Redefining CyberSecurity

Wheels, Wires, Silicon, Sensors, Networks, and Data: Navigating the Cybersecurity Across an Automotive Ecosystem on the Road to Passenger Vehicle Autonomy | A Conversation with Scott Sheahan and Marco Ciappelli | Redefining CyberSecurity with Sean Martin

Episode Summary

Dive into the intricate world of automotive cybersecurity with Scott Sheahan, as he navigates the confluence of technology, safety, and privacy in connected vehicles on the Redefining Cybersecurity Podcast with Sean Martin and special guest Marco Ciappelli. Unpack the evolving landscape of the automotive industry, the challenges of cybersecurity, and the philosophical musings on autonomy and control, in a conversation that beckons the curious mind.

Episode Notes

Guests: 

Scott Sheahan, Owner/Principal Consultant, Rustic Security LLC

On LinkedIn | https://www.linkedin.com/in/scottsheahan/

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

___________________________

In this episode of the Redefining Cybersecurity Podcast, host Sean Martin is joined by co-founder Marco Ciappelli, host of the Redefining Society Podcast, and guest Scott Sheahan, a seasoned professional with a rich background in the automotive industry and embedded software development. The episode digs into the pressing issue of automotive cybersecurity, exploring the challenges and complexities that manufacturers, OEMs, and consumers face in an increasingly connected world.

Sheahan shares insights from his transition from aerospace to automotive, emphasizing the similarities between the industries, particularly their reliance on embedded systems and the heightened concern for cybersecurity. The conversation touches on the evolution of connected cars, highlighting the myriad data collected through telematics devices and the privacy concerns this raises. The episode also discusses the impact of cybersecurity on vehicle safety, the role of industry standards like ISO/SAE 21434, and the paramount importance of secure-by-design principles.

The dynamics of the automotive supply chain and the right to repair are examined, alongside a discussion on the future of autonomous vehicles and the implications for consumers' connection with driving. Scott Sheahan encourages aspiring cybersecurity professionals to dive into the industry, underscoring the demand for talented individuals in this critical area. The episode wraps up with a philosophical reflection from Marco on the essence of ownership and control in the era of connected and autonomous cars, posing thought-provoking questions about the nature of technology's role in our lives.

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Inspiring post: https://www.linkedin.com/posts/scottsheahan_getting-into-automotive-cybersecurity-activity-7143250700741804032-FJe4/

ISO/SAE 21434:2021, Road vehicles: Cybersecurity engineering: https://www.iso.org/standard/70918.html

ASRG YouTube Channel: https://www.youtube.com/@automotivesecurityresearch1613/videos

ASRG website: https://asrg.io/

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring this show with an ad placement in the podcast?

Learn More 👉 https://itspm.ag/podadplc

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Marco Ciappelli: [00:00:00] Marco Sean, welcome. Thank you. Thank you for having me. I'm not sure I know why I'm here, but thank you.  
 

Sean Martin: Me neither. Me neither. You just, you drove up, honked your horn and said, I'm coming on this show.  
 

Marco Ciappelli: You say you wanna join me. I'm like, sure. I got nothing to do,  
 

Sean Martin: so why not join me on this ride? Join me on this ride. 
 

Literally a backseat driver, literally. This is, uh, this is cool. Thanks everybody for, uh, joining me. You're all very welcome to, uh, a new episode of Redefining Cybersecurity podcast. And, uh, this is Sean Martin, your host of course, where I get to talk about all cool, all kinds of cool things, cybersecurity related, um, most times as it hits businesses and operations and. 
 

It's hard to disconnect that from the real world. That's why, uh, I brought Marco on as well. 'cause the topic today, which is automotive security, definitely touches the real world, right? So certainly those, those [00:01:00] organizations as manufacturers and, and systems operators and huge supply chain entities have, uh. 
 

Have a lot to worry about on their own, but all of that stuff ends up hitting the roads and, and, uh, everything else that we, that we do in our lives. So I'm thrilled to have, uh, Scott Sheahan on. Scott, thanks for joining.

Scott Sheahan: Glad to be here, guys.

Sean Martin: And this was, uh, this was inspired by a post that you made on LinkedIn, which I'll include here.

I, I encourage everybody to, to have a peek at that. There are countless resources that Scott provided and, and some of other folks commented with even more. The whole point is why should we concern, be concerned about cyber security and how do you get involved in, uh, in helping to improve the, the safety of cars from a cyber perspective? 
 

And, uh, Scott, I'm, I'm excited to dig into this with you and, and interested to hear what Marco brings as a backseat driver on this chat.  
 

Marco Ciappelli: I wanna hear, and I already think I have a few [00:02:00] questions in my, in my head, but, uh, I'll sure you.  
 

Sean Martin: You're gonna ask that one more question at the end, I'm sure, but before we get there, Marco, I wanna know who's in the car with me today, Scott? 
 

Uh, a few words about you, what you're up to. Sure.  
 

Scott Sheahan: Um, I, uh, I'm a Hoosier now. I live in Indiana and have been involved in the automotive industry for about five full years. Before that, I was an embedded software developer in the defense industry. And so aerospace and automotive are pretty similar industries. 
 

