Cybersecurity Panel at 20/20 CCAT Global Symposium

So, welcome to the cybersecurity panel. Today, I have to admit, this is a first time for me, a virtual panel, so I hope this will go well. Really quick about myself: I am responsible for the product cybersecurity and also functional safety at Lear Corporation. Lear is America's largest automotive supplier, located in Southfield; we also have an office in downtown Ann Arbor. I used to be with the University of Michigan, with amphibs still quite, and worked in Mcity, so I'm really glad to be here. Thank you again for the invitation.

In today's panel we will talk about cybersecurity of connected and automated vehicles. We want to touch on, you know, obviously technologies, mitigation, but also on collaboration: how are we successful together, and how do we, you know, test cybersecurity and, you know, make sure that our products are secure?

Really happy about having the panel that we have today; I think we have a great mixture. We have, and you can see them on the screen, Sam Lausanne from UMTRI, he used to be my colleague at UMTRI. We have, I hope I can say your name, affair Malone from Rd, our security. We have Cindy MERS from the Washtenaw Community College, and Christie For Z of Mitsubishi Electric Automotive. But I would like each panelist, starting with Sam, to, you know, introduce yourself, say who you are, who do you work for and, basically, what is your job.

All right, hi, can you hear me, Andre?

Yes, yes.

So, my name is Sam Lausanne. I'm a lead engineer in research with UMTRI, University of Michigan's Transportation Research Institute, and I focus mainly on cybersecurity and privacy issues in all sorts of transportation. We've been working with NASA, DoD will be, those sorts of groups, mainly working with sensors; recently worked with over-the-air updates and intrusion detection technologies.

Thank you, Sam. And Lafayette.

Hi there, can you hear me?

Yes. Thank
you. Rocka mattone, I'm with Deus security, CEO and founder. We are headquartered in downtown Detroit and we focus on small, medium-sized businesses, as well as in the future of consumer, with a SaaS platform to protect their endpoints and different areas in their home or businesses.

Thank you. And now Cindy.

Good morning, can you hear me now?

Yes.

Great, thanks. I'm Cindy Mills. I am the lead faculty for cybersecurity at Washtenaw Community College. I have been there for almost two years now. Prior to that I taught computer networking and cybersecurity at Pinckney High School in Livingston County and led the launch of the Pinckney Cyber Training Institute, which is the first and, I believe, still the only high school that is a Michigan Cyber Range hub, using the Michigan Cyber Range for testing. Prior to teaching cybersecurity I worked in risk management, human resource management and compliance.

Thank you, Cindy. And last but not least, Christine.

Mitsubishi Electric is a Tier 1 automotive supplier. We primarily make infotainment systems, powertrain modules, ADAS products: basically the biggest vectors into the vehicle affecting safety and security. I have responsibility for global product cybersecurity, so anything on-vehicle security related for any of our products.

All right, thank you, Kristy. So, perfect. Well, we prepared a few questions that we thought are interesting for you. Quite frankly, I by far prefer less interaction with the audience, and I know that that might be tough, I think you need to type it in, but please, if you have any questions from the audience, please type them in, and, you know, I think that will also enable us to be of more value to what you do, what you work on or what questions you might have. And I assume I can see the questions in the chat box once you type them in, so at any time just type them in; don't wait for the end.
This is Francine, just to interject a little bit. If those panelists have video capability, if you'd like to make your video available, then we may have a little bit more of an interactive experience; people really enjoy seeing the faces of the people who are speaking. And again, as Andre just mentioned, please go ahead on the Q&A button and add your question. Andre will be able to see them, and Andre, if we get too many I will be here to moderate them and share them with you to have your panelists address. Thank you.

Perfect, thank you. Well, I just turned on my video. I can't see myself, interestingly. I hope you can see me, and I'm really glad that it turned out to be of value that I put on a shirt for the first time in like a month.

So with that, let's start with your first question for the panelists, before you, the audience, can think of your own questions. So what do you think are currently the main issues of connected and automated vehicle cybersecurity, and what are you working on? You know, often people start this with, like, what gives you a hard time to sleep during the night. What do you think we should do, and what are you working on? So let's start again with Sam.

All right, I got my video here. So recently we've been working with knits, investigating sensors and the ability for a malicious actor to sort of manipulate the environment to fool a sensor. Say, for example, video: could I put a speed limit sign on the back of a shirt and actually have the vehicle pick that up, believe it's a real speed sign and then take action on it, either alert the driver or, okay, so an autonomous vehicle, speed up, slow down. And other researchers have sort of jumped on the same bandwagon and have shown that a Tesla does believe signs that aren't actually real. So I think that the sensors and the data being fed into these systems is very critical at this point, especially in a V2X environment, where that data might be relayed to other vehicles or other people in the environment as well.

