Data Privacy Day is a great time for businesses, institutions and even individuals to remember their goals, ideas and technologies that will help in safe-proofing data from cyber threats. HARMAN remains laser-focused in ensuring the connected car is always protected from vulnerabilities that would distress both automakers and consumers. To discuss this subject in more detail, we sat down with Amy Chu, Senior Director of Product Security for HARMAN’s Automotive Cybersecurity team for some excerpts from that conversation:
1. The Hubble space telescope employs 4 million lines of code, a Boeing 787 has 6.5 million and a high-end connected car runs over 100 million lines of code. Where does one even begin to put in place effective, adaptable, and scalable systems to protect all of that automotive data?
It is certainly a challenge unique to the automotive industry due to our extremely complex ecosystem and the cyber-physical element. This is an industry which has been evolving for well over 100 years, starting out with mostly mechanical parts, and over the years innovating new technologies for not only the vehicle itself, but the methods that make the manufacturing and quality control process more cost effective and efficient. Delivering a vehicle off a production line to a consumer is no small feat, and it involves many individuals all over the world to make that happen. The supply chain consists of multiple tiers of suppliers, where each level directs the design and delivery of their subsystem within the vehicle. Each subsystem is running its own software code, with OEMs having little to zero visibility into that code.
With cybersecurity, we can employ various methods for detection, prevention and response, but no one can guarantee 100% protection, it just doesn’t exist. Still, by layering different security methods within the product architecture, we can significantly minimize the risk – such as the new cybersecurity product we announced at CES, which manages cybersecurity vulnerabilities in the automotive supply chain.
HARMAN is committed and will continue to invest heavily in bridging the knowledge gap from the traditional automotive environment, to development practices that minimize the security risk and foster quick remediation. We are also active members of industry organizations such as the Auto-ISAC and the SAE, advocating for increased collaboration, information sharing and training so we can build standards and common infrastructure within the automotive industry, keeping passengers safe and connected vehicles protected.
2. Protecting the connected car ecosystem will become a difficult task, especially as the proliferation of data across different connected devices makes them more susceptible to cyber threats. What are some encouraging technologies or breakthroughs that the HARMAN team has produced or is working on already?
With a great understanding of the automotive development process, combined with expert knowledge in embedded security practices, we have a multi-faceted approach. There are three main categories: hardening & defense in depth, monitoring & intrusion detection/prevention, and thought leadership within the evolving automotive cybersecurity space.
For hardening & defense in depth, we have assembled late 2016 my team, the Automotive Product Security (PSEC) Team within HARMAN’s Connected Car Division, ensuring that our own security policies, processes and guidelines are aligned with industry best practices. We are striving for layered security approach to minimize the attack surface and add extra protection for our most critical assets. We have also launched an awareness and training campaign to educate our global employees on their responsibilities in developing secure products.
Only recently, HARMAN was recognized as the 2018 Winner of the “Intrusion Detection Solution Provider of the Year” award for our HARMAN SHIELD Solution. HARMAN SHIELD for Connected Vehicles is comprised of state-of-the-art building blocks to provide a modular scalable architecture for OEMs and auto fleets. HARMAN SHIELD agents employ award-winning HARMAN IDS technology and are equipped with full backend reporting capabilities and OTA updatability, protecting connected vehicles using Intrusion Detection and Prevention (IDPS) algorithms, which enable double-perimeter protection of both internal and external (wireless) vehicle communication channels. HARMAN SHIELD agents defend vehicles from direct attacks, communication channel attacks (Cellular, WiFi and BT) and vehicle internal network attacks.
Finally, we are active leaders within the Automotive ISAC (Information Sharing Analysis Center), advocating the need for a clear framework of vehicle cybersecurity, developing a culture of information sharing, drafting standards and incident response processes. We also offer consultancy services to our OEM customers to help them direct their suppliers and lower the overall vehicle security risk.
3. What do you think are or will be the biggest benefits of the connected car? Essentially, why do you think that even with increased security concerns – the benefits of this type of technology far outweigh the negatives?
I find it amazing that over the past 10-15 years, connected technologies have completely changed the way we live our day-to-day lives. We can order groceries, dinner, and clothing, manage our banking, pay our bills, check on our kids at school or daycare, have access to a variety of entertainment and hail a ride -- all from our handheld smartphones.
With fully autonomous driving on the horizon, we can let our vehicles do the driving for us, so that we can focus on other more productive tasks. It’s almost like adding more hours into the day to think that we can be more productive in the same amount of time. The benefits of this added time is very attractive to consumers and quite honestly, they are just expecting their security and privacy to be protected. But it doesn’t come for free.
We know from the increased connectivity within our homes and on our personal devices, there is always risk of compromise. However the vehicle being a cyber-physical system, our physical safety is now a risk factor in addition to our personal information. So it is our responsibility as industry leaders to ensure that we are building products that minimize the security risk, and also build an infrastructure to enable quick and seamless remediation of new threats and vulnerabilities as they come along. The progress we make together as an industry in cybersecurity policies and innovation MUST remain a key component in the connected and autonomous vehicle movement.
4. The security strategies and technologies you’ve described already are incredibly impressive. But, what’s coming down the line in one, two, or even five years from now in terms of automotive cybersecurity?
Automotive is going through a transformation in its cybersecurity. We know from market research that cybersecurity is a top concern for automotive executives in enabling connected car technology, but being such a complex and specialized subject matter, it can be difficult to decide how to prioritize your investments in building the capabilities to minimize security risk and still keep your company profitable. Technology advancements in the consumer electronics space with smartphones and IoT have grown fast, which were quickly applied to connected car products and at a time when security was not top of mind. We are working diligently to change this, but even with the headway we have made in the past several years, we must manage the safety and security aspects of our legacy products. For products in development, we are pushing to include a way to monitor and patch our systems of the future. The products and technologies we are developing at HARMAN today will be crucial in the coming years to monitor and protect our connected vehicles on the road.
Products alone will not be the only change we will experience. It is imperative that we begin to accept that connected cars will be attacked, and incident response and vulnerability management is our new normal. We must be quicker with our information sharing and understand that patching our software in vehicles will become a regular occurrence. With the current model, a vehicle recall is required to remediate a high risk vulnerability which is extremely costly to all parties involved. As the market leader in OTA (Over-the-Air) Software Update with 23 contracted OEMs, I believe that HARMAN technologies such as SHEILD and OTA, coupled with a robust backend as the Cybersecurity Analytics Center (CSAC) will be essential in the day-to-day management of connected cars on the road.
5. In terms of final thoughts, what would you say to someone who’s dubious about the benefits of the connected car, or our ability to effectively protect them against hackers and other threats?
I would encourage them to accept the inevitable and embrace the new normal. Connected cars are here to stay, and this connectivity brings security risks that we must manage. Frequent patching for threats and vulnerabilities are a reality in our connected consumer devices today, and tomorrow this will be a reality for our cars as well. Knowing this, we must face our security challenges head on and without hesitation by designing our products and policies to handle this in the most efficient way we can.
The other thing we must accept is that there is no silver bullet. It’s complicated. There is not just one way to secure a connected vehicle. It must be multi-layered and address each phase in the development process over the FULL lifetime of a vehicle, which could even span up 18-20 years.
HARMAN is making this commitment with increased investment in our organization and product innovation so that when the industry is ready to go full scale with real-time security threat monitoring with a fully staffed security operations center, we are already their most trusted and valued partner.