Transitioned over mainly 'cause I didn't want to have to deal with classified labs. Um, and it's a lot, been a lot easier with remote work. But, uh, so I've been involved with securing embedded and connected systems and cars for different OEMs and tier ones. Um, that's what I do day to day and I enjoy the industry and really like it. 
 

Sean Martin: I love it. And, [00:03:00] uh, Marco, of course, is the, the host of the Redefining Society podcast, uh, where he connects technology to the impact of everything on it. Do you wanna say something about your show, Marco? I. People who know. That's pretty cool. It's cool. I don't, I don't seem to get invited to that one anymore. 
 

Marco Ciappelli: Yeah, you do what? We don't go technically deep in things like you, you do, but uh, it all bonds around. Right. You know, like right now, Scott just said aerospace and cars, it's not that different. That they're already like, wait, wait a minute, you gonna have to explain that to me until I get flying cars. I don't really see the connection. 
 

So, you know, one-on-one on why that's the case. Could be some place where we can go and uh, and that's usually where I go with issue. So, Sean, thanks for asking.  
 

Sean Martin: Well let, let, let's start there. What, what are some of the similarities? Uh. You've, you said embedded a few times as well. Um, yeah. So maybe kind of paint a [00:04:00] picture of the world of automotive infrastructure and, and maybe what folks need to know on that front. 
 

Scott Sheahan: Yeah, so I think I, I related the two because they're transportation industries and mobility industries, and so aerospace, automotive, they're very heavily reliant on these embedded systems in their architectures, whatever. For the vehicle architecture, there's all these different control units inside of it that have very, very specific function. 


One might be to control the different door functionality or windows. Um, your infotainment unit. And now, I mean, nowadays the concern with cyber security is very recently talking about in the last 10 to 15 years, we started to hook these all up to a sub-component of the internet, right? So there's telematics units, uh, mobile modems, uh, 4G and 5G modems that get put into [00:05:00] these vehicles. 
 

And so now that you have connected these embedded systems to a larger amount of, you know, the, the internet, there's, there's a lot more risk involved as far as cybersecurity. So the industry has adapted over the last 10 years, especially. And it just, yeah, it keeps things interesting. It's, it's a new world regarding connected cars in the future with hooking everything up. 
 

I mean, it's not just cars, it's, you know, you guys know, IoT, cars, um, airplanes. It's all, it's all hooked up to the internet, cities.  
 

Sean Martin: Yeah. Structure, you name it. Uh, throw, throw an internet connection on there. You used a plural, uh, version of, uh, 4G and 5G routers or modems. Are there more than one in the car? 
 

Scott Sheahan: I, I guess I'm just trying to highlight the transition in the, in the modems [00:06:00] as well over the last number of years for modems. That may have just been 4G support and then others that may have just, that may have, yeah, the backwards compatibility, but they have 5G. Okay. So not, but you also have to, yeah, and you usually have to. 
 

Remember, these cars are on the road for a number of years, and so, uh, you have connected cars from before 5G that, you know, they got 4G modems. Um, and I mean, my phone, I guess right now I think technically has a 5G interface, but I don't use it. It still uses the 4G interface. So yeah, it's a, it's all this backwards compatible technology that just keeps building and, and you guys know for cybersecurity that just causes companies headaches. 'cause there's a lot to maintain and a lot of, if vulnerabilities are found, there's a lot to be done in the area of, of responding to it.  
 

Marco Ciappelli: So, sorry. Can, can we assume that every car that you buy now, or I don't know when this started, is pretty much [00:07:00] connected? Because I, I don't think people go like, oh, I'm not gonna get that car because that's connected. 
 

I'm not gonna get the connected fridge. But yeah, the car, do you have a choice anymore?  
 

Scott Sheahan: It depends on the OEM and to my knowledge, some, yeah, almost all of their models are a hundred percent connected. 'cause their business model relies on it. There are other OEMs that have your lower end models that don't. 
 

But I think as a business case as well, the OEMs are realizing, hey, there's a lot of valuable data in the car. If we have the modem, we can stream it back. They make a business case for it that they're gonna, yeah, they'll include the modem. It's some additional cost into the bill of materials, but it provides them with insight into how people drive, the surroundings around people. 
 

The sensor, uh, data that's being read in from your vehicle and go to improve, yeah. Uh, the [00:08:00] different types of autonomous or driver assistance technology. But that's, I would say, yeah, most, most businesses now are, are defaulting to the connected vehicle because of that aspect.  
 

Sean Martin: So I can, I can probably think of, I don't know, 10, 20 different use cases where I'd want a bunch of data from the car and, and have it available to me from an individual car, from a particular model, from a particular region, from, I don't know, slice and dice this information for different reasons. 
 

Um, there's the, I want to improve the efficiency of the car. There's, I want to improve. The, uh, help, help, uh, steer folks in the right direction from a traffic perspective or help with, with insurance policies or, yeah. You mentioned some of the business cases where I presume it's your car's due for, for service 'cause of the way you [00:09:00] drive, you maniac. 
 

