Cybersecurity is a team sport. Are you on board yet?
Contributed by Bob Chabot
Technology impacts everyone, from businesses to individuals. This includes members of the Equipment and Tool Institute (ETI). Not only are we getting more useful technologies, we’re adopting them at an increasing rate. But the burden and the challenge of safeguarding adopted technology are also growing at an exponential rate, as are the vulnerabilities to attack.
Recently, Hewlett-Packard released a study that conveyed the scope of the challenge security technologists face today. Of all the devices — including automobiles — with mobile applications connected to networks, the Cloud or the Internet of Things (IoT), the study noted:
- 60% used interfaces that were easily vulnerable to a wide range of cyberattacks.
- 70% lacked security to prevent attackers from accessing user accounts.
- 80% relied on network, cloud or IoT services that were unencrypted.
- 90% of devices collected personal information vulnerable to cyberattacks.
It’s clear that in our connected world, innovative and aggressive cyberattacks pose a serious threat. It has automakers and everyone downstream pushing toward developing security solutions, even though a complete set of common standards has yet to be established. Similar to that old English idiom, this can seem like “closing the barn door after the horses have bolted.”
But cyberthreats cannot be dismissed or ignored. We should all be thankful that ETI, the SAE, other industry associations and security technologists have teamed up to develop effective standards and solutions.
Connected cars and their advanced technologies are like an iceberg. While users tend to focus on what’s above the waterline, security technologists must also consider what lies beneath, a mass that is much larger, as are its impacts. (Image — Praveen Narayanan/Frost and Sullivan)
Building a Cybersecurity Ecosystem
Over the course of the last decade, there have been multiple successful cyberattacks on vehicles. Automakers and their suppliers were initially slow to respond, even denying that such attacks were possible, but are now learning how to better, and more quickly, address security holes.
“One of the most important actions automakers have undertaken recently is creating ‘virtualized layers’ by which they secure and stonewall mission critical vehicle systems, software and more,” noted Praveen Narayanan, Research Manager for Connected Cars Automotive and Transportation at Frost and Sullivan. “Examples include the Extended Vehicle concept that the International Organization for Standardization (ISO) is considering or the Service Vehicle Interface being discussed by the Society of Automotive Engineers (SAE). Both are vast improvements compared to the current porous automobile interfaces that are a quarter century behind today’s hacking technologies and competencies.”
Did you know that owners of aftermarket service and repair facilities, led by the Automotive Service Association, are actively moving toward learning how to “lock down” their shops from potential cyberattacks? Whether originating from digital resources the shop connects to (e.g. online services provided by firms like yours), employee smartphones, customer vehicles via connected shop diagnostic tools, customers using Wi-Fi networks in waiting rooms, or others, the aim is clear: Shops cannot afford to be the weakest link in the automotive cybersecurity value chain.
According to Frost and Sullivan, more than 50 vulnerable attack points exist in connected cars. These include back-end security, in-car hacking and remote attacks. The market researcher notes that cybersecurity can range from 3 to 5 percent of total manufacturing costs. These costs would be difficult to pass on to customers, which explains the slowness of manufacturers to respond with complete solutions. (Image — Praveen Narayanan/Frost and Sullivan)
Preparing for the Cyberthreats of Tomorrow
For ETI, which serves both automakers and service/repair facilities, cybersecurity has also been an area of focus for several years. At ToolTech 2017, for example, Executive Manager Greg Potter moderated a panel titled Cybersecurity and the Connected Car, which gave attendees an in-depth technical look at cybersecurity tools and procedures.
To complement that “down in the weeds” discussion, this article provides an overview of insights gathered from a broad spectrum of cybersecurity experts. The intent: To pass on to you their experience-based insights for your consideration. The technologists included:
- Bruce Schneier, Chief Technology Officer at IBM Resilient and Special Advisor to IBM Security.
- Eric Chan, Global Technical Expert for Ricardo Ltd.
- Andy Rhodes, Vice President of IoT Commercial Solutions, Dell Inc.
- Craig Smith, Rapid7’s Research Director of Transportation Security.
- Christopher Young, who leads Intel’s Security Group.
- Dan Cornell, Chief Technology Officer at the Denim Group.
Schneier: Larger Successful Cyberattacks are Going to Happen
“Security is both a feeling and a reality,” explained Schneier. “You can feel secure even if you’re not, and you can be secure even if you don’t feel it. Unfortunately, as consumers, we respond more readily to the feeling of security created by marketing, quite possibly an illusion, rather than the reality of security ensured by pre-launch testing and immediate adequate defenses should a successful attack occur. Until we’re burned.”
