Cybersecurity Expert Says Crowdstrike and CDK Global Incidents Serve as Wake-Up Calls
Upstream Security VP says many dealers just don’t have robust IT teams.
When cybersecurity firm Crowdstrike’s platform went down in July, it became the most significant outage in the history of information technology, according to The Guardian. About 8.5 million Microsoft operating systems were affected, spanning almost every sector of the economy.
In the wake of the crash, which was traced to a faulty software update pushed by Crowdstrike, the automotive business is among those developing new policies to avoid repeat incidents.
During the Center for Automotive Research’s Management Briefing Seminars this month, SAE Media spoke with Boaz Hartal, VP of mobility and operations with automotive cybersecurity firm Upstream.
“When you look at Crowdstrike, it wasn’t a cybersecurity event. But it looks exactly like that in the world,” he said. “But we can look at it as a glass-half-full event,” he added, because it wasn’t a malicious attack.
Still, it raises questions that must be answered, especially for companies that did not have a playbook for the event. Hartal said that Upstream has a step-by-step process for determining the cause and scope of any given problem, as do many companies. “But if they didn’t have a protocol before Crowdstrike, they will have a protocol, that’s for sure,” he said.
He said Upstream’s 17+ automotive clients were not affected, largely because their operating systems are not versions of Windows.
Hartal drew a contrast with the CDK Global incident, in which thousands of U.S. and Canadian dealerships were taken offline by what was a malicious ransomware attack. Comparing the IT practices of large corporations and automakers to small family-owned dealerships or dealership chains, “they don’t necessarily have the best IT,” he said, adding that “some of them rarely update their systems” even when updates are available.
There is a lot of cyber regulation standardization, including ISO/SAE 21434 and the EU’s R155, but “it is not enough, to be honest with you,” he said. “We see different approaches regarding cybersecurity. [All this means is that] you can comply with the regulations totally, but not be secure at all.”
Hartal said Upstream will remain focused on threats to vehicle systems since that is where the biggest danger is. “It’s a different moral we face now; these groups [force us to] really work on the deep and dark web with our customers to understand exploits that these groups are trying to find. The groups are highly sophisticated and highly equipped with better computers,” he said, which means they can earn more money with them. They are looking for the weakest link, wherever they can get the biggest ransom payment and threaten the most damage.
Asked about the developing edge-computing technology that many feel will be necessary to enable higher levels of autonomous driving beyond SAE Level 3, Hartal said that kind of computing, which takes place on-board the vehicle in a closed system, would be more secure for some vehicle data, but not all.
But, he said, there will still be apps and other software that make up the software-defined vehicle that will have to be able to take over-the-air updates. And that means the security threat will remain. “This is a place that you can get in and get your malicious code into [a vehicle or system].”