Um, I dunno, those are some of the things that come on top of my mind. Are there other, other scenarios where this becomes important or at least in somebody's mind, important.  
 

Scott Sheahan: Uh, and I would say another one that I didn't highlight is over-the-air updates just as far as maintaining your control units and, and patching the firmware. 


So for cybersecurity stuff, if you have to release a patch now, you don't have to, you don't have to have people drive into the dealership to have a technician flash that onto your control unit. You can do it over the air. So that's a, that's a big one. I mean, I don't know how many millions of dollars that saves, but for each OEM that's, having the connected vehicle is a, is a big advantage there.  
 

Sean Martin: So instead of pulling in and dropping the car off, you sit on the side of the road for an hour?  
 

Scott Sheahan: Yeah. Or they generally, generally they wait till you're, you're parked in the garage and a lot of 'em connect to your home Wi-Fi, or a different access point that you've configured, and then [00:10:00] they wait for a good time in the middle of the night and, and update themselves. 
 

Sean Martin: I rented one and didn't have that option.  
 

Scott Sheahan: Oh, really?  
 

Sean Martin: I stopped, huh? Before you could go. You have to wait. So interesting scenario, Marco.  
 

Marco Ciappelli: I don't know. I have a ton of questions, but I wanna, I wanna go maybe where, Sean, where you wanna go. So, with great power. Mm. Great responsibility as usual or great risk. So maybe we can go Mm-Hmm. 
 

In, in, in highlighting the role of cybersecurity professional in this. As a consumer, again, I would say, well, if you make my car safer, cool. Right. But if then I go with the risk of being actually unsafe because I open a lot of doors and windows and, and, and allow risk into my life in my driving actually where [00:11:00] I want to be secure. 
 

Then maybe a little bit different perspective. So we, we, we need the security aspect in here. So what are the main, um, the main things that we need to look into? 
 

Scott Sheahan: Yeah. I'd say the, the safety and security element that you mentioned are very intertwined now. There is, as engineers, as we're making the vehicles for these companies, safety is always top priority, right? There's lives at risk in these vehicles, passengers and drivers and other people around them. And so safety has always been top of mind. 
 

But now you have the element of cybersecurity in your design and there is some overlap, um, because, uh, I've heard the, I guess the kind of the phrase is that safety is pretty static. You cover all your bases and, and there's not gonna be any like kind of new cases really for safety. You kind of understand them, but [00:12:00] cybersecurity is very dynamic. 
 

And the fact that the firmware that's in these vehicles lives for a long time, the different tactics and techniques that the hackers or, or state entities are using is changing. And so you have a, an element of actually dynamic, uh, change coming into your, into your vehicle and it can, so that can affect safety. 
 

So yeah, I think a lot of OEMs are taking a lot of precaution when it comes to these connected vehicles to make sure they're secure and nobody can, can take them over on the, on the road. And there is a lot of, um, I don't know, just representation may be out of Hollywood. That's kind of, I mean, it's theatrical, it's Hollywood, so of, of cars being remotely taken over. 
 

A bunch of 'em being driven remotely, which there's a lot of safeguards that goes into making sure why, why that is very hard to do. It's theoretically possible, but extremely hard to do. [00:13:00]  
 

Sean Martin: I think the lesson is not to have a white autonomous vehicle. If I'm thinking of the same movie you're thinking of where they're all controlled by. 
 

Scott Sheahan: Oh, yes, yes.  
 

Sean Martin: Um, but, uh, so I wanna ask you this 'cause, clearly, you said what? 10, 15 years now? It's been a topic. I know there's been a lot of progress. I don't know how many years ago it was. We, Marco, I think we, well, did you say 2015? We connected with Ian Tabor in, uh, uh, London. No, '18. 


2018, yeah. Somewhere around there. 2018, Ian Tabor. And, and the, and Casey Ellis, the team at Bugcrowd were doing some things with some automotive organizations from a bug bounty perspective. So I, I think there's been a lot of, and I know at DEF CON there's activities and, and policy folks were being brought together with the hacking community to raise awareness. 
 

So I guess my [00:14:00] point is there, there's been a lot of external, I. Um, interest and discussions around the need for cyber security investments by the automotive industry. Um, Marco and I have, we have a friend that actually does that in, uh, in an automotive agency in, uh, out of, uh, Japan. He was hired to help them with that. 
 

So I know there's some inside, but I guess I want to get your view of how, how well has the industry embraced. The idea that we need to be more secure.  
 

Scott Sheahan: I'd say pre 2015 people were on the fence and then obviously at DEF CON, um, Charlie Miller and Chris Valasek demonstrated the remote hack through the cellular modem to get onto the, the Jeep's powertrain and, and be able to actually, they did actually inject some commands. 


[00:15:00] The security engineering was not all that well-developed and post-Jeep hack, I think that's a big, everybody references it. I mean, in the industry here, that, that moment referenced a lot. But we've had a lot of development in this space, and so we're roughly at about 10 years since then. Um, and there's been standards, so we have an ISO standard. 


