WEBVTT 1 00:00:00.000 --> 00:00:04.040 [Host] Hello and welcome to today's Tech Talk with the Department of Homeland Security (DHS). 2 00:00:04.040 --> 00:00:08.190 Science and Technology (S&T) Directorate. Today we are going to be talking about automotive 3 00:00:08.190 --> 00:00:12.210 cyer security. We've got three folks who are here to join us. I'd like to give yall a chance to introduce yourselves 4 00:00:12.210 --> 00:00:16.250 before we get started. [Chase] Sure, I'm Chase Garwood. 5 00:00:16.250 --> 00:00:20.330 I'm with the DHS S&T Directorate, Homeland Security Advanced Research Project 6 00:00:20.330 --> 00:00:24.340 agency, cyber security division and I'm the federal program manager 7 00:00:24.340 --> 00:00:28.390 overseeing portfolio and research development projects. 8 00:00:28.390 --> 00:00:32.480 Automotive and vehicle cyber security one of those areas. 9 00:00:32.480 --> 00:00:36.490 [Host] Great. [Brendan] I'm Brendan Harris, I'm a cyber security specialist in the advanced vehicle 10 00:00:36.490 --> 00:00:40.570 technologies division at the U.S. Department of Transportation (DOT), 11 00:00:40.570 --> 00:00:44.660 Volpe National Transportations Systems Center in Cambridge, Massachusetts. 12 00:00:44.660 --> 00:00:48.680 [David] And my name is David Bailinson, I'm a senior computer scientists with Non-Profit 13 00:00:48.680 --> 00:00:52.750 SRI International and I'm part of a team that provides 14 00:00:52.750 --> 00:00:57.310 technical and programatic support for the DHS S&T cyber security R&D program. 15 00:00:57.310 --> 00:01:01.360 And in particular I support Chase on the cyber physical systems security 16 00:01:01.360 --> 00:01:05.440 project. [Host] Great, I'm so glad to have yall here today. We're gonna kick things off 17 00:01:05.440 --> 00:01:09.450 and I'm gonna ask a few questions, but type in your questions if you have one and we'll get to them in a 18 00:01:09.450 --> 00:01:13.460 few minutes. So just to set the stage, can you tell us about some of the current 19 00:01:13.460 --> 00:01:17.540 issues in cyber security for vehicles? What do we need to 20 00:01:17.540 --> 00:01:21.540 be concerned about? [Chase] Sure, I'll kick it off for the group here. 21 00:01:21.540 --> 00:01:25.590 Basically, cars are not what they were 22 00:01:25.590 --> 00:01:29.680 30-40 years ago You had the classic cars or you had a 23 00:01:29.680 --> 00:01:33.710 cadillac converter, you had an engine, you put gas in it. 24 00:01:33.710 --> 00:01:37.710 A lot of physical engineering into that vehicle right? 25 00:01:37.710 --> 00:01:41.800 Cars today, current models and what we are seeing coming out here very shortly 26 00:01:41.800 --> 00:01:45.820 are computers on wheels, multiple computers on wheels. 27 00:01:45.820 --> 00:01:49.830 Complex systems in a vehicle from 28 00:01:49.830 --> 00:01:53.920 your fuel management, to your 29 00:01:53.920 --> 00:01:57.950 info, entertainment right. Your DVD player, to video player, to your 30 00:01:57.950 --> 00:02:02.010 whatever mobility connections. To your 31 00:02:02.010 --> 00:02:06.110 air bags, to everything in the car. So it's very complex 32 00:02:06.110 --> 00:02:10.150 and since it is a computer, multiple computers on wheels 33 00:02:10.150 --> 00:02:14.220 just like with our desktops or our mobile phones, our 34 00:02:14.220 --> 00:02:18.230 home automation whatever it may be. There are risks, there are issues. 35 00:02:18.230 --> 00:02:22.270 There are things that can be hacked or what not, so we need to take 36 00:02:22.270 --> 00:02:26.340 very similar cyber approaches 37 00:02:26.340 --> 00:02:30.350 to those potential risks. [ Brendan] And building 38 00:02:30.350 --> 00:02:34.370 on that, so not only do you have these more 39 00:02:34.370 --> 00:02:38.370 computers controlling more of the physical aspects of the vehicle, your also seeing 40 00:02:38.370 --> 00:02:42.380 at the same time a proliferation of communications technologies being 41 00:02:42.380 --> 00:02:46.430 added. These come in the form of wi-fi hotspots, bluetooth 42 00:02:46.430 --> 00:02:50.510 connectivity to your radio, so you can do hands free communication. You have 43 00:02:50.510 --> 00:02:54.530 tire pressure monitoring systems in your car, in your tires that monitor the air pressure so 44 00:02:54.530 --> 00:02:58.580 in addition to these new cyber physical systems in the car 45 00:02:58.580 --> 00:03:02.660 it's being paired with tremendous conductivity to the outside world, particularly when you look at 46 00:03:02.660 --> 00:03:06.670 fleets and fleet management technologies to look at large 47 00:03:06.670 --> 00:03:10.730 numbers of vehicles to assist in maintenance and monitoring of vehicles 48 00:03:10.730 --> 00:03:14.740 making sure that things are fixed on time. Making sure that 49 00:03:14.740 --> 00:03:18.760 things are taken care of in a reasonable manner. 50 00:03:18.760 --> 00:03:22.770 [David] It's my understanding even the seat belt tension 51 00:03:22.770 --> 00:03:26.860 is computer controlled. [Host] Wow, I did not know that. 52 00:03:26.860 --> 00:03:30.890 So it sounds like we are growing more custom to having more smart devices 53 00:03:30.890 --> 00:03:34.910 more connected devices in our daily lives 54 00:03:34.910 --> 00:03:39.000 thats happening in cars that opens it up to the typical cyber 55 00:03:39.000 --> 00:03:43.030 risks that we're used to seeing with making sure your systems are protected and how they are communicating 56 00:03:43.030 --> 00:03:47.100 with each other that sort of thing. [Chase] Well as Brendan said, it's not just from a 57 00:03:47.100 --> 00:03:51.100 computer virtual world anymore. [Host] Right. [Chase] We're concerned about 58 00:03:51.100 --> 00:03:55.130 you loosing data or somebody getting access to 59 00:03:55.130 --> 00:03:59.200 data or ransomware are those things that we are concerned about with regular computer 60 00:03:59.200 --> 00:04:03.300 hygiene on phones, or our laptops or our PC's. 61 00:04:03.300 --> 00:04:07.310 Now in especially in an automobile or vehicle 62 00:04:07.310 --> 00:04:11.380 in other cyber physical spaces, its now those computers 63 00:04:11.380 --> 00:04:15.390 can have real world effects in realtime, not just the ones 64 00:04:15.390 --> 00:04:19.400 and zeros virtual issue anymore. [Host] So it's not 65 00:04:19.400 --> 00:04:23.480 someone shutting down your computer, it's someone shutting down your car and everything that might entail. 66 00:04:23.480 --> 00:04:27.490 Gotcha. So thats sort of the environment that we're operating in. 67 00:04:27.490 --> 00:04:31.540 What are some of the ways that we can either mitigate or start protecting from cyber attacks? 68 00:04:31.540 --> 00:04:35.540 [Brendan] Sure, so one of the 69 00:04:35.540 --> 00:04:39.560 major aspects of our research several years ago was looking at 70 00:04:39.560 --> 00:04:43.610 mitigations that exist right now that are either after market 71 00:04:43.610 --> 00:04:47.690 or can be built into the supply chain of automobiles. There's 72 00:04:47.690 --> 00:04:51.700 kinda like four major ones and most of them are adopted from traditional enterprise IT 73 00:04:51.700 --> 00:04:55.750 environments. So these are things like using a firewall to 74 00:04:55.750 --> 00:04:59.840 segment and breakout different parts of your automotive network to separate those 75 00:04:59.840 --> 00:05:03.860 high conductivity from the components which have 76 00:05:03.860 --> 00:05:07.920 tremendous physical consequences like Chase was talking about. 