“As vehicles and other connected devices come under increasing software control, they’re becoming more vulnerable to all the attacks we’ve seen before against computers, along with new ones emerging today with the advent of Cloud computing and the IoT. In addition, vulnerabilities on one system can cascade into other systems. Software that might seem benign to software developers of a particular system can become harmful in unforeseen ways when combined with some other system. This can result in a new vulnerability that no one saw coming and no one wants to bear responsibility for fixing.”
“As the IoT grows, exploitable vulnerabilities will increase and associated cyberattacks become more common. If 100 systems are all interacting with each other [think automobile], then 5,000 potential vulnerabilities need to be secured. If 300 systems are involved [think connected cars], then 45,000 potential vulnerabilities need to be secured. Scaled up to 1,000 systems [think intelligent transportation system], 12.5 million interactions would need to be secured. Most of them will be benign or uninteresting, but some of them could be very damaging. Now factor in that up to 80 percent of connected devices, including automobiles, on the IoT today do not have the security measures they need to protect us. That’s a lot of security prevention, defending and patching to do to catch up. And, it’s a never-ending quest.”
Smith: With the Cyber Landscape Wide Open, There’s a Lot to Defend
“Attackers only have to be right once, whereas defenders have to be right all the time,” noted Smith. “That doesn’t mean hacking is easy, but it does show how enormous the task of defending is for the automotive industry. For instance, electronic diagnostic tools trust that a car is a car, but are a soft target.
“Expect complex encryption protocols to become a primary defense mechanism, as vehicles become more software-defined with the advent of telematics, advanced safety systems, connected transportation and ultimately, autonomous driving. Connected cars today typically have around 100 million lines of software code embedded. Connected, self-driving cars in the next decade will have more than 500 million lines of code. There’s a lot of exposure to defend, much of it with a legacy of little or no security in the past.”
“One of the biggest worries facing cybersecurity companies is the security and privacy issue associated with IoT connected devices. Every wave of connected devices — whether you’re talking about cars, tools or smartphones — blurs the line between hardware and software. This bridge lets you exit the Matrix and directly affect real, physical things. Rapid7 helps provide security professionals with the resources they need to test and ensure the safety of their products, no matter what side of the virtual divide they are on. For example, Rapid7’s Metasploit Security Kit enables cybersecurity professionals and researchers to conduct penetration testing of both hardware and software for IoT devices — hardware as well as software. Until now, multiple tools needed to be built to do this, but Metasploit condensed a slew of independent software exploits and tools into one framework that allows professionals to find vulnerabilities using just a single tool in far less time.”
Rhodes: Cloud Security and IoT Security Differ
“Security for cloud computing has been around for a long time and there are lots of good security tools, permission protocols and other strong practices to manage both users and cloud applications,” advised Rhodes. “Typically human users are involved with Cloud security measures, being asked to click ‘OK’ for an update. One might think that as long as a Cloud system utilized by the IoT device is secure, then all is well, but that just isn’t the case.”
“The IoT is more complex than Cloud computing; hence cybersecurity is also more complex. The IoT connects many more diverse devices, operating systems and protocols, which makes it harder to consolidate and standardize as companies grow and products change. Another difference is that human interaction is more limited. In fact, users may not be involved at all when updates are made. That leads to the need for increasing device-to-device cybersecurity.”
“Just because the IT crew has the ecosystem covered on the cloud doesn’t mean the devices and sensors connected on the IoT are secure. To make the IoT ecosystem more secure, engineers and IT professionals need to demolish their silos, learn from and collaborate with one another. Security must be in place across the whole spectrum — on the device, on the cloud and on the IoT network — because data can flow many ways. For instance, unsecured vehicle sensors connected to the IoT are an exploitable attack vector.”
Chan: Cybersecurity Doesn’t End at Prevention
“The need to provide cybersecurity for the vehicles we own and operate is a crucial and growing imperative,” asserted Chan. “Connecting everything together risks a compromised system being used as a gateway to others, placing confidential personal information and potentially valuable data at risk of being accessed by any other device connected to the same network, whether full-time or occasionally.”
“Cybersecurity is an ongoing war of attrition against constantly innovating criminals who will have access to new data and tools over the life of any vehicle. Examples include, but aren’t limited to, radio amplification attacks to spoof keyless entry systems, taking control of key encryption (including remotely), using pirated software and exploiting vulnerabilities in security software systems (like human-written software code that has a typo). Besides vehicle theft, other criminal motivations for hacking include lifting personal information from payment systems, accessing data from onboard sensors, taking control over vehicle functions, and using the vehicle as a compromised gateway into other connected systems for ransomware attacks.”
“That’s why cybersecurity in my view must be resilient, ongoing and dynamic — we can’t stand still when lives and property are at risk. Besides initial preventive mechanisms during the design phase, cybersecurity must include immediate detection and defensive measures, followed by development of longer term technical responses learned from penetration testing and real world experiences, which can then be integrated into prevention. This represents a major challenge for automotive OEMs to transition from their legacy, often proprietary, vehicle architectures and development processes toward taking into account these new requirements and realities.”