Um, ISO and SAE, they came together and made the 21434. Road vehicles, um, cybersecurity engineering for road vehicles. Um, and so that was, that's been a huge effort and that means that OEMs and tier ones are responsible for kind of best practices in cybersecurity management systems. How to engineer a vehicle, how to engineer an embedded controller, or whatever component it is. 
 

You have to go through the proper process and. It, it's just when you make something secure by design, 'cause you've gone through all these [00:16:00] steps, it comes out pretty good. And when you don't, obviously you guys Yeah, you see the news articles when things are not designed securely from the get-go. Um, but that's, I'd say, yeah. 
 

Now we've had that, that standard was published, I believe it was in 2021. We've had a number of years to go through it. And the OEMs and tier ones are, are now. Becoming more and more mature all the time. Their teams are, are quite large and there's a lot of investment just to make sure that the engineering design is making these products securely. 
 

Sean Martin: There, there are a ton of parts and I, I mean, in the news right now, connecting back to aerospace, um, uh, simple thing like a bolt can be missed, right? That can cause a big safety issue. Yeah. Um, so that bolt clearly. It's part of the supply chain to build an airplane. Same for a car. There, there's a ton of stuff. 
 

Uh, ton of physical things, ton of sensors, a ton of [00:17:00] software components. Like, I don't know if there's any one entity that builds it all themselves. I can think of one that might try, but a lot of them probably have a huge supply chain of digital elements as well. Yeah. So how does that complicate things for manufacturers actually that put this stuff on the line and then out on, on the streets. 
 

Scott Sheahan: Yeah. That's a, that's a excellent part of, of the industry is, is this supply chain of, you have the OEM that has a lot of parts, electronic components that are supplied by what we call tier one suppliers. And so they bring these two Yeah, there's this overlap of, yeah, who's responsible for what in the design process that is covered in the standard and so. 
 

It is ultimately the responsibility flows up to the OEM 'cause they're putting the product in their connected vehicle. And so there's a lot of, there is shared responsibility, but a [00:18:00] lot of the risk gets, operational risk is taken by the OEM. And so I've been able to work at, um, an OEM. I was working, I was working at Ford for a while and then I got to go to a supplier active and see, actually I got to hop onto one of the parts that I was. 
 

Helping with and work at the tier one level designing that part, um, for cybersecurity. And so this, yeah, this changeover between OEMs and tier ones, it's, it's really important. And there's, yeah, there's, I can tell you there's a lot of meetings every week of the OEMs monitoring, like, Hey, we have our weekly cybersecurity sync up on this part that you're making, and they wanna make sure it's done correctly. 
 

Marco Ciappelli: So, can I ask you this? 'cause I, I keep thinking you, you buy a car. And not every car is the same. And I'm talking about a price tag on it too. Mm-Hmm. Uh, you can get a car with, I don't know, 20,000. You can get a car for 300,000, 400,000, and you assume it's a better, [00:19:00] safer, more comfortable car. Maybe there is a brand value on it too, but you know, at least the safety. 
 

You think it's, it's always been thinking that. If it's more expensive, it has more advanced technology, it's probably gonna keep me safer. Then we get into self-driving, whatever level it is that I can keep the distance on the highway or whatever it is, it brakes on its own and da, da, da. So I know that I'm, I'm gonna have to pay probably more for more safety. 
 

Does it come cyber security with a price tag in different level as well? Or when you work on that, you. You do end up  
 

Scott Sheahan: like, yeah, more of the, the second part there with most of those connected components are the same within the connected vehicle architecture. So yeah, the Renal may have one set of connected components that they use and, and yeah, Ford as well, their own in-house [00:20:00] components that they're just gonna reuse across the connected architecture. 
 

Then the differentiation there might be small, yeah, small inputs that are different into the systems, different sensors, sensor packages, camera packages, uh, different, yeah, maybe a different infotainment screen. Ones like a massive, huge touch screen. But ultimately. The cybersecurity engineering is, I can tell you from my experience, it's, it's the same as far as, you know, there's, nobody's gonna skimp on that because if they have an incident, they know the next big incident. 
 

They're, I mean, we're talking tens to hundreds of millions of dollars that the OEM has to, to put out, if not more. You know, it depends, and everybody's, I, I think Elon Musk has referenced. A few years ago that the fleet-wide hack is what all OEMs are worried about. And I think his particular quote was about the next OEM that has one is could potentially go out of business. 
 

So everybody's really worried about it and they're, [00:21:00] yeah, there's no, like all of 'em are going to be as, as secure as as possible. Okay.  
 

Sean Martin: So hard. Let's talk about some of the activities involved. 'cause I'm, I grew up in, in traditional IT network environment where there are a bunch of best practices. The one obvious one is separate the good stuff from the open stuff. 
 

Mm-Hmm. The exposed stuff. Yeah. Um, do, do a lot of those same practices follow through and are there. Do, what do security researchers and practitioners have to think about differently perhaps in the auto infrastructure?  
 

