Safety Starts With Data: An Interview With GM's Head of Product Cybersecurity

Published: 22/11/2024   Category: security




An insightful Security Now interview with Jeff Massimilla, vice president global vehicle safety and product cybersecurity at General Motors.



Jeff Massimilla is vice president of global vehicle safety and product cybersecurity at General Motors, and also vice chair of the Auto Information Sharing and Analysis Center (ISAC). Security Now's Simon Marshall conducted a telephone interview with Massimilla as part of our ongoing coverage of security in the connected and self-driving automobile industry. The interview that follows has been edited for clarity and space.
Simon Marshall:
How has cybersecurity at GM changed over time?
Jeff Massimilla:
We have been working with cybersecurity for years really, but it was all siloed. We had OnStar security, we had corporate IT security, we had R&D, we had some vehicle-based security activities. As vehicle security posture became more important, given my knowledge of execution on the primary attack surface of the vehicle -- infotainment -- in 2014 I took on the chief product responsibility in the firm for security. Having individual people looking at cybersecurity was no longer appropriate. We replaced that with me owning everything that touched the product or the customer ecosystem. Cybersecurity today is really all about keeping our customers safe, and so we recently combined global vehicle safety with the product cybersecurity safety organization. Now I'm head of a single organization.
SM:
For what reason were the two groups moved together? Improved physical safety of the car?
JM:
We have big sets of data on the vehicle safety and the cybersecurity side. A lot of the same data is used throughout our analytical processes. If you look at regulation and legislation, the safety and cyber aspects are very closely tied together. Car recalls, crash and safety worthiness will remain, but there'll now be my security specialists, there will be my red team of hackers, working on these tasks too. Then there's incident response where groups can learn from each other, and so we've also aligned the safety and cyber response approach to more effectively find any anomalies.
SM:
Do you collaborate with external cybersecurity organizations?
JM:
Absolutely... any company that can talk about their cybersecurity effectiveness will talk about collaboration. We have to be right 100% of the time but the bad guy has to be right only once. When you're up against those odds, the only way to beat them is through a significant collaboration. We work with industries including aerospace, defense, consumer electronics, the armed forces and other government agencies. We also pay contractors to find new solutions, we may want a third-party review of our procedures, and also, I may hire an external third party red team. That's because we want to learn from them or have them teach us things too.
SM:
Do you employ hackers?
JM:
I have 85 people working in our connected security ecosystem. I have a full-time red team of ten people, who are all hackers to some extent; they're certified ethical hackers. Some are from other walks of life that have entered our organization. In terms of a bug bounty approach, we have put the welcome mat out there, and asked please tell us what you find in our environment. We haven't talked much in public about this yet, but we don't really want a public bounty program because maybe then you aren't incentivizing at the level where you would get the best people looking at your stuff.
Through our relationship with HackerOne, we offer private bug bounty programs where we encourage people we have a relationship with to compete with each other, and we give them access to assets they wouldn't normally be able to get ahold of.
SM:
What threats are you facing today that weren't there five years ago?
JM:
It's great the industry is getting out in front of this before we see any incidents in the field. The potential adversaries that we see are hacktivists, criminals, the nation state, but they haven't taken a focus on our ecosystem yet. But we all know it's a matter of when, and not if.
SM:
Are you worried that hackers are out there already, gathering information unobserved?
JM:
Worried is not the word I would use. People who have encountered zero-day exploits in any cyber environment of any industry know that threats don't just fall from the sky, they take time. So realistically, there are activities that are happening out there right now.
SM:
You're designing an autonomous vehicle (AV). Is it ready?
JM:
The security posture and learnings from our regular vehicles are the foundation of what we'll deploy in our autonomous vehicle. But we're not ready to stick an AV on the road today. Do we believe we're ahead of the other manufacturers? Of course. But our launch timing will be dictated by how successful our testing is.
SM:
How are you testing?
JM:
If you depend on just red team testing, you'll only find all the issues at the end, and then your ability to keep product launches on time is challenged. Instead, red teaming should really be a confirmation that we ran a truly secure process during the development of the vehicle.
When we do red team testing, we do a combination of white, grey and black box environments. We have an internal or external red team. At the end, their findings are then shared with the blue team to make sure that we're learning from them. Obviously, we need to keep the two teams separated, but when you're doing white box, for example, you're telling the red team everything you possibly can about the car's development, so they can take that and try to find a new attack surface or methodology to get in.
SM:
A lot of threats out there in other industries apply to automotive. But it's not often that a security attack results in actual bodily harm. That's a very real possibility with AVs, isn't it?
JM:
This is not just specific to AVs; I'd argue that with any connected vehicle, harm could be the objective of an adversary. Unauthorized access of vehicle control and safety systems could be their primary motivation. And it's our primary motivation on our side to protect customers.
SM:
Explain how you're protecting specific devices on an AV, and computer control systems on connected cars.
JM:
We look at the entire attack surface of the vehicle. Weaknesses could be wireless or wired, or they could be devices brought into the vehicle. We have to look at all threats. And then we appropriately apply controls and capabilities to systems, subsystems or individual components to prevent unauthorized access or control. An example would be how we authenticate a sensor to make sure it's the appropriate sensor for that vehicle, is the intended design, and that it's the same part that was tested and validated during production. These systems are really no different from digitally signed software; it's just that they're applied to vehicles. We have to make sure that nothing else can be added onto the vehicle that would represent a weakness. This is a good example of how we view the attack surface.
SM:
Do you have a secret sauce?
JM:
No! I wish it was as simple as having a secret sauce. But from my perspective the secret sauce is the capability of the team. There's the great challenge of cybersecurity -- it's exciting and motivates people. Also, many people think that automotive is a very sexy industry. I put the two together and I say to team candidates I'd love to offer you a job to work on the red team to hack a Camaro, and people are very, very motivated to do that work. The only way we can be successful really is through great talent.
SM:
Characterize how much of a priority security threat management is throughout the entire GM organization.
JM:
I'm a very well-funded and resourced organization within the company. The work that we do is on the critical path, and represents future technologies that are going into a secure environment. If we're not ready with cybersecurity on our cars, we will not launch them. I have regular interaction with Mary (Barra) and the board, so this is all at the highest level of priority for the company.
SM:
How many hours a week do you work?
JM:
The best way for me to answer is that I make it a huge priority to have dinner with my family and young children. I'm highly dedicated to the mission and the role but it's a big priority for me to have family time too.
— Simon Marshall, Technology Journalist, special to Security Now