Tech Talk: Vehicle Cybersecurity


[Host] Hello and welcome to today’s Tech Talk with
the Department of Homeland Security (DHS)
Science and Technology (S&T) Directorate. Today
we are going to be talking about automotive
cyber security. We’ve got three folks who are here to join us.
I’d like to give y’all a chance to introduce yourselves
before we get started. [Chase] Sure, I’m Chase Garwood.
I’m with the DHS S&T Directorate, Homeland
Security Advanced Research Project
Agency, Cyber Security Division and I’m the
federal program manager
overseeing portfolio and research development projects.
Automotive and vehicle cyber security is one of those areas.
[Host] Great. [Brendan] I’m Brendan Harris, I’m a
cyber security specialist in the advanced vehicle
technologies division at the U.S. Department
of Transportation (DOT),
Volpe National Transportation Systems Center
in Cambridge, Massachusetts.
[David] And my name is David Bailinson, I’m a
senior computer scientist with non-profit
SRI International and I’m part of a team that provides
technical and programmatic support for the DHS
S&T cyber security R&D program.
And in particular I support Chase on the
cyber physical systems security
project. [Host] Great, I’m so glad to have y’all here today.
We’re gonna kick things off
and I’m gonna ask a few questions, but type in your
questions if you have one and we’ll get to them in a
few minutes. So just to set the stage, can you tell
us about some of the current
issues in cyber security for vehicles? What do we need to
be concerned about? [Chase] Sure, I’ll
kick it off for the group here.
Basically, cars are not what they were
30-40 years ago. You had the classic cars or you had a
catalytic converter, you had an engine, you put gas in it.
A lot of physical engineering into that vehicle right?
Cars today, current models and what we are
seeing coming out here very shortly
are computers on wheels, multiple computers on wheels.
Complex systems in a vehicle from
your fuel management, to your
info, entertainment right. Your DVD player, to
video player, to your
whatever mobility connections. To your
air bags, to everything in the car. So it’s very complex
and since it is a computer, multiple computers on wheels
just like with our desktops or our mobile phones, our
home automation whatever it may be.
There are risks, there are issues.
There are things that can be hacked or
what not, so we need to take
very similar cyber approaches
to those potential risks. [Brendan] And building
on that, so not only do you have these more
computers controlling more of the physical
aspects of the vehicle, you’re also seeing
at the same time a proliferation of
communications technologies being
added. These come in the form of wi-fi hotspots, bluetooth
connectivity to your radio, so you can do
hands free communication. You have
tire pressure monitoring systems in your car, in your tires
that monitor the air pressure so
in addition to these new cyber physical systems in the car
it’s being paired with tremendous connectivity to the
outside world, particularly when you look at
fleets and fleet management technologies to look at large
numbers of vehicles to assist in maintenance
and monitoring of vehicles
making sure that things are fixed on time. Making sure that
things are taken care of in a reasonable manner.
[David] It’s my understanding even the seat belt tension
is computer controlled. [Host] Wow, I did not know that.
So it sounds like we are growing more accustomed
to having more smart devices
more connected devices in our daily lives
that’s happening in cars that opens it up to the typical cyber
risks that we’re used to seeing with making sure your
systems are protected and how they are communicating
with each other that sort of thing. [Chase] Well as
Brendan said, it’s not just from a
computer virtual world anymore. [Host] Right.
[Chase] We’re concerned about
you losing data or somebody getting access to
data or ransomware are those things that we
are concerned about with regular computer
hygiene on phones, or our laptops or our PCs.
Now in especially in an automobile or vehicle
in other cyber physical spaces, it’s now those computers
can have real world effects in realtime, not just the ones
and zeros virtual issue anymore. [Host] So it’s not
someone shutting down your computer, it’s someone
shutting down your car and everything that might entail.
Gotcha. So that’s sort of the environment that
we’re operating in.
What are some of the ways that we can either
mitigate or start protecting from cyber attacks?