Scott Sheahan: Yeah, that's, there is a lot of traditional, I mean the IT cyber security defense principles are, are, I would say that the neat thing about a car is you have. 
 

All of these types, the, like the full stack of like, you have like really small embedded devices. You have [00:22:00] like a, basically like a tablet type infotainment display. You have your advanced driver assistance that's doing a bunch of like video processing and machine learning algorithms. You have a cellular modem. 
 

You have like all these layers of components that each has their own little security controls that are different than the others, like securing an Android based infotainment is not the same as securing like an AUTOSAR based body control unit or something like that. Um, but the same principles apply. I mean, you do a threat analysis and you look at kind of, I generally go through the STRIDE-type mnemonic and look at the different threats there, securing the network, securing the, the endpoints, the computing power, the, the electronic control units. 


Um, network segmentation is a big one. Um, and the classic, you know, now, actually now automotive Ethernet is pretty prevalent in the vehicle. So you have [00:23:00] your, your Ethernet frame and above, like from there to the, to the application layer. You have your traditional, um, like IP based defenses that you can put into the vehicle now. 


And so. It's not reinventing the wheel it's using. Yeah, it's using a lot of your traditional defenses, mTLS, mutually authenticated TLS connections within the vehicle, segmenting the, the most important modules on one network and the, maybe the powertrain gets its own network and the body control gets one network and maybe the chassis control gets one network and then all the, maybe some of the other ones. 
 

But yeah, this is all very well thought out. Um. But, but I would say the, the neat thing and why, what I would say to somebody, why, why automotive, cyber? Well, because it has like, everything, it has blue, it has Bluetooth, it has cellular, it has USB, it has, I mean, near field, near field. Like it [00:24:00] has all this, all these interfaces, you get 'em all in the vehicle. 
 

And so you just, like every day you're just constantly learning as a security engineer. Okay. How do we use the same Secure by design principles, but okay, now it's for a new interface and it's, it keeps things interesting  
 

Marco Ciappelli: and you're still thinking about, at least I'm thinking while you're talking about the car one car or the fleet of car. 
 

But then I, I started thinking about when you talk about edge computing and car communicating, one with another in an autonomous environment, or my car knows where the closest car is and how fast it's going. I, I think you even get more cherry on top of this cake. Like, yeah, it just, like, it just get everything. 
 

Um, is that a lot of changes when a car get towards a certain level of autonomy? I mean, I'm assuming there, there is more, even more risk, but am I correct or not? [00:25:00]  
 

Scott Sheahan: Well, I would say that the traditional security defense, yes, there's more risk because now the vehicle is, is driving itself, but the traditional security defenses are, are all about the same. 
 

Um, firmware integrity, the, like we talked about, the network protection, um, the connectivity from vehicle to cloud or edge computing resources. The, uh. The thing, there's this technology called vehicle-to-everything technology. I don't know if you guys have heard of that, but the, yeah, the V2X. Um, the thing that's interesting is I look at all the autonomous companies in my own personal opinion is that obviously if you're making an autonomous system, you can't make it reliant on the V2X signals coming in. 


So none of the autonomous companies use that technology like, oh, okay, that's gonna, you know. You can't, if there's anything that goes out, you can't, you have to rely on the onboard [00:26:00] sensors, the lidar, the radar, ultrasonics, um, and cameras. And so the, the funny thing is, is I don't know, I'm not too involved with this area, but there's millions and millions of dollars that's been put into V2X and a lot of promises. 
 

But I see a lot of people kind of like the general sentiment is how. How are we gonna actually use it? I mean, in that sense, for autonomous driving, there might be other use cases where it makes more sense. Like toll. Yeah, maybe toll booths. Um, great. That makes sense. Um, but for autonomous driving, it's kind of a, a case where there's a lot of critics on it. 
 

Sean Martin: Yeah. So the, uh, I don't. The old CIA triad, uh, availability is key, right? Mm-Hmm. And also integrity. I don't know if we wanna head down that, down that path or not. Um, are systems getting jammed with, with erroneous data to, to cause stuff? But I want to maybe kind of bring it back to the post a little bit in [00:27:00] that people interested in helping to secure cars. 
 

Um. I know you have a ton of resources in your post, as I mentioned at the beginning. Are there any areas that you recommend folks, I, maybe there's two types, folks who know cyber and wanna enter auto, cyber. Mm-Hmm. Or folks who aren't in cyber, but have a love for cars that want to Mm-Hmm. And wanna figure out cyber on any, any tips for those folks? 
 

Scott Sheahan: I, I really, this is in the post, but I really have benefited from the Automotive Security Research Group. It's ASRG, and that's a group that's been started, a non-profit, just to get a lot of knowledge sharing. It's people from all over the industry, all these different OEMs engineers and tier ones, just kind of, we, we all come together and during covid they've got a good [00:28:00] YouTube library of videos. 


So I, I used to attend, um, online, just their weekly stream. And then now they also have a, a conference coming up. It's Secure Our Streets, so that's a free conference that they put on, uh, for the industry as well. So I, I'm a big fan of that because it's, it's like the open source model, which Right, it's, it's free. 
 

