“A sect or party is an elegant incognito devised to save a man from the vexation of thinking.” – Ralph Waldo Emerson
Hey, buddy, you want a good deal on a gearbox for a city bus? Hardly used, works great. I’ll give you a good deal. Take your pick; I got thousands of ’em.
In fact, I’ll rent ’em to you if you don’t have the cash to buy. Low monthly rates. My associate here will help you install ’em. I’ll even throw in regular maintenance; first oil change is on me. You can’t lose!
That was essentially the deal offered to the burghers of a certain German city. Rather than own its entire fleet of 14,000 buses, the town would rent some of the major hardware components – like the massive manual transmissions – from a gearbox manufacturer. In return, the gearbox vendor would cover maintenance and upgrades.
But the real clincher was the gamification. Let’s challenge the city’s bus drivers to see who can drive the most efficiently and save the most fuel. We’ll post a leaderboard every month, and the driver with the best fuel economy gets a prize and eternal glory. By making it a competition, the drivers participated wholeheartedly – and citywide fuel consumption dropped 20%. Everybody wins.
The enabling technology in this unusual municipal business arrangement was an array of sensors on the gearboxes that monitored each bus driver’s speed and shifting patterns. By streaming that data to the gearbox manufacturer for analysis, the company could recommend ways to increase mechanical longevity, improve fuel economy, and reduce costs.
And the enabling technology for that was increased data security. The data from those 14,000 buses was extremely valuable, both to the hardware manufacturer and to the city operating the buses. (And to the drivers competing.) Securing it is what allowed the gearbox manufacturer to instrument its products, which in turn allowed the city government to trial the program. Seemingly the least important link in the chain is what enabled the whole business model.
“Security is an enabler,” says Christopher Schouten, Security-by-Design Evangelist (it says so on his business card) at Nagra/Kudelski. He sees security as a feature, not an irritation – as something you want to add to your product, not something you paste on later because your boss told you to.
He cites the OBD-II port found on nearly all modern cars. It’s a hidden connector, usually somewhere under the steering wheel, that allows mechanics to plug in diagnostic machines and troubleshoot electrical gremlins. Think JTAG for vehicles. But Schouten says that diagnostic port is also a business opportunity, especially for insurance companies. Every car’s onboard computer records things like top speed, brake pressure, and other data intended for diagnostic purposes, but which could also be used to gauge a driver’s behavior, driving patterns, or aggressiveness behind the wheel. If you’re willing to share that data with your insurance company, they may offer you lower rates. (Or maybe raise them, if you drive like Max Verstappen.) But securing that data would be vital for privacy, as well as commercial, reasons.
In short, security isn’t always for prophylactic purposes. Sometimes it’s profitable. It’s not always about stopping the bad guys, but sometimes about empowering the good guys.
Nagra/Kudelski is another one of those “20-year overnight success” stories. The Swiss company is actually closer to 65 years old and started out making tape recorders. To a certain class of old-school journalists, “Nagra” is synonymous with “tape recorder,” like Xerox and photocopier. Nowadays, the company has almost 4000 employees and has branched out considerably beyond its reel-to-reel roots.
The company’s security nous grew out of its work with Dish Network and satellite set-top boxes. Pay TV is notoriously prone to piracy and content theft. It’s a cat-and-mouse game between the content providers and the hackers who’d pirate that content. That gave Kudelski Group (as the company prefers to be known) decades of experience thwarting outside attacks from a global and ever-changing collection of motivated hackers. Three years ago, Kudelski separated the security group into its own division with over 100 employees.
Kudelski prefers to take a “cradle to grave” approach to security, getting involved in customer designs as early as possible. That starts with early brainstorming and consulting and runs all the way through to EOL product retirement, covering every stage in between. Industrial customers, for example, may have products in the field for decades, and Kudelski basically owns and manages the product’s security for that entire time.
Schouten uses the example of an industrial turbine. It works fine for years before there are hints of malfeasance. Perhaps there’s a disgruntled employee; maybe it’s coming from a well-funded government-sponsored malware lab. Either way, Kudelski is able to update the machine’s security, change out keys, apply countermeasures, receive security telemetry that’s firewalled off from customer data, send secure commands, revoke permissions, etc. “You don’t want to just launch [a product] secure, you need to keep it secure,” he says.
Industrial customers tend to have more tolerance – and budget – for premium-grade security like what Kudelski offers. Consumer products, on the other hand, have tighter design cycles and smaller budgets. They also have less to lose, as a rule. A hacked music player is an embarrassment, but a hacked power station is a national emergency.
That’s not to say that Kudelski works only with massive conglomerates and heavy metal. On the contrary, the company’s recent efforts have focused on small IoT devices and on ways to streamline their security requirements in resource-constrained environments. Security keys are exchanged using a proprietary algorithm that uses about one-quarter the bandwidth of a typical PKI exchange, according to the company. That conserves bandwidth and helps sleeping devices stay asleep.
The company also manages its own cloud platform, for customers’ benefit, and staffs it with 24/7 security experts. Threats are monitored, triaged, and escalated when necessary. Patches can be applied remotely, keys changed, APIs disabled, users locked out, or whatever else the team feels is appropriate. “We own the end-to-end chain, so we have more skin in the game,” says Schouten.
Kudelski’s pricing can even be based on performance. They keep your system safe from threats, or you don’t pay until the breach is resolved. If something doesn’t work, customers “get a vacation from paying the bill until the bug is fixed.”
Picking a security provider is like picking a dentist: it’s impossible for an outsider to evaluate their competence or quality. You can look at the diplomas (or patents) on the wall, but there’s no good way to tell a good one from a bad one. Kudelski feels that its history and its headcount are good proxies for quality. “We’re the oldest startup in the IoT space,” says Schouten. Employee retention is good, and they’re active in standards bodies and in academic research.
Security is also like insurance: it should be boring. If all goes well, your monthly payments are wasted. You don’t really want to see any activity. Kudelski would like to shake off the boring part and make security more interesting, even profitable. Just ask your bus driver.