
Automotive Cyber Security

Connected vehicles have numerous potential benefits for convenience, safety, travel time and access to mobility, and the features that deliver these have become essential selling points. Advances in autonomy will increase the number and types of connections and travellers’ reliance upon them. In 2020, most new vehicles are connected vehicles and many have online connections to safety-critical systems, putting them at risk of deadly hacks. It’s not clear that the automotive industry is fully equipped to deal with this and they may even be deceiving the public about their lack of preparedness.


In response to these challenges, the new UNECE WP.29 type approval regulations for cybersecurity and over-the-air (OTA) updates enter into force in January 2021. The cybersecurity management standard ISO/SAE 21434 “Road Vehicles – Cybersecurity Engineering” is also hotly anticipated next year. But is the industry ready?

Stepping up in this connected world is a major challenge for the established automotive industry and Intelligent Transport Systems (ITS) providers. A number of these challenges can’t be solved without addressing deep-rooted issues such as reluctance to collaborate, a lack of specialised security talent, and engineering processes that don’t consider security throughout the lifecycle.


The ARTS TN have organised a webinar on Automotive Cyber Security on 21 October 2020 at 11.00hrs BST. Ahead of the webinar we’d like to hear your views on the following questions:


• How well are automotive and ITS businesses positioned to deal with security in their products and services?

• What do the various industries need to do to create conditions where security can be assured by design throughout the lifecycle of their products and services?

• What are the gaps, how big are they, and what capabilities are needed to address them?


If you have other questions that you’d like to post here, we will also consider these for discussion by our experts in the Q&A panel during the webinar.

  • Here are some responses from Professor Siraj Shaikh to the questions that we didn't get around to answering on the Automotive Cybersecurity webinar on 28 January.

    Q. How relevant is this topic given the demise of the car industry in the UK?
    Siraj. While the industry is challenged in the UK, there is still a wealth of an ecosystem (in terms of the different tiered suppliers, electronics, telco, design, etc…) in the UK, which is rich and healthy, and we should strive to support that. Moreover, from my individual perspective, automotive cybersecurity in itself offers a value proposition which we can take to non-UK markets/OEMs. To answer your question, this is highly relevant. PS. not to mention, even if industry lags behind, our reliance on automotive-related transport (and therefore its security/resilience) would need to remain important.

    Q. With respect to Operating Technology and Information Technology (OT and IT) - in the automotive industry there is a challenge of keeping systems separate and safe from cyber-threats, but a constant push for technological advancement with connectivity - leaving doors open to web-based threats. How can OT keep its productivity and isolated functionality whilst the lines are being blurred between OT and IT because of Cyber Threats?
    Siraj. Our methods of secure design, assessment and monitoring should all address systems where IT/OT integration may be present. This will probably require some further R&D to further our modelling/verification techniques to account for such integration. As such, both IT and OT, which have been apart, would have to bear this burden to ensure overall systems security.

    Q. Has 4D Integrated Data Modelling as developed by Shell (20+ years ago) for modelling their Downstream Operations been considered for Automotive modelling?
    Siraj. I have not come across this in my review of the literature or practice. So happy to receive more details/pointers for review.

    Q. Marianna Mazzucato (author of Mission Economy) raises the thought that society must get better at pinpointing value creation because it is often destroyed. The IEA Energy Technology Perspective 2020 pinpointed 3 sources of value - R&D, Economies of scale, Learning by doing. Prof Shaikh's excellent definition of R&D tasks aligns with these 3 strategies. Are we all aligned to these strategies? Thoughts from panel please?
    Siraj. I believe I am talking to the delegate who raised this question, so happy to talk to them directly (offline) on this. 

    Q. Do you think technological developments in the automotive industry are outpacing the security around them?
    Siraj. Indeed, some aspects (autonomy, connectivity, etc) are racing ahead, so there is some catching up to do. From experience, some of this is inevitable: this helps drive the use cases which then drive requirements for security/resilience. In an ideal world, developments should go hand-in-hand. That is, in an ideal world.

    Q. Have you done much work to look at the motivation behind various attack modes against vehicles - the 'why' rather than the 'what' or 'how'.
    Siraj. Indeed, within our Systems Security Group, we have looked at this in much detail. Happy to share thoughts/insights offline.

    Q. On metrics, are you able to say more about how you assess trends and potential future capabilities (good and bad)?
    Siraj. If I understand the question correctly: there are some healthy developments in terms of standards, best practices, assessment, testing and trials (all in the context of security) that I welcome. But critically, for me, the business case for cyber security/resilience needs to be clearer, and established within the industry (which it isn't necessarily yet...).