Everyone's invited and the knowledge gets shared and it's, it's good quality stuff. Um, and so generally there are other great resources where you have to pay. Um, and I, as a professional, obviously I have incentive to pay for knowledge in this area, but that's one thing I like about ASRG is it's free. And if somebody's getting started, they can go catch up on the YouTube videos. 
 

They can go look at, there's probably a local group that they could meet up with and learn about vehicle security. Um, so yeah, in Indiana I gotta go to Detroit or, uh, Chicago if I want to get to get to one, but like a local meetup. [00:29:00] But. But maybe someday, maybe we'll have one here.  
 

Sean Martin: There's none around, uh, Indianapolis, uh, racetrack there. 
 

Scott Sheahan: I, I was just talking with, um, John Heldreth is one of the, he's the, the starter, the founder of ASRG, and I think he told me there used to be an ASRG in Indiana, but it kind of fell through. So, but Detroit, yeah, Detroit's very active. And then Chicago, the guys outta Chicago are pretty active as well.  
 

Marco Ciappelli: So I, I have a question. 
 

So you, you mentioned a lot of things that are related to the safety of the car itself and, and often in cyber security, the. The privacy, you know, protection of identity and a lot of other stuff comes, or at least has come as an afterthought, but it's still part of cyber security, especially if you go in healthcare and, and, and other things. 
 

And we mentioned this before we started. The, the [00:30:00] Mozilla report that came out a few months ago where the car is pretty much spying on you, even on your sexual orientation. And you wonder why the hell the car cares about that or the car manufacturer. Now I know it cares 'cause they get the data, they resell it to someone else and that's how, that's how it works. 
 

Are we there where the privacy of the owners is part of the cybersecurity package that companies are dealing with? Or maybe they're, it's more of an afterthought at this time.  
 

Scott Sheahan: So I will say the, the 21434 standard I was talking to you guys about. This for engineering. One of the elements for the impact assessment is to look at the privacy specific aspects related to your road users. 
 

So that's pedestrians, the driver, other, other people around [00:31:00] the vehicle. And so that is, that is definitely analyzed and has to be shown what data is being kept. Just like, uh, the different privacy laws that are around. You have to be able to enumerate what, what it is, all the data you're collecting. 
 

However, when you sign up for terms and conditions, right, this is more of a legal thing. You somewhere buried down in those terms and conditions of the whatever privacy statement you have agreed to. All the sell, every, I mean, not sell it, but you give it, you give it all away. And I was reading actually one. 
 

A different one this morning and I was like, yeah, some, some lawyer has made up all sorts of data. That possible data. I'm like, how could they get that from this device? But maybe they do. And they've said, this is okay to take. And obviously you have, you just sign it all away by agreeing you're using the service. 
 

So as a consumer, I guess you've been tricked. I dunno. I mean, right. It's, you're, I, I, I [00:32:00] kind of straddle this, like, I don't like it. But also I understand the business case for why, why companies do it. So there's a business case for it too. The companies are ma, they're, that's their job is to make money. So as a consumer, I'm kind of stuck in the middle, right? 
 

Uh, uh, and then as a professional, I have a different viewpoint. So, and most  
 

Marco Ciappelli: of the time you don't even own the car. So even less as, as long as you're loaning or leasing it, or you're not even, it is not even your car. But I like to wear my, uh. You know, eighties kid hat and think back when I didn't have to worry about the stuff, right? 
 

I mean, the car, the only security I wanted for my Vespa was that, you know, the tires are pumped and the engine is working and the brakes are working. That was my cybersecurity guy. The mechanic.  
 

Scott Sheahan: Yeah. And it wasn't spying. Yeah. It wasn't spying on you. Yeah.  
 

Sean Martin: Right. What about  
 

[00:33:00] what, what about the, because Marco, you mentioned something that triggered this thought. 
 

We. I forget how long ago it was we had the topic of the right to repair. Um, yeah, not, not, mm-Hmm. So not owning. I know there's a lot of, a lot of hoopla around the John Deere tractors and whether or not the farmers actually own them or not, and whether, whether what they can do with the car. So I know at least at some point it probably still happens. 
 

Uh. You can plug into the bus and, and change the way the car works to remove limiters or boost the, boost the turbo or all that kind of stuff. So, go ahead.  
 

Scott Sheahan: A lot of that is, is going to be dying out or it's exactly what, yeah. With cybersecurity, what does the OEM allow you to change if they do?  
 

Sean Martin: So that's the, is that under the guise of. 
 

Providing better safety or protecting themselves or what  
 

Scott Sheahan: as, as a, [00:34:00] as a professional in this industry that I've, I've helped implement a lot of this access control, the algorithms, the design of this for these modules. I have an appreciation more on this side of like, it has to be done to keep the device secure. 
 

Um, and that's the argument that's made by the Williams and I, I generally back that up, is that. For locking down firmware and making it so not just anybody can replace the firmware and tune the different calibration parameters or, you know, it's, that's a cybersecurity reason why you do that. Um, and, but on the, at the same time, the consumer can't just be like, okay, so you have to go to the OEM shop to get it repaired. 
 

