Cybersecurity Expert Says Crowdstrike and CDK Global Incidents Serve as Wake-Up Calls
Upstream Security VP says many dealers just don’t have robust IT teams.
When cybersecurity firm Crowdstrike’s platform went down in July, it became the most significant outage in the history of information technology, according to The Guardian. About 8.5 million Microsoft operating systems were affected, spanning almost every sector of the economy.
In the wake of the crash, which was traced to a faulty software update pushed by Crowdstrike, the automotive business is among those developing new policies to avoid repeat incidents.
During the Center for Automotive Research’s Management Briefing Seminars this month, SAE Media spoke with Boaz Hartal, VP of mobility and operations with automotive cybersecurity firm Upstream.
“When you look at Crowdstrike, it wasn’t a cybersecurity event. But it looks exactly like that in the world,” he said. “But we can look at it as a glass-half-full event” because it wasn’t a malicious attack, he said.
Still, it raises questions that must be answered, especially for companies that did not have a playbook for the event. Hartal said that Upstream has a step-by-step process for determining the cause and scope of any given problem, as do many companies. “But if they didn’t have a protocol before Crowdstrike, they will have a protocol, that’s for sure,” he said.
He said Upstream’s 17+ automotive clients were not affected, largely because their operating systems are not versions of Windows.
Hartal drew a contrast with the CDK Global incident, in which thousands of U.S. and Canadian dealerships were taken offline by a malicious ransomware attack. Comparing the IT practices of large corporations and automakers with those of small family-owned dealerships or dealership chains, he said the latter “don’t necessarily have the best IT,” adding that “some of them rarely update their systems” even when updates are available.
There is a lot of cybersecurity regulation and standardization, including ISO/SAE 21434 and the EU’s R155, but “it is not enough, to be honest with you,” he said. “We see different approaches regarding cybersecurity. [All this means is that] you can comply with the regulations totally, but not be secure at all.”
Hartal said Upstream will remain focused on threats to vehicle systems since that is where the biggest danger is. “It’s a different moral we face now; these groups [force us to] really work on the deep and dark web with our customers to understand exploits that these groups are trying to find. The groups are highly sophisticated and highly equipped with better computers,” he said, which means they can earn more money with them. They are looking for the weakest link, and wherever they can get the biggest ransom payment and threaten the most damage.
Asked about the developing edge-computing technology that many feel will be necessary to enable higher levels of autonomous driving beyond SAE Level 3, Hartal said that kind of computing, which takes place on-board the vehicle in a closed system, would be more secure for some vehicle data, but not all.
But, he said, there will still be apps and other software that make up the software-defined vehicle that will have to be able to take over-the-air updates. And that means the security threat will remain. “This is a place that you can get in and get your malicious code into [a vehicle or system].”