Examining the Critical Need for Automotive Cybersecurity

By Carl Anthony, Managing Editor of Automoblog.net

This year at AutoSens, Detroit edition, one of the central discussions will be on the importance of automotive cybersecurity in a panel session. Panelists in the discussion include representatives from GRIMM, Cruise and EY Americas. It will be moderated by Gail Gottehrer.It will be moderated by Jennifer Tisdale, Associate Principal, Embedded Systems & Advanced Transportation Security, GRIMM.

Automotive Cybersecurity: Setting the Stage

Synopsys and SAE International, along with the Ponemon Institute, conducted an independent survey concerning the landscape of automotive cybersecurity. The study examined the automotive industry’s ability to access and respond to security risks posed by connected vehicles. Researchers surveyed nearly 600 professionals working in the field.

The consensus? Cybersecurity is behind the curve.

“When automotive safety is a function of software, the issue of software security becomes paramount – particularly when it comes to new areas such as connected vehicles and autonomous vehicles,” the authors of the study wrote. “Yet, as this report demonstrates, both automobile OEMs and their suppliers are struggling to secure the technologies used in their products.”

What the Study Found

In the SAE International study, 84 percent said cybersecurity practices are not keeping pace with new technologies. 63 percent test less than half of their hardware, software, and other technologies for vulnerabilities. Another 30 percent do not have a single cybersecurity program or team in place.

“When you are talking engineer to engineer, it’s like preaching to the choir,” explained Jennifer Tisdale, Associate Principal, Embedded Systems & Advanced Transportation Security, GRIMM. “But these engineers often do not control the budget.”

Tisdale, a former defense contractor, is joining a panel discussion on automotive cybersecurity at AutoSens. The session will cover the challenges facing automotive cybersecurity, and its significance as vehicles become more connected. Tisdale is joined by Cassie Clark, Senior Security Awareness Program Manager, Cruise; and Vicki Kamenova, Partner & Cybersecurity Leader, EY Americas.

“I like how we are having more conversations about security, coupled with the innovation and development that AutoSens is promoting,” Tisdale said. “Automotive cybersecurity is still an emerging space, but I am glad to see more collaboration to solve the problems we are facing.”

“We need to, from an engineering perspective, start thinking about security the way we do about safety,” Kamenova added. “I think this is new territory for many companies; some are doing quite a bit and some are still lagging, but overall, the whole domain of cybersecurity is evolving dramatically.”

Looking Further: Increasing Concern but Little Capital

In the SAE study, 62 percent say a malicious or “proof-of-concept” attack against automotive technologies is likely or very likely in the next 12 months; but a majority say they do not feel comfortable raising this with their superiors.

The SAE study also concluded that cybersecurity divisions are understaffed, with companies averaging just nine employees dedicated to the task. And among companies that do, more than half (51 percent) say they lack the budget and human capital to address the most serious of cybersecurity risks.

“In automotive, where everything is measured by the fraction of a cent, making that investment into cybersecurity testing when there is not a tangible product – when it doesn’t add value in terms of the typical consumer conveniences we think of – is incredibly difficult,” Tisdale said. “The challenge is getting the literal buy-in. We need the budget from senior leadership to invest in the testing so we can better develop the tools to ensure security.”

Putting Automotive Cybersecurity at the Forefront

Self-driving cars were once more plausible in a science fiction movie versus our everyday lives. Today, by contrast, we have seen autonomous cars in action, both on controlled courses and the open road. We have a better understanding of the individual components that make up an autonomous vehicle. We have this more concrete understanding through good science and sound engineering; and as a result, we are better at developing, testing, and building these systems.

“The latest autonomous vehicles have a truly futuristic level of functionality, and some of the greatest engineering minds in the world are working on these topics to improve and augment ADAS capabilities,” explained Robert Stead, Event Director of AutoSens. “But there is still a long way to go before people all over the world are riding to work or to see family in an autonomous vehicle. The technical challenges are immense.”

AutoSens organizers say because cybersecurity is among the technical challenges facing autonomy,
they arranged this upcoming panel discussion to give attendees a clearer picture on the topic.

“We need to think about security in every aspect of the technology we are rolling out,” Kamenova said. “From the sensors to how we deal with data and the testing of components, we need to consider security very early in the product development process.”

“We need to have cybersecurity at the forefront,” Tisdale added. “And we want to talk about the real problems in a practical sense.”

Automotive Cybersecurity in Familiar Terms

To draw a comparison between the tangible components of an autonomous car, and the importance of cybersecurity, Tisdale uses the credit cards in our pocket and the computers at our desk. Protections are in place for both, but we often don’t think about them until there is an immediate concern; in this case, identity theft or a virus. Over the years, as our finances and computers became more connected and intertwined (i.e. shopping online), the need for cybersecurity increased. It’s remarkably similar with connected and autonomous vehicles.

“To answer the question of ‘what is cybersecurity,’ it is the protection of the system. In this case, it just happens to be an automobile as opposed to a credit card or laptop,” Tisdale said. “It is very important to understand that cybersecurity is not intended to undermine mobility; we are in support of connected vehicles and autonomous systems, and we are advocates that it be done smartly, securely, and safely.”

During the panel discussion at AutoSens Detroit, Tisdale and her contemporaries will focus on how cybersecurity can be applied in such a way, and how key threats and areas of weakness can be addressed. One particular threat seems nearly invisible, and could radiate through the larger autonomous system at the hands of unsuspecting consumers.

