Automotive Cyber Security

Here are some responses from Professor Siraj Shaikh to the questions that we didn't get around to answering on the Automotive Cybersecurity webinar on 28 January.

Q. How relevant is this topic given the demise of the car industry in the UK?
Siraj. While the industry is challenged in the UK, there is still a wealth of an ecosystem (in terms of the different tiered suppliers, electronics, telco, design, etc…) in the UK, which is rich and healthy, and we should strive to support that. Moreover, from my individual perspective, automotive cybersecurity in itself offers a value proposition which we can take to non-UK markets/OEMs. To answer your question, this is highly relevant. PS. not to mention, even if industry lags behind, our reliance on automotive-related transport (and therefore its security/resilience) would need to remain important.

Q.  With respect to Operating Technology and Information Technology (OT and IT) - in the automotive industry there is a challenge of keeping systems separate and safe from cyber-threats, but a constant push for technological advancement with connectivity - leaving doors open to web-based threats. How can OT keep it's productivity and isolated functionality whist the lines are being blurred between OT and IT because of Cyber Threats? 
Siraj. Our methods of secure design, assessment and monitoring should all address systems where IT/OT integration may be present. This will probably require some further R&D to furthe rour modelling/verification techniques to account for such integration. As such, both IT and OT, which have been apart, would have to bear this burden to ensure overall systems security.

Q. Has 4D Integrated Data Modelling as developed by Shell (20%2B years ago) for modelling their Downstream Operations been considered for Automotive modelling?
Siraj.  I have not come across this in my review of the literature or practice. So happy to receive more details/pointers for review.

Q. Marianna Mazzucato (author of Mission Economy) raises the thought that society must get better at pinpointing value creation because it is often destroyed. The IEA Energy Technology Perspective 2020 pinpointed 3 sources of value - R&D, Economies of scale, Learning by doing. Prof Shaikh's excellent definition of R&D tasks aligns with these 3 strategies. Are we all aligned to these strategies? Thoughts from panel please?
Siraj. I believe I am talking to the delegate who raised this question, so happy to talk to them directly (offline) on this. 

Q. Do you think technological developments in the automotive industry are outpacing the security around them?
Siraj.  Indeed, some aspects (autonomy, connectivity, etc) are racing ahead, so there is some catchign up to do. From experience, some of this is inevitable: this helps drive the use cases which then drive requirements for security/resilience. In an ideal world, devlopments should go hand-in-hand. That is, in an ideal world.

Q. Have you done much work to look at the motivation behind various attack modes against vehicles - the 'why' rather than the 'what' or 'how'.
Siraj. Indeed, within our Systems Security Group, we have looked at this in much detail. Happy to share thoughts/insights offline.

Q. On metrics, are you able to say more about how you assess trends and potential future capabilities (good and bad)?
Siraj.  If I understand the question correctly: there are some healthy developments in terms of standards, best practices, assessment, testing and trials (all in the context of security) that I welcome. But critically, for me, the business case for cyber security/resilience needs to be clearer, and established within the industry (which it isnt necessarily yet...).

Q. How much of the research is a social science, covering behaviors of developers and attackers and how much physical, the vulnerabilities of the hardware and software?
Siraj.  Much of it is in the physical sciences and engineering domain. However, more of economic and social sciences are picking this up in terms of economic modelling of benefits, cultural and societal impact, consumer chains, and developer practices, etc. Indeed more needs to be addresses in that space. In our group, we are just beginning a project (from 1st Feb!) that is going to look at this.

Q.  While we are trying to define regulations and methodologies to address security threats, attacks are still happening and attackers are learning more about the vehicle systems and weak points. What could we do in the meantime as a proactive approach to limit these attacks?
Siraj.  In the meantime, we need to work out mechanisms (cheap enough and feasible) to log/monitor for suspicious activity (so a better understanding is gained. Also, we need to raise awareness particularly amongst vehicle owners on what risks there are (as they stand to suffer from some of this). 

Q. Given the potential safety and legal issues identified, how does Chris Grayling's statement that self driving cars will be on UK roads in 2021 be valid?
Siraj. While there is a strong desire and push towards realising the Avs on our road, and I welcome it, there will still be some time before they are accepted and widely present. Remember elevators, anyone?

Q. Is there a case to be made for vehicles to need more regular software updates through out their life?
Siraj. Indeed. I see this happening. But I hope it doesn’t become a norm at the expense of more rigourous design and engineering.

Q. Is one of the messages from this thinking that the average life of future vehicles will reduce and reach a point of a vehicle being ' no longer supported' ?
Siraj. This is an important point: this needs to be viewed in the context of what vehicle ownership models would there be in the future. I think that would drive some of the thinking. But even if we "own" a vehicle for a very short time, it still needs to be safe and secure. Rather like elevators, we may not care about them much even if we use them everyday, but they need to be work safely for us to have the assurance to use (and accept) them. 

Q. To what extent (if any) is the manufacturer's natural desire to protect their own intellectual property regarding their systems hindering the wider industry addressing the challenges faced?
Siraj. There is some truth to this, but this is not entirely driving the challenge here in my view. 

Q. How do the panellists propose that the ideas they are discussing are actually implemented. What are the mechanisms for this?
Siraj. More and more R&D (particuarly that is supported by industry), standards, regulations, best practice models, are all healthy signs that some of the ideas/insights are being driven to practical adoption.

Q. Do you foresee a time when there maybe 'legal' cyber attacks e.g. the police stopping or slowing a car?
Siraj. Technically, that is not a cyber attack. There could be proactive mechanisms which are designed to assit law enforcement in "some" way. Happy to share more ideas offline.