Yeah, great topic. Mcity is actually working a lot on that. Rough area, what do you think, what are you working on?

Yeah, so, um, I think, you know, as an outsider looking into the auto industry, I'm not seeing a standard approach to how to tackle this, especially with the vehicles. You know, there's a misconception out there that cybersecurity is an IT item, and I think that that's changing in a lot of industries and would need to do so with the car manufacturers, and kind of at the forefront, similar to how important
it is to have seatbelts and brakes and everything else that you see in a vehicle. I also think the technology that are going into vehicles are amazing, but with that we need to start looking through the lens of, you know, with that technology it's the same as it's coming into your home for a consumer, and with that there's a lot of things that can happen from a vehicle perspective if we don't start having some standards.

What I've been doing over the last year: founded a day of security. As I mentioned earlier, we're headquartered in downtown Detroit. We focus on, you know, ensuring that small and medium-sized companies, as well as consumers, have some form of complete solution versus point products that are usually designed for the enterprise. Nothing wrong with that, but, you know, if you look at what's out there, a lot of the things need to be maintained by IT professionals or InfoSec professionals, and what we're trying to do is change that mindset, which aligns to what's going on with the auto industry in that you really need to peel things back and look holistically at all user groups, especially, we feel, small business and medium-sized customers. So we're prioritizing the where were in a way that they can leverage it, as well as pricing in a way that they can afford it.

Yes, yeah, thanks, great comment. Cindy?

Yes. So one of the main issues that kind of makes me stay up at night is talent, and ensuring that we have a future workforce who understands both automotive and cybersecurity and can train in an environment that's similar, if not close to identical, to what they might see in industry. Recently, last year, Washtenaw Community College purchased an automotive hacking workbench that was developed by one of our industry partners, Grimm, and they specialize in testing cyber-physical systems, including automotive. We've used those to train individuals on how to identify, interpret and manipulate CAN bus signals to demonstrate unintended consequences and how to identify security measures that need to be put into place. Along with that, I've been working to launch an automotive cybersecurity certificate for the college that includes courses in local and mobile networking essentials, network security, automotive electrical systems, computer science, and the capstone class, pentesting automotive platforms. And for me one of the most exciting things about this is crossing over and collaborating with our automotive technology department and faculty there, so we're really coming together, you know, as a cohesive unit in developing this program.

So we're looking to develop this program to meet the demand for highly skilled automotive cybersecurity professionals. It introduces them to the skills and strategies that are needed to be able to test security related to any automobile network and related infrastructure. So we're really excited about that and the partnerships we're developing and, you know, the abilities that we're going to have to kind of contribute to that talent needed in the industry.

Yeah, thank you, that's an excellent topic, and I'm sure pretty much everyone here in the Corps was desperate hiring people with let's go. Thank you. Christy?

Yeah, I think, you know, this is not something that's unique only to automotive, right? As the entire world is experiencing this digital transformation, these traditionally mechanical systems like your car are now being primarily software driven, and now connected on top of that. That adds in a lot of inherent risk, not only to legacy products that were never designed to be connected to the internet, because the internet didn't exist when they were designed, but then even looking forward, right, you have an engineer who has, you know, written steering control module software or made hardware decisions
for the last 20 years and has never had to consider cybersecurity before. And so it's this step change that we're trying to get caught up on. We as an industry made a decision to make everything connected, and now we're kind of playing catch-up and realizing, I wish we'd thought about security at the same time. So I think we've taken our lessons learned there for sure, but really it's a cultural change that the entire industry has to go through and to experience, right? So we need to make sure that every engineer is educated on cybersecurity, that they're aware of it and the impact that their decisions and their design choices make for the end product. And so, you know, the industry has been through this before, where safety is everyone's responsibility; now cybersecurity is everyone's responsibility as well.

Yeah, perfect, epic, so once you made similar experiences as I did. All right, so once again, I think that should have given you like a dozen questions at least or so, and actually I see one. So, Administrators here. Yes. So the question is, and any one of you can answer: so is this, so, is security just an issue for the future, or are advanced autos, Tesla's given here as an example but there are many more, already being hacked? Who wants to give it a try and answer?

Well, that does kind of blend into one of the things that I wanted to talk about, and that's: realistically, can somebody actually hack into a vehicle, and is it happening? And you just have to search "car hack" on the Internet, not that the Internet is, you know, 100% factual, but you're going to find a multitude of articles and news headlines. For example, one of them that popped right up was exploiting the Wi-Fi stack on a Tesla Model S. Another big study that I've followed: Keen Security Lab working with the BMW. They've gained local and remote access to entertainment components, telematics and diagnostic systems, and they can actually gain control of the CAN bus with the execution of arbitrary code. So there are things happening currently. You know, another one: this morning I did a quick search on the CVE database, showing any of the vulnerabilities that have been identified out there in the wild, and there's one in 2020 that is on a popular 2017 model year display control unit that allows an unauthenticated attacker within Bluetooth range to cause a denial-of-service attack. They're out there, so it's definitely something we need to, you know, be paying attention to, what's happening.