“There is a concern of introducing vulnerability, even if the car has the right software and security applications built in,” Tisdale explained. “As an example: when you sync your phone to your car, and you have a virus on your phone; are you introducing something that could be detrimental to the vehicle systems or the way it operates?”

Exploring the “What if” Factors

It’s a question now of how much damage such a virus could do when inside the larger system. How might it affect other connected cars or infrastructure? Could it manipulate the communication between different sensors and other vehicles? And if so, what are the potential hazards in terms of public safety? Could somebody take over our vehicles and make them do something we don’t intend? Kamenova believes these are the unintended consequences of the technology, even though engineers design it for the greater good.

“We want to keep a potential bad actor from taking control of your vehicle and causing a chain reaction,” she said. “But this is what hackers do. They invent a new approach and come up with new methods. What that requires is a great degree of agility; and the ability to monitor, identify, and do something about vulnerabilities.”

In a similar way, a driver’s personal information could be at risk. Navigation systems can store home addresses, and are intuitive enough to keep track of our daily routines and routes. Many modern vehicles support connectivity programs like Amazon Alexa, Apple CarPlay, and Android Auto. Chevrolet even unveiled a program late last year that allows a driver to order Domino’s pizza from their vehicle. With each of these conveniences is a potential door that must be closed by a robust cybersecurity program.

“One of the things I want to talk about during the panel discussion is how cybersecurity, for reasons like this, is not going away,” Kamenova said. “It will continue to be important as our connected world expands. Vehicles are always going to be vulnerable, just as any technology would be.”

“There is always going to be another vulnerability and we need to be vigilant,” Tisdale added. “This is why, again, we need the literal buy-in from senior leadership.”

Considering Automotive Cybersecurity Before the Drive

Automakers invest regularly in their manufacturing bases to support vehicle production. These investments streamline the process in a number of different ways, from retooling and employee training, to sometimes constructing entirely new facilities like paint and body shops.

Last year, Honda announced an investment of $61.5 million for electric vehicle manufacturing in Indiana and Ohio. Two years ago, Toyota committed $170 million to support Corolla production on the automaker’s new TNGA platform in Mississippi. More recently, General Motors recommitted to Detroit-Hamtramck Assembly, a plant due to close as part of a restructuring move. That decision was eventually amended after a 40-day strike by nearly 50,000 employees last year.

Detroit-Hamtramck, or D-Ham as it is known in the area, will serve as a manufacturing hub for GM’s electrified and autonomous vehicle platforms. According to a report by The Detroit News, a $2.2 billion investment will take effect in March to support production of the GMC Hummer EV and the Cruise Origin, an electrified self-driving and ride-sharing shuttle.

Kamenova says that while cybersecurity initiatives are important for each individual vehicle, similar protections must also be afforded to the manufacturing floor. As plants become more modernized for the assembly of connected and autonomous vehicles, it will be increasingly important to insulate production environments in terms of cybersecurity. Contrast this with early visuals of Ford’s River Rouge Complex, or the now defunct Packard Plant in Detroit and it seems nearly unfathomable – but the world today is different, and the lack of cybersecurity protections could impact consumers before they even purchase a vehicle.

“If we cannot ensure our manufacturing process is reliable and tamperproof, how can we guarantee the safety and quality of the output,” Kamenova said. “How do we know somebody has not, during the software install process of a particular vehicle, tampered with the code itself; how do we know somebody has not tampered with the actual machine specifications and thereby impacted the way the vehicle was built? These are all important things we need to consider today.”

Not Always About FUD!

While there are many potential dangers and threats, it’s important to note that Tisdale, Kamenova, and their colleagues are not out to scare anybody. Instead, they want to educate the industry and the public on the importance of cybersecurity. Kamenova and her counterparts call it “FUD,” an acronym for fear, uncertainty, and doubt. Rather than framing things as a doomsday discussion, Kamenova suggests we focus on how cybersecurity can help usher in the long-term benefits of autonomous cars.

“I worry that consumers, without the proper context and understanding, may not give the technology a chance,” she continued. “The benefits of autonomous driving are tremendous, from the potential to save lives to reducing congestion in our busy cities. If we apply what we already know from other areas of the cyber discipline, we can go a long way in enabling these benefits for consumers.”

“I think cybersecurity and its benefits will eventually become part of the narrative from a marketing perspective in the automotive industry,” Tisdale said. “I think that is when consumers will start to understand and care more about it. By that point, it will be more a part of their daily life.”

AutoSens Detroit 2020: Tickets, Location & More Information

AutoSens Detroit 2020 begins on Tuesday, November 17th at the Michigan Science Center and runs through the 19th. The full agenda for this year can be found here, along with the full list of speakers.

Tickets, including discount packages for females in the engineering community, are available now.

“The vision has always been about community,” Stead added. “Conversations and collaborations are what drives the success of AutoSens, and will be the signature ingredient at all our events for years to come.”

Carl Anthony is Managing Editor of Automoblog.net, an award-winning automotive news, technology, and lifestyle publication based in Detroit, Michigan and Berlin, Germany. He serves on the Board of Directors for the Ally Jolie Baldwin Foundation and is a member of the Midwest Automotive Media Association and the Society of Automotive Historians. Anthony has worked in experiential marketing roles for Fiat Chrysler Automobiles, Ford Motor Company, General Motors, Mercedes-Benz, Honda, Volvo, and Local Motors over the years.

Responses