Different Industries Face Divergent Cyber Challenges
A major cybersecurity challenge for satellite manufacturers is that their products have to be designed to be beyond the reach of human hands for decades. Automobile companies face the opposite problem — their products have to spend 15 years or more being touched by human hands every day.
Right to repair laws mean that “Everyone has the right to perform maintenance on their vehicle without having to go to a dealer,” Mitsubishi Automotive Cybersecurity Senior Manager Kristie Pfosi told CyberSat last week.
And that means that system access and software tools required to modify onboard IT systems have to be public, she said. “It’s basically like giving anyone who wants it administrator access to any vehicle.”
She added that market imperatives would likely drive auto manufacturers to monetize driver data to offset the costs of cybersecurity and other investments required to maintain connected cars.
Market imperatives were also driving connectivity in the cruise industry, said Greg Sullivan, CIO of Carnival cruise line. Passengers were generating or accessing 10 to 12 GB of data per second across the company’s 105 vessels, he said.
The successful hack of onboard driving controls on a Jeep Cherokee in 2015, when a Wired reporter was driven off the road by security researchers — and the subsequent federally ordered recall — really got the attention of the auto industry, explained Pfosi.
Last year the industry spent $1.3 billion on cybersecurity and that is projected to rise to $6 billion over the next couple of years, she said. Cyberattacks were also on the rise, and the auto sector was seeing a quadrupling in the number of online attacks so far this year, compared to the whole of 2018.
“We’ve certainly got the attention of the hacker community. Yay!” she joked.
For the automobile industry, Pfosi said, cybersecurity defense in depth meant thinking about the much greater attack surface represented by long-range connectivity like Wi-Fi, cellular or satellite, as opposed to short-range connectivity like Bluetooth or direct access like USB ports. Long-range attacks could reach thousands of vehicles, she said, whereas an attacker with direct physical access might be able to reach only dozens.
But right to repair laws — and the aggressive lobbying by their “after market” supporters — seriously limited the security controls manufacturers could employ to limit direct physical access, she said.
By law, every car has to have an On-Board Diagnostics (OBD) port. Once plugged into that port “You can do anything, you can read and write, you can flash the software … anything you want,” Pfosi said.
Efforts to introduce authentication requirements, or to require software updates to be cryptographically signed by the manufacturer — to prevent the introduction of malicious software to onboard systems — might fall foul of right to repair laws, Pfosi said.
“We’re seeing a lot of pushback,” she said.
An even bigger problem was the CAN bus, a chip that connects the car’s systems. Currently, the chip doesn’t require any authentication: it’s designed to implement any command it receives, without checking where it comes from.
In the next generation of connected cars, “We have to make an architectural change … to introduce encryption and authentication,” she said.
“We need to have a way to know that a command to apply the brakes is a genuine command (from the driver), not coming from off board the vehicle,” she said.
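The gap Pfosi describes is that a receiving controller acts on any frame carrying the right identifier, with nothing binding the frame to a legitimate sender. The sketch below is an added illustration, not code from the article, from Mitsubishi, or from any vehicle platform. It models a classic 8-byte CAN frame in Python and contrasts a legacy receiver with one that requires a freshness counter plus a truncated HMAC over the identifier, counter and payload (the general shape of the AUTOSAR SecOC pattern, simplified here). The brake-command identifier, the shared key and the payload bytes are constructed sample values; real deployments manage keys per ECU and synchronize freshness values across the network.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed sample values (hypothetical, not from any real vehicle):
# a CAN identifier for a brake command and a symmetric key shared by the
# sending and receiving controllers. A real fleet would provision
# per-ECU keys at manufacture rather than a single constant.
BRAKE_CMD_ID = 0x120
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
MAC_LEN = 4  # truncated MAC: a classic CAN frame carries at most 8 data bytes


@dataclass(frozen=True)
class Frame:
    """Minimal model of a classic CAN data frame."""
    can_id: int
    data: bytes  # up to 8 bytes


def legacy_ecu_accepts(frame: Frame) -> bool:
    """Unauthenticated receiver: any well-formed frame with the right ID is acted on."""
    return frame.can_id == BRAKE_CMD_ID and len(frame.data) <= 8


def _mac(key: bytes, can_id: int, counter: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over (id, counter, payload), truncated to fit the frame."""
    msg = can_id.to_bytes(2, "big") + counter.to_bytes(2, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def build_authenticated_frame(key: bytes, can_id: int, counter: int, payload: bytes) -> Frame:
    """Sender side: 2-byte payload + 2-byte counter + 4-byte MAC = 8 data bytes."""
    if len(payload) != 2:
        raise ValueError("this toy layout carries a 2-byte payload")
    if not 0 <= counter < 0x10000:
        raise ValueError("counter must fit in 16 bits")
    data = payload + counter.to_bytes(2, "big") + _mac(key, can_id, counter, payload)
    return Frame(can_id, data)


class AuthenticatingEcu:
    """Receiver that checks freshness and MAC before acting on a command."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, frame: Frame) -> bool:
        if frame.can_id != BRAKE_CMD_ID or len(frame.data) != 8:
            return False
        payload, ctr_bytes, mac = frame.data[:2], frame.data[2:4], frame.data[4:]
        counter = int.from_bytes(ctr_bytes, "big")
        if counter <= self.last_counter:
            return False  # replayed or stale frame
        expected = _mac(self.key, frame.can_id, counter, payload)
        if not hmac.compare_digest(mac, expected):
            return False  # wrong key or tampered content
        self.last_counter = counter
        return True


def demo() -> dict:
    """Run the legacy and authenticating receivers over constructed frames."""
    ecu = AuthenticatingEcu(SHARED_KEY)
    genuine = build_authenticated_frame(SHARED_KEY, BRAKE_CMD_ID, 1, b"\x00\x64")
    # A frame built without the key: right ID and layout, counter 2, all-zero MAC.
    unkeyed = Frame(BRAKE_CMD_ID, b"\x00\x64\x00\x02" + b"\x00" * MAC_LEN)
    # Same MAC as the genuine frame but the payload byte altered in transit.
    tampered = Frame(BRAKE_CMD_ID, b"\x00\xff" + genuine.data[2:])
    return {
        "legacy_accepts_unkeyed": legacy_ecu_accepts(unkeyed),
        "auth_accepts_genuine": ecu.accept(genuine),
        "auth_rejects_replay": not ecu.accept(genuine),
        "auth_rejects_unkeyed": not ecu.accept(unkeyed),
        "auth_rejects_tampered": not ecu.accept(tampered),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The replay check is what makes the counter matter: without it, a recorded genuine frame could be resent at any time and would verify. A 4-byte MAC is a compromise forced by the 8-byte data field; CAN FD's larger frames allow longer tags, and the counter here wraps at 65536 messages, so a production design needs a resynchronization scheme rather than a bare 16-bit field.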
A connected car generated as much as 4,000 GB of data per day, she said, and auto manufacturers were looking to monetize that, to pay for the networks and the software development required to keep connected cars updated.
“In order to be able to support the cost of the infrastructure and even the cybersecurity (investments) … there needs to be an offset revenue stream,” Pfosi said.
She said that cybersecurity vendors had priced the cost of regular updates to vehicle software at about $4 per vehicle per month. “That’s not acceptable,” she said, as a cost to be absorbed by an industry that makes design changes based on fractions of a penny in the price of materials.
“There’s no subscription plan that is palatable to the consumer today. There’s no consumer demand (for cybersecurity), there’s no regulation. We’re doing this because it’s the right thing to do and … also perhaps to avoid the risk and cost” associated with a cyberattack.
If, for the consumer, the car purchase remained a one-off capital expenditure, “There needs to be some backend revenue that’s generated off that car, and that’s a focus” for the industry.
Another focus of the industry was trying to create a cybersecurity aware workforce for the future, she said. “We are working with universities to build up a pipeline that doesn’t exist today.”
In the meantime, the sector was seeking to “educate our current workforce so that they’re not reliant on cybersecurity professionals to tell them how to design their products but can rely on the engineers who write the code, who interact with our products every day to take security into account from the very beginning,” Pfosi said.
Sullivan agreed that workforce training was key. Carnival was using training to “dramatically raise cybersecurity awareness for all shipboard crew,” he said.