The video highlights the intricacies of connected vehicles, explaining that modern cars are essentially complex computers with the potential to be hacked. There are significant cybersecurity risks as cars now host numerous onboard computers and millions of lines of code. The speakers stress the importance of addressing these vulnerabilities, especially as connected vehicles continue to become more prevalent worldwide, with an estimated 367 million vehicles by 2027.
The discussion also touches on the myriad of challenges in securing these vehicles, including the aging of vehicles without frequent updates, the increasing complexity of onboard and external technology, and the need for automakers to adopt secure-by-design practices. Emphasizing cybersecurity in the early stages of car design—rather than as an afterthought—appears crucial to ensure safer systems that can cope with threats and protect user privacy.
Main takeaways from the video:
Key Vocabulary and Common Phrases:
1. cybersecurity [ˈsaɪbərˌsɪˌkjʊrɪti] - (noun) - Protection of computer systems and networks from information disclosure, theft or damage. - Synonyms: (information security, IT security, network security)
And what we know from cybersecurity is that every computer can potentially be hacked.
2. vested interest [ˈvɛstɪd ˈɪntrəst] - (noun phrase) - A personal stake or involvement in something for financial or other personal reasons. - Synonyms: (stake, concern, involvement)
So we have a very personal, vested interest in this technology and making sure it succeeds.
3. end point [ˈɛnd pɔɪnt] - (noun) - A remote computing device that communicates back and forth with a network. - Synonyms: (terminal, node, connection point)
Every one of these things is an endpoint, and every single one of them increases the attack surface.
4. attack surface [əˈtæk ˈsɜrfəs] - (noun phrase) - The sum of the different points where an unauthorized user can try to enter data or extract data from a system. - Synonyms: (exposure area, vulnerability zone, breach point)
Every single one of them increases the attack surface, making it easier for a bad guy to do whatever it is he wants to do.
5. telematics [ˌtɛləˈmætɪks] - (noun) - Technology involving long-distance transmission of computerized information. - Synonyms: (remote information, telemetry, communication technology)
There are TCUs, those are telematics control units, for managing the telecoms and the data services in the vehicle.
6. hyperscaler [ˈhaɪpərˌskeɪlər] - (noun) - Large-scale cloud service provider capable of delivering compute, storage, and networking resources on a massive scale. - Synonyms: (cloud provider, cloud service, data center)
And one sort of platform and service is a hyperscaler.
7. generative AI [ˈʤɛnəˌreɪtɪv eɪˈaɪ] - (noun) - Type of AI technology that can generate data similar to the input data it was trained on. - Synonyms: (creative AI, machine learning model, AI generator)
So generative AI is a consideration here, but how?
8. defense in depth [dɪˈfɛns ɪn dɛpθ] - (noun phrase) - Security strategy that involves multiple layers of defense to protect data and information. - Synonyms: (layered security, multiple safeguards, security in layers)
It's one that has the defense in depth capability.
9. principle of least privilege [ˈprɪnsəpl əv list ˈprɪvlɪdʒ] - (noun phrase) - Security practice where users are given the minimum levels of access – or permissions – needed to perform their job functions. - Synonyms: (minimum access, restricted access, need-to-know)
We have multiples. It's one where we're implementing the principle of least privilege.
10. secure by design [sɪˈkjʊr baɪ dɪˈzaɪn] - (adjective phrase) - Designing systems to be secure from the ground up, rather than adding security features later on. - Synonyms: (built-in security, integrated protection, default-safe design)
A secure by design car would be one that fails safe instead of fails open.
Autonomous Revolution - The Intersection of AI, Cyber Security, and Connected Cars
The modern car is essentially a computer that takes you places. In fact, it's likely to contain between 70 and 100 onboard computers and a hundred million lines of code. And that doesn't just mean high-tech electric vehicles. That's all cars these days. And what we know from cybersecurity is that every computer can potentially be hacked, which means potentially every car can be hacked. Rest well with that idea. Right?
And that's why a recent IBM Institute for Business Value report drew our attention. We both drive AI-powered, self-driving electric cars. In fact, we both got to the studio today in them. So we have a very personal, vested interest in this technology and making sure it succeeds. No doubt you've seen Martin's great videos on the IBM Technology channel on AI, and hopefully you've also seen some of Jeff's videos on cyber security. So this whole subject of securing connected cars is right in the sweet spot for both of us, professionally as well.