77 00:05:07.920 --> 00:05:12.020 And we are also seeing hardware security modules, which can create 78 00:05:12.020 --> 00:05:16.030 encryption between messages. So it's harder to send messages that have poor 79 00:05:16.030 --> 00:05:20.090 that have detrimental effects and we are also seeing intrusion detection and prevention 80 00:05:20.090 --> 00:05:24.180 systems, which can monitor the state of the communications. 81 00:05:24.180 --> 00:05:28.210 In the event that there is something that's dubbed anomalous 82 00:05:28.210 --> 00:05:32.280 it can intervene and prevent those messages from having 83 00:05:32.280 --> 00:05:36.360 their intended consequence. So those are kind of some of the major ones. 84 00:05:36.360 --> 00:05:40.370 What we've seen is that these were aftermarket devices 85 00:05:40.370 --> 00:05:44.450 that were kinda being hacked into the car, between different 86 00:05:44.450 --> 00:05:48.460 components and now, the tier one suppliers, the people who manufacturer the components 87 00:05:48.460 --> 00:05:52.500 of the vehicle are starting to build these into their offerings 88 00:05:52.500 --> 00:05:56.580 and that the OEM's are now integrating more secure architectures 89 00:05:56.580 --> 00:06:00.590 in the future. [Host] And I want to pull that point out a little bit. Because it's not patching something anymore it's 90 00:06:00.590 --> 00:06:04.640 really building the security into it. Can you talk a more about why that is important? [Brendan] Sure. 91 00:06:04.640 --> 00:06:08.720 Will that's important. So I think in a little bit we are going to talk about software updates 92 00:06:08.720 --> 00:06:12.730 and patching but thats really an after the fact kind of thing. 93 00:06:12.730 --> 00:06:16.780 And in order to really have a robust, secure system 94 00:06:16.780 --> 00:06:20.790 particularly when human life is involved. You really want the architecture to be 95 00:06:20.790 --> 00:06:24.810 designed in such a way that its not going to malfunction 96 00:06:24.810 --> 00:06:28.870 that these risks are accounted for. Because a lot of these 97 00:06:28.870 --> 00:06:32.900 risks weren't something that was being thought of 5 or 10 years ago and with the long lifecycle of cars 98 00:06:32.900 --> 00:06:36.970 on the road, it's important for them to be secure when they come off the assembly line. 99 00:06:36.970 --> 00:06:41.050 [Host] That's a great point. [David] This notion that designed in security is 100 00:06:41.050 --> 00:06:45.060 actually is something that's been integral in the cyber physical systems security program. 101 00:06:45.060 --> 00:06:49.110 A lot of these new CPS and internet of things are 102 00:06:49.110 --> 00:06:53.190 IOT type devices are designed with functionality as their 103 00:06:53.190 --> 00:06:57.210 primary concern and now is the time to start thinking about security. 104 00:06:57.210 --> 00:07:01.210 So as they start to populate and proliferate, we will see 105 00:07:01.210 --> 00:07:05.300 them with security as an integral part. [Chase] We found in a lot of areas 106 00:07:05.300 --> 00:07:09.310 especially in the cyber physical systems space and the IOT 107 00:07:09.310 --> 00:07:13.360 space that it's must more cost effective to design in at the front end as usual right? 108 00:07:13.360 --> 00:07:17.450 This is not anything new to community, so it's much more 109 00:07:17.450 --> 00:07:21.470 cost effective, much more efficient and much more effective 110 00:07:21.470 --> 00:07:25.520 to do at the engineering, design and architectural stage than kind of a typical 111 00:07:25.520 --> 00:07:29.620 "hold on" or "we accept the risk" you know later on 112 00:07:29.620 --> 00:07:33.640 down the product lifecycle and that's one thing to mention 113 00:07:33.640 --> 00:07:37.700 I think is while we are talking about cyber security risk and 114 00:07:37.700 --> 00:07:41.790 cyber security aspects, there's a lot of great things that we 115 00:07:41.790 --> 00:07:45.820 are seeing coming out of the automotive technology and the cyber physical 116 00:07:45.820 --> 00:07:49.890 space that is going to improve safety, 117 00:07:49.890 --> 00:07:54.000 effiecncies, you know a lot of things that 118 00:07:54.000 --> 00:07:58.030 are real positives. We just want to make sure that the cyber security angle 119 00:07:58.030 --> 00:08:02.110 is also considered in there so that we can take full advantage of these new features 120 00:08:02.110 --> 00:08:06.120 and new technologies that are rapidly evolving and being 121 00:08:06.120 --> 00:08:10.160 distributed into product models and what not. [Host] Absolutely and with that in mind what are 122 00:08:10.160 --> 00:08:14.240 some of the projects, the research and development projects that S&T is funding 123 00:08:14.240 --> 00:08:18.260 that are looking at some of those solutions? [Chase] Well one of them, we were just talking about 124 00:08:18.260 --> 00:08:22.300 or mentioned kinda patching in management. Just like or updating just like with your 125 00:08:22.300 --> 00:08:26.310 phone, whatever model you have. Your updating your 126 00:08:26.310 --> 00:08:30.320 phone on a regular basis, you're laptop, you're PC whatever 127 00:08:30.320 --> 00:08:34.380 software is in there. So cars are no different right? 128 00:08:34.380 --> 00:08:38.470 In the past we'd have to go into the garage or 129 00:08:38.470 --> 00:08:42.470 into a dealership or a mechanic and 130 00:08:42.470 --> 00:08:46.520 they would hook up, I had a, I won't say which model, but I 131 00:08:46.520 --> 00:08:50.610 in my college army days I had a car that I could actually physically work on. 132 00:08:50.610 --> 00:08:54.610 Go in and change the spark plugs, I'd monkey around with it. Not that I'm any 133 00:08:54.610 --> 00:08:58.960 big auto mechanic kind of guy, but I could do some. 134 00:08:58.960 --> 00:09:03.060 Nowadays there's too many computer modules, there's things in there sure you can work on it 135 00:09:03.060 --> 00:09:07.100 some basic things, but your bringing it into a mechanic and hooking it up to a machine and there flashing 136 00:09:07.100 --> 00:09:11.100 things into those ECU ports or their plugging things in for 137 00:09:11.100 --> 00:09:15.120 diagnostic or to update. Kind of like the firmware or virus 138 00:09:15.120 --> 00:09:19.220 on your computer type of thing. That's still gonna 139 00:09:19.220 --> 00:09:23.440 be in effect in our eco system "so to speak", but 140 00:09:23.440 --> 00:09:27.450 as Brendan said these ars are now connected right. 141 00:09:27.450 --> 00:09:31.590 One has bluetooth, wi-fi, LTE whatever your mode there's 142 00:09:31.590 --> 00:09:35.850 now connectivity over the air. So you may not have to 143 00:09:35.850 --> 00:09:39.940 go into a mechanic physically, have a mechanic physically 144 00:09:39.940 --> 00:09:44.120 connect your car to do an update right. So software over the air is gonna be 145 00:09:44.120 --> 00:09:48.130 more and more prevalent and in that case 146 00:09:48.130 --> 00:09:52.240 we want to make sure that those updates are legitimate. Than they are safe. 147 00:09:52.240 --> 00:09:56.450 The same, some of the same threats and risks 148 00:09:56.450 --> 00:10:00.490 that we see in other use cases with phones 149 00:10:00.490 --> 00:10:04.630 and laptops ad what not. Man in the middle of tags, other things that 150 00:10:04.630 --> 00:10:08.880 can get malicious code into there, that you thinks legitimate. 