André Weimerskirch on the Long, Bumpy Road to Maximizing Vehicle Cybersecurity


André Weimerskirch is vice president of Global Cyber Security at Lear Corporation and an instructor at the University of Michigan College of Engineering’s Integrative Systems + Design program. He is cofounder of the American workshop on embedded security in cars (escar USA) and vice chair of the Society of Automotive Engineers (SAE) Vehicle Electrical System Security Committee.

Weimerskirch’s research spans all areas of automotive and transportation cybersecurity and privacy. He recently contributed to the IEEE Center for Secure Design’s workshop discussions and paper on “Design Flaws and Security Considerations for Telematics and Infotainment Systems,” addressing recurring security flaws and vulnerabilities identified within vehicle telematics/infotainment systems.

In this interview, he describes some of the progress in improving vehicle cybersecurity—and the challenges on the road ahead.

Question: You’ve been working in transportation cybersecurity for a long time for a lot of organizations. How has the transportation industry’s awareness of vehicle cybersecurity changed during that time? For example, is cybersecurity now a fundamental part of the design philosophy for automakers, their suppliers and aftermarket vendors? Or is awareness and understanding (for example, of attack vectors) still low?

Weimerskirch: It’s all changed quite a lot over the past decade. For example, automakers such as GM now have a chief product cybersecurity officer and large security teams. So do their suppliers.

There’s also a lot of activity on the standards side as well. SAE now has at least five committees working on automotive cybersecurity topics. One example is J3061, “Cybersecurity Guidebook for Cyber-Physical Vehicle Systems,” which waspublished in January 2016.

Even so, there’s certainly still a lot left to do. Cybersecurity is a never-ending process, just like safety: You have to keep improving the technology, the processes, and the awareness. But with cybersecurity, there’s a chronic shortage of people with that expertise. As soon as someone is available, they get snapped up, which is another indication of how much is going on.

Question: Today’s vehicles have an average of 100 million lines of code and 60 control units. Those amounts will only increase in future models. What kinds of cybersecurity risks do these volumes create? For example, many of those telematics systems need to interact with one another, so they need to be able to authenticate and trust one another. What are some ways to ensure that one system doesn’t become the weak link that creates a back door into other systems in that vehicle?

Weimerskirch: One aspect is that if you’re designing a component or a system or a vehicle, it’s essential that you don’t trust any input. Say you’re designing the interface of an entertainment system or telematics unit. You should assume whatever comes from the server might not be trustworthy. Maybe someone hacked into the server. Be a bit paranoid, and always assume the worst case.

It’s also really important to understand what the risks are in each situation and the options for mitigating those vulnerabilities. For instance, if we add vehicle-to-vehicle (V2V) safety communication to vehicles, the wireless V2V interface must be properly separated from real-time safety network segments, and all received input needs to be properly checked for plausibility. This allows us to introduce new technologies while understanding and mitigating the risk.

So the bottom line is, yes, complexity is increasing. The way to respond is by having the appropriate security mechanisms and risk assessments.

Question: Are there any big differences in the way some major countries and regions (for example, the EU) are developing laws that affect vehicle cybersecurity and privacy? If so, doesn’t that make it challenging for automakers and their suppliers to develop a product that can comply with myriad laws so it can be sold into as many countries as possible rather than having to create country-specific versions?

Weimerskirch: One challenge is that privacy regulations vary widely. For example, the EU has data protection laws, the US doesn’t. Then inside the EU, Germany is known for having especially strict data protection laws. Complying with all of these laws is complex.

Another challenging aspect is cryptography. China is especially interesting. It has laws that basically dictate the use of cryptographic algorithms, whereas the US and EU—and probably the majority of other countries—allow the use of any cryptography. That means for China, you need to have somewhat different implementations that use approved cryptographic algorithms.

Cybersecurity is a very fast-moving area. That makes it tough to have sound and useful technical regulations mandating how to achieve that because research and known attacks move forward so rapidly. The National Highway Traffic Safety Administration recognized this already and supports stakeholders by providing best-practice guidance and sponsoring research.

Question: Are there any aspects of vehicle cybersecurity that you think aren’t getting the attention they deserve?

Weimerskirch: One is the need for a way to measure privacy protection. In order to build good privacy protection mechanisms, it’s really important to be able to measure their efficacy.

It’s also essential to understand metrics for a vehicle’s cybersecurity. Suppose I show you two cars and say, “On a scale of 0–100, tell me how secure each car is.” You can’t do that today.

We can, for example, do penetration testing and say that one car took X amount of time longer to breach than the other. But such tests take a lot of time and people, and there are also some big variables, such as one team just happening to try the right approach earlier than the one trying to hack the other vehicle.

It would be great to have a standardized way of measuring how secure a vehicle is, the way we do with other aspects. For example, we crash cars in a controlled manner and can measure the physical effects on the crash-test dummies. Then buyers can look at those safety ratings to see how they compare to other vehicles they’re considering.