King: “It’s about anticipating the unexpected and being ready.” Photo credit: Angelina Czarnecki
UPDATED: 8/3/18 3:59 pm ET – adds comments
DETROIT — Risk management for autonomous and connected-vehicle cybersecurity requires public-private cooperation and partnerships, panelists said Friday at the second Billington Global Automotive Cybersecurity Summit.
“We need robust risk management processes and a cybersecurity culture” that works to identify vulnerabilities and risks, said Heidi King, deputy administrator of NHTSA. “It’s about anticipating the unexpected and being ready.”
King also emphasized the need for public perception of autonomy and connected-vehicle technology to be comparable to domestic technologies in which the public already places trust. To do this, King said cooperation between the government and private sector is critical, especially when it comes to reinforcing a culture that invests in threat management.
Public mistrust, she said, could delay deployment of safer connected-vehicle technologies.
“Public confidence is key to technology deployment,” King said.
Michael Chertoff, former U.S. secretary of homeland security, discussed the growing need for initiating conversations about cybersecurity throughout the industry.
“Issues of safety and security are hardly new to the automotive industry,” Chertoff said. “As we think about those analog safety improvements and security improvements, we’re going to need to think about these from the area of cyber.”
Chertoff wondered whether the design required to meet new cybersecurity threats would be able to evolve in a competitive industry marketplace.
“The complexity not just of the suppliers but of the entire ecosystem that supports automobiles” needs to be considered, Chertoff said. “As we have autonomous vehicles and smarter and smarter vehicles, the challenges of security will multiply.”
Along with issues of development, the implications of the data in question will also need to be addressed, Chertoff said. He cited the potential for incidents of terrorism with autonomous and connected vehicle technology.
“We need to consider how we use the data responsibly but also show people that it’s not going to be marketed to others or transmitted to people who use it in ways we don’t expect,” Chertoff said. “One of the weapons of choice now for terrorists is the automobile or the truck.”
Chertoff also stressed the role of the federal government in cybersecurity and risk management.
“Most of the infrastructure is in the private sector’s hands,” Chertoff said. “The only way the government can actually protect the private sector is with the cooperation of the private sector.”
General Motors President Dan Ammann echoed similar sentiments. Ammann highlighted the impact autonomous vehicles can have — as long as cybersecurity becomes part of early design stages.
“We must as an industry work together to prevent security breaches and fight bad actors,” Ammann said. “We are designing against a rapidly evolving threat.”
Ammann stressed the need to invest in fostering talent, as the industry faces a shortage of engineers.
“The talent shortage on the front lines of the cybersecurity wars is real,” Ammann said. “The need to grow our engineering and technical talent applies directly to the cybersecurity field.”
Ammann also told Automotive News that GM will continue to “be engaged heavily” in discussions regarding changes in fuel efficiency standards by the Trump administration.
Detroit 3 commentary
“One company’s detection is another company’s prevention,” Faye Francy, executive director of Auto-ISAC, said to attendees of the summit’s afternoon session. The Auto-ISAC is known formally as the Automotive Information Sharing and Analysis Center, which was formed in January 2016 as the cybersecurity information hub for the North American auto industry.
Michael Westra, connected vehicle cyber security technical manager for Ford Motor Co., emphasized the need for automakers and suppliers to adapt their culture to pending security threats.
“You need to build the architecture with the assumption that some (failures and system updates) is going to happen no matter what,” Westra said.
In terms of those updates, Westra said: “That’s part of where I think the culture has to change to some degree.”
Aside from challenges with industry culture, Mark Chernoby, chief technical compliance officer for Fiat Chrysler Automobiles, noted that automakers and suppliers face the challenge of deciding when to share a possible common cyber vulnerability with others.
“The reality is, if something really big happened, if a major event occurred, (ISAC) would become very, very functional very, very quickly, because it has to,” said Jeffrey Massimilla, GM’s vice president of global cybersecurity.
Panelists further discussed the importance of having the public’s trust in the industry, especially regarding the influence public perception or fear could have on policymaking for the automotive sector.
“How do we show that industries actually acted on these things,” Nat Beuse, associate administrator of vehicle safety research at NHTSA, wondered, “in a way that is constructive such that it is informative to policymakers?”
Automotive News Shift Editor Sharon Silke Carty led a discussion about ways that automakers and suppliers can tangibly implement cybersecurity within tomorrow’s autonomous vehicles.
“I personally think suppliers need to get on board a little bit more and be a little faster on what we’re doing here, especially around standards,” said Tim Piastrelli, director of security for GM’s Cruise unit. “Autonomous vehicles are a different breed. It’s a different attack vector.”
Piastrelli could not comment on who would be liable to pay for injuries incurred if an autonomous vehicle was hacked, or on the extent to which intrusion technologies play a role in building Cruise’s cyber framework.