I think there's, you know, like Cyndi's saying, there's technologies that we're putting on our vehicles today that are out on other products as well, like Bluetooth and Wi-Fi, that have vulnerabilities discovered on them, and then they can be therefore, you know, exploited on a vehicle, and absolutely that's happening today. I think the risk profile increases significantly for future vehicles, right? More autonomy, where your vehicle is now making a decision, like Sam was talking about in his intro, based on some sort of input that has now been fabricated or been manipulated through a cyber attack, and now your vehicle's making a safety decision based on poor or, you know, data that doesn't have any integrity to it, for example. So I think that definitely the threat profile increases, right, with Teslas and more autonomy, and as we go down to level 4 and level 5 it certainly becomes a higher risk. We also see higher risk as we go through additional features that we add to our vehicles, right? One of the things that we try to do as engineers, especially working in infotainment, is to try to make that driver experience better, right? And some ways to do that is, you know, now we're going to put credit card transactions on your vehicle, right, so now you don't even have to interface with the person at the drive-through, your vehicle pays for you, or you don't have to, you
know, interface with the gas pump; your vehicle, you know, makes that financial transaction happen on your behalf. Well, now your vehicle has a bigger threat profile, because now we have financial data stored on your vehicle that didn't exist there before. So I think that, you know, as we continue to add these additional features and as we try to increase that driver experience, and more autonomy into the vehicle, certainly the risks are only going to continue to get bigger.

Anyone else?

And I can add to that, in that sort of some of these firmware issues that we were talking about with the Bluetooth or the Wi-Fi stack, some of those are hard-coded onto chips, and some infotainment systems aren't able to update those features or those particular areas of the infotainment system. You know, whereas a regular software update covers, you know, the user-facing portion, it doesn't actually cover the firmware for the Wi-Fi chips and things like that. So looking at the longevity of a vehicle on the road, whether it's 10 to 20 years, we have to look at how long, you know, services are going to be able to be supported, Wi-Fi, Bluetooth, because exploits are going to be found in technologies made today. So as we continue on we'll still have to prepare for everything that's made and how long we want to support it.

Yeah, definitely. And I just want to add, I don't, you know, all the cybersecurity is new today. Estimates had it about 50 percent of cars are stolen by undermining the electronics, and, you know, that started something like 20 years ago, so it's a pretty old issue. All right, I want to move on to privacy. Offer here, should we care about privacy, and what is the worst thing that can actually happen regarding privacy?

Yeah, I think Kristie touched on it. So we absolutely need to worry about privacy the same way we do with our phones. Now, in vehicles, the automakers are going to put what I would call the ease-of-use items into our vehicles, like credit cards or connecting with our home, all great technology, but it does open up the door for a hacker to gain that information. And I'll say at the information level, because I don't like using fear in cybersecurity, but that information is used to get into other areas of your life; it could be your bank account, it could be into your business. So even though you might be thinking right now, "but it's just a car, and yeah, they're putting my information into it," I would say that we need to start thinking of them like we do now with our phones. We're so hypersensitive about the information on our phones; it's that information that's so valuable. With all the cool technology that's going in, Wi-Fi, as you view that, some of the things you mentioned from the question too, is it really an issue now or in the future? It is right now. I think it really is about the privacy of your data and what's going on in the vehicle. I also think that right now you see a lot of ethical hackers, which is some of those videos that are out there, trying to show the audio and auto industry, from their perspective, what can be done in the current vehicles. I think that in the future your privacy could even get down to the conversations you're having, who you are, and what they're trying to achieve, either through government agencies or other sensitive information. So, long live interests your question, privacy is really important. We're seeing that, and that is the next phase of where, unfortunately,
the bad hackers want to go, and it purely is around gathering information about you or your data so that they can leverage it in other areas as they progress in different industries, or the information can be sold on the black market. If you talk about the one that I followed, it was the ethical hack of the Jeep. That was almost five years ago, and that was still not the level of technology that are in vehicles today. As we get into self-driving vehicles and a lot of cloud-based offerings in those vehicles, I just go back to, in the simplest form, think of your phone or even your laptop, that we all know now we need to critically protect. That's how we need to start thinking about our vehicles.

Yeah, good.