    Q. How much of the research is a social science, covering behaviors of developers and attackers and how much physical, the vulnerabilities of the hardware and software?
    Siraj. Much of it is in the physical sciences and engineering domain. However, more of economic and social sciences are picking this up in terms of economic modelling of benefits, cultural and societal impact, consumer chains, and developer practices, etc. Indeed more needs to be addressed in that space. In our group, we are just beginning a project (from 1st Feb!) that is going to look at this.

    Q. While we are trying to define regulations and methodologies to address security threats, attacks are still happening and attackers are learning more about the vehicle systems and weak points. What could we do in the meantime as a proactive approach to limit these attacks?
    Siraj. In the meantime, we need to work out mechanisms (cheap enough and feasible) to log/monitor for suspicious activity (so a better understanding is gained). Also, we need to raise awareness particularly amongst vehicle owners on what risks there are (as they stand to suffer from some of this).

    Q. Given the potential safety and legal issues identified, how can Chris Grayling's statement that self driving cars will be on UK roads in 2021 be valid?
    Siraj. While there is a strong desire and push towards realising the AVs on our road, and I welcome it, there will still be some time before they are accepted and widely present. Remember elevators, anyone?

    Q. Is there a case to be made for vehicles to need more regular software updates throughout their life?
    Siraj. Indeed. I see this happening. But I hope it doesn't become a norm at the expense of more rigorous design and engineering.

    Q. Is one of the messages from this thinking that the average life of future vehicles will reduce and reach a point of a vehicle being 'no longer supported'?
    Siraj. This is an important point: this needs to be viewed in the context of what vehicle ownership models there would be in the future. I think that would drive some of the thinking. But even if we "own" a vehicle for a very short time, it still needs to be safe and secure. Rather like elevators, we may not care about them much even if we use them every day, but they need to work safely for us to have the assurance to use (and accept) them.

    Q. To what extent (if any) is the manufacturer's natural desire to protect their own intellectual property regarding their systems hindering the wider industry addressing the challenges faced?
    Siraj. There is some truth to this, but this is not entirely driving the challenge here in my view. 

    Q. How do the panellists propose that the ideas they are discussing are actually implemented. What are the mechanisms for this?
    Siraj. More and more R&D (particularly that which is supported by industry), standards, regulations, best practice models, are all healthy signs that some of the ideas/insights are being driven to practical adoption.

    Q. Do you foresee a time when there may be 'legal' cyber attacks e.g. the police stopping or slowing a car?
    Siraj. Technically, that is not a cyber attack. There could be proactive mechanisms which are designed to assist law enforcement in "some" way. Happy to share more ideas offline.

  • Responses from Peter Davies, Thales UK to questions posed on the Automotive Cybersecurity Webinar in January.

    Q. Does the WP.29 from UNECE include a regulatory framework for cybersecurity?
    Peter. Yes, it includes requirements for on and off vehicle. There are also interpretation documents which help to understand what you might need to do for international recognition.

    Q. Which International IEC standard is applicable for Automotive Cyber Security applications?
    Peter. In late 2019 BSI sponsored an analysis of potentially relevant standards including IEC.  This came out with 6 A4 pages of standards that could be applied but set out why they should not be. The outcome was verified by another independent study undertaken by Warwick in Q1 of 2020.

    Q. What do you think, should we look at Automotive - Functional Safety and Cybersecurity - separately or integrated?
    Peter. Integrated absolutely, how can you be safe if you are not cyber safe with the amount of digitalisation we currently have.

    Q. With that scaling of complex issues, is it going to be possible to protect vehicles as they age and drop out of warranty?
    Peter. That will certainly be an issue, however we have not really done anything yet to consider how we might protect vehicles even before that.  We are currently doing some work to show the issues associated with fixed SW / HW / Firmware in a changing environment.  Complex systems yield many, many benefits, our challenge is to get the security monitoring to a point where it is part of recognising positive (money making) aspects of complexity as well as the negative outcomes.  We have to stop thinking of security as a compliance issue and start seeing it as a benefit.

    Q. Were the brake attacks carried out remotely or from the car?
    Peter.  They have been carried out both remotely and locally.  One of the really important aspects when demonstrating attacks of this type is to do so safely, no one wants to see a potentially lethal attack escape into the wild and start spreading.

    Q. Regarding the post accident investigation. Is there / will there be, something similar to OBD so that key data can be accessed?
    Peter. This is being worked on at the moment so yes I would expect so. Similar to eg. aircraft black boxes, what is being looked for is a standard set of data which, when used in conjunction with other information sources, will provide the 'Pattern of Life' that provides evidence for forensic investigation. Those with a background in IT have a tendency to want to collect 'all the data' whereas in fact this is neither feasible nor useful.