151 00:10:08.880 --> 00:10:12.970 Phishing attacks and all sorts of things clicking on that link. 152 00:10:12.970 --> 00:10:17.150 So we have one interesting and really rapidly progressing 153 00:10:17.150 --> 00:10:21.170 project combination, collaborative efforts with NYU, 154 00:10:21.170 --> 00:10:25.280 UM Tree, which is the University of Michigan research 155 00:10:25.280 --> 00:10:29.490 Transportation research Institute and also Southwest Transportation Intitute 156 00:10:29.490 --> 00:10:34.490 Working on making sure that when your 157 00:10:35.520 --> 00:10:39.570 a tier one supplier or the OEM, you know 158 00:10:39.570 --> 00:10:43.720 wherever you bought your car from, makes your car that that secure update 159 00:10:43.720 --> 00:10:47.970 is legitimate as much as we can. That it is encrypted 160 00:10:47.970 --> 00:10:52.060 properly. That it's framework, called "uptain", thats based 161 00:10:52.060 --> 00:10:56.260 upon the trust conductor. Update framework out of touring, 162 00:10:56.260 --> 00:11:00.280 not just specifically into the automotive space and ECU's 163 00:11:00.280 --> 00:11:04.410 and all those modules. So we have a few others that you 164 00:11:04.410 --> 00:11:08.670 guys want to kind of go over? [Brendan] Sure, yes. So another aspect of the research 165 00:11:08.670 --> 00:11:12.730 we're doing is into this realm ofopen source automotive research tools. 166 00:11:12.730 --> 00:11:16.890 So open source refers to tools where the source code or 167 00:11:16.890 --> 00:11:21.170 schematics in the case of hardware. Their all available, it's freely online 168 00:11:21.170 --> 00:11:25.280 and trying to make these tools more accessible to people who are interested in 169 00:11:25.280 --> 00:11:29.490 doing this research, because for a long time one of the big 170 00:11:29.490 --> 00:11:33.540 barriers to get into monitor and seeing how these giant 171 00:11:33.540 --> 00:11:37.690 computers on wheels work, was that the tools to do it were really expensive and the ways to 172 00:11:37.690 --> 00:11:41.940 interact with your car were very expensive. So there is a great hobbyist community out there 173 00:11:41.940 --> 00:11:46.030 of people who are involved in monitoring their cars and trying to see how they work. 174 00:11:46.030 --> 00:11:50.240 So a few years ago, or last year in October. So just about a 175 00:11:50.240 --> 00:11:54.260 year ago we had an open source workshop at the Volpe Center. 176 00:11:54.260 --> 00:11:58.300 We brought together all these people building these different tools. All of them were open source. 177 00:11:58.300 --> 00:12:02.510 Trying to connect them with other industry stakeholders 178 00:12:02.510 --> 00:12:06.550 and to figure out how we can work together in order to advance this automotive research challenge. 179 00:12:06.550 --> 00:12:10.570 [Dave] Another example, is a project by 180 00:12:10.570 --> 00:12:14.600 HRL Laboratories in California on side channels to 181 00:12:14.600 --> 00:12:18.650 detect faults. And these are cyber physical systems, so 182 00:12:18.650 --> 00:12:22.810 they combine the cyber and physical worlds and so this is 183 00:12:22.810 --> 00:12:27.080 looking at physical characteristics to help substantiate what's going on in the cyber 184 00:12:27.080 --> 00:12:31.090 side. So side channels are commonly used by attackers to 185 00:12:31.090 --> 00:12:35.290 reveal secret keys. So they will look at things like RF emissions, acoustic emissions 186 00:12:35.290 --> 00:12:39.300 or power fluctuations and they can actually apply signal 187 00:12:39.300 --> 00:12:43.420 processing and figure out what your cryptographic key is just from these minor.[Host] Oh my gosh.] [Brendan] 188 00:12:43.420 --> 00:12:47.450 signals and whatever it is they are monitoring. So HRL 189 00:12:47.450 --> 00:12:51.480 laboratories is exploring the use of electromagnetic 190 00:12:51.480 --> 00:12:55.630 emulations to monitor power usages of these embedded processors or ECU's 191 00:12:55.630 --> 00:12:59.900 in automobiles. So they apply signal processing to this 192 00:12:59.900 --> 00:13:04.000 in order to be able to understand and learn the different processor states and then they can 193 00:13:04.000 --> 00:13:08.010 use this information to detect a system compromise. 194 00:13:08.010 --> 00:13:12.390 So just as an example, by monitoring the transmisson ECU 195 00:13:12.390 --> 00:13:16.530 one can actually determine what gear the car is in and then 196 00:13:16.530 --> 00:13:20.650 if you then pair that with the information on the automotive 197 00:13:20.650 --> 00:13:24.710 bus, the automotive network is called the "can bus", then 198 00:13:24.710 --> 00:13:28.860 you can correlate that and make sure that the car is actually 199 00:13:28.860 --> 00:13:33.130 in the same cyber state as the corresponding physical state. It is also difficult for an attack 200 00:13:33.130 --> 00:13:37.230 to alter the functionality of the car without also altering 201 00:13:37.230 --> 00:13:41.260 this observable side channel behavior. [ Host] Interesting, 202 00:13:41.260 --> 00:13:45.550 wow. So theres a lot of avenues and a lot to think about when it comes to securing these 203 00:13:45.550 --> 00:13:49.680 systems, these networks, because it sounds like there is 204 00:13:49.680 --> 00:13:53.920 a lot of different ways they can get in. [Chase] Yeah, it's 205 00:13:53.920 --> 00:13:57.940 things like the side channel that you really don't think about but then you just think about well 206 00:13:57.940 --> 00:14:02.100 if I can detect the electromagnetic or the RF frequencies 207 00:14:02.100 --> 00:14:06.360 off that and do that with off the shelf tools and what not 208 00:14:06.360 --> 00:14:10.470 it's an interesting thing. But using it from a defensive standpoint 209 00:14:10.470 --> 00:14:14.480 is really more the innovation of saying can we detect 210 00:14:14.480 --> 00:14:18.510 you know cost effectively, a regular state with something 211 00:14:18.510 --> 00:14:22.630 that's change and at least raise that kind of logic into the cyber security realm and say hey 212 00:14:22.630 --> 00:14:26.850 this may not be appropriate, let's pause or let's take a 213 00:14:26.850 --> 00:14:30.910 different avenue or something like that, there's some interesting approaches there. [Host] Very cool. 214 00:14:30.910 --> 00:14:35.070 What are some of the ways that S&T and the DOT Volpe Center are partnering together on this? 215 00:14:35.070 --> 00:14:39.330 [Chase] Well, from a DHS perspective, I mean DHS obviously were 216 00:14:39.330 --> 00:14:43.440 national security, homeland security and were in this space 217 00:14:43.440 --> 00:14:47.640 in this area because we are fleet managers, our mission 218 00:14:47.640 --> 00:14:51.680 components, what we call are sub agencies within a department 219 00:14:51.680 --> 00:14:55.700 are very law enforcement sensitive. (Image of Fleet Management Risk projected on screen) 220 00:14:55.700 --> 00:14:59.780 Very law enforcement heavy to an extinct, but we buy the 221 00:14:59.780 --> 00:15:03.930 same vehicles as you and I drive and we're not 222 00:15:03.930 --> 00:15:07.960 experts. We're experts in cyber security in other areas obviously, so partnering with 223 00:15:07.960 --> 00:15:12.060 DOT Volpe as well as leveraging SRI and others 224 00:15:12.060 --> 00:15:16.700 to bring in that deep wealth of knowledge 225 00:15:16.700 --> 00:15:20.790 and capabilities that they have inheritantly has been a great 226 00:15:20.790 --> 00:15:24.800 partnership and feedback our needs and mission concerns 227 00:15:24.800 --> 00:15:28.820 into the automotive community and help broaden that out 228 00:15:28.820 --> 00:15:32.910 as well as has been a great partnership. [Brendan] So the division I'm in focuses 229 00:15:32.910 --> 00:15:37.100 on advanced vehicle technology so this is an area that we've 230 00:15:37.100 --> 00:15:41.420 been familiar with for a very long time, mostly looking at 231 00:15:41.420 --> 00:15:45.550 electronics reliability research was the long history. 