Yeah, and I'd like to add just maybe another corner case to consider for privacy. Right now, you know, your vehicle has GPS on it, and so that data could potentially be harnessed, which for the average consumer is probably not the biggest concern, right? The fact that I drive to work and, you know, go to the grocery store, that's not super exciting; well, you know, once upon a time, before I was stuck in my house. But if you look at other vehicles that are sold for fleet purposes, like to law enforcement or to intelligence organizations, right, so now you have, you know, an FBI Detroit vehicle that's going to go visit specific assets and specific safe locations, right, of what they expect, and then they need to go and sell that vehicle. Is all that data stored on that vehicle? Is it being pushed off of that vehicle? What are the concerns that they have from an operational point of view to protect their assets and their sources and means? And now the vehicle is an inroad to get to that data. So just kind of another use case for the privacy that maybe we don't really think about necessarily as an average consumer, but certainly something that will continue to grow and be an issue, right, just like we have with our cell phones, as you identified. Not everybody wants their cell phone broadcasting their location all the time; well, now our vehicles are doing the same thing.

But yeah, that's actually another concern for unmarked government vehicles: in the event that they remove communications from them, are they then anomalous, and can an attacker be
able to identify an unmarked government vehicle in a way? So there's a double-edged sword there as well.

So, Christie, why don't you continue: should we actually only be concerned about the vehicle, or also about a larger ecosystem? You know, there's manufacturing, cloud, service; cars might be able to open your garage door, that sort of stuff.

Yeah, I think that's actually, you know, in terms of current security issues, some of our biggest problems, right? So the hacking of the vehicle is not as well established in the hacker community, right? To get practice on your car and you accidentally break your $50,000 vehicle, that's a pretty big oopsie, compared to looking at technologies that exist in other markets and have other, maybe greater, monetary gain in other industries, to understand that technology, right? And so looking at cloud services, that certainly has huge implications across many different industries, and so as a hacker, if I'm going to choose a technology to be an expert in, that seems like a really viable one. And so as our vehicles become more and more connected to the cloud, that certainly becomes one of the biggest risk factors. So again, lots of data, lots of privacy on the cloud for data coming off the vehicle. That's also how we potentially push out updates to the vehicle, so again, you know, sending out malicious code direct to the vehicle through an established and, you know, potentially believable, considered-secure interface to the vehicle. So I think, you know, looking at that larger ecosystem is definitely something that needs to be considered, and it needs to be protected, not just on board the vehicle but also anything that interfaces with it off board the vehicle. Same thing, as you identified, through our manufacturing plants, right? If we start, you know, putting bad hardware, or hardware that's been injected with malicious code already, that is now being installed on our vehicles and rolling off the assembly line as, you know, considered to be validated or even signed with our OEM certificates, whatever it might be, that poses a pretty significant risk to our vehicle operation as well.

Very good. All right, so I found there's a Q&A, a dedicated Q&A box here, and we sort of got a li question for everything. So: from a top ten guiding principles for automated and connected vehicles readiness standpoint, what should OEMs and some infrastructure owner-operators be focused on during the next two to three years? You can hopefully see that also on your screen. And this question comes from the WS, what is that, Washington beauty? And if he was with Wisconsin... Wisconsin, could be Wisconsin.

I think data integrity is a huge thing. Like I said, the data coming from sensors being transmitted to other vehicles with V2X or even to the roadside, and understanding exactly what happens when a sensor is damaged. For example, if you're in a minor vehicle accident, your radar is bumped or out of alignment, can the vehicle know that the radar is out of alignment, so that it actually prevents that data from being sent to other cars erroneously? And that sort of thing. So I think integrity of the data is going to be very critical.

Washington State, Washington. Yes, thanks, Ted, Washington State. What about software updates over the air?

I think software updates over the air is a very important thing. However, I think it's also sort of a double-edged sword: if a critical vulnerability is known and an operator pushes out an update too quickly, they may introduce other flaws into the software as well. So they have to be very careful about how often they update the software, and that they're doing all the appropriate checks and making sure they're not introducing new bugs or new flaws for attackers to take advantage of along the way.

All right, and the opinions: what about the new ISO standard 21434, is this a thing that should be on that list?

I can let anyone else jump in as well. Sure, standards are great as long as people actually adhere to them, and I think
in Europe, where you have type certification and other people looking at how you're building a vehicle, it's a little different than how it's done in the States. But at the same time I don't think any vehicle manufacturer, equipment manufacturer, wants to be the company that gets their stuff hacked. So I think everybody's doing as much as they can do, you know, and they look at the standards and they take those, too, into account pretty thoroughly.

Yeah, and I think the one thing you have to keep in mind with standards like that is, once you create the standard it's not done. It's a baseline, and that's going to be ever-evolving, especially, you know, with the V2X utilization. So I think that's another thing that we have to look at: how are we kind of continuously adapting that? You know, and yeah, I'm a standards person, that's where my background is, I love compliance, but unfortunately it's only, you know, part of the equation.