[Brendan] Sure, so one of the
major aspects of our research several years
ago was looking at
mitigations that exist right now that are either after market
or can be built into the supply chain of automobiles. There’s
kinda like four major ones and most of them are adopted
from traditional enterprise IT
environments. So these are things like using a firewall to
segment and breakout different parts of your automotive
network to separate those
high connectivity from the components which have
tremendous physical consequences like Chase
was talking about.
And we are also seeing hardware security modules,
which can create
encryption between messages. So it’s harder
to send messages that have poor
that have detrimental effects and we are also
seeing intrusion detection and prevention
systems, which can monitor the state of the communications.
In the event that there is something
that’s dubbed anomalous
it can intervene and prevent those messages from having
their intended consequence. So those are
kind of some of the major ones.
What we’ve seen is that these were aftermarket devices
that were kinda being hacked into the car, between different
components and now, the tier one suppliers,
the people who manufacture the components
of the vehicle are starting to build these into their offerings
and that the OEMs are now integrating
more secure architectures
in the future. [Host] And I want to pull that point out a little bit.
Because it’s not patching something anymore it’s
really building the security into it. Can you talk a little
more about why that is important? [Brendan] Sure.
Well, that’s important. So I think in a little bit we
are going to talk about software updates
and patching but that’s really an after the fact kind of thing.
And in order to really have a robust, secure system
particularly when human life is involved.
You really want the architecture to be
designed in such a way that it’s not going to malfunction
that these risks are accounted for. Because a lot of these
risks weren’t something that was being thought of
5 or 10 years ago and with the long lifecycle of cars
on the road, it’s important for them to be secure
when they come off the assembly line.
[Host] That’s a great point. [David] This notion
that designed in security is
actually is something that’s been integral in the
cyber physical systems security program.
A lot of these new CPS and internet of things or
IoT type devices are designed with functionality as their
primary concern and now is the time
to start thinking about security.
So as they start to populate and proliferate, we will see
them with security as an integral part.
[Chase] We found in a lot of areas
especially in the cyber physical systems space and the IOT
space that it’s much more cost effective to
design in at the front end as usual right?
This is not anything new to community, so it’s much more
cost effective, much more efficient and much more effective
to do at the engineering, design and architectural
stage than kind of a typical
“hold on” or “we accept the risk” you know later on
down the product lifecycle and that’s one thing to mention
I think is while we are talking about cyber security risk and
cyber security aspects, there’s a lot of great things that we
are seeing coming out of the automotive
technology and the cyber physical
space that is going to improve safety,
efficiencies, you know a lot of things that
are real positives. We just want to make
sure that the cyber security angle
is also considered in there so that we can
take full advantage of these new features
and new technologies that are rapidly evolving and being
distributed into product models and what not.
[Host] Absolutely and with that in mind what are
some of the projects, the research and
development projects that S&T is funding
that are looking at some of those solutions?
[Chase] Well one of them, we were just talking about
or mentioned kinda patching in management.
Just like or updating just like with your
phone, whatever model you have. You’re updating your
phone on a regular basis, your laptop, your PC whatever
software is in there. So cars are no different right?
In the past we’d have to go into the garage or
into a dealership or a mechanic and
they would hook up, I had a, I won’t say which model, but I
in my college army days I had a car that I
could actually physically work on.
Go in and change the spark plugs, I’d monkey
around with it. Not that I’m any
big auto mechanic kind of guy, but I could do some.
Nowadays there’s too many computer modules,
there’s things in there sure you can work on it
some basic things, but you’re bringing it into a mechanic
and hooking it up to a machine and they’re flashing
things into those ECU ports or they’re plugging things in for
diagnostic or to update. Kind of like the firmware or virus
on your computer type of thing. That’s still gonna
be in effect in our eco system “so to speak”, but
as Brendan said these cars are now connected right.
One has bluetooth, wi-fi, LTE whatever your mode there’s
now connectivity over the air. So you may not have to
go into a mechanic physically, have a mechanic physically
connect your car to do an update right.
