The Requirement

A solution is required which is accepted by the entire automotive community and which allows individual companies to use a single solution to securely exchange business documents with different partners on a global basis.

Document Sensitivity

We can’t treat all transmitted content equally but can apply one or more of the following attributes to an item being transmitted:-

Of no great importance e.g. a party invitation at the successful conclusion of a joint project.
Commercially Sensitive e.g. Orders, Invoices and other such information that could be used by others for competitive advantage.
Highly Commercially Sensitive e.g. Technical drawings for the latest technological devices, possibly still in a pre-patent phase.
Legally Restricted e.g. Invoices that must contain certain information and increasingly be signed to prove authenticity.

Apart from legal restrictions, if the network infrastructure used for transmitting such documents is intrinsically secure, then in most cases additional security is not required.

Assuming that a secure network infrastructure that can be used for all trading partners is not available, a solution is therefore required that will allow commercially sensitive documents to be securely exchanged with a number of different trading partners.

The Internet

The internet is the dominant and ubiquitous network that is used for networking between companies today and nobody would claim it to be anything other than insecure.

Unfortunately, there is no other cost effective alternative. Even purportedly secure virtual networks such as ENX (European Network Exchange is an association, and a Virtual Private Network, for the European Automotive industry), JNX and ANX (Japanese and US based automotive networks) run over the same back bone as the Internet, sharing the same routers, telecommunications lines and bandwidth as the internet. In the absence of a global network that is intrinsically secure, we are forced to use the existing internet network and apply our security upon it.

Security Types

There are a number of different issues with regard to securing data transmission between companies and we now need to consider the two main techniques of data security:-

Encryption of data, used to prevent 3rd parties viewing the content.
Digital Signatures, used to prove the authenticity of partners and ensure integrity of data.

There is a case for encryption to be used in all practicable circumstances. Encryption for non-sensitive E-mail, however, may be impractical to implement as there will be thousands of external recipients who have never considered implementing digital security.

The main trend with respect to the use of digital security between trading partners is towards the use of company certificates or server certificates to protect web exchanges by using SSL/TLS.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same.

The Three Tier model

Security is required at all levels of a company. Certificates can be used on a:

company basis for general purposes
at a departmental level and
at an individual level to provide signing and encryption capabilities for specific people within an organisation.

For example, an automotive company may utilise a certificate to secure data over the public internet. The company’s engineering department may utilise their own certificate to sign and secure CAD designs and the Chief Engineer may also have his own certificate to sign and secure particularly sensitive designs.