cost and availability of helicopters and stand-by staff for emergency evacuations. For time, once a water vessel gets close enough to be a threat, there is a very limited window of opportunity to respond.

“You’re responsible for protecting your workers and your platform assets,” says Humphreys. “An approaching watercraft is a very big ‘what if.’ The degree of that threat can be minimized with cameras. If you can determine a vessel’s threat level at a longer distance, you can take action and evacuate the platform early, solving a problem before the problem begins.”

For the oil platforms in question, Humphreys worked with MOOG Inc. for thermal cameras, which are tied to a radar system through software, so an off-site security team can verify whether an alarm was triggered by an incoming, unknown vessel or a fishing boat that just wandered a little too close. Then, a non-lethal deterrent system (long-range acoustic devices or LRADs) can be used to warn off possible intruders. The LRADs are aimed by MOOG positioners for an accurate and focused deterrence. Through the 25-mile range of the radar, the system creates a 360-degree perimeter around all three nearby platforms.

In Norway, electric utility company Lyse AS acquired security company Nor-Alarm in 2007 for its monitoring centers and residential alarm system capabilities, and in the acquisition, Lyse also gained Nor-Alarm’s technical department, which focuses on developing innovative and cost-efficient security solutions.

According to Nor-Alarm department security manager Ronny Hjørnevik, “The acquisition made us aware that there was a lack of solution for monitoring the security perimeters of the grid and substations. The Norwegian Water Resources and Energy Directorate had through the emergency response requirements set a lot of compliance measures that the utility companies had to fulfill in regards to intrusion and monitoring of unwanted incidents in the grid and substations.”

In class three substations, he notes, regulations stated that “Every unwanted incident or action shall be detected immediately, be verified and managed by an effective response pattern” and “The facility shall have equipment and procedures for efficient and reliable detection, alerting, verification and rapid reaction in case of unwanted events or actions.”

However, Hjørnevik says, utility companies were reluctant to acquire security solutions due to the daunting number of false alarms shown in pilot programs. In 2008, Nor-Alarm started looking into a solution, eventually putting in a successful bid for an integrated system using a video management system, video analytics and a variety of hardware, including access control, intruder alarms and Pelco thermal cameras for an overall concept called NorAlarm Vital Security. The security team also offers its monitoring center as an additional solution for customers who need more personnel to handle incoming alarms.

Now, all alarms are presented through the VMS system, and the operator can trigger a preset message to broadcast through speakers at the substation, or even enable a voice channel to give instructions or warnings. If the alarm is verified as being triggered by an intruder, response personnel are dispatched.

In addition, using thermal surveillance technology helps Lyse AS manage its critical infrastructure on site. The Pelco cameras have the option of adding temperature monitoring, which is used to monitor transformers and other electrical components for signs of overheating, which can give the enterprise a greater return on its investment, as it can reduce the need for manual inspection and mitigate the risk of outage due to overheating.

“Good planning is critical for the cost of installation,” Hjørnevik says. “We have used existing infrastructure where it existed, and where we needed new infrastructure, we have engaged local entrepreneurs. Defining your needs beforehand and keeping cost-efficiency in mind during site and installation planning helps. … We also use fiberoptic technology whenever we need to establish new infrastructure, as we believe this is a future-proof infrastructure,” he adds.

At What Point Does Surveillance Violate Privacy Rights?

The cities of Baltimore, New York and Chicago continue to demonstrate the effectiveness of city-owned video camera networks as they relate to crime reduction, effective law enforcement, and increased officer safety. It is worth noting, however, that publicly-owned video camera networks are by and large unregulated. Amidst the positive results, an important question has surfaced: when does public video surveillance cross the line from an efficient law enforcement tool to an illegal infringement of an individual’s reasonable expectation of privacy?

Three recent court decisions establish the limits that law enforcement needs to bear in mind when targeting video cameras, using GPS systems and “pinging” cellphones. In U. S. v. Jones, 132 S. Ct. 945 (2012), the U. S. Supreme Court decided that tracking a car with a GPS for 28 days violated an individual’s reasonable expectation of privacy. The opinion broke new ground by deciding that publicly disclosed information by an individual (like the location of a car) is subject to Fourth Amendment protection. As Justice Sotomayor wrote in her concurrence, “I would ask whether people reasonably expect that their movements will be recorded and aggregated in a manner that enables the government to ascertain, more or less at will, their political and religious beliefs, sexual habits, and so on.” The prolonged monitoring by a GPS, like the prolonged targeting of video surveillance cameras, creates a complete picture of the private life of an individual. As Justice Alito wrote in his concurring opinion, “We need not identify with precision the point at which the tracking of this vehicle became a search, for the line was surely crossed before the 4-week mark.”

A second decision shedding light on how long is too long is U.S. v. Vargas, (U.S. District Court, Eastern District of Washington, December 15, 2014) where the court found that a video surveillance camera focused on an individual’s front yard in a rural setting violated his reasonable expectation of privacy.  “Accordingly, the Court’s analysis focuses on whether Mr. Vargas had a reasonable expectation of privacy to not have his front yard continuously observed and recorded for six weeks by a camera with zooming and panning capabilities hidden on a telephone pole over a hundred yards away, and whether his subjective expectation of privacy is objectively reasonable.”  Quoting George Orwell's 1984, and its vision of the future where Big Brother is always watching, the court found that continuous video surveillance of an individual’s front yard for six weeks “provokes an immediate negative visceral reaction: indiscriminate video surveillance raises the specter of the Orwellian state.” The court focused on the fact that the unsuspecting Mr. Vargas lived in a rural area on a gravel road and “Mr. Vargas could hear a vehicle coming down the gravel road and modify his behavior …” The reasonableness of his expectation of privacy was therefore influenced by where he lived.  If he lived on Chicago’s South Side near the home of the White Sox in April, and the camera was targeted on his front yard for three weeks, his expectation of privacy might have been found to be unreasonable, and the video surveillance might have been upheld as consistent with Fourth Amendment protections.

U.S. v. White  (U.S. District Court, Eastern District of Michigan, Southern Division, November 24, 2014) involved the “pinging” of an individual’s cellphone repeatedly over two 30-day periods to determine his constant whereabouts.  The court wrote, "The ‘nature and quality’ of an intrusion of that magnitude (in excess of the ‘the 4-week mark’) tips the balance in favor of the individual; it constitutes a breach of one’s reasonable expectation of privacy that requires the state to demonstrate probable cause as a justification for the intrusion.”   

Three common threads emerge from these cases as they relate to video surveillance. First, publicly disclosed information (i.e., an individual’s location) is subject to Fourth Amendment protection, just as much as a search of a private residence. Justice Sotomayor concluded that GPS monitoring “generates a precise, comprehensive record of a person’s public movements that reflects a wealth of detail about her familial, political, professional, religious and sexual associations…” A second thread is the consensus around how long is too long for an individual’s public movements to be monitored. The four-week mark, according to these three recent court decisions, is too long. Perhaps changing the targeting of a Police Department’s video surveillance cameras every three weeks adequately protects the reasonable expectations of privacy of city residents and visitors as required by the Fourth Amendment. The third point which emerges is that the advance of technology continues to change what an individual can reasonably expect to be private. Supreme Court Justice Alito has the last word:

New technology may provide increased convenience or security at the expense of privacy, and many people may find the tradeoff worthwhile.  And even if the public does not welcome the diminution of privacy that new technology entails, they may eventually reconcile themselves to this development as inevitable.