Young: Cybersecurity is a High-Stakes “Cat and Mouse” Game
“Despite technology taking ever-progressive steps into the future, cybercrime has rapidly evolved,” stated Young. “With the rise in connected devices, a new landscape of attack vectors has opened up for hackers. For example, ransomware has transitioned from being just a variant of malware to being an entire category of profitable attacks in itself. The Cloud has opened the door for ransomware attacks to many more lucrative targets, but the IoT has grown those opportunities exponentially.”
“In May and June alone, the WannaCry ransomware attack — a software exploit ironically developed by the National Security Agency that can be used against many versions of the Microsoft Windows operating system — struck many businesses, including automakers. For example, Honda, Renault and Nissan had to temporarily shut down vehicle production lines at plants in Japan, Britain, France, Romania and India. But ransomware and other attacks can be aimed at individuals too. Just imagine you, or your customer, driving your connected computer-on-wheels and getting a pop-up that says ‘If you pay me $300, I’ll let you drive to work today.’ And it could be worse. Much worse.”
“With the average cyberattack costing larger enterprises over $600,000 each, developing an adequate ‘hack response’ in the U.S. and nations across the world is essential. But we have a notable skills shortage in cybersecurity. Government, educators and the industry need to get involved in helping to attract and train cybersecurity talent so that we can attract the men and women needed to deal with the growing issues over the long term.”
Cornell: Cyberattacks Have Exposed Deficits in Computer Science Education
“When it comes to confidentiality, integrity and availability, end users have reasonable expectations about how data is going to be treated. Software developers (aka coders) and other security technologists need to address these expectations, which include: Do I have access to my data? Who else has access to my data? Who can modify my data? If you think about applications that manage, manipulate and move data, it’s software. If you want to provide or access automobile service information, if you want to order or supply parts online, if you want to utilize or offer remote diagnostic services — it’s all software.”
“But real world cybersecurity issues have exposed hidden gaps in computer science education: (1) University programs and coding academies treat security as a separate or special concern, rather than a fundamental responsibility all coders building new technologies should have; and (2) Neither professors nor their students adequately understand the context and the needs of any specific industry. Combined, they make developing automotive industry-ready cybersecurity solutions problematic.”
“We need to change the way we build coders. Traditionally, coders have been taught to ask themselves, ‘What should my software do?’ We need to flip the education landscape by instilling an adversarial mindset and injecting responsibility into those who teach, as well as those who write software, by requiring them to ask instead, ‘What shouldn’t my code be doing?’
“The industry and its consumers have a right to expect a reasonable answer to ‘What have you done to ensure the coding for this technology only does what it’s supposed to do?’ That has to be baked in from the start; it’s not as effective when bolted on afterwards. In addition, we must teach coders how to design resilient systems that prevent end user mistakes seamlessly. If we can do all that, we can start building a more secure future.”
I see cybersecurity evolving into “cyber resiliency,” a continual, dynamic process or loop intended to keep pace as hackers find new ways and new technologies to attack over time. Beyond prevention built in at initial design, breaches must be capable of in-the-moment detection and reaction (such as an over-the-air software patch that immediately places vehicles in a “safe operating mode”). Once the immediate danger has been handled, the attacked entity can develop a longer-term, in-depth response (enhanced prevention measures), which after thorough testing can be integrated into the prevention suite. (Image — ManicMedia LLC)
Takeaways That Matter
At the dawn of my interest in cybersecurity, one of the first security experts I listened to was Amy Zegart, at that time the Co-director of Stanford University’s Center for International Security and Cooperation. One statement she made back then lingered: “The cyber threats of tomorrow won’t just make our information and data unsafe, they could make our physical world unsafe by disabling the cars we drive, knocking out power to our networks, shutting down traffic infrastructure, disrupting production and much more.”
That statement sparked my interest in cybersecurity and spurred me to attend both mainstream gatherings, such as TEDx Talks and the International Consumer Electronics Show, as well as more unconventional events, such as various Defcon Hacking Conferences. My hope is that what the experts shared above does the same for you. More so, I hope it stokes you with takeaways and the motivation to take action now.
In closing, let me share two takeaways I garnered and am carrying forward:
- It’s no longer just about cybersecurity to me. It’s broader and more holistic than that. It’s about building “Cyber Resiliency,” a dynamic, continual loop, as illustrated in the circular image above.
- Cyber Resiliency is a team sport. We must rely on and trust experts like those above to build cyber resilient solutions. Those experts may well include some ETI members.
But at the end of the day, the real challenge boils down to the experts and the industry making cyber resiliency work seamlessly for end users, who shouldn’t have to be experts to make security technology work. Can you help make that happen?