232 00:15:45.550 --> 00:15:49.810 And then recently got more involved in cyber security after 233 00:15:49.810 --> 00:15:53.840 the national traffic highway safety administration had approached us and said, you know this looks like a 234 00:15:53.840 --> 00:15:58.020 very interesting concern. You know how valid is this concern? [Host] Yeah. 235 00:15:58.020 --> 00:16:02.320 [Brendan] It came out that they were on to something. [Host] Very valid. [Brendan] And it became 236 00:16:02.320 --> 00:16:06.580 as we started to think more about the problem, we tried to think of a way 237 00:16:06.580 --> 00:16:10.750 if OP is a broad reach and a lot of very multi-model approach to things we work on 238 00:16:10.750 --> 00:16:14.820 a variety of vehicles both on the ground and in the sky and ever in between. 239 00:16:14.820 --> 00:16:18.820 And we wanted to apply our expertise in 240 00:16:18.820 --> 00:16:23.110 understanding kind of the technical bits of these machines 241 00:16:23.110 --> 00:16:27.220 and apply that to something more programmatic and to kind of assist the Department of Homeland Security 242 00:16:27.220 --> 00:16:31.450 as best we could. So to that end we focused a lot on securing government fleets and 243 00:16:31.450 --> 00:16:35.480 looking at specific vulnerabilities in government fleets. 244 00:16:35.480 --> 00:16:39.620 That center mostly around fleet management systems. 245 00:16:39.620 --> 00:16:43.880 These are generally after market devices, which get 246 00:16:43.880 --> 00:16:47.950 connected into vehicles and they monitor the health and safety 247 00:16:47.950 --> 00:16:52.140 of the vehicles. They help do preventive maintenance. They help to make sure theres no waste 248 00:16:52.140 --> 00:16:56.460 fraud and abuse going on. That people aren't taking vehicles where they shouldn't be. 249 00:16:56.460 --> 00:17:00.590 We count for the primer for fleet managers to help them start 250 00:17:00.590 --> 00:17:04.970 to think about their fleet of cars more of like a fleet of computers. 251 00:17:04.970 --> 00:17:08.990 And we are additionally helping the General Services 252 00:17:08.990 --> 00:17:13.230 Administration (GSA), who does all of the purchasing for the government. 253 00:17:13.230 --> 00:17:17.240 Help them to build in procurement language when they are 254 00:17:17.240 --> 00:17:21.360 trying to buy these systems to make sure the systems are 255 00:17:21.360 --> 00:17:25.580 secure. [Chase] And one thing to mention to again for the 256 00:17:25.580 --> 00:17:29.620 audience is when we talk about fleet management, 257 00:17:29.620 --> 00:17:33.760 that's UPS, FedEx our fleet of vehicles right. 258 00:17:33.760 --> 00:17:38.000 That is a more robust version that we're 259 00:17:38.000 --> 00:17:42.080 seeing in a commercial space or an individual 260 00:17:42.080 --> 00:17:46.260 citizen space, where your seeing insurance companies 261 00:17:46.260 --> 00:17:50.570 and others that are pushing out dongles and other things to plug in for you know monitor 262 00:17:50.570 --> 00:17:54.700 how your driving, safety things. So again, much smaller version, but that's on a 263 00:17:54.700 --> 00:17:58.720 spectrum wouldn't you say Brendan? [Brendan] Oh absolutely, yeah. [Chase] So things that were 264 00:17:58.720 --> 00:18:02.730 discovering, learning helping to adjust into this ecosystem 265 00:18:02.730 --> 00:18:06.890 will trickle out into a broader 266 00:18:06.890 --> 00:18:11.150 regular citizen, I'm driving a car and I'm concerned about these things. 267 00:18:11.150 --> 00:18:15.250 [Host] Absolutely. [David] Brendan] ought to say a little bit about thee 268 00:18:15.250 --> 00:18:19.460 lab they have and some of the technical assessments that they conduct. [Brendan] Sure, so 269 00:18:19.460 --> 00:18:23.490 we currently have a lab in Cambridge, Massachusetts is where the Volpe Center is located. 270 00:18:23.490 --> 00:18:27.630 And we do have a couple late model year vehicle, which we 271 00:18:27.630 --> 00:18:31.880 actually receive through a partnership with the Canadian government. So this is actually 272 00:18:31.880 --> 00:18:35.940 like a international collaboration. [Host] Oh cool. [Brendan] and some of 273 00:18:35.940 --> 00:18:40.120 the assessments we've done on those vehicles have been looking at these mitigation tools that I 274 00:18:40.120 --> 00:18:44.120 talked about a little earlier and making sure that they work as they intended. 275 00:18:44.120 --> 00:18:48.210 Obviously, more research to do there looking at adverse effects of 276 00:18:48.210 --> 00:18:52.430 connecting them and more recently we've been looking at and partnering with 277 00:18:52.430 --> 00:18:56.460 Carnegie Mellon University, down in Pittsburg to look at 278 00:18:56.460 --> 00:19:00.500 these actual devices and too test and validate their 279 00:19:00.500 --> 00:19:04.730 security to make sure that there aren't any back doors or 280 00:19:04.730 --> 00:19:08.780 unintended functionality that can be taken advantage of to manipulate 281 00:19:08.780 --> 00:19:12.940 the vehicle in a way that is not safe for the driver or operator. 282 00:19:12.940 --> 00:19:17.220 [Host] So we are talking about government fleets. I want to talk about some of the unique challenges that presents. 283 00:19:17.220 --> 00:19:21.320 In terms of protecting from cyber attacks. What are some of the treats, if you can 284 00:19:21.320 --> 00:19:25.530 get into it that is unique to the government fleet? Or what sort of things are we looking at 285 00:19:25.530 --> 00:19:29.550 from a government fleet perspective? [ Chase] Well as I 286 00:19:29.550 --> 00:19:33.570 mentioned especially for DHS and other law enforcement and national security, 287 00:19:33.570 --> 00:19:37.790 cyber security, homeland security, law enforcement 288 00:19:37.790 --> 00:19:41.840 focus, you know we have your regular vehicles that may 289 00:19:41.840 --> 00:19:46.000 have the police lights on them, when very obvious that 290 00:19:46.000 --> 00:19:50.450 their a law enforcement vehicle, but we also have a undercover vehicle. 