How a UK software firm is helping manufacturers repel the cyber threat

Industrial espionage sounds like it belongs in the realms of fiction. Sinister characters lurking around test sites or peering through factory windows. The reality is both more shocking, and at times more mundane.

These days, the biggest threat comes from data breaches. In the UK alone, the cost of cyber crime is estimated at £27bn a year, with £9.2bn of this relating to intellectual property theft. Instances range from opportunistic employees manually copying data to attacks from hackers at home or overseas.

These attacks can be state-sanctioned. In 2018, 10 Chinese nationals, including intelligence officials, were indicted in the US for allegedly stealing trade secrets to be used in the design of the Comac C919 airliner. But there’s a question mark over Western governments too. The CLOUD Act, for instance, allows the US government to request access to any data stored by cloud providers based on its soil – even if the actual data is held overseas.

Closer to home, a major UK-based manufacturer of off-highway vehicles launched its new model at a trade show a few years ago, only to discover an identical vehicle launching on the stand opposite. Upon closer inspection, it even turned out to have a mirror image of the original manufacturer’s logo on the inner surface of some of the panels. The conclusion was inescapable. This wasn’t a hastily-concocted lookalike based on a chance sighting or leaked photos – the competing manufacturer must have had access to the original surface data.

As with all the best heists, the easiest way to steal data is generally in transit from one place to another. The average passenger car, for instance, has around 30,000 separate parts, and manufacturers rely on a complex network of external suppliers, spread right across the globe. Even if the suppliers themselves are absolutely secure, that still leaves terabytes of data passing between them.

And it’s not just R&D material that’s at risk. Earlier this year, Toyota had to shut down 14 factories for a day after a cyber attack on one of its suppliers, halting the production of an estimated 13,000 vehicles. With the move towards smart factories and digital manufacturing, even the design of the production facilities themselves has become a valuable secret.

“If you were planning to steal gold, you probably wouldn’t try to break into Fort Knox, but you might intercept one of the trucks on its way there,” comments Simon Ordish, director of Majenta Solutions. “It’s a similar situation with data. When it moves from place to place in the cloud it briefly rests in data centres that are outside your firewall. That’s where it’s most at risk.”

The Coventry-based company has developed its own file sharing system known as MX ASR. It uses the patented ASR process, which is short for Anonymise, Shard and Restore. Here, the data is anonymised so it’s impossible to trace, and then split into four separate shards. These are transmitted individually – potentially via completely separate cloud services – before being restored at the other end.

The key point is the sharding process. This, combined with the anonymisation, gives the transmitted data a property known as perfect secrecy, where the encrypted message provides no information about the original data.

“This process makes it mathematically impossible to reconstruct the data without the full set of shards,” explains Charlie Brown, cybersecurity architect at Anzen Technology Systems, which worked with Majenta on the programme. “Even if you have, say, three out of four shards, it’s completely unreadable.”

Different regions have different cyber security protocols, so another benefit of splitting the data is that each individual shard can be sent through separate countries. This means that even if a hacker or a government agency is able to gain access to a shard in one location it’s unlikely that they’ll be able to reach the others. Similarly, storing shards in different geographical locations can help with data sovereignty issues, if at least one data shard is held in the home nation. 

The impact of a data breach isn’t necessarily felt straight away. Trade secrets can be sensitive for the entire lifecycle of a technology. In the automotive industry that might be five or 10 years, but in defence it could be half a century.

“If someone’s hoarding data, there’s always a risk with conventional encryption that they might be able to come back and unlock it in 10 or 15 years time, even if they don’t possess the technology to do that now,” comments Brown.

“One of the big talking points at the moment is the development of the Cryptographically Relevant Quantum Computer (CRQC). This has some properties that allow you to carry out multiple operations simultaneously. In theory, it could dramatically reduce the amount of time that would be required to crack even the most complex encryption key, creating vulnerabilities in systems that we consider very secure today.”

An independent report by the UK Ministry of Defence concluded that MX ASR ‘would be immune to quantum computing-based brute force attacks’. What’s more, the software has a feature that can permanently invalidate the entire set of shards if a single breach is detected.

“ASR is fundamentally different to encryption,” adds Brown. “If you tried to apply brute force it would be like trying to conjure the file out of nothingness.”

This is by no means the only secure way to share data between an OEM and a supplier, but Majenta says it has focused on developing a solution that’s simple and comparatively affordable.

“Some OEMs effectively try to keep data internal, by getting major suppliers to work inside their firewall and within their own PLM software,” comments Ordish. “That only really works for some of the larger tier ones who can justify the overheads involved in setting that up. In most cases, it will still be necessary to pass data outside of the organisation for smaller vendors.”

There’s also anecdotal evidence to suggest that secure transfer systems aren’t always used if they introduce too much complexity.

“One of the companies that we work with has inherited a lot of its personnel from a sister organisation. They admitted that the methods of sending data there were so complicated that no one really used them. So when the new company was set up as a fresh start they were determined to find an alternative that was easier to use and administer,” comments Ordish.

Of course, not all data breaches originate externally. At least one major UK automotive OEM is understood to have sacked an industrial designer who was passing information to a third party. There are tools to monitor this too – typically using artificial intelligence to spot patterns and highlight any unusual behaviour, such as an employee suddenly downloading large quantities of data that they wouldn’t normally handle. Majenta’s software is designed to interface with these tools, allowing the organisation to log and audit all its transfers.

This traceability can have other benefits. One automotive OEM commissioned an expensive piece of tooling from an overseas supplier, only to find that it had been produced to an outdated iteration of the design, rendering it useless. A legal dispute followed, in which the logs from MX ASR proved that the supplier had successfully received the updated designs, yet failed to use them. It’s another example that highlights the importance of data management – not just from malicious intrusions, but also sheer incompetence.

A shocking number of breaches are deliberate, however. And this number is on the rise due to a perfect storm of factors, including a massive surge in cyber crime (partly spurred on by the conflict in Ukraine), the prospect of quantum computing and the increased information sharing that’s driving concepts such as Industry 4.0. Far from being a work of fiction, it means that we’re all now facing the realities of industrial espionage.