So software over the air is gonna be
more and more prevalent and in that case
we want to make sure that those updates are legitimate.
That they are safe.
The same, some of the same threats and risks
that we see in other use cases with phones
and laptops and what not. Man-in-the-middle
attacks, other things that
can get malicious code into there, that you think’s legitimate.
Phishing attacks and all sorts of things clicking on that link.
So we have one interesting and really rapidly progressing
project combination, collaborative efforts with NYU,
UMTRI, which is the University of Michigan research
Transportation research Institute and
also Southwest Transportation Institute
Working on making sure that when you’re
a tier one supplier or the OEM, you know
wherever you bought your car from, makes your car
that that secure update
is legitimate as much as we can. That it is encrypted
properly. That it’s framework, called “Uptane”, that’s based
upon the trust conductor. Update framework out of touring,
not just specifically into the automotive space and ECUs
and all those modules. So we have a few others that you
guys want to kind of go over? [Brendan] Sure, yes.
So another aspect of the research
we’re doing is into this realm of open
source automotive research tools.
So open source refers to tools where the source code or
schematics in the case of hardware.
They’re all available, it’s freely online
and trying to make these tools more accessible
to people who are interested in
doing this research, because for a long time one of the big
barriers to get into monitor and seeing how these giant
computers on wheels work, was that the tools
to do it were really expensive and the ways to
interact with your car were very expensive.
So there is a great hobbyist community out there
of people who are involved in monitoring their
cars and trying to see how they work.
So a few years ago, or last year in October. So just about a
year ago we had an open source workshop at the Volpe Center.
We brought together all these people building these
different tools. All of them were open source.
Trying to connect them with other industry stakeholders
and to figure out how we can work together
in order to advance this automotive research challenge.
[Dave] Another example, is a project by
HRL Laboratories in California on side channels to
detect faults. And these are cyber physical systems, so
they combine the cyber and physical worlds and so this is
looking at physical characteristics to help substantiate
what’s going on in the cyber
side. So side channels are commonly used by attackers to
reveal secret keys. So they will look at things like
RF emissions, acoustic emissions
or power fluctuations and they can actually apply signal
processing and figure out what your cryptographic key is
just from these minor. [Host] Oh my gosh. [Brendan]
signals and whatever it is they are monitoring. So HRL
laboratories is exploring the use of electromagnetic
emulations to monitor power usages of these
embedded processors or ECUs
in automobiles. So they apply signal processing to this
in order to be able to understand and learn the
different processor states and then they can
use this information to detect a system compromise.
So just as an example, by monitoring the transmission ECU
one can actually determine what gear the car is in and then
if you then pair that with the information on the automotive
bus, the automotive network is called the “CAN bus”, then
you can correlate that and make sure that the car is actually
in the same cyber state as the corresponding
physical state. It is also difficult for an attack
to alter the functionality of the car without also altering
this observable side channel behavior. [Host] Interesting,
wow. So there’s a lot of avenues and a lot to
think about when it comes to securing these
systems, these networks, because it sounds like there is
a lot of different ways they can get in. [Chase] Yeah, it’s
things like the side channel that you really don’t
think about but then you just think about well
if I can detect the electromagnetic or the RF frequencies
off that and do that with off the shelf tools and what not
it’s an interesting thing. But using it from
a defensive standpoint
is really more the innovation of saying can we detect
you know cost effectively, a regular state with something
that’s changed and at least raise that kind of logic
into the cyber security realm and say hey
this may not be appropriate, let’s pause or let’s take a
different avenue or something like that, there’s some
interesting approaches there. [Host] Very cool.
What are some of the ways that S&T and the DOT
Volpe Center are partnering together on this?
[Chase] Well, from a DHS perspective,
I mean DHS obviously we’re
national security, homeland security and we’re in this space
in this area because we are fleet managers, our mission
components, what we call our sub agencies
within a department
are very law enforcement sensitive.