Yeah, for sure. All right, thank you. I see another question here. I combine that one, it's one of ours. So the question is: cybersecurity has been a research topic in other disciplines, such as computer science, for years; how is the cybersecurity in transportation different or special from other disciplines? And I would modify that slightly: either from other domains, industries like airplanes, medical, IT or, you know, the security industry in general.

I'm struck... well, I think that the baseline of cybersecurity principles is the same no matter what industry you're in. I think you don't have to take the unique items from that industry and see how to apply it. We go back to it: Christie and some others have mentioned, the majority of the items that are going to happen in these vehicles are software driven and code based, millions and millions of codes. That doesn't mean we need to change what other cloud services or industries have already done with the same type of technology or programming. I think that's where having a working group or standards, as Cindy had mentioned, is critical, so that you're not rebuilding the wheel. There are decades of cybersecurity standards. It's just looking through the lens of an automaker and ensuring that you're allowing experts in the industry to partner with the manufacturers and help guide them through this, not give them guidance and then let them go on their own with potential for a risk to the consumer or to agencies, like Christie mentioned, if they've purchased vehicles that are over designed as well to protect them.

Yes, yeah, okay, good.

I'm
not too sure if this is applicable, but from a physical security approach you always look at layers. Let's say if you're trying to protect your house, you want to, you know, put cameras on the outside or build a fence around your property and that sort of thing, and I think automotive security is very similar, in that, you know, once somebody actually gets access to your CAN bus, it's sort of over. So how do you protect your CAN bus, how do you protect that data integrity, like I said, and then how do you build sort of layers going outward, so that your interfaces like Wi-Fi, Bluetooth, your V2X are also protected, and that if they are compromised in some way, how is the vehicle going to be maintained and secured to your safety level?

Yep, excellent. All right, let's move towards V2X, vehicle-to-everything communication. So how much should we actually be concerned about V2X security? You know, an argument that I often hear, and sort of also created a bit, was that in the end it's all about driver notifications, and, you know, also radar and camera-based systems would use false errors, so it seems to be not much of a big deal, right, if you have a security issue. Sandy wants to?

Well, it's not just from a security perspective, but again, if you get into, you know, a minor fender bender or something like that, and your radar is unable to determine that it's been misaligned, and then it starts throwing out alerts to you and you say, "oh yeah, my fender is out of alignment," but if it starts passing on those errors further down the road to other vehicles or to roadside units, what is the impact of that? And then how do you remediate, say, you know, this car is misbehaving? Those sorts of implementations are being studied and looked at now and worked out, the implementation of. I think that's very important.

Good. And then, how can we test V2X security? But I guess we can make it broader: how can we test security properly? It's easy to test for standard compliance in a functional sense, but it's tough to test security, right? And Christy, what do you think?

Did we lose Christine? Does anyone else want to answer?

Sorry. Yes. Okay. All right, sorry, my internet was getting flaky. Um, you
know, I think that the biggest challenge that most people have with testing for security is that you're trying to test these corner cases, right? It's not the straightforward, you know, functional testing: if I push this button, does this happen? It's: if I push these series of buttons and I use it in a way that it's not intended to be used, can I trick it to get into a state where I have greater control than I am intended to have? Right, and so I think that's come with it the challenges around the security compliance issues and when it comes to testing. But I think, you know, as Sam and others have talked about, if we can build out our defense-in-depth strategy and our security strategy, and we can, you know, guarantee that we are, you know, validate that we have done those implementations correctly, I think that's a good start towards getting some sort of standardized compliance in security. Now, the challenge that I think we'll continue to have is, again going back to this cultural issue, that even if we test for security compliance today, unlike safety or traditional safety compliance or, you know, testing, cybersecurity is a continuously evolving activity, right? Safety is relatively static: we did a crash test and it passed at 10 G's or whatever, and now we can say we've checked that box and we've moved on. But cybersecurity is reacting to outside forces that we don't control, right, these malicious actors, and what are they doing, and what kind of technology evolutions are happening in these other spaces. So we can say that this is secure today, and a new vulnerability is disclosed tomorrow, you know, based on open source libraries or whatever, or these standard technologies that we've been talking about that are also included in our vehicles, and now that's no longer valid, right? And so I think that's where the real challenge becomes for security testing, is that
it's not a "we tested it once and we're done, we can put it on the shelf, we never have to look at it ever again." And so it's coming up with what that cadence is, what that reaction is, how do we manage incident response, how do we manage our vulnerabilities. You know, as Sam alluded to, you know, we can't just push out an update every single day; that continuous change in our software introduces additional vulnerabilities and additional challenges. So it's coming up with what does this balance look like going forward. So it's kind of a multi-faceted challenge to come up with what does it mean to say that we have done security testing, how often do we need to do that, how do we respond to it throughout the product lifecycle.