    Q. Are there increased concerns that security will invalidate safety analysis?
    Peter. Yes. This is one of the reasons why we say that security is not an objective, it is a mechanism by which you achieve other objectives. However, to take some examples, encryption techniques are often creating DoS situations for safety critical systems, they change the failure mode eg. if I encrypt the CAN bus and lose the key then I can't read the data so can't decide just to use it or compare it with other sources. If the security forms part of a safety case then the absence of it becomes part of the FEMTA and this can be extraordinarily difficult to calculate.

    Q. Do you think technological developments in the automotive industry are outpacing the security around them?
    Peter. Indeed, some aspects (autonomy, connectivity, etc) are racing ahead, so there is some catching up to do. From experience, some of this is inevitable: this helps drive the use cases which then drive requirements for security/resilience. In an ideal world, developments should go hand-in-hand. That is, in an ideal world.

    Q. Is the new methodology aligned with the new automotive law from the UN WP29 and The new ISO standard for Road Security?
    Peter. Yes, AESIN has begun work on showing the alignment point by point for both.  But the methodology is more extensive and better founded for the long term.

    Q. Who do you see will be the centre of building the secure ecosystem? The Vehicle OEM or players such as Thales?
    Peter. Generally, the reason for referring to this as an ecosystem rather than a supply chain is because there are many suppliers of techniques, products and capabilities at all levels and the necessary relationships to achieve a good (or bad) outcome are different than they might have been in the past. Overlay on that the legal responsibilities of various entities worldwide and there is no simple answer to your question. I do believe there is a place for all individuals and organisations with the necessary expertise for this new system and that every organisation within that ecosystem must be expert in and take responsibility for the aspects for which they are claiming expertise ie. every organisation is the centre of trust for the claims that they make. Since you ask about Thales, it has fantastic international expertise in delivering safe and secure systems and components that must continue to operate in highly challenged environments .... that would not make it an automotive OEM but it might well give an indication of what an OEM, Tier supplier or other significant part of the auto ecosystem might be looking for.

    Q. Interesting point about previous techniques not being scalable any more. Does this mean new techniques are required, or do we need to find different ways to develop the previous techniques to meet the challenges?
    Peter. I believe that in areas of safety we have done a fantastic job of developing techniques that we first developed for electro mechanical systems which were small scale and designed for a single purpose. Increasingly we are getting our benefits from systems that are neither small scale, nor designed for a single purpose and where we have to combine often pre-existing digital components. I believe that on any rational analysis there is no foreseeable way in which we can simply upgun existing techniques to meet the challenge. That said, many techniques that we have developed, if used in different places, will be the basis of what we need to do going forward.

    Q. I was recently reading in a standard that historical accident data/statistics should be used as part of validation and verification of automated systems, but Peter was saying this is actually not such a good approach, can he expand on this?
    Peter. There are different categories it's true, so for instance if the nature of an accident is that a pedestrian stepped out 2m in front of a vehicle travelling at 80kph then at that stage the physics of the accident will dominate. Accidentologists argue that we have been able to make assumptions of which the human being is part based on historical evidence. For cyber / digital attacks this is not true however, which is what we have been trying to demonstrate with examples such as braking, where ABS and High Speed Emergency Braking give good early examples of automated systems in vehicles. So I think that where a standard is saying that we are able to control the physics of a situation such that the potential for harm can be controlled and quantified then the historical accident data is useful for calculating this; where that is not true and we cannot control the potential for harm then less so or not at all.

    Q. Do those who are drafting standards in this area understand that they need to focus on requiring outcomes rather than defining designs?
    Peter. There is a massive change underway in standards based on digitalisation and it is wrong to say that those drafting standards are not trying to achieve outcomes; though for some that may be the case, and we have already been seeing a shift in emphasis eg. on quality standards where the management plan and the feedback loop is becoming a far more important part of the standard. The issue we now have in the automotive area is that whereas in the past we would have trialled techniques and measured their effectiveness before standardising them, we do not have that luxury here. This is happening at the same time that many of the excellent and positive standards that we have developed are starting to have negative consequences in the scale and type of systems that we are now deploying and which we will certainly be deploying in the near future. This has given those who are defining standards a very difficult task which they are certainly not getting right on all occasions and for which they need all of our help. The defining of certain design patterns that demonstrably are unachievable or which produce negative outcomes in significant cases is certainly one area where these difficulties are being brought into sharp relief.

    Q. How can I participate in AESIN workstreams?
    Peter. Please contact me. 



  • Thanks to both our speakers for providing the detailed Q&A. Really interesting to read their answers.

    If you missed the webinar, you can catch up on demand at: http://bit.ly/3oCkgal