(Image of Fleet Management Risk projected on screen)
Very law enforcement heavy to an extent, but we buy the
same vehicles as you and I drive and we’re not
experts. We’re experts in cyber security in
other areas obviously, so partnering with
DOT Volpe as well as leveraging SRI and others
to bring in that deep wealth of knowledge
and capabilities that they have inherently has been a great
partnership and feedback our needs and mission concerns
into the automotive community and help broaden that out
as well as has been a great partnership.
[Brendan] So the division I’m in focuses
on advanced vehicle technology so this is an area that we’ve
been familiar with for a very long time, mostly looking at
electronics reliability research was the long history.
And then recently got more involved in cyber security after
the national traffic highway safety administration had
approached us and said, you know this looks like a
very interesting concern. You know
how valid is this concern? [Host] Yeah.
[Brendan] It came out that they were on to something.
[Host] Very valid. [Brendan] And it became
as we started to think more about the problem,
we tried to think of a way
if OP is a broad reach and a lot of very multi-modal
approach to things we work on
a variety of vehicles both on the ground and
in the sky and ever in between.
And we wanted to apply our expertise in
understanding kind of the technical bits of these machines
and apply that to something more programmatic and to
kind of assist the Department of Homeland Security
as best we could. So to that end we focused
a lot on securing government fleets and
looking at specific vulnerabilities in government fleets.
That center mostly around fleet management systems.
These are generally after market devices, which get
connected into vehicles and they monitor
the health and safety
of the vehicles. They help do preventive maintenance.
They help to make sure there’s no waste
fraud and abuse going on. That people aren’t
taking vehicles where they shouldn’t be.
We count for the primer for fleet managers to help them start
to think about their fleet of cars more
of like a fleet of computers.
And we are additionally helping the General Services
Administration (GSA), who does all of the purchasing
for the government.
Help them to build in procurement language when they are
trying to buy these systems to make sure the systems are
secure. [Chase] And one thing to mention to again for the
audience is when we talk about fleet management,
that’s UPS, FedEx our fleet of vehicles right.
That is a more robust version that we’re
seeing in a commercial space or an individual
citizen space, where you’re seeing insurance companies
and others that are pushing out dongles and other
things to plug in for you know monitor
how you’re driving, safety things. So again,
much smaller version, but that’s on a
spectrum wouldn’t you say Brendan? [Brendan] Oh
absolutely, yeah. [Chase] So things that we’re
discovering, learning helping to adjust into this ecosystem
will trickle out into a broader
regular citizen, I’m driving a car and I’m
concerned about these things.
[Host] Absolutely. [David] Brendan ought
to say a little bit about the
lab they have and some of the technical assessments
that they conduct. [Brendan] Sure, so
we currently have a lab in Cambridge, Massachusetts
is where the Volpe Center is located.
And we do have a couple late model year vehicles, which we
actually receive through a partnership with the
Canadian government. So this is actually
like a international collaboration. [Host] Oh cool.
[Brendan] and some of
the assessments we’ve done on those vehicles have
been looking at these mitigation tools that I
talked about a little earlier and making sure that
they work as they intended.
Obviously, more research to do there looking
at adverse effects of
connecting them and more recently we’ve been looking
at and partnering with
Carnegie Mellon University, down in Pittsburgh to look at
these actual devices and to test and validate their
security to make sure that there aren’t any back doors or
unintended functionality that can be taken
advantage of to manipulate
the vehicle in a way that is not safe for the driver or operator.
[Host] So we are talking about government fleets. I want to
talk about some of the unique challenges that presents.
In terms of protecting from cyber attacks.
What are some of the threats, if you can
get into it that is unique to the government fleet?
Or what sort of things are we looking at
from a government fleet perspective? [Chase] Well as I
mentioned especially for DHS and other law enforcement
and national security,
cyber security, homeland security, law enforcement
focus, you know we have your regular vehicles that may
have the police lights on them, when very obvious that
they’re a law enforcement vehicle, but we also
have an undercover vehicle.