In this video, we're going to take a look at the challenges in this emerging space and see what we can do to mitigate the risks. So let's talk about some challenges. And the first challenge, I think, is that connected cars run on a lot of data, lots and lots of data. Connected cars have always-on network connections used for all sorts of purposes, like shared mobility, assisted driving and autonomous features. Now, according to Juniper Research, the number of connected cars is quite large. It's projected to be something like 367 million vehicles by 2027.
Now, that sounds a lot, but we're not just talking about self-driving vehicles here. Many of today's vehicles are considered connected vehicles. So today there's something like 200 million connected vehicles. So I wonder, with all of this data, it doesn't represent any kind of security concern, does it, Jeff?
Au contraire, Martin. Every one of these things is an endpoint, and every single one of them increases the attack surface, making it easier for a bad guy to do whatever it is he wants to do, because now he's got a million different targets, hundreds of millions of different targets that he can aim at and potentially attack and create all kinds of havoc. So that becomes an additional threat that we have to consider. Another thing also. If you've got a ten year old laptop, probably it's getting toward the end of its life, and you're going to chuck that thing and get another one.
And certainly you wouldn't want to use one that hasn't had software updates in ten years. It's going to be slow. It's going to have all sorts of security bugs in it and things like that. Well, guess what happens with vehicles. Most people hang on to them either for ten years or more, or they get rid of them and somebody else inherits that car.
But the point is, it's out on the road for decades and we're not used to supporting software and vulnerabilities for that long a period of time. What's the business model? What's the incentive for the carmaker to keep supporting software updates in vehicles that they're not making any more money from? That means we have lots of security holes sitting out there riding on the highways. You know, ten years is amateur hour. My wife has had her car for 14 years.
You're making my point exactly. Right. Now let's talk about another concern I think many of us have, and that's about another increase in something, the increase in complexity. So a connected vehicle is loaded with all sorts of onboard capabilities. Now, there's some obvious ones, like CPUs of course, for processing, but there's probably GPUs as well that are powering the infotainment system. There are TCUs, those are telematics control units, for managing the telecoms and the data services in the vehicle, like GPS navigation.
And one we're both very familiar with, Jeff, I think is OTA, over the air. I'm waiting for one right now. Love the OTA updates. Yeah, we can't wait for those. So there's also lots of things that happen outside of the vehicle as well, out-car technology as well.
So for example, there is cloud technology for workloads that don't run on the vehicle. Now that's also known as cloud VSOC, meaning virtual security operations center, and that has various applications and data platforms that monitor, manage and respond to cyber security threats and incidents. So yes, it's a lot of complex stuff.
It is complex. And what I know for sure is that complexity is the enemy of security, because the more complex a system is, the harder it is to assure that it's going to do exactly what we intend for it to do. So all of this great stuff that gives us these new features also represents a complexity which then represents a threat to security as we see security decrease as a result of these things if we're not really careful.
Now, what a lot of organizations do with software in general, and this applies to cars as well, is they tend to look at security as an afterthought. It's a bolt on, as opposed to something that's baked in from the start. If you bake it in from the start and use the right design principles, you've done security by design.
A secure by design car would be one that fails safe instead of fails open. It's one that has the defense in depth capability. So we're not relying on a single security mechanism, but we have multiples. It's one where we're implementing the principle of least privilege so that systems can't do more than they were supposed to be able to do. They can only do exactly what they were designed to do and no more.
So we need to be able to implement these kinds of processes and architectures in the vehicles themselves. And I have a down arrow challenge as well. I'm just going to call this "lack of". Because traditionally, in-car security is managed by an OEM's product development organization. And the out-car security stuff is the shared responsibility between probably research and development and the IT department.
And that leads to a lack of stuff. So there is a lack of shared resources between these teams. There's probably also a lack of common tools, and there's probably a lack of common skills between these organizations as well.
Now, in fact, the IBV study reported that well over 50% of automotive execs reported lack of all of these things. Yeah, no doubt. And that really sums up the conclusion that threats will increase. As we add all of these things, the threats on the road will continue to increase. Now, some people will ask the question, is this a real threat, or is this something you guys are just hyping? This is hypothetical.
