Cybersecurity Expert Says Crowdstrike and CDK Global Incidents Serve as Wake-Up Calls

Upstream Security VP says many dealers just don’t have robust IT teams.

While the Crowdstrike incident was not the result of hacking, the effects on the public were the same, said Upstream Security's Boaz Hartal. (Kvistholt Photography)

When cybersecurity firm Crowdstrike’s platform went down in July, it became the most significant outage in the history of information technology, according to The Guardian. About 8.5 million Microsoft operating systems were affected, spanning almost every sector of the economy.

Upstream's Boaz Hartal says that while state actors are sometimes involved, the vast majority of hackers are motivated by money. (Scott Fosgard)

In the wake of the crash, which was traced to a faulty software update pushed by Crowdstrike, the automotive business is among those developing new policies to avoid repeat incidents.

During the Center for Automotive Research’s Management Briefing Seminars this month, SAE Media spoke with Boaz Hartal, VP of mobility and operations with automotive cybersecurity firm Upstream.

“When you look at Crowdstrike, it wasn’t a cybersecurity event. But it looks exactly like that in the world,” he said. “But we can look at it as a glass-half-full event” because it wasn’t a malicious attack, he said.

Still, it raises questions that must be answered, especially for companies that did not have a playbook for the event. Hartal said that Upstream has a step-by-step process for determining the cause and scope of any given problem, as do many companies. “But if they didn’t have a protocol before Crowdstrike, they will have a protocol, that’s for sure,” he said.

He said Upstream’s 17+ automotive clients were not affected, largely because their operating systems are not versions of Windows.

Hartal drew a contrast with the CDK Global incident, in which thousands of U.S. and Canadian dealerships were taken offline by what was a malicious ransomware attack. Comparing the IT practices of large corporations and automakers to small family-owned dealerships or dealership chains, “they don’t necessarily have the best IT,” he said, adding that “some of them rarely update their systems” even when updates are available.

There is a lot of cyber regulation standardization, including ISO/SAE 21434 and the EU’s R155, but “it is not enough, to be honest with you,” he said. “We see different approaches regarding cybersecurity. [All this means is that] you can comply with the regulations totally, but not be secure at all.”

Hartal said Upstream will remain focused on threats to vehicle systems since that is where the biggest danger is. “It’s a different moral we face now; these groups [force us to] really work on the deep and dark web with our customers to understand exploits that these groups are trying to find. The groups are highly sophisticated and highly equipped with better computers,” he said, which means they can earn more money with them. They are looking for the weakest link, and wherever they can get the biggest ransom payment and threaten the most damage.

Asked about the developing edge-computing technology that many feel will be necessary to enable higher levels of autonomous driving beyond SAE Level 3, Hartal said that kind of computing, which takes place on-board the vehicle in a closed system, would be more secure for some vehicle data, but not all.

But, he said, there will still be apps and other software that make up the software-defined vehicle that will have to be able to take over-the-air updates. And that means the security threat will remain. “This is a place that you can get in and get your malicious code into [a vehicle or system].”