You know diplomatic, fleet type of vehicles with the
department of state and other things that may be slightly
modified. But like we were discussing earlier they’re the
cars, they may be somewhat modified because
they are law enforcement. They may have a
little bit bigger engine or something, but they
are not dramatically different than the car
that you and I are driving. So some of the concerns
on there obviously, there’s a lot of advantages for GPS
tracking and monitoring right. So making sure that is secure,
so that bad guys can’t tell exactly where that secret service
vehicle is, or that coast guard vehicle or that
other law enforcement vehicle is.
We’ve already talked a little bit about it.
We’d all be concerned about any kind of
interruption of the vehicle, deploying
you know, you’re driving along and all of a sudden your car
is trying to self park. And there’s things, you
know I’m exaggerating a little bit but
those are some of the same concerns that I
think anybody would have but probably
a little bit different for a law enforcement sensitive aspect.
So probably we won’t get into, I won’t get into any specifics
but maybe Brendan can cover some generalities as well
because we all deal in the same
areas. [Brendan] Sure, so I would say one issue that
comes to mind is that government vehicles
as you were mentioning that they
tend to be similar across the spectrum. So you have
a wide variety, or not a wide variety of, a small variety of
vehicles but you have a lot of them. So that means that in
the event that an exploit was crafted that could affect these
vehicles it could potentially affect a large number
of them. [Chase] Not just one or two.
[Brendan] Not just one or two. So we really get
concerned about that fleet effect and
the impacts that it could have not only on our first
responder community, but also on
kind of like the U.S. economy as a whole. [Chase] Well I
should have mentioned not just law enforcement
but well not specific to DHS, but there’s first responders
that are a very important part of our community right.
So firefighters fire trucks, EMT vehicles, ambulances those
things as well. State and local governments as well.
[Host] Good point and linking that again towards,
you mentioned you know there’s
industry that have the same concerns that are
going to be interested in this type of technology.
I wonder how is the government collaborating
with automobile manufacturers
on some of these items, on some of these issues?
[Chase] Yeah, that’s excellent maybe Dave can
field this a little bit. [David] Yeah, it’s interesting we’ve
worked collaboratively with DHS and
Volpe to create an automotive
cyber security industry consortium or ACIC
is what we call it. [Chase] Love our acronyms. [Laughter]
[David] This is a voluntary public private partnership.
So you’ve got government working
with private industry. It’s a collaboration between
DHS S&T, Volpe along with support from SRI
International and the basic idea is we work with a number
of major OEMs, Original Equipment Manufacturers. And the
OEMs pool their funding and leverage
it with government funding so
each puts in a little bit and then you multiply that by a factor
of say 10 and next thing you know you have a nice
pool that you can leverage in order to
conduct research. So the consortium identifies, prioritizes
and conducts what we call pre-competitive research
projects that address critical cyber security
challenges in automobiles.
So the projects are identified by the group and they
provide neutral benefit across all of the members and for
the nation helping to address the cyber
security risk in automobiles. In fact
we’re just about to initiate our very first project,
which is going to be in the
area of tools and testing. And we are also starting to
put together a second project that will be looking at
sort of doing a threat assessment
for vehicle. [Chase] One important to tag onto that as well is
that, that’s also an indication that the automobile
manufacturers, the ones that are
taking cyber security very seriously. They are addressing it,
they are not ignoring
the risk at all. So they are being very proactive and what not
and it’s always great to see that kind of collaborative. And
again from a governmental perspective and DHS, DOT
Volpe and others. We are there to help catalyze and fill
those gaps and to put things together that isn’t
already being addressed by
the private sector and others. And also to kind
of take advantage of each others so that
kind of dialogue with the group and the
automobile manufacturers have been
great, I mean key. We have a similar consortium in the
gas industry and aviation, finance so that is key that
you know that you don’t hear a lot about. But it’s
key to have that collaborative community
and partnerships with the OEMs in this space.
