MY TAKE: Why security innovations paving the way for driverless cars will make IoT much safer

By Byron V. Acohido

Intelligent computing systems have been insinuating themselves into our homes and public gathering places for a while now.

But smart homes, smart workplaces and smart shopping malls are just the warm-up act. Get ready for smart ground transportation.

Related: Michigan’s Cyber Range hubs help narrow talent gap

Driverless autos, trucks and military transport vehicles are on a fast track for wide deployment in the next five years. The good news is that there is some very deep, behind-the-scenes research and development work being done to make driverless vehicles safe and secure enough for public acceptance.

I’m encouraged that this work should produce a halo effect on other smart systems, ultimately making less-critical Internet of Things systems much more secure, as well.

These sentiments settled in upon returning from my recent visit to Detroit, Ann Arbor and Grand Rapids. I was part of a group of journalists escorted on a tour of cybersecurity programs and facilities hosted by the Michigan Economic Development Corp., aka the MEDC.

One of our stops was at a freshly-erected skunk works for auto software research set up in a low-slung warehouse – previously a country western bar – in rural Sparta, on the outskirts of Grand Rapids. The warehouse today is home to Grimm, an Arlington, VA – based cyber research firm that specializes in embedded systems security, and whose claim to fame is doing proprietary projects for U.S. military and intelligence agencies.

Deep testing

Grimm received a $216,000 MEDC grant to set up shop in Sparta and direct its expertise towards discovering security flaws in autonomous vehicle systems under development by Detroit’s big car makers. Grimm CEO Brain Demuth told me he hopes the work Grimm has commenced in Sparta will also contribute to generally elevating the security of all types of IoT systems.

The embedded device chipsets at the heart of autonomous vehicles also happen to be the same ubiquitous “building blocks” that empower connected medical devices, smart homes, smart factories and smart cities, Demuth explained.

By discovering and fixing security holes in any of these building blocks, Grimm’s researchers can also contribute to improving the security of all types of systems that use that particular component. “These ubiquitous building blocks are shared across a lot of different industries,” Demuth says. “So we spend a good amount of time focused on finding and fixing these flaws, and helping to secure them across all industries.”

Grimm’s new Sparta facility is home to what amounts to deep-level penetration testing of emerging embedded systems. Grimm also plans to train others to do similar research at its Sparta outpost. For a full drill down on my visit to Grimm, please listen to the accompanying podcast. This approach is just one way Michigan is tackling cybersecurity issues head on.

I also interviewed experts from Irdeto and Karamaba Security, two software companies that have set up operations in Detroit to participate in the innovation taking place to bake security much deeper into the array of electronic control units, or ECUs, that work together to govern a modern car’s core systems.

Automation has seeped into the ECUs that power up a vehicle’s fuel pump, steering and brakes. This is measured by the Society of Automotive Engineers’ zero to five scale of vehicle autonomy. Most cars today are at level zero — equipped with automated systems that can send warnings and temporarily intervene, but cannot control the vehicle on their own.

However, an increasing number of models have risen to level two, whereby automated systems are able to completely control steering, accelerating and braking, though the driver must have hands on the controls and be ready to intervene. And a few models have achieved level three, at which the car is capable of emergency braking on its own, under certain circumstances.

At level four, true self-driving can take place within limits, while level five represents a vehicle where human driving is completely eliminated.

Security pitfalls

Early movers seeking to monetize these emerging capabilities are in the mobility-as-a-service space, led by Uber, Waymo and Cruise, says Stacy Janes, chief security architect of Irdeto’s connected transport division.


“Waymo is years ahead in the development of autonomous technology, while Cruise has the advantage of being backed by GM,” Janes says. “On the other hand, Uber already has the ride hailing customer base and knowledge of how to run that type of service.”

Before any of this can come to fruition, the security pitfalls residing in the dashboard of autonomous vehicles must be thoroughly vetted and resolved. The measure of that challenge is still, today, best personified by the research done some three years ago by ethical hackers Charlie Miller and Chris Valasek. In 2015, Miller and Velasek demonstrated several ways to compromise the ECUs of a Jeep Cherokee and then took their findings on a road show to tech conferences across the nation.

The Jeep hack was a game changer. It sparked an R&D surge on the part of car makers and cybersecurity vendors, even as the auto industry continued to advance up the SAE automation curve. While taking steps to address security, the auto industry, nonetheless, has not eased up on efforts to extend Internet services ever deeper into the dashboard.

Meanwhile, on a separate, though related track, research has also expanded into the design and development the infrastructure that will be needed to support autonomous cars and trucks, such 5G networks and car-to-car communications systems.

“The industry is trying to move toward a vehicle-to-everything (V2X) connected model where cars will not only talk to each other, but also to the infrastructure around them and possibly more,” says Irdeto’s Janes.

Ever opportunistic cyber criminals, of course, can be expected to swiftly find and exploit any weak spots. “Attackers will often use weak entry points to gain access and move to more valuable targets,” Janes says. “The eventual V2X network will be exposed to such attacks with possible safety and/or disruption of transportation risks as the result.”

Achieving smart transportation, indeed, is a complex challenge. And, for the moment, the auto industry is primarily focused on locking down, to the extent possible, the automated systems embedded in production line models.

Lifecycle risks

However, any day now, the auto industry will have to direct some of its attention to the question of how to keep autonomous systems secure in a dynamic environment over the longer haul, says Jennifer Tisdale, director of connected mobility and infrastructure at Grimm.

Our smartphones and laptop computers generally become obsolete and get replaced by more secure versions every 24 months. However, cars today stay on the road for 150,000 to 200,000 miles, typically changing owners multiple times, Tisdale observes.


“We have to look at security through that entire lifecycle of the car because there is a lot at stake,” Tisdale says. “If you’re an adversary, you’re not going to hack a car during the R&D phase, because you don’t typically have access to it. But the longer the car is on the road, the more time people will have to tinker with it and gain an understanding about how vehicles are networked together.”

So who will end up with the burden of keeping car systems patched? And who is going to get hit with fines related to privacy breaches tied to self-driving cars, especially if more states follow California’s lead and implement European-style data protection rules.

“There are a number of privacy concerns related to the sheer amount of information some of the new platforms will be storing, and that may become somewhat of an aftermarket need,” Tisdale observes.

Autonomous transportation is coming. A lot of technical and societal issues still need to be resolved. All of that said, it is clear that the earlier, and deeper, security and privacy gets baked in, the better for us all. The future of transportation relies on achieving consensus among all stakeholders and doing what needs to be done to preserve security and privacy as our world becomes ever-more connected

Michigan has led the way in standing up public-private partnerships that promote cybersecurity readiness on several fronts. This is very encouraging and provides a roadmap for others to follow. Carry on Michigan.

(Editor’s note: LW has supplied consulting services to MEDC.)

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone