Stolen! Engineering IP Theft.
The aerospace and automotive industries are at particular risk of commercial espionage and theft of engineering intellectual property from rogue states and other threat actors with varied motivations. These two industries are characterised by significant time and cost investment in engineering IP, which makes misappropriation of IP financially appealing and both sectors operate complex, globally dispersed tiered supply chains providing multiple points of weakness or access to data that can be exploited. In short, engineering data is valuable an attractive target.
Testing & Simulation Review, with Whistle Ignite, brought two industry experts, Simon Ordish of Majenta Solutions and Charlie Brown of Anzen Technologies together to consider the nature and extent of the problem and what potential remedies might exist
Simon is a Director at Majenta Solutions with three decades of experience in helping engineering companies to digitise, integrate and efficiently operate tiered supply chains. Majenta’s clients include various automotive OEMs such as Jaguar Land Rover and Nissan and he has also worked with a variety of aerospace companies including Airbus and Rolls-Royce
Charlie is a cybersecurity architect and engineer developing solutions for high value commercial and governmental IP in contexts ranging from automotive, and aerospace to military and healthcare.
Charlie: Simon, both our businesses are premised on the concern that sensitive or valuable IP is going missing in certain industries such as the automotive and aerospace industries. Where is the evidence for that?
Simon: You’re hinting at a problem of visibility. We know that there are call-out cases where a car or aircraft breaks cover and is very evidently an undeniable result of reverse engineering. Jaguar Land Rover prosecuted Land Wing in the Chinese courts for infringement of copyright with the X7 which looked superficially identical to the Evoque. And there are similar cases certainly with fast jets and drones in the military aviation, some of which have reached court and provide the most tangible evidence of misappropriation of engineering design.
But in truth the biggest liabilities for IP theft sit under the skin of cars or aircraft that don’t look similar at all. This is where the effort resides and where technology can be ‘borrowed’ or at least usurped to create a springboard without the need for lengthy R&D cycles.
And as much as intentional misappropriation, there are many other ways IP can seep out of organisations. If companies make security too cumbersome for employees, you can be sure that convenience workarounds will very quickly be discovered and embraced. Over-rigid security protocols and systems that are difficult to use are actually far more of a liability than disgruntled employees stealing engineering designs and sharing them with competing organisations.
Simon: I imagine you have a perspective on the threat landscape too?
Well, the war in Ukraine has unleashed a significantly heightened volume of nefarious cyber-activity. This is perhaps less about the appropriation of IP and more concerned with cyber-vandalism, but this simply continues a pattern of ever-increasing threat levels. And since we have entered a time of conflict, it is worth reflecting that military engineering is not immune from these problems. Even confidential IP for the military needs outsourcing, for instance to source silicon because there are currently only a handful of foundries in the world capable of small feature size lithography.
Charlie: Can we put some numbers round the scale of the problem?
Well in 2021, the UK government reported that that 6 in 10 medium-sized and larger companies suffered cyber-attacks last year. A quarter of businesses report an astonishing weekly frequency of breaches and 40% of these occurrences result in a material loss to the companies involved. So it’s a significant problem and if it hasn’t happened to your company, it is only a matter of time until it does
But why is IP security of particular consequence to aerospace and automotive?
Well it is not unique in these industries, but one feature they have in common is highly complex supply chains. Engineering design for a car for instance might involve three or four tiers of supplier drawing offices operating from an original set of engineering designs. As with any security context, the more access that is needed operationally, the more weaknesses will be exposed. Bear in mind these tier suppliers as well as the OEM will be spread around the globe in different engineering offices. And another feature of data risk is the increased liability that occurs when data is moved. So we have lots of complex, valuable data being accessed by hundreds of engineers who are transferring files all over the world, often without recourse to logs of who is opening, viewing and sharing the data.
But there is another risk on the horizon which our solution has been developed to overcome. Can you explain the quantum threat and how our data transfer product, MX ASR, overcomes this challenge?
Sure. As you will know, the protocol used most often to protect data in transit is encryption of various types. Encryption will occur when we make an online bank transaction for instance, with the instruction unencrypted at the other end. This form of protection is more than sufficient to deter challenges made using conventional computing. But quantum computing is on the horizon, if not here in some capacity. And quantum can break encryption in a matter of minutes.
And what makes this especially relevant is while quantum computing is not ubiquitous yet, no-one doubts that it is coming in the near future. For automotive and aerospace with long lead development timelines, we’re now within the quantum window – in other words, designs being created for cars and aircraft now will reach maturity at a point in time when quantum can unpack that information if it is encrypted. So IP owners need to start embracing security measures now.
Yes, that’s right, Simon. Once your company’s data is out there, even in an encrypted form, you simply can’t get it back. And while encryption might preserve it for the meantime, it won’t for very long and likely it will be cracked while it still has some commercial value.
So Charlie, perhaps you could explain how MX ASR, Majenta’s data exchange tool, takes a different approach to allow it to be quantum-secure?
Yes, of course. The technical approach we have taken – as suggested by the ASR which stands for anonymise, shard, restore – is to take a data package, let’s say a set of CAD files for a sub-assembly in an aero-engine or a gearbox assembly for a car and split it into separate elements – or shards. Each shard is stripped of metadata so it is therefore anonymised. We transfer these shards by different routes through the cloud and then restore it when all of the shards arrive at the destination point.
So what happens if I intercept one of the shards. Do I have one shard’s worth of CAD files from the turbine or gearbox?
No, the data in shard form is useless and contains nothing that can be restored – this is what the ASR process achieves. The sharding allows us to use different routing through the cloud and only the recipient has the ability to access all the shards and bring them together.
That sounds impressive. But in practical application, how secure is it?
It enables perfect secrecy. ASR has been assessed by the UK MoD, and a professor of computing & chair of cybersecurity of a major UK university who have confirmed that it is mathematically impossible to penetrate. This method of transferring important data like engineering files is unbroachable.
So does that guarantee of security make this is a perfect solution?
I think your security engineering and the technical heart of MX ASR is beyond question. What is really important once the core proposition is resolved is to make these technical breakthroughs easy to use and an enhancement to an engineer’s daily workflow.
MX ASR is the most recent in a line of data transfer tools that Majenta has developed to enable and protect the sharing of engineering data. As a consequence, the usability of MX ASR is very straightforward. It is a SaaS tool, so it requires no enterprise IT support, no complex installation and roll-out. It is plug and play. The UI is simple and intuitive and within minutes an engineer can be securely sending files. In essence our objective has been to capture the convenience of the cloud but make it hyper-secure and quantum resistant.
So the tool does some smart things. It generates end-to-end logs, so anyone that receives, opens or shares data is registered in a very granular audit trail, version control is simply managed, send expiries can be set, access can be revoked and so forth. We hope it ticks all the boxes for CIOs and CSOs across many forms of engineering business at an affordable rate.
To gain more information about MX ASR, visit mymxdata.com