291 00:19:50.450 --> 00:19:54.570 You know diplomatic, fleet type of vehicles with the 292 00:19:54.570 --> 00:19:58.790 department of state and other things that may be slightly 293 00:19:58.790 --> 00:20:02.790 modified. But like we were discussing earlier their the 294 00:20:02.790 --> 00:20:06.950 cars, they may be somewhat modified because they are law enforcement. They may have a 295 00:20:06.950 --> 00:20:10.980 little bit bigger engine or something, but they are not dramatically different then the car 296 00:20:10.980 --> 00:20:15.070 that you and I are driving. So some of the concerns 297 00:20:15.070 --> 00:20:19.240 on there obviously, theres a lot of advantages for GPS 298 00:20:19.240 --> 00:20:23.520 tracking and monitoring right. So making sure that is secure, 299 00:20:23.520 --> 00:20:27.640 so that bad guys can't tell exactly where that secret service 300 00:20:27.640 --> 00:20:31.860 vehicle is, or that coast guard vehicle or that other law enforcement vehicle is. 301 00:20:31.860 --> 00:20:35.870 We've already talked a little bit about it. 302 00:20:35.870 --> 00:20:40.030 We'd all be concerned about any kind of interruption of the vehicle, deploying 303 00:20:40.030 --> 00:20:44.290 you know, your driving along and all of a sudden your car 304 00:20:44.290 --> 00:20:48.390 is trying to self park. And theres things, you know I'm exaggerating a little bit but 305 00:20:48.390 --> 00:20:52.590 those are some of the same concerns that I think anybody would have but probably 306 00:20:52.590 --> 00:20:56.610 a little bit different for a law enforcement sensitive aspect. 307 00:20:56.610 --> 00:21:00.730 So probably we won't get into, I won't get into any specifics 308 00:21:00.730 --> 00:21:05.010 but maybe Brendan can cover some generalities as well because we all deal in the same 309 00:21:05.010 --> 00:21:09.080 areas. [Brendan] Sure, so I would say one issue that 310 00:21:09.080 --> 00:21:13.250 comes to mind is that government vehicles as you were mentioning that they 311 00:21:13.250 --> 00:21:17.550 tend to be similar across the spectrum. So you have 312 00:21:17.550 --> 00:21:21.670 a wide variety, or not a wide variety of, a small variety of 313 00:21:21.670 --> 00:21:25.900 vehicles but you have a lot of them. So that means that in 314 00:21:25.900 --> 00:21:30.010 the event that a exploit was crafted that could effect these 315 00:21:30.010 --> 00:21:34.100 vehicles it could potentially effect a large number of them. [Chase] Not just one or two. 316 00:21:34.100 --> 00:21:38.380 [Brendan] Not just one or two. So we really get concerned about that fleet effect and 317 00:21:38.380 --> 00:21:42.470 the impacts that it could have not only on our first responder community, but also on 318 00:21:42.470 --> 00:21:46.680 kind of like the U.S. economy as a whole. [Chase] Well I should have mentioned not just law enforcement 319 00:21:46.680 --> 00:21:50.690 but well not specific to DHS, but theres first responders 320 00:21:50.690 --> 00:21:54.830 that are a very important part of our community right. 321 00:21:54.830 --> 00:21:59.060 So firefighters fire trucks, EMT vehicles, ambulances those 322 00:21:59.060 --> 00:22:03.080 things as well. State and local governments as well. 323 00:22:03.080 --> 00:22:07.260 [Host] Good point and linking that again towards, you mentioned you know theres 324 00:22:07.260 --> 00:22:11.540 industry that have the same concerns that are going to be interested in this type of technology. 325 00:22:11.540 --> 00:22:15.660 I wonder how is the government collaborating with automobile manufacturers 326 00:22:15.660 --> 00:22:19.880 on some of these items, on some of these issues? [Chase] Yeah, thats excellent maybe Dave can 327 00:22:19.880 --> 00:22:23.930 field this a little bit. [David] Yeah, its interesting we've 328 00:22:23.930 --> 00:22:27.930 worked collaboratively with DHS and Volpe to create a automotive 329 00:22:27.930 --> 00:22:32.190 cyber security industry consortium or ACIC 330 00:22:32.190 --> 00:22:36.250 is what we call it. [Chase] Love our acronyms. [Laughter] 331 00:22:36.250 --> 00:22:40.390 [David] This is a voluntary public private partnership. So you've got government working 332 00:22:40.390 --> 00:22:44.410 working with private industry. It's a collaboration between 333 00:22:44.410 --> 00:22:48.460 DHS S&T, Volpe along with support from SRI 334 00:22:48.460 --> 00:22:52.630 International and the basic idea is we work with a number 335 00:22:52.630 --> 00:22:56.930 of major OEM's, Original Equipment Manufactures. And the 336 00:22:56.930 --> 00:23:01.040 OEM's pull there funding and leverage it with government funding so 337 00:23:01.040 --> 00:23:05.270 each puts in a little bit and then you multiply that by a factor 338 00:23:05.270 --> 00:23:09.310 of say 10 and next thing you know you have a nice pool that you can leverage in order to 339 00:23:09.310 --> 00:23:13.470 can conduct research. So the consortium identifies, prioritizes 340 00:23:13.470 --> 00:23:17.740 and conducts what we call pre-competitive research 341 00:23:17.740 --> 00:23:21.760 projects that address critical cyer security challenges in automobiles. 342 00:23:21.760 --> 00:23:25.950 So the projects are identified by the group and they 343 00:23:25.950 --> 00:23:30.270 provide neutral benefit across all of the members and for 344 00:23:30.270 --> 00:23:34.420 the nation helping to address the cyber security risk in automobiles. In fact 345 00:23:34.420 --> 00:23:38.690 we're just about to initiate our very first project, which is going to be in the 346 00:23:38.690 --> 00:23:42.770 area of tools and testing. And we are also starting to 347 00:23:42.770 --> 00:23:46.960 put together a second project that will be looking at sort of doing a threat assessment 348 00:23:46.960 --> 00:23:51.280 for vehicle. [Chase] One important to tag onto that as well is 349 00:23:51.280 --> 00:23:55.300 that, that's also a indication that the automobile manufactures, the ones that are 350 00:23:55.300 --> 00:23:59.540 taking cyber security very seriously. They are addressing it, 351 00:23:59.540 --> 00:24:03.540 they are not ignoring 352 00:24:03.540 --> 00:24:07.710 the risk at all. So they are being very proactive and what not 353 00:24:07.710 --> 00:24:11.730 and it's always great to see that kind of collaborative. And 354 00:24:11.730 --> 00:24:15.800 again from a governmental perspective and DHS, DOT 355 00:24:15.800 --> 00:24:19.990 Volpe and others. We are there to help catalyze and fills 356 00:24:19.990 --> 00:24:24.400 those gaps and to put things together that isn't already being addressed by 357 00:24:24.400 --> 00:24:28.550 the private sector and others. And also to kind of take advantage of each others so that 358 00:24:28.550 --> 00:24:32.810 kind of dialogue with the group and the automobile manufactures have been 359 00:24:32.810 --> 00:24:36.900 great, I mean key. We have a similar consortium in the 360 00:24:36.900 --> 00:24:40.920 gas industry and aviation, finance so that is key that 361 00:24:40.920 --> 00:24:45.220 you know that you don't hear a lot about. But it's key to have that collaborative community 362 00:24:45.220 --> 00:24:49.360 and partnerships with the OEM's in this space. 