Here are some responses from Professor Siraj Shaikh to the questions that we didn't get around to answering on the Automotive Cybersecurity webinar on 28 January.

Q. How relevant is this topic given the demise of the car industry in the UK?
Siraj. While the industry is challenged in the UK, there is still a wealth of an ecosystem (in terms of the different tiered suppliers, electronics, telco, design, etc…) in the UK, which is rich and healthy, and we should strive to support that. Moreover, from my individual perspective, automotive cybersecurity in itself offers a value proposition which we can take to non-UK markets/OEMs. To answer your question, this is highly relevant. PS. not to mention, even if industry lags behind, our reliance on automotive-related transport (and therefore its security/resilience) would need to remain important.

Q.  With respect to Operating Technology and Information Technology (OT and IT) - in the automotive industry there is a challenge of keeping systems separate and safe from cyber-threats, but a constant push for technological advancement with connectivity - leaving doors open to web-based threats. How can OT keep it's productivity and isolated functionality whist the lines are being blurred between OT and IT because of Cyber Threats? 
Siraj. Our methods of secure design, assessment and monitoring should all address systems where IT/OT integration may be present. This will probably require some further R&D to furthe rour modelling/verification techniques to account for such integration. As such, both IT and OT, which have been apart, would have to bear this burden to ensure overall systems security.

Q. Has 4D Integrated Data Modelling as developed by Shell (20%2B years ago) for modelling their Downstream Operations been considered for Automotive modelling?
Siraj.  I have not come across this in my review of the literature or practice. So happy to receive more details/pointers for review.

Q. Marianna Mazzucato (author of Mission Economy) raises the thought that society must get better at pinpointing value creation because it is often destroyed. The IEA Energy Technology Perspective 2020 pinpointed 3 sources of value - R&D, Economies of scale, Learning by doing. Prof Shaikh's excellent definition of R&D tasks aligns with these 3 strategies. Are we all aligned to these strategies? Thoughts from panel please?
Siraj. I believe I am talking to the delegate who raised this question, so happy to talk to them directly (offline) on this. 

Q. Do you think technological developments in the automotive industry are outpacing the security around them?
Siraj.  Indeed, some aspects (autonomy, connectivity, etc) are racing ahead, so there is some catchign up to do. From experience, some of this is inevitable: this helps drive the use cases which then drive requirements for security/resilience. In an ideal world, devlopments should go hand-in-hand. That is, in an ideal world.

Q. Have you done much work to look at the motivation behind various attack modes against vehicles - the 'why' rather than the 'what' or 'how'.
Siraj. Indeed, within our Systems Security Group, we have looked at this in much detail. Happy to share thoughts/insights offline.

Q. On metrics, are you able to say more about how you assess trends and potential future capabilities (good and bad)?
Siraj.  If I understand the question correctly: there are some healthy developments in terms of standards, best practices, assessment, testing and trials (all in the context of security) that I welcome. But critically, for me, the business case for cyber security/resilience needs to be clearer, and established within the industry (which it isnt necessarily yet...).

Q. How much of the research is a social science, covering behaviors of developers and attackers and how much physical, the vulnerabilities of the hardware and software?
Siraj.  Much of it is in the physical sciences and engineering domain. However, more of economic and social sciences are picking this up in terms of economic modelling of benefits, cultural and societal impact, consumer chains, and developer practices, etc. Indeed more needs to be addresses in that space. In our group, we are just beginning a project (from 1st Feb!) that is going to look at this.

Q.  While we are trying to define regulations and methodologies to address security threats, attacks are still happening and attackers are learning more about the vehicle systems and weak points. What could we do in the meantime as a proactive approach to limit these attacks?
Siraj.  In the meantime, we need to work out mechanisms (cheap enough and feasible) to log/monitor for suspicious activity (so a better understanding is gained. Also, we need to raise awareness particularly amongst vehicle owners on what risks there are (as they stand to suffer from some of this). 

Q. Given the potential safety and legal issues identified, how does Chris Grayling's statement that self driving cars will be on UK roads in 2021 be valid?
Siraj. While there is a strong desire and push towards realising the Avs on our road, and I welcome it, there will still be some time before they are accepted and widely present. Remember elevators, anyone?

Q. Is there a case to be made for vehicles to need more regular software updates through out their life?
Siraj. Indeed. I see this happening. But I hope it doesn’t become a norm at the expense of more rigourous design and engineering.

Q. Is one of the messages from this thinking that the average life of future vehicles will reduce and reach a point of a vehicle being ' no longer supported' ?
Siraj. This is an important point: this needs to be viewed in the context of what vehicle ownership models would there be in the future. I think that would drive some of the thinking. But even if we "own" a vehicle for a very short time, it still needs to be safe and secure. Rather like elevators, we may not care about them much even if we use them everyday, but they need to be work safely for us to have the assurance to use (and accept) them. 

Q. To what extent (if any) is the manufacturer's natural desire to protect their own intellectual property regarding their systems hindering the wider industry addressing the challenges faced?
Siraj. There is some truth to this, but this is not entirely driving the challenge here in my view. 

Q. How do the panellists propose that the ideas they are discussing are actually implemented. What are the mechanisms for this?
Siraj. More and more R&D (particuarly that is supported by industry), standards, regulations, best practice models, are all healthy signs that some of the ideas/insights are being driven to practical adoption.

Q. Do you foresee a time when there maybe 'legal' cyber attacks e.g. the police stopping or slowing a car?
Siraj. Technically, that is not a cyber attack. There could be proactive mechanisms which are designed to assit law enforcement in "some" way. Happy to share more ideas offline.