Yeah, yeah, excellent. Tough topic. But we have an audience question here. But let's see, it might have been for the previous panel, on a legal aspect, so I'm not sure we can answer.

So, question is: can you comment on the impact of strengthening security and access on right to repair?

Well, I'll take a stab at that. I'm not entirely sure what the intention of the question is, but it's one of my favorite topics, so I'll try it anyway. So, one of the challenges with the right to repair law, just for context and background, is that it gives any user the ability to have access to repair and run diagnostics and stuff on their vehicle, so that it eliminates the need for the car owner to go into the dealership. So it doesn't give the OEM dealership monopoly on service; you can go to any mom-and-pop shop or you can repair it in your own driveway if you have the capabilities and the tools, which are all required to be available to you under right to repair. Which causes some challenges on the security aspects, because in some sense it's like giving everyone network administrator access to your network. So it's kind of like the inverse of what you really want to be doing from a security standpoint in terms of locking your system down, because you now have to make it open to everybody else. But what we can do is we can build out some restrictions along those lines, right? So now our firmware is signed; it needs to be signed by an OEM PKI authority, and so it can't just be any software that you write you can upload onto your vehicle; now it has to be something that's approved and signed by an OEM. So I think that's a first start towards that. We've also looked at, so, previous to being at Mitsubishi I was at FCA, and so building out and responding to this challenge of course is a big part of what OEMs have, that service aspect that falls under their purview. And so understanding who has access to your vehicles, and making sure that now you're tracking those user logins into each vehicle, assigning it to each VIN, and so you can add some additional data integrity behind it to ensure that you're not just getting like a blast of different software updates, or that there's a reasonable number of vehicles being worked on by each tool each day, and those types of things. So it's got some challenge around it, but there's security protocols that you can institute all throughout that whole service lifecycle, from the tool to the vehicle to the software in between, and how it's signed and how it's managed, to help reduce the security risk associated with right to repair. I hope that answers the question.

Perfect. That's that.

Andre, this is Francine, and I have a question, I think probably for Cindy. I know that you are involved, were involved, at the high school level and now at Washtenaw Community College, and I'm interested, sort of from a student perspective, about what they see, the future workforce and career and job opportunities, and whether or not students are moving from a two-year, perhaps a certificate or even an associate's, to a four-year program.

Okay. So a couple of questions out of that. You know, as far as the ability for students to train in this area, right now there's a few sources. Square One does a great job at the high school level, and even actually younger level as well, getting students excited, interested. And that's kind of where we tend to struggle, is getting them to understand some of the opportunities that are available beyond, you know, their own computers. So adding different programs such as that, running cyber security camps, getting students working with the Grimm unit that I had talked about, where they're able to go through and conduct some simple hacks, if you will. And really a big part of that is mindset, of becoming a critical thinker: how do you reverse engineer to figure out what we need to fix or what we need to secure? So kind of starting at the high school level, getting them interested and excited, and kind of rounding out that type of user. We're seeing a number of different pathways, and there is still, you know, a great amount of students that are looking for that four-year college bachelor degree program. What they're finding too is the ability to go through a program such as Washtenaw Community College's, or some of the other schools' cybersecurity programs, and then coupling that with a computer science degree; those are great options and
great opportunities. But by creating this environment in automotive cybersecurity where they can focus on a tool, something right now that interests them, and we're getting them that hands-on experience, again, with the technologies; we're even looking to build out a lab with scalable work benches from, you know, actual vehicles, so that they can have that hands-on experience. And I think part of what we can offer at the community college level, that hands-on connection. And then also with that, we have to look at the current workforce that we have. I get so many interested students coming to me that already have bachelor's degrees, obviously a lot of them even have master's degrees, that want to come back and train in these other areas. And so being able to provide them with that cybersecurity background to work alongside of their automotive engineering background is huge, and so having access to certificate programs like that is essential. Again, you're gonna have many different pathways; many people are gonna choose, you know, they're gonna do what works for them, so giving them those options is kind of what really at WCC we're looking at: how can we provide those options? So it's exciting, exciting stuff going on.

And so, those of you who are in industry, what are you looking for as a potential hire? So we have students in our audience right now, undergraduate as well as master's level, and perhaps they're wondering what it is that they would need to do to be a hire in this area.

Let's... Raphael?

