event coverage

Cybersecurity Lessons Learned from Outside the Automotive Sector

Jennifer Tisdale, Cybersecurity & Intelligent Transportation Systems Manager, Michigan Economic Development Corporation, moderated this panel, which included Marty Edwards (Assistant Deputy Director, NCCIC and Director, ICS-CERT, US Department of Homeland Security), Brian Witten (Senior Director, Symantec Research Labs, Symantec Corporation), and Phil Harvey (Technical Director, Cybersecurity and Special Missions, Intelligence, Information, and Systems, Raytheon Company).

After Edwards set the table with a roles-and-missions discussion of Federal cybersecurity responsibilities, Whitten noted that automotive cybersecurity is a variety of IoT security. The automotive sector should pay close attention to lessons learned from the Internet-of-things. Harvey pointed out that a lot of the 100M or so lines of code in a luxury vehicle come from other sectors.

The industry needs high-quality, disciplined coding, the panel agreed, and security isn't always about technology: it's as much about practices as it is about technology. Whitten advocated risk management of security in code modules, and Harvey advised taking the first of the familiar twelve-steps: admitting that there's a problem is the first step.

Tisdale asked the panelists have any solutions they'd care to recommend. Harvey said the industry should start by getting serious about processes, and about finding vulnerabilities early. Give developers insight into security. There are proven approaches, tools and standards, Whitten added, in other verticals (he cited cryptography as an example).

Asked to share their concerns, Edwards said he was concerned about level of connectivity in daily life. "At some point we may decide, intentionally, not to connect some things." Some car systems, like braking, perhaps, shouldn't be connected. Harvey found the general lack of understanding we have of features we demand in our lives disturbing. Whitten took the final word, stressing that there's not yet enough transparency in automotive security.