[David] You know what else occurs to me, you mentioned
the Uptane project earlier right. The secure
software over the air updates and that project
with NYU, UMTRI and [unintelligible] has
also engaged the OEMs and
a lot of the suppliers. So they have held a regular series of
working group meetings where industry comes in and
helps identify requirements and provides guidance
in terms of putting together
the specifications that then become available for them
to incorporate into their products. [Host] Wow, so it’s a real
force multiplier. Everyone’s got shared interest in here so
why not pool resources and make sure that everyone
is getting the benefit of this research. [Chase] Well
especially in these areas, I mean so DHS
we’re very much into the applied R&D space so
we partner with the National Science Foundation (NSF)
and others for more longer reaching and foundational
research, but we are in the applied space so
the work that our projects that we’re collaborating
that are funding
and working with great performers and we’ve
mentioned a few of them, getting that
out of laboratories into commercialization
and transition to practice is what we are all about,
so having that key with the
industry helps bridge that
transom, that valley to get great technologies
out of our labs and into
everybody’s hands. [Dave] We always say, engage your
customers early and often, throughout the entire
lifecycle. [Host] Well speaking of engaging.
We want to answer a couple of questions
from Facebook. Our first one is how can graduate students
in engineering, whether they’re electrical or
mechanical etc. use their core skills
in cyber security. Are there any specific applications?
[Chase] Well I’ll take the general, cause I’m the
generalist in the room to an extent.
One thing I’ve found in the cyber physical systems
in our cyber physical security space at large
mainly from the infrastructure standpoint right.
Power plant, water plant, chemical plant whatever it may be
we’ve had a 100 years of engineer
operational technology, with information
technology. So operational technology, you may
have heard SCADA and control
and other things. Industrial control systems that have been
in place. We didn’t think they’d be still in
place this long, 75 years later
but they are. But I think from an engineering standpoint
the disciplines are really kind of the blur in the cross right
so, even though we are architecting
and systems engineering
the cyber security aspects or just cyber
information technology aspects into these systems
what is that physical
safe mode. What happens if something
happens here is there a manual valve
that you can turn? Is there something in a car that you still
have it’s mostly fly by wire to an extent but what are those
kind of safety design features that engineers, I think
whether or not it’s electrical engineering,
mechanical engineering just all aspects of
the engineering spectrum tied in with
systems engineering on a software basis, tied in with
hardware, I think that’s how you apply that. I think
that an interdiscipline team when you’re designing
a product, or an outcome or a feature
is kind of key. That’s why we kind of keeping hitting on kind
on that security by design. It’s safety engineering
by design and all those things into it now I’ll defer to
the real experts on those. [Brendan] I
mean I think, I probably have like
a shorter more practical question. I would say start
like think like a hacker. Take stuff apart, break it, un break it.
Tinker with it, see how it works and then
try to make it malfunction.
And then if you can make it malfunction, think
about how you could design it differently
so that it wouldn’t malfunction.
And that can be a good way to put yourself into that mind
space of instead of something to work well,
build something to work securely.
[Chase] We saw a graceful degradation in other things
in safe mode, but that’s what happens when it doesn’t work
perfectly. Does it have that graceful degradation capability
or safe mode that you can glide into you know the parking
lot or whatever it may be.
[David] We are also finding that more and more
universities are starting to offer
introductory cyber security courses, if not entire programs.
In the area, so I would strongly encourage any engineering
students that are out there to take advantage of any
courses that might be offered at your university.
Even if you are not planning to go into cyber security per se,
as these guys were alluding to, it is an important skill to
know and understand and should become a pervasive
part of everything we design and engineer.
[Host] Next question, do any of you have
any background on legislation
regarding cyber security, either in the
U.S. or international, like EU
or China. [Chase] Well, since we are techy,
geeky kind of guys
well at least I’m kind of geeky, I kinda think he’s cool.
There’s all sorts of legislation out there that’s
currently floating around or what not. So really probably
from a policy perspective, that’s something,
monitor the websites,
monitor kind of the news and see the interactions
and what’s kind of driving those
and get out there and vote. Talk to your
county, all that kind of stuff.
