Too Few White Hats to Protect Connected Cars, Says GM

Auto industry is struggling to find cyber-security talent, General Motors' Matt Mackay tells Louis Bedigian.

With connectivity in full swing, cyber-security has become one of the hottest topics in automotive. From ransomware, which could cost consumers and businesses an endless amount of money, to the risk of someone maliciously commandeering a connected car, the potential threats are truly massive.

Matt Mackay, manager of product cyber-security governance and risk analytics at General Motors, said that this is an emerging area that lacks hackers both good and bad. Said Mackay: “In traditional IT, the barrier for hackers and researchers to explore is much lower. It doesn’t cost a lot of money to either have your own personal computer or mobile phone that you can go online, find out information about how to explore, look for vulnerabilities, and use standard software libraries that do a lot of the heavy lifting for you. In vehicles, it’s a much higher bar because there’s the potential for you to do some really detailed security vulnerability research. There has to be a willingness to have a vehicle that you could potentially disable in your research.”

Consequently, Mackay has found that White Hat hackers are in short supply. He added: “It’s an emerging field and we don’t have, right now, the same participation of hackers that the broader Internet and global services have today. So, the challenge for us is really to find and engage with the researchers who are doing advanced security testing with respect to automotive.”

That said, there is a growing number of cyber-security firms that either specialize in automotive or have added auto protection to their roster. Mackay doesn’t see these offerings as “more of the same” but rather as a sign of the intense interest in protecting the future of mobility. “There are opportunities to become a market leader from the perspective of being recognized as a company with unique skills and a unique value proposition,” he said. “It’s understandable that, because this is a relatively new field, there would be a lot of entrants trying to vie for supremacy and, if that starts to drive interest in the field, where there are more security researchers and people with the skill to both attack and defend vehicles, that’s good for us because it broadens the talent pool.”

Talent, as it turns out, is a problem for automakers seeking cyber-security specialists. Mackay isn’t sure why but he said the intoxicating allure of start-ups and technology in Silicon Valley and the Bay Area is very difficult to compete with. He is hopeful that the tide is starting to turn. “Automotive seems to be the convergence of almost everything that is intensely interesting in the computer science and computer security arena,” said Mackay. “Over time I think we are starting to see more recognition and we’re certainly seeing more engagement.”

Ready to share?

Automakers and Tier 1 suppliers aren’t known for their eagerness to share information but the industry has turned a corner with the formation of the Auto-ISAC (Information Sharing & Analysis Center). Mackay was part of the first group of people trying to bring the Auto-ISAC to life. He said that, at the time, he could feel the reluctance from its potential members. Said Mackay: “I am always struck now by how normal it is to have conversations with Tier 1 suppliers about cyber-security-related research or something that was in the news recently. It’s pretty free-flowing and easy to have these conversations where you’re a phone call and email away.”

Has the Auto-ISAC made carmakers and suppliers more willing to share other information as well? Mackay isn’t so sure but he said there could be an opportunity to share research related to autonomous driving. He explained: “These are in the very early stages but it’s an example of moving from a cyber threat clearinghouse into a more standardized potential framework of data sharing regarding autonomous. We haven’t officially committed but this is an example of how the Auto-ISAC can help to bring in other opportunities to collaborate.”

The dangers of OBDII

One area that’s very difficult to secure is the OBDII port. There isn’t anything stopping consumers from plugging something into it, whether it’s a diagnostics device purchased on Amazon, a data and analytics dongle from an insurer, or a new-fangled idea from a start-up. The risks are so great that some in the industry have called for its removal. Mackay didn’t go that far. In fact, he said it is actually necessary to preserve the Right to Repair law, but he isn’t a fan of the port’s widespread use.

“We are not in favor of customers plugging any untrusted device into the OBD port,” he warned. “We know that it opens up, from a hacker’s perspective, an attack surface. It’s an area to explore and look for vulnerabilities.”
