
The 10 in 10 podcast
10 questions. 10 minutes. Our subject matter experts offer their perspective on key topics impacting power management technology through a lightning round of question and answer.
Automotive cybersecurity: Keeping your vehicle safe in a digital age
In today's world, automotive cybersecurity is a critical issue. As vehicles become increasingly connected and software-defined, the risk of cyber threats grows. It is essential to protect vehicles from potential attacks. In this episode, we are joined by John Krzeszewski, functional excellence leader of cybersecurity and functional safety for vehicle systems. John shares his insights on the current landscape of cyber threats, the impact of electric and autonomous vehicles, practical tips for vehicle owners, key cybersecurity codes/standards, the deep importance of industry collaboration and more. Tune in to learn how to keep vehicles safe in this digital age.
To learn more and access all episodes, visit Eaton.com/10in10podcast
NARRATOR: Welcome to Eaton's 10 in 10 podcast, where we focus on industry trends shaping the future of power management. In this series, our expert answers 10 questions about one of today's most talked about industry topics -- in 10 minutes or less. From the energy transition to digital transformation and beyond, we explore trends and discuss strategies for delivering safer, more efficient, and reliable power.
CALEB MARCY: Hi, I'm Caleb Marcy, Electrification Content Marketing Specialist at Eaton. Today, I'm thrilled to be joined by John Krzeszewski, Functional Excellence Leader of Cybersecurity and Functional Safety for vehicle systems at Eaton. In today's episode, we'll be discussing the ongoing importance of automotive cybersecurity in our increasingly digital and electrified world. John, I have 10 questions for you in 10 minutes. So let's go ahead and get started. Thanks for joining us today, John.
JOHN KRZESZEWSKI: Yeah, glad to be here. It's an honor.
CALEB MARCY: Let's kick this off at a broad note. For listeners who may not be as familiar with the topic, at a high level, can you start by explaining what automotive cybersecurity is and why it is such a critical issue in today's world, as vehicles become increasingly always connected and software-defined?
JOHN KRZESZEWSKI: Yes. Unfortunately, we've seen cybersecurity attacks not only affecting high-profile targets, such as major businesses, but also individuals, such as our neighbors and our friends. Now that vehicles are connected to the Internet, due to consumer preferences and to provide updates to features, such as driver assistance systems or in other words, autonomous, it's now susceptible to attacks from threat actors who are motivated for various reasons to wreak havoc in terms of the vehicle's operation or affect safety, privacy, and even financially, such as ransomware. Automotive cybersecurity is the process and technology to ensure, by design, that consumers are protected by managing these cybersecurity risks, such that an attacker doesn't succeed.
CALEB MARCY: Looking at today's current landscape, what are some of the most common cyber threats that modern vehicles face today?
JOHN KRZESZEWSKI: Compromise of the telematics servers or the cloud, which interfaces with the vehicle to control various functions, such as unlocking it, remote start, and basically every function the vehicle exposes. Other attacks have included exposure of personally identifiable information of the vehicle owners, such as their location, credit card information, phone numbers, addresses, et cetera. It also has involved disruption of the infotainment and autonomous systems, and EV chargers. One particularly interesting attack involved smashing vehicle headlights, which exposed the network connection to the vehicle's immobilizer. Thus, it allowed the vehicle to be stolen. Another attack affected US dealership management systems for nearly three weeks, basically halting dealer operations such as vehicle service.
CALEB MARCY: Now, when thinking specifically about electric vehicles, cybersecurity expands beyond the vehicle, as EVs connect to the broader energy ecosystem -- homes, the grid, et cetera. How are EVs changing the landscape and/or scope of automotive cybersecurity?
JOHN KRZESZEWSKI: EV chargers are yet another potential target. Weaknesses in several EV charging stations have been exposed, which can result in a theft of a person's personally identifiable information, like we talked about before, payment information, or it could prohibit vehicle charging or even affect the electric grid, resulting in brownouts or a loss of power to neighborhoods, if an attacker were to cause chargers to output maximum power, not to mention potential damage to vehicles.
CALEB MARCY: OK. Now, what about vehicles with autonomous driving capabilities? It's undoubtedly exciting and convenient, but how are you seeing autonomous driving technology changing the landscape of automotive cybersecurity?
JOHN KRZESZEWSKI: Autonomous vehicles are even more reliant on connectivity to the cloud, as OEMs enhance the features in these assisted or self-driving systems, such as updating algorithms for robustness and the download of high precision maps so they can operate on additional roads beyond major highways, in addition to addressing field issues. This introduces additional threat vectors, whereby threat actors can download perhaps errant maps or malicious software to affect safety. Or even ransomware that could disable your vehicle until a ransom is paid.
CALEB MARCY: With all of this in mind, what are some practical tips that you can offer to vehicle owners to ensure their cars are cyber secure and provide some peace of mind?