Research and there are so many different aspects
of that so there are a few out there that are
pending or in motion around and I’ve been along
federal [unintelligible] you see various
flavors of that off and on
So more awareness of cyber security
aspects into all aspects of our life
is positive. [Dave] Well being the techies that we are, one of
the cools about working with DHS S&T and DOT Volpe is
that they’re not regulatory and they’re not about policy
and law, it’s all technical. So we just get to focus on the cool
technical stuff and let the politicians and the
lawyers and the lobbyists and all the others
deal with the policy. [Host] They do their thing, we get to dive
in and look at all the cool tech. [Chase] That’s the nice
part, we’re not the regulatory we’re more of a feeder
of our concerns. [David] And that’s critical,
particularly with the ACIC.
The consortium, I mentioned earlier, because it is about
the technology and we get to come to the table and sit
down with the OEMs and they don’t have to fear working
or interacting with us. [Host] Good point. Next question.
Have you seen indications that adversaries
are specifically interested in
exploiting cyber vulnerabilities in vehicles, not necessarily
focusing on government or law enforcement
just vehicles in general? [Chase] Well
and I’ll keep this very general and not that it’s super secret
I’m not in that world or anything, but
I think you can extrapolate
and think some logical things of, if they’re
individual vehicles, probably not all that
much right, but when you’re talking about
you know, we talked a little bit about fleet level type of thing
so if there is an exploit or something that you can affect
10’s of thousands, 100’s of thousands
of cars that are on the road, that then clog up the road, take
up resources during a hurricane or what not. I mean so
there’s some things there that would be concerning, but
those are some things at why we’re looking at those kind of
generalities from fleet management and
other things in there.
[Brendan] I would say that
the, you know if you look at some of the security
research that has gone on in the hobbyist community that
there is absolutely every indication.
When you see things like car hacking
village at most of the major security conferences
that are happening this year
I mean there is definitely a degree of interest and I think that
people are capable of this if they want to. I think
one of the issues is always the economic model behind it
and I think as soon as it is a way to monetize
some of these exploits that’s when we are
going to start to see a big uptick. [Chase] Just like
ransomware and other areas. [Brendan] Exactly.
[David] I was going to mention up to this point,
fortunately most of
the attacks have been research, in hacking villages.
I haven’t seen anything live, but one of the things that I
personally fear is if we were to see an uptick in something
like ransomware which would start to impact
and in that case you’ve got to be real careful about
just like with your home computer,
your laptop, your phone. You’ve just got to
be real careful about how you
work with your car and what you introduce to it.
Good best practices always go a long way.
[Host] Very true. Next question. What are top priority threats
and threat model OEMs that government are
considering in vehicle cyber security?
[Chase] Well I think we just touched on that a little bit.
Just like anything in cyber security right, it’s an attack
surface. Attack vectors and what not. So for example, not
that this is any bigger concern than any others,
but we’re also in conjunction with
DOT Volpe, SRI and Department of Energy. We’re also
looking into electronic, electric vehicles. They’re all
electronic. Electrical vehicles, because again you’re plugging
your hybrid car or what not into, is that just like
a power cord or an ethernet wire or what not so
again nothing that’s, you know more concerning to other
things in there. Looking at that type of attack surface and
again, I think we talked about a little bit again.
What’s the motivation? Is it a nation state
adversary? Is it a monetary kind of,
what’s the motivation and why?
And when? So I think those kind of exploits.
The car versus your phone, versus your
computer, versus your refrigerator at home and HVAC
system. I mean it’s all becoming interconnected and it
depends on what the motivation is in there, but they’re all
computers. Is it on wheels, is it in your house
or is it in your phone? So.
[Host] Appropriately spooky for all. [Chase]
Correct me. Build upon what I’ve said.
[Brendan] Yeah, they’re all
I forgot exactly what the question was, but
in terms of threat and threat factors it’s
the fleet level stuff. We’re not trying to scare
anyone and say your car is going to get hacked tomorrow
and you know you gotta be careful.