363 00:24:49.360 --> 00:24:53.610 {David] You know what else occurs to me, you mentioned the uptain project earlier right. The secure 364 00:24:53.610 --> 00:24:57.670 software over the air updates and that project 365 00:24:57.670 --> 00:25:01.700 with NYU, Umptree and [unintelligible] has also engaged the OEM's and 366 00:25:01.700 --> 00:25:05.720 a lot of the suppliers. So they have held a regular series of 367 00:25:05.720 --> 00:25:09.800 working group meetings where industry comes in and 368 00:25:09.800 --> 00:25:14.010 helps identify requirements and provides guidance in terms of putting together 369 00:25:14.010 --> 00:25:18.320 the specifications that then become available for them 370 00:25:18.320 --> 00:25:22.500 to incorporate into their products. [Host] Wow, so it's a real 371 00:25:22.500 --> 00:25:26.780 force multiplier. Everyone's got shared interest in here so why not pull resources and make sure that everyone 372 00:25:26.780 --> 00:25:30.850 is getting the benefit of this research [Chase] Well especially in these areas, I mean so DHS 373 00:25:30.850 --> 00:25:34.880 we're very much into the applied R&D space so 374 00:25:34.880 --> 00:25:39.160 we partner with the National Science Foundation (NSF) 375 00:25:39.160 --> 00:25:43.280 and others for more longer reaching and foundational research, but we are in the applied space so 376 00:25:43.280 --> 00:25:47.310 the work that our projects that we're collaborating that are funding 377 00:25:47.310 --> 00:25:51.330 and working with great performers and we've mentioned a few of them, getting that 378 00:25:51.330 --> 00:25:55.460 out of laboratories into commercialization 379 00:25:55.460 --> 00:25:59.700 and transition to practice is what we are all about, so having that key with the 380 00:25:59.700 --> 00:26:04.050 industry helps bridge that 381 00:26:04.050 --> 00:26:08.250 transom, that valley to get great technologies 382 00:26:08.250 --> 00:26:12.270 out of our labs and into 383 00:26:12.270 --> 00:26:16.390 everybody's hands. [Dave] We alway say, engage your customers early and often, throughout the entire 384 00:26:16.390 --> 00:26:20.630 lifecycle. [Host] Well speaking of engaging. We want to answer a couple of questions 385 00:26:20.630 --> 00:26:24.680 from Facebook. Our first one is how can graduate students 386 00:26:24.680 --> 00:26:28.700 in engineering, whether there electrical or mechanical etc. use their core skills 387 00:26:28.700 --> 00:26:32.970 in cyber security. Are there any specific applications? 388 00:26:32.970 --> 00:26:36.970 [Chase] Well I'll take the general, cause I'm the generalist in the room to an extent. 389 00:26:36.970 --> 00:26:41.160 One thing I've found in the cyber physical systems 390 00:26:41.160 --> 00:26:45.480 in our cyber physical security space at large 391 00:26:45.480 --> 00:26:49.630 mainly from the infrastructure standpoint right. 392 00:26:49.630 --> 00:26:53.880 Power plant, water plant, chemical plant whatever it may be 393 00:26:53.880 --> 00:26:57.950 we've had a 100 years of engineer 394 00:26:57.950 --> 00:27:02.150 operational technology, with information 395 00:27:02.150 --> 00:27:06.480 technology. So operational technology, you may have heard skate and control 396 00:27:06.480 --> 00:27:10.620 and other things. Industrial control systems that have been 397 00:27:10.620 --> 00:27:14.870 in place. We didn't think they'd be still in place this long, 75 years later 398 00:27:14.870 --> 00:27:18.950 but they are. But I think from an engineering standpoint 399 00:27:18.950 --> 00:27:23.130 the disciplines are really kind of the blur in the cross right 400 00:27:23.130 --> 00:27:27.150 so, even though we are architecting and systems engineering 401 00:27:27.150 --> 00:27:31.160 the cyber security aspects or just cyber 402 00:27:31.160 --> 00:27:35.180 information technology aspects into these systems 403 00:27:35.180 --> 00:27:39.480 what is that physical 404 00:27:39.480 --> 00:27:43.610 safe mode. What happens if something happens here is there a manual valve 405 00:27:43.610 --> 00:27:47.850 that you can turn? Is there something in a car that you still 406 00:27:47.850 --> 00:27:51.930 have it's mostly fly by wire to an extent but what are those 407 00:27:51.930 --> 00:27:56.100 kind of safety design features that engineers, I think 408 00:27:56.100 --> 00:28:00.400 whether or not it's electrical engineering, mechanical engineering just all aspects of 409 00:28:00.400 --> 00:28:04.440 the engineering spectrum tied in with 410 00:28:04.440 --> 00:28:08.520 systems engineering on a software basis, tied in with 411 00:28:08.520 --> 00:28:12.540 hardware, I think thats ho you apply that. I think 412 00:28:12.540 --> 00:28:16.580 that an interdiscipline eam when your designing a product, or an outcome or a feature 413 00:28:16.580 --> 00:28:20.670 is kind of key. That's why we kind of keeping hitting on kind 414 00:28:20.670 --> 00:28:24.680 on that security by design. It's safety engineering 415 00:28:24.680 --> 00:28:28.740 by design and all those things into it now I'll defer to 416 00:28:28.740 --> 00:28:32.740 the real experts on those. [Brendan] I mean I think, I probably have like 417 00:28:32.740 --> 00:28:36.760 a shorter more practical question. I would say start 418 00:28:36.760 --> 00:28:40.820 like think like a hacker. Take stuff apart, break it, un break it. 419 00:28:40.820 --> 00:28:44.920 Tinker with it, see how it works and then try to make it malfunction. 420 00:28:44.920 --> 00:28:48.940 And then if you can make it malfunction, think 421 00:28:48.940 --> 00:28:53.000 about how you could design it differently so that it wouldn't malfunction. 422 00:28:53.000 --> 00:28:57.100 And that can be a good way to put yourself into that mine 423 00:28:57.100 --> 00:29:01.130 space of instead of something to work well, build something to work securely. 424 00:29:01.130 --> 00:29:05.200 [Chase] We saw a graceful degradation in other things 425 00:29:05.200 --> 00:29:09.210 in safe mode, but that's what happens when it doesn't work 426 00:29:09.210 --> 00:29:13.240 perfectly. Does it have that graceful degradation capability 427 00:29:13.240 --> 00:29:17.260 or safe mode that you can glide into you know the parking lot or whatever it may be. 428 00:29:17.260 --> 00:29:21.360 [David] We are also finding that more and more universities are starting to offer 429 00:29:21.360 --> 00:29:25.360 introductory cyber security courses, if not entire programs. 430 00:29:25.360 --> 00:29:29.440 In the are, so I would strongly encourage any engineering 431 00:29:29.440 --> 00:29:33.440 students that are out there to take advantage of any courses that might be offered at your university. 432 00:29:33.440 --> 00:29:37.490 Even if you are not planning to go into cyber security per se, 433 00:29:37.490 --> 00:29:41.560 as these guys were eluding to, it is an important skill to 434 00:29:41.560 --> 00:29:45.580 know and understand and should become a pervasive part of everything we design and engineer. 435 00:29:45.580 --> 00:29:49.620 [Host] Next question, do any of you have any background on legislation 436 00:29:49.620 --> 00:29:53.710 regarding cyber security, either in the U.S. or international, like EU 437 00:29:53.710 --> 00:29:57.730 or China. [Chase] Well, since we are techy, geeky kind of guys 438 00:29:57.730 --> 00:30:01.780 well at least I'm kind of geeky, I kinda think he's cool. 439 00:30:01.780 --> 00:30:05.870 There's all sorts of legislation out there that's 440 00:30:05.870 --> 00:30:09.890 currently floating around or what not. So really probably 441 00:30:09.890 --> 00:30:13.950 from a policy perspective, that's something, monitor the websites, 442 00:30:13.950 --> 00:30:18.040 monitor kind of the news and see the interactions and what's kind of driving those 443 00:30:18.040 --> 00:30:22.070 and get out there and vote. Talk to your county, all that kind of stuff. 