Um, so I think I've, I think that I've seen, at least in the industry, the solution is there's going to be. Different for the access control, there's different levels of con of control. You can request from the OEM say, Hey, I'm a maintenance tech. I need to get [00:35:00] to change this very specific thing on my module to repair my car. 
 

They're gonna give you a token, a cybersecurity token. It's like, okay, now you're gonna load it electronically over the bus, but once you load that token, now you can make the changes that you might need to make. So there's that. It's the balance. And I think the industry is adapting to that. Um, where you're gonna have more, you're gonna be, have to put into a system state why you need the access, but then the access will be given because I, I think that's at the root of right to repair. 
 

Right? If, if you're going to have a device, you should be able to, I mean, yeah, I know, I realize there's various degrees of what, what, what you should and shouldn't be able to do, but for security as well, the. The financial risk goes to these OEMs that are making the devices and their reputation is on the line. 
 

So they want it, they want it as secure as possible. And, and I think so, I think that's a good thing.  
 

Sean Martin: So [00:36:00] I'm gonna go, we're coming up toward the end here, so I'm, I'm gonna stick with a more technical bit and then, and maybe Marco has one more, uh, philosophical mind-blower question to, to throw at you, but look, looking at the, the ecosystem, not just, not just the supply chain of building, but the ecosystem, uh, with which these vehicles operate. 
 

So I'm talking about the cellular networks and the Cloud systems, and I don't know whatever else is out there. Are, are there any areas in particular, and you can look at the supply chain as well, but are there any areas in this ecosystem where. We should be paying a little more attention that we're not. 
 

Scott Sheahan: Yeah, that's, that's a good question. So you're saying in in the operational environment, like of the, of the vehicle?  
 

Sean Martin: Yeah. I think driving around, we've done a lot about, a lot about the building. Um, so more about the operations. Are cloud Yeah. [00:37:00] Cloud providers connected to this stuff. Are they ready for whatever the, the amount of data, the types of data, the, the access to the data? 
 

I don't know.  
 

Scott Sheahan: Yeah. And on the, on that side, the, the OEMs are working with whatever their preferred cloud provider is to, to have, whether it's a private cloud or, um, yeah. That they, that they own and control and, and it hooks up to the car to. Provide, I don't know, whatever, whatever connected resource it is providing. 
 

Um, that's not an area I, I guess my expertise has mainly been in vehicle. Okay. Like in inside the vehicle network with these controllers. And so maybe I, nothing huge is coming to mind as far as the focus on, um, but that's probably because, like I said, it's, my expertise has been so much in vehicle that. 
 

I'm just drawing a blank on it.  
 

Sean Martin: Yeah. Because the, the cloud is one that [00:38:00] first came to mind. But then as I'm sitting here thinking of the connectivity that, I mean, there's a lot of conversation around API security, right? In the software world. Yeah. So I don't know how things look in the, the automotive world in that front. 
 

Scott Sheahan: Well, I would say generally the, the general architecture is the vehicle is either using. Connections to the back end. And also it could be even inside of a VPN tunnel. I know some OEMs use a, the, the connection is all inside the encrypted VPN tunnel, and there might be even additional layers as you pass through that tunnel. 
 

Um, but that's, that's pretty well secured. But as you say, I think, um, the, there's an annual report about connected vehicle security that comes out and a lot of. The effort if you were, um, going to hack an OEM would be to get into these back-end systems. So yeah, there's, uh, Tesla has like, I [00:39:00] think they call it the mothership and the other OEMs have their own connected vehicle back-ends. 
 

That's going to help update, um, update those vehicles. The telematics data get streamed back. So yeah, if, if you were a nation-state that really wanted to disrupt an OEM. You would have to, that would be the, the place to go. And I think there are, the manufacturers, um, are also seeing attacks on their own manufacturing plant environments too. 
 

So, um, it's an interesting, that's an interesting place. But I will say there is, there was like a Fast and Furious video where like every single OEM at once got all hacked. I was like, the time. Yeah. That's, that's Hollywood again. The time to do that would just be the very specific technology for all of those different brands would be, you'd, you'd need an army and maybe, maybe somebody has that, but it would be, it would be very hard. 
 

I mean, I. You're gonna be expending a lot of resources just to get into one [00:40:00] brand of connected vehicle.  
 

Sean Martin: So as you're, as you're talking about, uh, breaking into the back end, all I can picture is busting in busting the lock on the, on the trunk.  
 

Scott Sheahan: Oh, yeah.  
 

Sean Martin: And you're in. Pull the seat down. You're inside. Uh, Marco, what do you think? 
 

You 
 

Marco Ciappelli: want me to, you want me to go philosophical? Sure. So now you're familiar with the Ship of Theseus? No? The thought experiment. I'm not all, it's simple. It's a thought experiment where you, if the, if the ship is, change all the parts and repair it, get to the point that it doesn't have the original part anymore. 
 

