Remarks at SAE/NHTSA Cybersecurity Workshop

SAE /NHTSA Cybersecurity Workshop

Heidi King, Deputy Administrator, NHTSA

Tuesday, January 23, 2018

 

Here we are in a new year and already news brings us high profile cybersecurity breaches, attacks, and threats:

• Silicon vulnerabilities: Chip manufacturers vulnerable to Meltdown and Spectre bugs impact just about every processor sold over the past two decades. Users responsible for updates? I think on our recall experience;
• Infrastructure Security vulnerabilities: Trisis’s zero-day vulnerability in Schneider Electric’s Triconex Tricon safety controller firmware, allowing privilege escalation permitted the hackers to manipulate emergency shutdown systems;
• Ransomwear attacks on hospitals;
• User-driven vulnerability Dark Caracal, a multi-platform cyber-espionage campaign relying on basic social engineering. The group used malicious smartphone applications and websites to steal passwords and eavesdrop.

The good news is that we are here discussing issues, learning from one another in anticipation of protecting automotive safety.

 

NHTSA’s Mission and Cybersecurity

 

I am here because NHTSA’s mission and passion is safety: saving lives, preventing injuries, and reducing the economic costs associated with traffic collisions.

Most of us in the transportation community have heard that most traffic collisions are the result of human error and choices; cars are becoming safer, but drivers sometimes fail to wear seat belts or make the bad choice of operating a vehicle while impaired.

We at the Department of Transportation are working together with the emerging technology community for the safety benefits the new technologies offer: the potential to reduce the loss of life resulting from human errors and choices.

But we are aware that it’s not as simple as replacing human decision with code. Secretary Elaine L. Chao told me of a recent conversation, during a visit to Stanford just after the holiday: one of the experts commented to her that we aren’t eliminating human error, we are shifting it from driver error to programmer error.

As digital systems grow increasingly core to automotive safety systems, cybersecurity has risen in our priorities. It has also risen in public awareness, particularly as we consider the testing and deployment of automated driving systems.

NHTSA’s interest around vehicle cybersecurity is in the potential safety issues.

The theme I share with you today is that cybersecurity is not only the responsibility of programmers and the tech community, of designers and electrical engineers.

I believe that it is also the responsibility of users, consumers, and communities. We must build a culture of awareness and safe practices. And we must start now.

 

Vehicle Evolution and Cyber threats

 

Our cars today are among the most complex computerized consumer products ever deployed.

The public is rapidly becoming aware of the importance of auto cybersecurity as they consider the potential for Level 3 – 5 vehicles on our roadways.

But does the public recognize its responsibility in cybersecurity? Are they ready?

Many think of cyber threats as external: organized crime and state-sponsored crimes.

Cyber threats are often internal: phishing or data security practices.

But consumers present challenges too: modifying equipment or code, or failing to prioritize security.

In a recent interview, Marco DeMello, founder and CEO of PSafe, a mobile-focused security and privacy company known for work to acquire Hotmail for the tech giant Microsoft, said he learned that consumers don’t think about security until something bad happens. They lock their homes and cars, but don’t think that normal digital behaviors are associated with security risks.

At the same time, we know that consumers are nervous about relinquishing operational control of a vehicle to a digital decisioning system.

One of the challenges that the automotive industry faces is the challenge of mixed perceptions as the technology evolves.

We are not alone in this endeavor; our work will engage and influence others outside this room. It is critical that we adopt, encourage, and communicate strong risk management best practices in the area of cyber security for our automotive transport systems.

 

Risk Management

 

Risk Management in a rapidly changing environment requires creativity and curiosity, vigilance, and a risk management mindset, including tone at the top.

It requires robust processes that work: frameworks and good design.

And successful risk management also requires a strong risk management culture.

Without a strong risk management culture, the processes that appeared robust on paper may not produce the results they were intended to produce. Processes cannot assure creativity and curiosity.

As the automotive community leads on the cybersecurity journey, we should together build and support a cyber security risk management culture for the automotive industry that can serve as a role model to others.

Our national automotive safety depends on it.

 

Elements of a Strong Risk Culture

 

We are building this culture here.

A strong risk management culture is characterized by key elements:

• Common commitment to values and ethics: The extent to which individual interests, values and ethics are aligned with the group’s risk strategy, appetite, tolerance and approach
• Adoption and application: Risk should be considered in all activities, from strategic planning to day-to-day operations, in every part of the organization.  I relate this to the frameworks we develop – are they integrated, or just a task to be completed and set aside until next time they are due?
• Continuous improvement: Does the organization seek and demonstrate that it is continuously improving?
• Communication: Transparent, timely and forthright communications are key:  People should be comfortable talking openly and honestly about risk, using a shared vocabulary in pursuit of shared understanding.
• • General Becky Halstead, retired U.S. Army Brigadier General in the Iraq War, first female graduate of West Point to attain general officer shares the advice: “Be a good bad news taker.”
     

Steps toward building Risk Culture

 

• Tone at the Top. Risk culture requires a commitment from leadership, from me, from your leaders, from all of our executives.
• Awareness:  Do our colleagues, teams, customers, suppliers consider the importance of risk management culture? Does the awareness evolve with the risks?
• Constructive Challenge: Do we encourage challenge to happen? Is it rewarded?
• A culture of Continuous Improvement:  We should all strive to become better, and recognize that we are never “done” but rather vigilant.
   

Success in this venture will require some Humility

 

Just because we know more than others doesn’t mean we aren’t vulnerable.

I’ll give you an example from my own life: I recently read about a vulnerability in internet-connected home audio systems like the one in my home, allowing hackers to penetrate the network and obtain passwords.  I checked my firewall to ensure that I was protected from external hacks. But then, within a month, I was hacked—not by external intruders, but by a houseguest who tried to customize my system! My friend—not a techie, and not an audiophile—innocently and accidentally disabled parts of the system.

Someone in our industry said to me, they did not need to share data because they felt they were already in a stronger position than competitors. It doesn’t work that way—we are all vulnerable.

We must learn from one another and support one another. Because one company’s vulnerability—one customer’s vulnerability—is all of our vulnerability.

 

Auto Information Sharing and Analysis Center

 

I saw some of you last month at the first annual meeting of the auto ISAC. I hope someday to see that body become enthusiastic collaborators in risk management, sharing vulnerabilities and risk mitigation strategies. In an industry that shares suppliers or components, in an increasingly connected industry, an attack on one of us is an attack on all of us.

I have confidence that the members of Auto ISAC understand and will act. 

One of the examples of data sharing that impresses me the most is the nuclear submarine fleet.  I’m told that in that fleet, individuals actually compete to tell the story of their mistakes or near misses—and that they share their stories to improve the performance of others. Can you imagine a world in which all of us share our risk stories to make one another stronger?

 

Safety and Cybersecurity Risk Management

 

Already in 2018 we’ve had the chance to consider lessons learned from other sectors.

It’s prudent to assume that anything is hackable, given enough time and resources.

We ask ourselves, how can our collaborative efforts be directed?

Of course we must consider security when making design and architecture choices, and to make informed decisions about how and to what extent to employ different countermeasures.

We know we must facilitate containment and rapid recovery from incidents in a safe manner, but that may not be enough.

There should be advanced preparation and plans in place for timely detection and rapid response to incidents in the field, battle tested before a critical incident is encountered.

During a crisis is not the right time to figure things out.

We must strive for a culture of risk management, accelerating implementation of lessons learned across the industry through effective, constructive challenge, continuous improvement, and information sharing.

Meetings like this—the work of SAE—will be critical to ensuring a safe automotive future.