The Michigan chapter of the National Defense Industrial Association (NDIA Michigan) is gearing up for its annual Cyber-Physical Systems Security Summit. The virtual event, scheduled for March 9th and 10th, will cover the importance of cybersecurity relative to connected and autonomous military systems. This includes ground vehicles, military drones, heavy trucks, aerospace, robotics, and maritime platforms.
“The National Defense Industrial Association is a membership-based, non-profit organization dedicated to being the connector between industry and government in developing, collaborating, and educating to protect our women and men in uniform,” said Jennifer Tisdale of the NDIA Michigan Board of Directors (Tisdale is also Principal of Cyber-Physical Systems Security for GRIMM).
Tisdale invited me last year (pre-COVID) to the Cyber-Physical Systems Security Summit here in the Detroit metro. I had just finished interviewing Tisdale for a then-upcoming AutoSens panel on automotive cybersecurity when she extended the invitation. Two things really stood out at the event last year: cybersecurity is too easily overlooked or rushed, and ambitious cybercriminals (often called “bad actors”) can cause a lot of damage.
As I watched the presentations, the Sun Tzu quote “all warfare is based on deception” came to mind. In my still limited knowledge of cybersecurity, these bad actors seem engaged in a new Art of War. And on this modern battlefield, it’s easy to deceive, especially if today’s cybersecurity programs often lack the resources and funding they need.
“From a government perspective, specifically the military, these tactics are more than a researcher with a curious mind,” Tisdale explained. “From a nation-state, these are, potentially, acts of war, and flaws in one system could mean a flaw for all, be it industry or government.”
The State of Cybersecurity Today
According to a report last year from ISACA, over 90 percent of security professionals say that cybercrimes have increased during COVID-19. The report, Part 2 of ISACA’s Global State of Cybersecurity 2020, sought responses from more than 2,000 information and security professionals from nearly 20 different industries. In the survey, 62 percent said their cybersecurity teams are understaffed, while another 53 percent believe their organization is likely to experience a cyberattack within the next year. According to the survey, cybercriminals and hackers remain the most significant threats, but a growing number of respondents believe cybercrimes are underreported.
According to the National Cyber Investigative Joint Task Force, an estimated $144.35 million in Bitcoin was paid out as ransomware ransom between 2013 and 2019. In response, the task force outlined its Operation Clean Slate initiative in four stages: Prioritize the Threats, Identify the Actors, Enact the Best Response, and Implement Appropriate Neutralization and Mitigation.
“Specifically, Operation Clean Slate’s objective is to eliminate the most significant botnet activity and increase the consequences for those who use botnets for terrorist purposes, intellectual property theft, or other criminal activities,” the task force writes in a PDF document that outlines Operation Clean Slate. “Given that no single agency or company tracks the number of botnets in existence, the number of victims impacted, or the dollar value of damages caused by all botnets, the initiative will harness multiple inputs to describe the results of its efforts.”
The findings from ISACA, and the importance of initiatives like Operation Clean Slate, are underscored in another survey (PDF) conducted by Synopsys and SAE International, along with the Ponemon Institute, about the state of automotive cybersecurity. In that study, 84 percent said cybersecurity practices are not keeping pace with new technologies. Meanwhile, 63 percent said they test less than half of their hardware, software, and other technologies for vulnerabilities. Another 30 percent do not have a single cybersecurity program or team in place.
“The challenge is getting the literal buy-in,” Tisdale told me during the aforementioned AutoSens interview. “We need the budget from senior leadership to invest in the testing so we can better develop the tools to ensure security.”
Parallels Between Military & Automotive
While the upcoming NDIA Michigan event is focused on military applications, there are plenty of takeaways for automotive, both in terms of ADAS technology and full-on autonomous driving. “The threat landscape differs, but the risk is similar,” Tisdale said, noting that automotive and defense do have the same technological and cybersecurity concerns. “Hence the importance of this symbiotic relationship between defense and automotive.”
One of the main ideas is a cross-pollination effect between the military and the automotive industry. Since the military already has access to self-driving technology, dozens of applicable use-cases, and government budgets to facilitate further research and development, there are bound to be key insights for the automotive sector.
“NDIA recognized the need to bring automotive, cybersecurity researchers, and Army engineers together to have these discussions, conceptualize innovative solutions, and to ultimately test the technologies,” Tisdale explained. “The NDIA Michigan Cyber-Physical Systems Security Summit is a convener of thought-leaders to address, educate and help solve the potential for cybersecurity issues which may be used against us by malicious actors.”
One potential hurdle for automotive cybersecurity is the relationship between cost and threat. When automakers benchmark their vehicles, usually against a competitor, they examine several factors, but cost is always at the top of that list. As Tisdale explained, cybersecurity in the military sense is easier to conceptualize, as risk and threats to national security are already present and identified. “In commercial automotive, it is a bit trickier,” she said. “The race to get to market seems to be prioritized and, while cybersecurity is important, it doesn’t make money; it costs money.”
Asking The Cybersecurity Question
It may come down to asking the “cybersecurity question” for us in the automotive industry. As new innovations and insights come to light, especially in ADAS and autonomous driving, it’s perhaps a good idea to have cybersecurity somewhere in our minds. On a personal note, I have started doing this since the NDIA Michigan event last year. Looking at autonomous cars and connected infrastructure through a “cybersecurity lens” since attending the NDIA Michigan event last year has really changed my perspective.
For example, Automoblog, the sister publication of AutoVision News, had a “Future of Transportation” section back in 2015 and 2016. We earnestly reported on the happenings around autonomous vehicles but became caught up in some of the pomp and circumstance in hindsight. We may have embraced the “Peak of Inflated Expectations” in the Gartner Hype Cycle a little more than we should. But the last five or six years have taught all of us in the automotive industry a lot.
Today, the industry has more working knowledge about the capabilities and limitations of autonomous cars. We have a greater understanding of some of the fundamental benchmarks and core technical tenets that will bring next-generation ADAS technology and perhaps even full autonomy to the market. These things include (but are most definitely not limited to) how adverse weather impacts sensors, the benefits of in-cabin monitoring, how AI will play a role, and now, cybersecurity.
“As consumers, we love the convenience, the ability to work smarter versus harder, the ability to develop connected and automated cars, and the like,” Tisdale said. “But as we’ve discussed before, the sensors and software introduced into our connected products, be it an everyday passenger vehicle or a military ground vehicle, may also include cybersecurity vulnerabilities. The criticality of these flaws should be identified, assessed, and managed.”
2021 NDIA Michigan Event Registration
The NDIA Michigan Cyber-Physical Systems Security Summit will be held virtually, March 9th and 10th, 2021. Topics include Crypto Agility – Robotics, wireless communications, Automotive IoT, IDS/IPS Solutions: Beware of the Snake Oil Salesman, cybersecurity policy, aerospace/drone cybersecurity, securing convoys, practical limitations of fleet SOCs, and more.
AutoVision News readers are invited to register via the NDIA Michigan website. Sponsorship opportunities are also available for businesses, academia, and non-profits.