Oh, is it still the same ship or not. Right. Okay. So my question here is I'm like, I'm following all of these and you know, I'm in technology, I'm in cyber security, but you know, I think about sociologically speaking and I'm thinking like, where, when is a car, not a car anymore? Meaning [00:41:00] we're not in control of the car anymore. 
 

It's gonna drive itself, gonna send all this data. I, I don't feel like anymore. The joy of even driving the car, you know, given I grew up driving stick and having fun with it. Yeah. Do you know where I'm going with this? Is it, is it just a tool, is it not a car anymore? What's your thought on that? I'm assuming you are into this because you like cars. 
 

Scott Sheahan: Yes. Well, I, I have, my immediate thought is that, I mean, technology, the technology is in constant progression, so. I always think back to like the early 1900s when the car was just being on the road and, and people were like, Hey, we really like our horses. Um, and it was threatening that industry. And obviously we don't, well in Indiana there are some horses on the road. 
 

It depends on where you're at, but we don't have that many, or the horses riding your horse is more of a hobby now. Um, [00:42:00] and I think I've heard that argument that. As we go into more autonomous vehicles driving a car with it. Yeah. I enjoy driving a stick shift. Um, and if there's a fun element to that, um, and same with, but, but there have, I think, I forget what the book is, but it talks about like, the last person to own a driver's license has already been born or something like that. 
 

Mm-Hmm. And, um, I, I don't know. There's, this is, there's been so much. Focus on the, the claims made by the autonomous car industry, um, that we will see if they clear up as fast as it, it was promised. My, every, everything has been much slower. And there's a, I mean, I remember a few years ago, right, the promises, there's gonna be all sorts of by now self-driving level four or five autonomous cars and, and we don't have them. 
 

Um, and so. We'll see, but I, I think as the, as that the vehicle becomes more and more [00:43:00] autonomous, um, yeah. Drivers are removed from the operation of it. Yeah. It does. It starts to feel less like, you know, your, your traditional car.  
 

Marco Ciappelli: Yeah.  
 

Sean Martin: I'm done. Left my case. Plane. Plane. Still a plane left. Plane's still a plane. 
 

The, the, uh, the pilots don't do as much as they used to either, but  
 

Marco Ciappelli: Well, it flies. The car is still gonna drive you, but you're not driving the car. So my idea is it becomes more of a public sort of transportation. Like as you jump on a train or on a plane, somebody move it for you. Maybe it's a computer, maybe it's remotely someone else. 
 

But I don't know the idea, Sean. We have spent time watching those guys in the UK, you know? Oh, yeah. Destroying cars for many, many years. Yes. You know? I like that.  
 

Sean Martin: Yeah. Yeah. And I just, it, there's a clip I came across the other day. It was. It was a chef on a morning show and, and the morning show host said that if you just [00:44:00] put 
 

ham in this pasta, it would become a carbonara. And the guy said, yeah, and if you put wheels on my grandma, she becomes a bike. So it just seemed funny as you were talking about replacing parts on a ship, it becomes something else, right? Yeah, it is.  
 

Scott Sheahan: Yeah. Yeah.  
 

Sean Martin: Uh, so when is a car, not a car? We'll, we'll leave that one there for people to ponder. 
 

Um, and as they do. Read some of the resources that, uh, Scott shares in his post, which of course I'm gonna link to as well. And, uh, loads of books, loads of videos, loads of organizations. Of course, uh, there's probably a ton more. Um, and I would encourage you to either comment on, on the post for this, when it's shared or on Scott's post, uh, to help that group, uh, as you find your own stuff that that's helpful. 
 

The idea is to get people to think and participate. And with that, Scott, I wanna thank you for, uh, great conversation. Good. A good view into the, the [00:45:00] state of cyber and, and automotive and the need for, for more people to get involved. For sure.  
 

Scott Sheahan: Well, thank you guys. Thanks for having me on. And the one thing I wanted to say near the end is the industry needs talented professionals. 
 

There's a lot of need in this cyber security area. So those, those that are interested. Get in, in with those resources, start reading and there's a, there are a lot of jobs. The industry needs it so.  
 

Sean Martin: Yep, toss the imposter syndrome aside and, uh, jump on.  
 

Scott Sheahan: Yeah, just go for it. 
 

Sean Martin: Yeah. There's no harm, no harm. Marco, thanks for, uh, thanks for bringing some interesting points to this as well. 
 

The ship is gonna stick with me now for the rest of the day. Yeah, thanks very much.  
 

Marco Ciappelli: Yeah, you're welcome. And, uh. I really enjoyed this conversation. Actually, I'm asking you publicly here, maybe I should syndicate this on my show because it turned out to be quite philosophical and interesting. So I hope, uh, everybody, not only the cyber security people, but the, the people interested in technology and how it affects our life will enjoy it. 
 

[00:46:00] So yeah, definitely. Um, I really enjoyed it. Thank you, Scott. Thank you Sean, for having me.  
 

Sean Martin: Fun stuff and thanks everybody for joining us today. Appreciate you watching and listening. Of course, as always, uh, subscribe, share with your friends and enemies and, uh, keep thinking and we'll see you on the next one.