444 00:30:22.070 --> 00:30:26.130 Research and there are o many different aspects of that so there are a few out there that are 445 00:30:26.130 --> 00:30:30.330 pending or in motion around and I've been along 446 00:30:30.330 --> 00:30:34.370 federal [unintelligible] you see various flavors of that off and on 447 00:30:34.370 --> 00:30:38.440 So more awareness of cyber security aspects into all aspects of our life 448 00:30:38.440 --> 00:30:42.550 is positive. [Dave] Well being the techies that we are, one of 449 00:30:42.550 --> 00:30:46.590 the cools about working with DHS S&T and DOT Volpe is 450 00:30:46.590 --> 00:30:50.670 that their not regulatory and their not about policy 451 00:30:50.670 --> 00:30:54.680 and law, it's all technical. So we just get to focus on the cool 452 00:30:54.680 --> 00:30:58.730 technical stuff and let the politicians and the lawyers and the lobbyist and all the others 453 00:30:58.730 --> 00:31:02.820 deal with the policy. [Host] They do their thing, we get to dive in and look at all the cool tech. [Chase] That's the nice 454 00:31:02.820 --> 00:31:06.840 part, we're not the regulatory we're more of a feeder 455 00:31:06.840 --> 00:31:10.900 of our concerns. [David] And that's critical, particular with the ACIC. 456 00:31:10.900 --> 00:31:14.990 The consortium, I mentioned earlier, because it is about 457 00:31:14.990 --> 00:31:18.990 the technology and we get to come to the table and sit down with the OEM's and they don't have to fear working 458 00:31:18.990 --> 00:31:23.050 or interacting with us. [Host] Good point. Next question. 459 00:31:23.050 --> 00:31:27.060 Have you seen indications that adversaries are specifically interested in 460 00:31:27.060 --> 00:31:31.090 exploiting cyber vulnerabilities in vehicles, not necessarily focusing on government or law enforcement 461 00:31:31.090 --> 00:31:35.150 just vehicles in general? [Chase] Well 462 00:31:35.150 --> 00:31:39.250 and I'll keep this very general and not that it's super secret 463 00:31:39.250 --> 00:31:43.250 I'm not in that world or anything, but I think you can extrapolate 464 00:31:43.250 --> 00:31:47.270 and think some logical things of, if their 465 00:31:47.270 --> 00:31:51.380 individual vehicles, probably not all that 466 00:31:51.380 --> 00:31:55.390 much right, but when your talking about 467 00:31:55.390 --> 00:31:59.460 you know, we talked a little bit about fleet level type of thing 468 00:31:59.460 --> 00:32:03.560 so if there is an exploit or something that you can effect 10's of thousands, 100's of thousands 469 00:32:03.560 --> 00:32:07.600 of car that are on the road, that then clog up the road, take 470 00:32:07.600 --> 00:32:11.680 up resources during a hurricane or what not. I mean so 471 00:32:11.680 --> 00:32:15.690 there's some things there that would be concerning, but 472 00:32:15.690 --> 00:32:19.740 those are some things at why we're looking at those kind of 473 00:32:19.740 --> 00:32:23.810 generalities from fleet management and other things in there. 474 00:32:23.810 --> 00:32:27.830 [Brendan] I would say that 475 00:32:27.830 --> 00:32:31.880 the, you know if you look at some of the security 476 00:32:31.880 --> 00:32:35.970 research that has gone on in the hobbyist community that 477 00:32:35.970 --> 00:32:39.990 there is absolutely every indication. When you see things like car hacking 478 00:32:39.990 --> 00:32:44.050 village at most of the major security conferences that are happening this year 479 00:32:44.050 --> 00:32:48.130 I mean there is definitely a degree of interest and I think that 480 00:32:48.130 --> 00:32:52.160 people are capable of this if they want to. I think 481 00:32:52.160 --> 00:32:56.220 one of the issues is always the economic model behind it 482 00:32:56.220 --> 00:33:00.230 and I think as soon as it is a way to monetize some of these exploits that's when we are 483 00:33:00.230 --> 00:33:04.260 going to start to see a big uptick. [Chase] Just like ransomware and other areas. [Brendan] Exactly. 484 00:33:04.260 --> 00:33:08.320 [David] I was going to mention up to this point, fortunately most of 485 00:33:08.320 --> 00:33:12.420 thee attacks have been research, in hacking villages. 486 00:33:12.420 --> 00:33:16.450 I havent seen anything live, but one of the things that I 487 00:33:16.450 --> 00:33:20.520 personally fear is if we were to see an uptick in something 488 00:33:20.520 --> 00:33:24.630 like ransomware which would start to impact 489 00:33:24.630 --> 00:33:28.670 and in that case you've got to be real careful about just like with your home computer, 490 00:33:28.670 --> 00:33:32.750 your laptop, your phone. You've just got to be real careful about how you 491 00:33:32.750 --> 00:33:36.760 work with your car and what you introduce to it. 492 00:33:36.760 --> 00:33:40.810 Good best practices always go a long way. 493 00:33:40.810 --> 00:33:44.890 [Host] Very true. Next question. What are top priority threats 494 00:33:44.890 --> 00:33:48.900 and threat model OEM's that government are considering in vehicle cyber security? 495 00:33:48.900 --> 00:33:52.950 Well I think we just touched on that a little bit. 496 00:33:52.950 --> 00:33:57.040 Just like anything in cyber security right, it's an attack 497 00:33:57.040 --> 00:34:01.060 surface. Attack vectors and what not. So for example, not 498 00:34:01.060 --> 00:34:05.110 that this is any bigger concern than any others, but we're also in conjunction with 499 00:34:05.110 --> 00:34:09.200 DOT Volpe, SRI and Department of Energy. We're also 500 00:34:09.200 --> 00:34:13.220 looking into electronic, electric vehicles. There all 501 00:34:13.220 --> 00:34:17.280 electronic. Electrical vehicles, because again your plugging 502 00:34:17.280 --> 00:34:21.370 your hybrid car or what not into, is that just like 503 00:34:21.370 --> 00:34:25.400 a power cord or an ethernet wire or what not so 504 00:34:25.400 --> 00:34:29.470 again nothing that's, you know more concerning to other 505 00:34:29.470 --> 00:34:33.570 things in there. Looking at that type of attack surface and 506 00:34:33.570 --> 00:34:37.720 again, I think we talked about a little bit again. What's the motivation? Is it a nation state 507 00:34:37.720 --> 00:34:41.720 advasary? Is it a monetary kind of, what's the motivation and why? 508 00:34:41.720 --> 00:34:45.730 And when? So I think those kind of exploits. 509 00:34:45.730 --> 00:34:49.770 The car versus your phone, versus your 510 00:34:49.770 --> 00:34:53.840 computer, versus your refrigerator at home and HVAC 511 00:34:53.840 --> 00:34:57.850 system. I mean it's all becoming interconnected and it 512 00:34:57.850 --> 00:35:01.890 depends on what the motivation is in there, but there all 513 00:35:01.890 --> 00:35:05.980 computers. Is it on wheels, is it in your house or is it in your phone? So. 514 00:35:05.980 --> 00:35:09.990 [Host] Appropriately spooky for all. [Chase] Correct me. Build upon what I've said. 515 00:35:09.990 --> 00:35:14.040 [Brendan] Yeah, there all 516 00:35:14.040 --> 00:35:18.140 I forgot exactly what the question was, but in terms of threat and threat factors it's 517 00:35:18.140 --> 00:35:22.160 the fleet level stuff. We're not trying to scare 518 00:35:22.160 --> 00:35:26.220 anyone and say your car is going to get hacked tomorrow and you know you gotta be careful. 