I think that what I've seen over the last 18 years is definitely what some of the touch points have been discussed around the technical aspect of cybersecurity. There's definitely need for more engineers and developers, but for those students, or even high school students, or those listening, it's not all about the technical design. You know, what we look for, and I look for in past lives, as well as other cybersecurity experts, is good problem solving and communications. There's a whole nother area of cybersecurity that's not code-based: analysts, operations, understanding the different compliance out there and applying it to an organization or even in the auto industry. So I would say, don't assume there's one flavor of cybersecurity, to those students listening, and if you're not that technical person, it's okay. Having the baseline, and that we look for, is good communication skills, and if you love a good puzzle, there are so many other opportunities with problem-solving and cybersecurity that can get your foot in the door as an analyst or a...

Second, Andre, why don't you take a stab? You have a pretty big team over there at Lear. What do you look for when you hire into your team?

It's so tough. I wish I could actually ask you the question. So, you know, I was in academia, I was at UMTRI; now I'm in industry, so I saw the issue from both sides. When I was in academia, it was so tough to work with industry because of all the NDAs and confidentiality agreements. And now being in industry I understand why, because I need to get so many approvals for these things, right? It needs
to go up really high in the chain, and it needs to be reviewed by whatever lawyers. In terms of collaboration, you know, I wish there were more ways of kicking off industry and academic collaboration, of doing research together, developments together, and getting over this hurdle of, you know, competitiveness, confidentiality, the concern of someone finding vulnerabilities in your products. And I have to admit I would be so happy to learn how to do that. So I will in a second come back with a question to you. You know, in terms of who do we need, the tough reality is that, of course, everyone says yes, you know, we are willing to take young, really smart people who are trained in problem-solving and understand certain areas; they don't need to be security experts. But the reality is we will always prefer someone who already has a background, because it takes a lot of time to train people. You know, we don't talk about like three months and then someone is ready to do the job, right? It's like two years, three years. So what we look for: young people who, I totally agree with Raphael, are, you know, very trained in problem solving; communication is so important for security; but who additionally have an understanding, a mindset of security, whether they displayed it in the studies at the university or if they just, you know, reverse engineer automotive systems to do whatever. I personally prefer automotive electronics people to security people, because the security part is easier to learn than the automotive electronics.

All right, now let me reverse the question: how do we get over this obstacle of, you know, academia and industry working together? I'm sure all of you experienced that, right? If you're in industry, you go to... so if you're in academia you go to industry, and it's so tough, right? And if you're in industry you try to work with academia, and it's really tough.

I think from a historical perspective, security through obscurity used to be the way, and I think a lot of people are still sort of hanging on to that idea, where their intellectual property is going to make their product and their company a whole lot better, and they don't want to share that intellectual property, and they want to obscure their intellectual property for safety, security reasons, as well as legal, logistics reasons. You know, somebody finds out the inner workings of a product, will they be sued even if it isn't defective for some reason, or it doesn't cause an accident? So I think that the legal environment, the political environment, really drives a lot of the openness and the ability for companies to share, which is unfortunate. I don't know if that's a cybersecurity issue that we can solve here.

Yeah, that's a tough one, I know. So if anyone ever has an idea, let me know. You know, one approach is Mcity, where I'm quite active, some of you are, where at least, you know, we take some steps to collaborate between academia and industry.

All right, we don't have too much time left, but I do want to talk a bit about automated vehicles. So maybe we have a broad question to all of you: what do you think are the important aspects in terms of security in automated cars? Maybe you think it's exactly the same, but maybe it's not. Highly automated, really in the direction of self-driving vehicles. To start, all right.

Well, I'll take some low-hanging fruit since I have to go first. So, as I kind of said earlier, I think that once we add more automation into the vehicles and we go more autonomous, we have greater impact on the decisions, we're relying more on the decisions that our vehicles are making for the safety of our occupants; then obviously cybersecurity needs to be an enabler for those technologies being added on to the vehicle. And so I think a lot of the work that we're doing today is building the foundation of our security on our vehicles, right? So, you know, like I was talking about this transformation we've gone through, based on the development lifecycle of vehicles at the OEM level, we're just now getting into building vehicles that have an architecture that was, electrical
architecture that was built for security, right? So we're trying to separate these infotainment-system-type extra connectivity for these added driver feature benefits, and separate them from the safety functions of the vehicle. And so now we're building out this foundation of this architecture that can now be leveraged into an increased automation, right? So we're not giving unfettered Wi-Fi access direct into our, you know, brake module to make decisions for our vehicle. So trying to add in those additional layers of security and an additional separation, I think, is really the big part of what we're doing today for the future of automated vehicles. And so I think it all goes back to that cultural change that we're talking about, trying to build out this concept that cyber security is required to be able to enable these advanced features, and that we can't have one without the other: we can't have safety without security, and the two are coupled very closely together.

Oh, here. You might speak, and you're muted.

