With cybersecurity and cyberattacks becoming key talking points within the automotive industry, many companies are investing in ways to prevent and combat these attacks from taking place.
Thales, a company based in France with multinational operations, designs and builds electrical systems as well as providing services for a vast range of industries. It has been focusing on combatting cyberattacks within the automotive industry.
We spoke to Peter Davies, director for security concepts at Thales, to find out how the company is assisting the industry against cyberattacks.
Just Auto (JA): Could you tell me a little bit about your job role and what it involves?
Peter Davies (PD): I am the director for security concepts at Thales. That essentially means I look at security across many different sectors and I have done for a long period of time.
It’s one thing to say you need to buy security because there’s a regulatory requirement; it’s quite another thing to say you need to get it because it’s part of achieving your business aims and doing things of that nature.
I’ve become increasingly involved in the automotive sector. I do an awful lot of work over there, which is a crossover with the realisation on significantly digitised platforms, which focuses on your ability to achieve safety, your ability to achieve your regulatory requirements, your ability to do not only security, but the right type of security in relation to that.
The other side of that is I’m a specialist in cyberattacks. I generate them, I understand them. When you’re looking at vehicle and transport attacks, what you’re looking at is things that can harm people.
Thales can give proper advice; we help the industry understand the scale of the problem but also where things can work.
JA: Looking at the current threat landscape, what cybersecurity issues are most prominent within the automotive industry?
PD: You see a lot of manual attacks, things to do with key locks – that gets a lot of press because vehicles get stolen and so on. When it comes to looking at cyberattacks, people are looking at elements to do with privacy, which is also to do with the amount of data that’s now being held and the transferring of data backwards and forwards between vehicles, and the backend infrastructures that people are now putting in place. Both of these are, shall we say, fairly conventional, in terms of IT-type attacks in relation to those.
I think both of those sorts of things are well understood or at least reasonably understood in terms of how you approach them, what you might want to do in relation to them.
Then sitting behind that, vehicles are still based often on things like CANbus, which is not protected. You’ve also got legislation that’s bringing in requirements for connectivity, which are introducing additional threat surfaces into the vehicle all the time. These are much more safety-related things, then, than the purely IT-related ones.
Another area is looking at ransomware attacks. They can have the ability to compromise braking systems or things of this nature; these are very significant ransomware attacks. Companies would have to take their vehicles off the road. In that context the interesting thing is the fastest growing area of product recalls in the automotive industry is in software complexity. Complexity gives you an area for cyberattacks.
JA: How prominent are cyberattacks within the industry?
PD: One of the things that we’ve been trying to point out is that if you look at the stats on the type and number of cyberattacks, just taking things coming out of the IT industry, over eight years that will be about a quarter of a million attacks. It’s a lot.
These are the areas that I’m trying to look at in my work at Thales, to seek to advise and in some accounts as well to make sure that we can support this area.
JA: What solutions can Thales provide the industry against cyberattacks?
PD: In the discussions that we have had with people, we focus on how you are going to automate these things. We have focused on having people understand that while they may never do a software update, in the supply chain somebody else may change the way their vehicle works, and it may result in an outcome that’s bad from their point of view.
So there’s that understanding that you can’t simply address this by control, you have to address this by monitoring, by understanding and by understanding how to update that.
Essentially, we’ve tried to look at how you will do that – how you will be able to do verification, which you must do in real time rather than taking three years or 18 months.
We’ve put in place an entire process for cyber resilience which we can put into the public domain for people, which is looking at the key principles that you must be looking at in your engineering process.
For the last five, six years I have led a group for the automotive industry that has worldwide participation. It has automotive manufacturers who sit down and say what is the problem that we’ve got? How would you go about doing these sorts of things? How do we collaborate on doing these things?
This is an industry that’s transforming from bashing a lot of metal to: we’ve got to do a lot of software, we’ve got to do hardware.
We run this group on the basis of giving standards, putting things into the public domain, and it’s fascinating to think of the conference we did last year. We had speakers from Amazon, we had speakers from defence organisations, just to bring along knowledge of how you do these things and help others. And that collaboration is absolutely key to making sure that you understand those sorts of things.
I am truly impressed, I have to say, with the willingness of the industry to join in with that conversation and try and understand the problem they have and what they should be doing about it, and to actively contribute to that. I think that there are very few other industries where I have seen that level of collaboration, and they don’t normally collaborate; they’re normally very competitive, even in this area.
JA: What more do you think could/should be done?
PD: There’s a really big structural problem with people having to upgrade their engineering processes, and companies having to work out how they interact with each other on a global scale. Structurally, I believe that to be the big problem that the automotive industry has.
They have different legal obligations; if you look at it enshrined in law, it’s a very 20th century view of how things go: it tells you that you are responsible for your product, for your Ford or your Tesla, or the individual company that ships that is responsible for that.
I think that also when looking at security, famously it’s not composable, but one of the things that you have there is this idea that just because it’s secure for one thing, doesn’t mean it’s secure for something else.
They say the automotive industry is becoming an increasingly regulated industry, but the danger around that is that it makes it increasingly unresponsive in the face of cyberattacks. So it makes it much easier to attack. That isn’t the intention of the regulators, so they must work together to say: “That can’t actually work in our process, we could never do this.” They must stand up for that.