The threat to people’s lives is terrifying, so auto manufacturers need to change their old-school strategies to protect people.
TechRepublic’s Karen Roby spoke with Eric Sivertson and J.P. Singh of Lattice, a human resources platform, about cyberattacks in cars. The following is an edited transcript of their conversation.
Karen Roby: Car manufacturers are at a crossroads, as they’re trying to deliver the features that customers want, while keeping safety and security. Lattice recently held a webinar to discuss these safety and security issues. Eric, I’ll start with you. Before we started recording, we were talking about the old guard is out. Things are changing, and it’s so important when it comes to cars that we keep up with security, because the thought of someone being able to just take over a car remotely, it’s a pretty scary thought.
Eric Sivertson: What’s happened in the world today is we really have moved away from an older paradigm when computers started with mainframes. And you had the guns-guards-and-gates mentality, where you could protect a computing center and it was hard to have physical access, hard to attack those centers. And now we’ve become a very distributed computing world. You have your iPhone, a lot of the cloud is going to the edge. And then when you look at an automobile, and Tesla’s a very good example, it’s extremely electric. I mean, all of the controls for the car are electric, they’re all computers. And that’s very distributed and very open and vulnerable. I mean, the car sits out exposed in a parking lot. Anyone can access it. So, the paradigm I can protect from an attack with a guns-guards-and-gates model is gone.
These attacks are going to happen. They are happening. You can already see Tesla’s been hit. The Jeep hack that caused Jeep to have to recall 1.4 million vehicles. These vehicles are now being attacked. So, the new paradigm is one that you can’t avoid attack, you will be attacked. And so you need to be resilient. And the term is cyber resilience. So you really want to be able to fend off, fight against that attack and then operate through it. These are all critical. And these were the concepts that J.P. and I talked about yesterday in the webinar.
Karen Roby: Yeah. And people can’t say, “If something were to happen,” they have to plan for anything. Now that so many devices and our cars are connected to the internet, you have to be so cautious.
J.P. Singh: And especially with the cars becoming more and more electronified and modernized. These are, as I mentioned, these are becoming servers or computers running on wheels. And all of these are susceptible to hacking, which can have some serious consequences in terms of the human life, as well as the cost to the car manufacturers. As Eric mentioned, a lot of recalls have happened in the past. So, we need to protect these cars to be resilient to these attacks, secure these vehicles so if there’s an attack, they can be brought to a safe stop or a safer state so that human lives can be saved, especially. And then it also saves a lot of money for the car manufacturers.
Karen Roby: I referenced earlier the webinar that you guys just hosted, that Lattice did, to talk about the security and safety issues, where does it stand? Where is the market in terms of understanding and adopting what needs to be in place to keep people safe?
Eric Sivertson: There’s a lot of discussion, if you read all the latest things that have happened in this space, you’re going to see that it was just recently, I think Tesla was hit. Someone did a hack on a Tesla vehicle. And so, yeah, there’s a lot of concern in the industry on this right now. And also kind of tangential the oil pipeline ransomware attack that just occurred. I mean that shut down gas on the East Coast for weeks I think now, they’ve had gas issues and shortages because of that attack. And so it’s definitely on the minds of everyone.
And I think people are waking up to the fact that you can’t really avoid these attacks. They are going to happen. It’s how you operate through them that matters. So we see a great interest in what we’re doing with the products that we have, and particularly with the cyber resilience concept. In the compute space, they’re a little bit ahead of automotive. Almost every server now has what’s called platform firmware resiliency, or PFR, it’s a form of cyber resiliency built into them. So on the server side, they’ve already adopted this technology. It’s now coming into these other vertical markets pretty rapidly.
Karen Roby: And when we talk about the major players here, who needs to be involved in these discussions, the car manufacturers, of course, is it lawmakers, who needs to be involved here, J.P.?
J.P. Singh: I think a lot of the OEMs, the car manufacturers, they are mandating. The standards space was quite defragmented. And with the new standard that is coming together, the ISO/SAE 21434, we have brought all these standards together, especially driven by the car OEMs, manufacturers, so everybody can talk the same language. That’s very important because there are a number of suppliers in the car market. There are tier twos, tier ones, car manufacturers, dealerships, distribution, a lot of things are happening and then they are all coming together. And so the people who are influencing are the OEMs who are seeing the problem, and they are mandating the requirement and that’s needed to have a more consolidated, a single reference guideline. And that’s where the standard comes in. So, I think all of us are coming together to meet these requirements of cyber resiliency in the cars.
Karen Roby: A lot of layers here, guys. Final thoughts from both of you?
J.P. Singh: For me, I feel like cybersecurity has been always thought of as a back-office job, especially in the car and vehicle space. Cyber leaders were not able to have the influence in the process, but that’s all changing. The discussions are changing. OEMs are requiring all the cybersecurity and resiliency to be built in. And that’s what is now driving all these things.
Eric Sivertson: Ultimately, the security problem is now moving down to the lowest level of the hardware. So you really need a strong hardware root of trust in your silicon devices that run anything critical on a system. And there’s been a historic movement now to go from those being a static component, like a TPM type of thing, to a dynamic component, which is what you get with cyber resiliency. So, not only do you protect all the things of the system and have a strong anchor or foundation, but now from that anchor and foundation, you can build out a very strong defensive mechanism to protect itself, and do that in real time as threats come in.