I just say, building on what Christie said, I think the auto industry needs to decide: are you protecting the automated individual vehicle, or are you centralizing everything? Because there's two different ways to protect through that line. Obviously both need to happen, but if a vehicle is automated and going back to a single source for its next action, its next route, that could be problematic if someone was to get into the mainframe of everything and then be able to drive different behaviors within those automated vehicles. So I think it's great that they're separating these social, cloud offerings from the safety functions, is what I would say, of a vehicle, but I do think that there's different layers of security that are gonna have to be applied to ensure that it's protecting the individual vehicle but also the masses. And that's going to be a big burden for the automakers, because if we don't help each other get this right, and I'm saying cyber security and auto, it could potentially ruin their brand, and fairly quickly, which we've seen in other industries when it comes to technology. So I don't think it's them needing to, the auto industry needing to do it alone; there's been so many lessons learned by all of us that have already gone through this with other platforms. But that's where I see that kind of fork in the road of which way are we going, so that there is some sort of standard to that.

Very good. I increasingly hear
the opinion that automated or self-driving vehicles will be owned by fleets other than end consumers, and one reason is security. You know, the fleet or the car maker doesn't want to give the decision whether you update the software in your car, for instance, to the end consumer. They might be unable to; they just know this is necessary and we push the update into the car. So how do you feel around software updates, ownership, and self-driving vehicles?

Well, personally, I know no end user wants to be the IT person. We see it all the time with all software updates; like you mentioned, they might just hit "no", and then when it's your computer, that could lead to a hack; when it's your vehicle, that could lead to a safety. So I think it goes back to what are the different tolerances. For those that are tied to safety, I think it should come from a fleet approach. I think if it's just social media type applications that are being leveraged for radio and other ease of use, that it might be an option, but I wouldn't put it in the hands of the consumer for the safety item. I know Christie spoke to that, but I would definitely break them apart. Being in the IT industry for a long time, end users either are distracted, busy, or just simply don't want to take the steps necessary to update.

All right, very good. So now come to the very last question to all of you; try to make it short, we have one minute left. What do you think is the most important or urgent next step? Why don't we start with Cindy.

Okay. I'm having some trouble with my camera, but I think, can you still hear me?

Yes, we can.

Okay. I'm gonna, mine, kind of the obvious: training. Training the current and future workforce in cybersecurity practice around these cyber-physical systems and critical infrastructure, and really coupling that with industry-academia partnerships. That's essential, and, you know, I hope that, I'm encouraged and excited about the collaboration that's already been taking place and helping to develop the program we're working on. And, you know, so I really see some good positive steps in that direction. So, yeah.

Very good, thank you. Christie?

Yeah. I think we've touched on it a little bit already, but I think, you know, building out some greater opportunities for collaboration, not just across the research community in academia but also across our industry, right? You know, we see more and more that the hacker community is really good at sharing information, and they're really good at partnering together and building off of each other's successes. And then the industry side, as Andre alluded to, our challenge is that everything we do we consider to be IP, and we don't want to share it at all, and we don't really want to learn from each other in that same way. So we're looking at ways to break down some of those barriers in the industry. Organizations like the Auto-ISAC obviously are a great help in trying to break down some of those, but this is a big cultural change for our legal teams to understand, for our, you know, traditional executives to even understand: the way that cyber security needs to be approached and looked at is different than the way that we have traditionally built vehicles for the last hundred-plus years, and it's something that we need to make accommodations for and change our thought process and our culture around it.

Perfect. Sam?

Yeah. I think even looking at the threat modeling now: as we get into an automated vehicle that doesn't have a driver, what are the passengers going to be doing, or going to be able to do, in the vehicle as it's moving down the street?
And so really looking at what we're putting into the vehicles as far as technology goes, and how we're gonna support it for the 10, 15, 20 years, and even looking at the model, who's gonna own it, whether it is the fleet or a personal vehicle, and how those things are going to be handled. I think those things should probably get sorted out before we start putting them on the road.

Yeah, sure. And Raphael?

Yeah, I agree with both. I think the biggest piece is to have others with a different lens look into the space and help, and that can be with collaboration or even partnerships, but to try to do it alone would be a mess. I also think having ethical hackers involved will guide the auto industry on what to look for, because that's how the other industries have done this, and obviously thought leaders. You know, once you've done that, then I think you can create the standards. Doing the standards first, before that, would be a mess, in my opinion.

All right, very good, thank you so much. So we are two minutes over time. I hope everyone enjoyed the panel. I would certainly give you a huge applause now. And I don't know if our emails are shared, but, you know, certainly if anyone has questions afterwards, I'm sure all of us are happy to receive emails and try to respond to them. All right, thanks so much, and enjoy your lunch.

2020-04-28 22:34
