Fall Conference Summary
by Rick Matz
2018 SAE OBD Symposium
The SAE held the 2018 OBD Symposium in Indianapolis this year.
By mistake, the SAE scheduled the OBD Symposium the same week as the Commercial Vehicle Conference (COMVEC), which took place in Chicago. Many people and exhibitors attend both events and had to make some choices this year.
Even with the error, the >350 people who attended the OBD Symposium set a new record for the Indianapolis event, which is held every other year. The alternate years are held in Southern California.
More and more countries are instituting their own OBD standards. Fortunately, none of them are creating regulations from scratch, but are leaning heavily on either the US OBD II or the Euro 6 regulations.
As these countries get involved with their own OBD regulations and certifications, without having the prior history or experience, more opportunities are opening worldwide for scan tools, test equipment and consulting.
There were several cyber security related presentations. Many different approaches to secure vehicle communications continue to be proposed.
It’s clear that all the automotive OEMs are working very hard, at a fast pace, to implement some type of security on their vehicles. It also became very clear that these multiple approaches will be nothing short of a nightmare, not only for the aftermarket but for downstream suppliers as well.
With regard to cyber security, the high point was the agreement in the room that talking about cyber security to OBD people, as though these were the people who set policy, was misguided. The people who are responsible for meeting OBD II requirements are consumers of cyber security, not producers.
It was suggested loudly, vigorously and repeatedly that the SAE convene a forum inviting OEM cyber security and networking management and engineers, as well as other stakeholders such as the aftermarket, to voice everyone’s interests and concerns and to begin working towards some consensus.
2018 TMC Fall Meeting
The 2018 TMC Fall Meeting was held in Orlando, FL.
Where the spring meeting featured a very large exhibition area, the analogous space at the fall meeting was taken up by the technician competitions.
A constant theme that ran throughout the meeting was a chronic shortage of drivers and technicians.
As SAE level 3 and 4 ADAS systems take root in the heavy duty space, and level 5 (fully autonomous) comes into view, the fleet operators have every incentive to aggressively adopt the technology to mitigate the ability to hire perhaps less skilled drivers to fill their needs.
Under the new tax laws, fleet operators can amortize a truck in only 3 years, which will allow them to upgrade their fleets rapidly.
With regard to the technicians, the large fleets are adopting big data and prognostics, the ability to predict failures before they happen, to streamline maintenance and help to reduce the stress.
The fleets are also asking for smarter, more powerful tools to help offset the shortage of technicians.
The plan for RP1210D is to have it up for ballot in the spring of 2019.
The cyber security session began with a review of the liaison activities that are underway between the light and heavy duty SAE committees and with CyWatch, the trucking industry equivalent to the Auto ISAC. Not much was said of ISO activities.
The ISO activities in cyber security should not be overlooked as the ITS committee is going to determine the future course of V2X, which will be the enabler to smart infrastructure, upon which the fleets will be heavily dependent.
There was a good presentation for CyWatch. Like light duty, heavy duty vehicles are not yet being attacked by anyone other than researchers, but like every company, fleet operators are enduring thousands of attacks every day on their servers.
CyWatch is operated by the ATA (American Trucking Associations) and is the equivalent of the light duty Auto ISAC. The prime difference is that the main members of CyWatch are the major fleet operators rather than the automotive OEMs. CyWatch is partnered with the Auto ISAC and exchanges information with them.
2018 Auto ISAC Conference
The 2018 Auto ISAC Conference was held in Detroit. The conference was heavily supported by government agencies such as NHTSA and DHS. Every single panel had someone from government represented. I think this shows the commitment and concern by the government regarding cyber security in the automotive segment.
Except for researchers who have funding, time and access, a car hasn’t been hacked in the wild yet. The attacks automotive companies are seeing, like those in heavy duty, are at the server level. Having said that, Bill Evanina, the Director of the National Counterintelligence and Security Center, says that after human threats (employees stealing technology for foreign entities) a ransomware attack on vehicles is what he fears most.
The DHS hosted a recent wargaming exercise, which included thousands of participants spread over dozens of companies and mimicked a ransomware attack on cars. What caught the OEMs off guard was the (simulated) damage done by the resulting social media firestorm because of the attack.
The one activity in the SAE which was often referenced and had a presentation dedicated to it was the joint ISO/SAE 14234 document, which lays out a “Security Framework.” ISO/SAE 14234 grew out of the SAE J3061 activity.
This framework doesn’t specify what technology anyone should employ when designing a cyber security system, but rather suggests how to go about designing one.
ISO/SAE 14234 has created something named a Cybersecurity Assurance Level (CAL), which is analogous to the ASIL level in Functional Safety. The CAL doesn’t guarantee how secure a system is; it indicates the rigor that went into the design of the system.
In the future, you can expect that a CAL level will be used by purchasing organizations in sourcing systems.
The Department of Defense is beginning an exercise this fall, where they will be developing a framework for purchasing elements which contain cybersecurity. The DOD has the biggest fleet in the world. It will be a (short) matter of time before this framework is used in all Federal fleet purchasing and will filter out to state and local jurisdictions as well as privately owned fleets.
There was a section on autonomous vehicles and cybersecurity. The risks of tampering are heightened in a driverless vehicle.
As with every other segment, the shortage of cybersecurity specialists was a constant theme. Universities are now beginning to issue degrees specifically for cybersecurity, but it will be years before the pipeline feels the impact. In the meantime, industry is going to have to convert existing engineers into cybersecurity specialists.
The field of cybersecurity is huge, and the task will be never ending. Even when defenders are successful in thwarting the attackers, the defensive systems are going to constantly need to be refreshed to prevent the attackers from having a static target which they can analyze.
This is a big enough task, but there is a new wave of regulations coming to consider: privacy laws.
The EU adopted the General Data Protection Regulation in 2016, which became enforceable in May of 2018. This regulation has very strong language regarding data ownership and protection. This year, California passed a sweeping privacy law which is to take effect in 2020. With the adoption by California, it is only a (short) matter of time before a Federal law is passed.
Are you taking a VIN number off a vehicle with your scan tool? What are you doing with it? How is it stored? Do any third parties have access to it?
GDPR will be our next hurdle before we even get cybersecurity fully sorted out.