Rip all the electronics out of it, it’s that
we’re aware of these kind of structural issues
and we are trying to fix them
before it reaches an issue. [Chase] And I think we’ve talked
a little bit about it, but just like any market forces right
as a consumer just like folks are starting to ask about their
smart thermostat or something. Folks hopefully at large
will start asking those questions to the manufacturers and
we have already seen the OEMs get ahead of this
that says “hey my car is now, I got you know
wi-fi, hotspot and it’s self parking and lane controls
and media and all this stuff” and they should
be asking those questions, “Hey, should I be,
how are we securing this” and what not.
Again not from a fear or that should be, but from just a
general market force that says, hey we wanna
make sure that these things are
safe and secure, just like anything else we use.
[Host] Another question. Which vehicles are you
seeing as the most hacked system?
[Chase] Well again, I think we talked about it a little bit.
We’re talking generalities now. We’re looking at those
potential and those risks, not seeing across
all models and as David mentioned about
the ACIC and the consortium
and OEMs, while we aren’t putting out the names of those
manufacturers, it’s a good
major OEMs from U.S. and international
based companies that are looking into this and are
taking very proactive action to make sure that their vehicles
are in the fleet. The models now and especially
the models coming out in 2020 and beyond are secure as
can be. Nothing is 100%, but they are very proactive on it.
So no specific one that we are concerned about or seeing
more of. It’s what’s in the real world and in the “wild” versus
what we are seeing in
potential and labs and what not. [Brendan] Yeah, I mean
I was going to say the most hacked vehicle that
I see is the one that it’s in my lab.
[David] Well, thank God it’s in your lab.
[Laughter] [Chase] Don’t hack your ride. Hack someone else’s ride.
Hack a research vehicle. [Host] Good advice.
[Host] Any more, any other thoughts? [Brendan] No, no, that’s it.
Just bringing some humor in. [Host] Gotcha, okay
well so to wrap things up. Are there any final comments
or even advice that you would offer to folks
just about vehicle cyber security in general or
anything you want to leave us with today?
[Chase] Well again, I think it’s remembering
nowadays it’s not just spark plugs and a cadillac converter
and the mechanical aspects of the car.
There are multiple computers and those
computers come from multiple
different suppliers that are very well interconnected. So we
just gotta be safe and secure and think about those things.
But also, don’t be fearful
of your car. Go buy a modern car, don’t buy the
30 year old car, unless you’re really into older cars.
Because the technology is also
simultaneously being deployed
into our vehicles, increase the safety,
increase efficiency, reduces liability. A lot of great aspects
and then the future is bright kind of a thing.
We just want to be a safe and secure future.
[Brendan] Yeah I’d say I’m interested in a lot of the
new safety features that are coming out that are kind of this
bridge towards autonomous vehicles is
something we think a lot about at DOT so
I’m excited for that, but I think before we can fully realize
that we gotta make sure what we have is secure.
So the next generation of secure architecture is
say I’m interested in. [David] And the other thing
I would mention is the work on the cyber physical system
security program, isn’t just limited to vehicles.
We are also looking at things
like medical devices, building controls, the energy
grid, energy systems and you’ve also got a program
and internet of things or IOT devices. [Chase]
It’s across the board. [Host] It’s all happening. [Chase]
One last thing that I think in our respective organizations
and collectively together. Aspects that we are
doing in the automotive and vehicle
cyber security are and can cross pollinate into other
areas whether or not it’s medical devices,
hospitals, building controls
systems in a smart building and what not and vice versa.
So that things that we’re learning and have projects
in other areas in IOT
Internet of Things right.
The car is becoming an IOT and more things are
your IOT wearables or what not will interact with your car so
the cyber security efforts in that community and the projects
that we have going on there are also really interesting.
So good point. [Host] Awesome, I am excited
to hear more about those programs
moving forward. Thank you all so much for being here
today. We hope you enjoyed the Tech Talk. If you have any
additional questions we invite you to check out our website
or shoot us an email. We’ll see you next time. Thank you.

