Cybersecurity and Liability in the AV era

OEMs and Tier suppliers are faced with an increasingly daunting cyber threat landscape. Attack vectors are developed faster than teams can defend against them. As manufacturers race to release the latest and greatest technology, how can security teams keep pace and ensure what’s being released is safe?

Traditional security solutions have become largely ineffective, and validation efforts such as penetration testing and red teaming are limited in scope, and aren’t reflective of real-world threats. They are unscalable, costly and risky, according to Bryson Bort, CEO of SCYTHE, an advanced cybersecurity products company, and Founder and Chairman of GRIMM, a high-end security consulting and R&D firm. Both companies work with customers in automotive and manufacturing industries.

“Over time, we observed a consistent gap in our customers’ abilities to gain insight into their actual defenses: employees, security products, and the security team’s efficacy. This problem is compounded when you go from a typical enterprise environment to one like auto manufacturing where there is a massive network of suppliers, partners and manufacturers working together. In response, we built a security validation platform known as CROSSBOW to solve this visibility and validation with enough power that even enterprises of scale, such as auto manufacturers, can glean the benefits,” says Bort.

According to Bort, continuing the present manufacturing process is rife with potential risks and security threats, and will lead to major problems further down the road. Increasingly connected and autonomous vehicles are introducing an even greater number of potential vulnerabilities, manufacturers need to reexamine how they approach security in order to manage liability.

Automotive Industries (AI) asked Bort about some of the liability issues related to the cybersecurity systems of autonomous and connected vehicles and how they impact development and innovation.

Bort: For AV (autonomous vehicles) and CV (commercial vehicles), the initial question is accountability. Manufacturers will be the primary point of contact for liability, but they will shift as much liability as possible down the supply chain. Manufacturers will need to protect themselves through proof of secure design, release testing, operational monitoring and forensics (including incident response plan) and security updates. For AV, we are going to see a radical shift in the insurance market, away from individuals to the manufacturers (OEMs) and operators like Waymo, Uber, etc. where the liability resides.

AI: We’ve seen spectacular examples of “car hacking” featured in Hollywood movies – how accurate are those portrayals? 

Bort: They are not. One of the major challenges we’re seeing is how to integrate physical security and safety systems with “cybersecurity” systems that are becoming increasingly common in CVs and AVs. Traditionally, physical security equated to locking systems, which has been a challenge for years. Considering that the primary motivation for car hacking is financial – A.K.A. theft – thieves have found numerous ways to compromise lock systems. Some cases are as simple as using an RF replay to activate passive RF on keys to relay from the house to the car for theft at home. At the end of the day, hacking starts with a motive. Other than the hacks carried out in research by independent white hat security firms, real hacks have been limited to physical vehicle theft.

AI: How have companies like GRIMM and SCYTHE enhanced collaboration with software developers, component manufacturers and automakers to improve the security of vehicles and integration of hardware, software, firmware systems and communication channels?

Bort: I am only aware of two other domestic (U.S.) companies and two foreign companies that do what we do commercially. There are multiple security product companies. I believe the market will consolidate as OEMs acquire these technologies since they are a strategic necessity (for example, Continental’s purchase of Argus).

AI: How will a platform like CROSSBOW™ help automakers and designers?

Bort: Currently, CROSSBOW is built for enterprise IT environments and supports protection of traditional back-end company operations and data. This will provide protection for CV and AV, which rely significantly more on traditional infrastructure and supply chain validation of security posture for operations and data

AI: What regulatory and policy conversations need to happen to ensure that AVs across sectors – trucking, shipping and personal transportation – are able to operate safely, across state lines and geographic borders?

Bort: In the near-term, actual AV testing should be facilitated at the local level. At the national level, federal support and guidance on development, testing and direction has to be implemented. Over the longer term, I predict that AV will be classified as critical infrastructure, which will establish DHS involvement, which could include investigative oversight to bring technical forensic capabilities and analysis to operations/incidents.

AI: How vulnerable do you think vehicles, smart cities, mobility services, telecommunications/telematics devices and public transportation are to threats in today’s connected world?

Bort: The challenge is that there is no one SME which can offer a definitive answer. The increase in connectivity leads to an exponential increase in vulnerabilities. What are they? What is their nature? How will they be compromised? No one knows. We can extrapolate our understanding, but there are so many new combinations. There is such a wide variety of potential future threats. For example, we could see a ransomware attack where a car’s infotainment system delivers a ransomware notice and renders the car inoperable. I could also see a connected vehicle become collateral damage in an attack where a weaponized campaign accidentally spills over into the car because of its connectivity and mutual vulnerabilities in the infected platforms. You also have to consider the threat of embedded hijacking like we’ve seen in IOT, re-purposed for various uses, such as DDOS, cryptocurrency mining and more.

AI: What AV and CV security issues are there, and what are the realities of autonomous and connected vehicle security, moving forward?

Bort: A major issue is manufacturers and operators moving iteratively through the challenges of AV deployment. They recognize there is a mix of legacy and autonomous vehicles in the environment. The reality is that we’ll see designated AV-only locations over time, partly to ensure safe AV operation (closed, finite environment with known variables and easier oversight and reaction) but also to act as a proving ground before AVs are widely deployed.

Block

CROSSBOW™ and SCYTHE

In October 2017 GRIMM Founder and CEO, Bryson Bort, announced the launch of CROSSBOW™, a security assessment platform that enables organizations to fully validate their defenses against cyber-attacks without the need for costly training or complex setup.

Security operators can use CROSSBOW’s advanced capabilities to validate the risk posture and exposure of businesses and their employees as well as the performance of security teams and the solutions they use. It offers the ability to setup, customize, and run adversarial campaigns in a matter of minutes and receive granular reporting about an organization’s production environment and degree of compromise quickly and effectively.

CROSSBOW was released under the banner of a new company, SCYTHE, which is focused on bringing complementary commercial security solutions to market. GRIMM and SCYTHE are closely linked companies with collaborative research and development efforts. GRIMM focuses on its service offerings including engineering, consulting and R&D, while SCYTHE is dedicated to developing and bringing to market advanced products to address the world’s most pressing cybersecurity challenges.