DETROIT – The automotive industry must build in cybersecurity as it designs new components and vehicles to counter the real and potential threats that could stifle future innovations, particularly autonomous vehicles, experts say.
“Cybersecurity is the cornerstone of autonomous and connected driving,” notes Thomas Billington, the founder of Billington Cybersecurity, as he opens today a conference here hosted by his firm.
“There is no magic bullet,” says Heidi King, deputy administrator of the National Highway Traffic Safety Admin. The challenge is to build a culture of strong risk management that searches for threats and vulnerabilities, she adds.
“Public confidence is key to technology deployment,” notes King, who also emphasizes that collaboration and cooperation between government, suppliers and manufacturers is critical to bolstering cybersecurity in an industry where it has been an afterthought until recently.
“Increased collaboration is important,” says Josh Davis, chief cybersecurity officer and vice president of Toyota Motor North America, who adds that any security effort has to protect a company’s entire enterprise as well as its products.
As General Motors moves toward its vision of zero crashes, zero emissions and zero congestion, GM President Dan Ammann says the automaker and its Cruise self-driving vehicle unit now are investing substantial resources to protect all of the company’s products from hackers.
Moreover, the entire automotive industry has a stake in cybersecurity as it moves toward an age of autonomous vehicles, Ammann says.
“Autonomous vehicles can provide a major benefit to society,” he says.
But one incident involving a security breach in an autonomous vehicle could cripple the future development of AVs at every company, Ammann says.
GM’s effort begins with a commitment to hiring more technical talent to address the challenges. In addition, GM engineers every vehicle to protect against cyber threats from the ground up.
GM also has an in-house “Red Team” to attack the defenses built into new vehicles and systems. The team is being augmented by outsiders invited to test GM security with attacks. So far, more than 500 outside hackers have participated and uncovered some 700 different areas of vulnerability.
Ammann says GM plans to invite dozens of “bug hunters” to Detroit, furnish them ample supplies of pizza and Red Bull energy drinks and turn them loose on GM’s networks.
The automaker also is developing a “rapid response system” to counter any threats directed at the company’s operations and products.
Michael Chertoff, former U.S. secretary of Homeland Security and an expert on terrorism and cybersecurity, tells the conference that “security by design” is critical to protecting against cyberattacks.
At the same time, threats are multiplying, and the attackers are growing more sophisticated. Trucks seem to have become the weapon of choice of terrorists, and it doesn’t take a big leap to imagine a terrorist taking over a passenger vehicle, Chertoff says.
There are also nation states, such as North Korea, Russia and China, that have used hacking to spy on the U.S. or achieve specific objectives such as stealing trade secrets and technology.
The recent Facebook and Cambridge Analytica scandal underscores the necessity of keeping private the data of customers or users, he notes.
The combined threats to data and operational control from cyber attacks are bound to result in government regulations in the future, he adds. “There is increased pressure to regulate in this area.”
The auto industry must prepare to respond with a unified voice or risk the government dictating standards, he says, and ensure policies and practices are in place that protect the privacy of customers.
The threats are increasingly pervasive, says Jason Binoski, supervisory special agent of the FBI’s Detroit office, who noted that his unit recently arrested a man as he was preparing to leave the country with stolen information about the autonomous vehicles under development in Michigan. Ransomware also is a growing threat.
Automakers should be willing to learn from other industries and sectors facing threats from hackers, says Gregory Swinehart, an expert on risk with Deloitte and Touche.
Cybersecurity design teams in the auto industry must have diverse expertise and work toward zero defects to be successful, he says.
