Michael Weber is a cybersecurity expert who concentrates on automotive security. In our discussion, he shares some specific challenges in his field and also addresses similarities with OT and IoT security.
What are the biggest challenges today for you and your colleagues?
Definitely the new regulations going into effect – UNECE WP.29, of course, but ISO 21434 too. They will significantly change not only the process landscape but also the security functionalities actually required in individual control units and the vehicle architecture. Relatedly, we have a shortage of personnel – and the same is probably true for the whole industry.
But our biggest challenge still lies ahead. Until now, the development work on a vehicle was essentially complete at SOP (start of production). But in the future we will need to keep increasingly connected cars safe and secure throughout their entire life cycles. For a normal car that means 15 years, and for commercial vehicles or exclusive sportscars it can be much longer – up to 30 years.
If you connect a computer with Windows XP to the Internet today, it’s infected within minutes. In other words, you don’t even have time to download the patches you need. And Windows XP came on the market at the end of 2001. That’s 20 years ago – a shorter period than we need to consider now as we look to the future.
Personnel issues and long system service lives are both major areas that automotive and OT security have in common.
What aspects of cybersecurity are you especially focused on?
Classic embedded security still accounts for the lion’s share of our business. It’s essential that it runs seamlessly.
Security is a horizontal topic, which makes it complicated. If you are programming a functionalities driver in a control unit, the interdependencies are relatively limited. But when it comes to security, they affect nearly everything: bootloaders, basic software, diagnostics, functional safety, hardware – all the way through to production. For example, interfaces must be thoroughly defined so that the integration of cryptographic material through key management systems works in manufacturing.
In recent years I have also devoted a lot of attention to firewalls, network security, and intrusion detection. People in IT security have long been familiar with these topics and the associated technologies. But special challenges arise when these ideas are applied within the limits created by embedded controllers and vehicles.
Cybersecurity is still sometimes viewed as nothing more than a cost factor. What’s the opinion of the customers you have contact with?
Some of them still think that way. After all, security isn’t an end in itself. But I am seeing signs of change, too.
The coming UNECE regulations help on this point. No one can avoid them. And the entire industry is coming under increasing scrutiny – from white hats and black hats alike.
At the same time, risk is growing due to increasing networking and connectivity. Recent years brought several prominent examples. And such incidents receive much more public attention today than they did just a few years ago. This means that good security can bring a competitive advantage.
What developments in OT and IoT security are especially interesting to you?
Recently we held OEM supplier security audits where experts from IT, OT, and automotive security came together. It was very exciting. If you want to prevent attacks across the entire fleet, you quickly find yourself talking about individual cryptographic keys and certificates for control units. But that’s not possible without the right infrastructure at the plants. This situation illustrates how changes on one side (automotive security) lead to changes on the other side (IT and OT security).
The IoT has gained an incredibly bad reputation in the past several years. Sometimes you even hear the joke that the s in IoT stands for “security.” Many of these devices are open to anyone over the Internet and often there are no plans for updates or bug fixes. But regulators have recognized the need for a response and are increasingly taking action, as with the US IoT Cybersecurity Improvement Act of 2020. A consumer protection law for digital content has been drafted, too. It requires updates for “goods with digital content” throughout “the period consumers would reasonably expect.” These are definitely positive developments.
It’s natural for OT users to want to benefit from the possibilities that IoT/IIoT offer, including their lower costs. And the convergence of IT/OT away from the proprietary solutions of the past opens up a lot of opportunities. But it brings a lot of risk as well. The list of companies whose production facilities have been brought to a halt gets longer every year. When devices that weren’t designed for online use are plugged into the Internet, problems are guaranteed.
Can you share some good practices and approaches that are proven to work in your view?
First: complexity is the enemy of security, because security is a topic with many interdependencies. In automotive, for example: diagnostics, firmware over the air (FOTA) updates, safety, EEA, and production/plant infrastructure. In this context, streamlined solutions, clear structures, and simple interfaces help. A lot of security doesn’t always translate into a lot of benefits. Often it just increases your exposure. Just look at the CVE entries on the Internet.
Every compromise, exception, or quick add-on after the fact makes itself felt later in security (in the sense of “technical debt”). Such mistakes often only become evident years later, when updates take place. The more complex the system is, the more difficult maintaining it becomes. One typical type of error – in everything from simple embedded control units to cloud infrastructure – is configuration errors. And these errors become more likely as systems become more complex.
Second: The defense-in-depth approach, which involves taking a holistic view of security at different levels or layers. In automotive security, this starts with protecting individual controls. The next level is network communication. Suitable EEA design – that is, based on segmentation or separation – can shield safety-critical controllers from exposed control units. Publications in recent years suggest that a central gateway can provide very effective protection. The last level is secure communication to and from the vehicle. Defense-in-depth was originally used in IT security, and analogous methods can be applied in OT as well.
Third: Security is not a one-time event. It’s a continuous process – in R. Bejtlich’s words, “a lifelong journey.”
If you could send an e-mail to every CISO on earth, what would be the most important points you would make?
Honestly, many CISOs already know all this. But I still often hear them say things like, “Why should they attack us?” They continue to think that a hacker is a guy in a hooded sweatshirt working alone in a dark room.
But in reality they’re dealing these days with criminal organizations that have hierarchical structures and marketing, sales, development, and support functions, just like real companies.
Attacks are often highly automated. According to the latest Upstream report, global IT crime represents a USD 600 billion market. For comparison, the global market for illegal drug sales is worth USD 400 billion.
It’s clear to me that a new mindset is needed. The question isn’t whether you’ll be hacked, but when. So the questions to ask are: How quickly can I detect an attack? How can I mitigate the results? How can I limit what attackers can do after they have a foothold – for example, can I prevent lateral movements? How and when can I restore normal operations? The point is to prepare for the worst.
Thank you, Michael! We wish you continued success.
Please remember: This article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.
And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.