519 00:35:26.220 --> 00:35:30.230 Rip all the electronics out of it, it's that 520 00:35:30.230 --> 00:35:34.250 we're aware of these kind of structural issues and we are trying to fix them 521 00:35:34.250 --> 00:35:38.330 before it reaches an issue. [Chase] And I think we've talked 522 00:35:38.330 --> 00:35:42.430 a little bit about it, but just like any market forces right 523 00:35:42.430 --> 00:35:46.460 as a consumer just like folks are starting to ask about their 524 00:35:46.460 --> 00:35:50.530 smart thermostat or something. Folks hopefully at large 525 00:35:50.530 --> 00:35:54.630 will start asking those questions to the manufacturers and we have already seen the OEM's get ahead of this 526 00:35:54.630 --> 00:35:58.660 that says "hey my car is now, I got you know 527 00:35:58.660 --> 00:36:02.730 wi-fi, hotspot and it's self parking and lane controls 528 00:36:02.730 --> 00:36:06.840 and media and all this stuff and they should 529 00:36:06.840 --> 00:36:10.880 be asking those questions, "Hey, should I be, how are we securing this" and what not. 530 00:36:10.880 --> 00:36:14.960 Again not from a fear or that should be, but from just a 531 00:36:14.960 --> 00:36:18.970 general market force that says, hey we wanna make sure that these thing are 532 00:36:18.970 --> 00:36:23.020 safe and secure, just like anything else we use. 533 00:36:23.020 --> 00:36:27.110 [Host] Another question. Which vehicles are you seeing as the most hacked system? 534 00:36:27.110 --> 00:36:31.130 [Chase] Well again, I think we talked about it a little bit. 535 00:36:31.130 --> 00:36:35.180 We'e talking generalities now. We're looking at those 536 00:36:35.180 --> 00:36:39.270 potential and those risks, not seeing across 537 00:36:39.270 --> 00:36:43.290 all models and as David mentioned about the ACIC and the consortium 538 00:36:43.290 --> 00:36:47.350 and OEM's, while we aren't putting out the names of those 539 00:36:47.350 --> 00:36:51.440 manufacturers, it's a good 540 00:36:51.440 --> 00:36:55.470 good major OEM's from U.S. and international 541 00:36:55.470 --> 00:36:59.530 based companies that are looking into this and are 542 00:36:59.530 --> 00:37:03.630 taking very proactive actin to make sure that their vehicles 543 00:37:03.630 --> 00:37:07.660 are in the fleet. The models now and especially 544 00:37:07.660 --> 00:37:11.740 the models coming out in 2020 and beyond are secure as 545 00:37:11.740 --> 00:37:15.840 can be. Nothing is 100%, but they are very proactive on it. 546 00:37:15.840 --> 00:37:19.880 So no specific one that we are concerned about or seeing 547 00:37:19.880 --> 00:37:23.960 more of. It's what's in the real world and in the "wild" versus what we are seeing in 548 00:37:23.960 --> 00:37:27.970 potential and labs and what not. [Brendan] Yeah, I mean I was going to say the most hacked vehicle that 549 00:37:27.970 --> 00:37:32.020 I see is the one that it's in my lab. [David] Well, thank God it's in your lab. 550 00:37:32.020 --> 00:37:36.100 [Laughter] [Chase] Don't hack your ride. Hack someone else's ride. 551 00:37:36.100 --> 00:37:40.120 Hack a research vehicle. [Host] Good advice. 552 00:37:40.120 --> 00:37:44.160 [Host] Anymore, any other thoughts. [Brendan] No, no thats it. 553 00:37:44.160 --> 00:37:48.250 Just bringing some humor in. [Host] Gotcha, okay 554 00:37:48.250 --> 00:37:52.270 well so to wrap things up. Are there any final comments or even advice that you would offer to folks 555 00:37:52.270 --> 00:37:56.330 just about vehicle cyber security in general or anything you want to leave us with today? 556 00:37:56.330 --> 00:38:00.420 [Chase] Well again, I think it's remebering 557 00:38:00.420 --> 00:38:04.430 nowadays it' not just spark plugs and a cadillac converter 558 00:38:04.430 --> 00:38:08.490 and the mechanical aspects of the car. 559 00:38:08.490 --> 00:38:12.580 There are multiple computers and those computers come from multiple 560 00:38:12.580 --> 00:38:16.610 different suppliers that are very well interconnected. So we 561 00:38:16.610 --> 00:38:20.610 just gotta be safe and secure and think about those things. 562 00:38:20.610 --> 00:38:24.710 But also, don't be fearful 563 00:38:24.710 --> 00:38:28.750 of your car. Go buy a modern car, don't buy the 564 00:38:28.750 --> 00:38:32.820 30 year old car, unless your really into older cars. 565 00:38:32.820 --> 00:38:36.920 Because the technology is also simultaneously being deployed 566 00:38:36.920 --> 00:38:40.960 into our vehicles, increase the safety, 567 00:38:40.960 --> 00:38:45.040 increase efficiency, reduces liability. A lot of great aspects 568 00:38:45.040 --> 00:38:49.050 and then the future is bright kind of a thing. We just want to be a safe and secure future. 569 00:38:49.050 --> 00:38:53.090 {Brendan] Yeah I'd say I'm interested in a lot of the 570 00:38:53.090 --> 00:38:57.180 new safety features that are coming out that are kind of this 571 00:38:57.180 --> 00:39:01.190 bridge towards autonomous vehicles is something we think alot about at DOT so 572 00:39:01.190 --> 00:39:05.240 I'm excited for that, but I think before we can fully realize 573 00:39:05.240 --> 00:39:09.320 that we gotta make sure what we have is secure. So the next generation of secure architecture is 574 00:39:09.320 --> 00:39:13.340 say I'm interested in. [David] And the other thing 575 00:39:13.340 --> 00:39:13.360 I would mention is the work on the cyber physical security 576 00:39:13.360 --> 00:39:17.410 I would mention is the work on the cyber physical system 577 00:39:17.410 --> 00:39:21.510 security program, isn't just limited to vehicles. We are also looking at things 578 00:39:21.510 --> 00:39:25.530 like medical devices, building controls, the energy 579 00:39:25.530 --> 00:39:29.590 grid, energy systems and you've also got a program 580 00:39:29.590 --> 00:39:33.700 and internet of things our IOT devices. [Chase] 581 00:39:33.700 --> 00:39:37.720 It's across the board. [Host] It's all happening. [Chase] 582 00:39:37.720 --> 00:39:41.790 One last thing that I think in our respective organizations 583 00:39:41.790 --> 00:39:45.890 and collectively together. Aspects that we are doing in the automotive and vehicle 584 00:39:45.890 --> 00:39:49.930 cyber security are and can cross pollinate into other 585 00:39:49.930 --> 00:39:54.000 areas whether or not it's medical devices, hospitals, building controls 586 00:39:54.000 --> 00:39:58.010 systems in a smart building and what not and vice versa. 587 00:39:58.010 --> 00:40:02.050 So that things that we're leaning and have projects in other areas in IOT 588 00:40:02.050 --> 00:40:06.130 Internet of Things right. 589 00:40:06.130 --> 00:40:10.140 The car is becoming a IOT and more things are 590 00:40:10.140 --> 00:40:14.140 your IOT wearables or what not will interact with your car so 591 00:40:14.140 --> 00:40:18.230 the cyber security efforts in that community and the projects that we have going on there are also really interesting. 592 00:40:18.230 --> 00:40:22.240 So good point. {Host] Awesome, I am excited to hear more about those programs 593 00:40:22.240 --> 00:40:26.290 moving forward. Thank you all so much for being here 594 00:40:26.290 --> 00:40:30.380 today. We hope you enjoyed the Tech Talk. If you have any additional questions we invite you to check out our website 595 00:40:30.380 --> 00:40:34.699 or shoot us an email. We'll see you next time. Thank you.