JOHN KRZESZEWSKI: Great question. And up to now I feel like the bearer of bad news and depressing news. First and foremost is to apply all software updates as soon as you're aware of their availability. In fact, I often manually check for updates on my own devices, even before I'm notified. These updates usually contain fixes for cybersecurity vulnerabilities and sometimes these vulnerabilities are actively being exploited. In some cases, these vulnerabilities can actively be exploited by attackers without any required user interaction. In other words, you can just be connected to the Internet and be infected. Good passwords and leveraging multifactor authentication are also critical. Password length is really important, such as using a sentence that you only know. Like, "I walked Charlie to Aunt Betty's house to pick up 12 candles." Limiting what you connect to is vital. Every connection to another system represents just yet another way an attacker could compromise your system. Ultimately, I think a healthy sense of paranoia is really beneficial in protecting yourself.
CALEB MARCY: All right, we've gotten through five questions. Five more to go. Let's dive in on some more technical questions. It's understood that security must be a crucial consideration at every stage in both the product and software development life cycle. Can you walk us through some of the key stages of development where cybersecurity measures need to be integrated?
JOHN KRZESZEWSKI: The first and foremost is the concept phase or the very beginning of a project. Even at the "drawing on a napkin" stage, cybersecurity has to be the foundational feature of the system and not a "bolt on". Specifically, it starts with what we call "threat modeling", where you determine what are the potential threats to a system via all potential entry points. And then you design mitigations at multiple layers to thwart those threats. So, using a castle analogy, you would have a moat, a drawbridge, tall walls, soldiers on the walls, various weapons, et cetera. Likewise, in automotive, we use layers, such as segregating safety critical systems, protecting vital components via "secure gateway", leveraging bank-grade cryptography. This methodology continues for many years, as we do field monitoring and use intelligence feeds so that we can incorporate the latest protections for new threats in our products and those in the field.
CALEB MARCY: And what are some of the key cybersecurity codes and standards that automotive manufacturers need to adhere to during this development life cycle?
JOHN KRZESZEWSKI: The 21434 cybersecurity engineering standard, it's important for assessing and managing risks throughout the entire product life cycle. And it's also a means to meet various cybersecurity regulations, such as the European Union's R. 155 and recent Chinese GB 4495 standard. This standard, the 21434, it provides a structured process for the entire product lifecycle to ensure complete and conscious decision-making. Also, the soon to be released specifications on cybersecurity assurance level and targeted attack feasibility from ISO and SAE Joint Working Group is helpful. From a technical perspective, best practices from the National Highway Traffic Safety Association, the Auto-ISAC and SAE are beneficial, along with NIST Special Publications to ensure technical implementations are correct.
CALEB MARCY: John, I know this is right up your alley - thinking about collaboration in the industry, how important is the collaboration between automotive manufacturers, cybersecurity experts, and regulatory organizations in addressing and preventing cybersecurity threats?
JOHN KRZESZEWSKI: It's vital. Organizations like the Automotive ISAC (or Information Sharing and Analysis Center), it's a very good organization. And it includes members from suppliers, government entities, OEMs, service providers, and they collaborate to publish best practices and share information on attacks, while yet anonymizing this information such that it can't be attributed back to any business entity. A collaboration also occurs via industry-wide cybersecurity conferences and events, such as the "Embedded Security for Cars" (or ESCAR) Conference or DefCon Car Hacking Village, where the latest research information is presented, along with the opportunity to network with other experts in the industry about their approaches and lessons learned. Another opportunity is in the development of new standards and best practices in standards organizations, like SAE and ISO.
CALEB MARCY: Now, what are we, Eaton, doing to improve automotive cybersecurity? What are automakers doing? And how is Eaton collaborating with them?
JOHN KRZESZEWSKI: Eaton is active on many fronts. As you mentioned, we chair the SAE Vehicle Cybersecurity Systems Engineering Committee. And thus, we are global co-convener on behalf of SAE, leading the ISO-SAE Joint Working Group, which develops global standards and specifications such as the ISO-SAE 21434, of which Eaton was also an author. And upcoming specifications, including planning for the second edition of 21434. We also participate in development of frameworks by collaborating with other industry experts, such as the Auto-ISAC's Automotive Threat Matrix. See, by working on these standards and frameworks and participating in relevant automotive cybersecurity conferences and events, we are able to learn from each other, promote best practices, and implement even better security in our products.
CALEB MARCY: Alright, John. Last question: What do you see as the future of automotive cybersecurity? And how can the industry stay ahead of potential threats through technological innovations and enhancements?
JOHN KRZESZEWSKI: AI or Artificial Intelligence, like we keep hearing in the news all the time, it's going to be a significant factor in automotive security, on both offensive and defensive fronts. Specifically, bad actors will be able to mount attacks with even more proficiency and speed. However, we can leverage AI and machine-learning to both detect and defend from these attacks. I'm particularly optimistic about AI being able to detect weaknesses or vulnerabilities in our software and hardware earlier in the design phase. For example, the current tool sets for scanning software for weaknesses, they're not perfect and they're not able to detect everything. We witness this every day with continuous deployment of patches from major companies who produce the mobile phones and computers we use, for example. As I put it, the first company that can produce a product that can detect all vulnerabilities in software, they'll be the richest company in the world. So until then, we have to continue implementing best practices, such as layers of defenses, staying up to date on the latest threat intelligence, and industry collaboration, and ongoing education and training.
CALEB MARCY: Thank you so much. It's been a pleasure to speak with you today and get the opportunity to pick your brain on this important topic. To learn more about how we're taking the lead in cybersecurity, please visit eaton.com/cybersecurity.