Well, no, it's real. In fact, it's been around for a while, even though you might not have been aware of it. Back in 2015, a couple of white hat hackers, guys who hack, but they expose the information that they find to the car makers. So they're not damaging anybody. They're actually looking for security vulnerabilities in order to make the system better.
They actually did a proof of concept where they were able to take over one of the very popular vehicles on the road that day, in those days, and they were able to control brakes, they were able to control the infotainment system, the steering, the engine speed, a lot of different things like that. That could be disastrous in the hands of an attacker. And they were able to do it, and it caused, as a result, a recall of 1.4 million vehicles that had to be changed, their software updated, and so forth. And back then, we didn't have over the air updates, so these vehicles had to be brought into the shop in order to be updated.
So these are real threats that we see already. Imagine, when we start introducing all of these kinds of capabilities, how much more that is, in fact, going to increase. Yeah. So that's a real threat to security. But another one of my concerns is privacy. What about privacy?
Yeah, that's a really good one also. And as a driver, a consumer of this technology, you should care about it as well. Privacy. Well, your car is collecting lots of information about you. It's a computer that takes you places.
You know, your computer is collecting lots of information about you. And a lot of that information is used to improve service for you to give you a more customized experience. But how is that information used and where is it sent? We know it's being sent off into a cloud someplace else. What are they doing with that information?
Do we know? Can they change their terms of service? So this is a threat to consumer privacy, and most people are not aware of it. They go ahead and consent when they get the car so that they can drive it. When those terms of service come up, nobody brings their lawyer along to read through the whole thing before they take delivery of the vehicle.
You just go ahead and accept it. And by the way, that stuff changes. So we've got threats, both real and theoretical, in the security space as well as in the privacy space. All right, Jeff, we've covered the challenges, but what can we do about them? So let's talk about some recommendations.
Yeah. In fact, Martin, let's take a look where you cover the automakers and what they can be doing to improve security. And I'll talk about what the drivers and consumers can do to protect themselves. Okay, so on the automaker front, there's a couple of things that we can do. So manufacturers need to embed security and privacy in the entire product lifecycle, and they can start with building core platforms and services.
And one sort of platform and service is a hyperscaler. Now, what is that? It's a large scale cloud service provider capable of delivering compute, storage, and networking resources on a massive scale. And that extensive amount of compute can take advantage of data insights to design a robust and secure infrastructure. And, Jeff, I'm sure you knew we couldn't get through an entire video without me talking about GenAI.
Apparently that's a thing. It is a thing, yes. So generative AI is a consideration here, but how? Well, it can be used to automate the monitoring of compliance with security standards across the supply chain. It could be used to generate contracts and reports and create models that predict future risk based on historical data as well.
The key here is, though, to use common tools and standards to encourage security and compliance and transparency across the entire ecosystem. I want one other thing for manufacturers to consider from the start, and it's something you've already mentioned, Jeff, that is SBD, secure by design.
Yeah. If you don't build the security in from the start, then trying to add it on later is more expensive and actually more dangerous. So, in fact, if you don't get this stuff right as an automaker, it could represent an existential threat to the company because of damage to your brand, reputational damage. So get that stuff right for sure.
Now, on the consumer side, what can you do? Well, I think it starts off with education. So learn as much as you can about this technology, about what your car is intended to do, what it's not intended to do, how you can use the capabilities best in a safe way, and don't do things that avoid the way the car was designed to operate.
Another thing that you can do, like with all systems that are computers, and again, these are computers that take you places, there's software on there, you need to make sure that the software is updated. Now, if you get over the air updates and you maybe don't want to apply it the very same day that it comes, that's understandable. But don't go weeks or months. For sure, don't go months not applying these updates.
And if you have to take the car into the shop because there's no way to do an over the air update, well, then that's what needs to be done. Because if you don't do this, then there are latent security bugs in your car and you're driving around now what could be a ticking time bomb. You want to make sure that's not happening in your case.
And then the one thing you definitely do not want to do, jailbreak the car. Jailbreaking means you modify the software in a way that the automaker didn't intend. And when you do that, you violate the security model. And we have no idea what's going to happen at that point. We all are impatient, especially me.
I want those updates quickly. But don't do this to try to get them because that will put you at far greater risk. Look, Jeff and I, we are both real fans of connected vehicle technology and what AI can bring to the driving experience. Exactly. We just need to make sure that the security challenges are mitigated so that we can sit back and enjoy the ride.