– Hi, Sundeep and welcome to Upstream’s Tech Talk series. I’m Fay from Upstream Security and we offer the first cloud-based cybersecurity solution that’s purpose built to protect connected vehicles and smart mobility services from cyber threats and misuse through the use of data. I’ll be the host of this Upstream Tech Talk and just wanted to offer you the mic to introduce yourself.
– Thank you, Fay. I’m Sundeep Oberoi and currently I head the Cybersecurity Services Practice for TCS. TCS, as you know, is a large and a well-recognized system integrator with revenues last year in excess of 22 billion USD. We have a large cybersecurity practice and we have been seeing increased interest these days in OT security and of course in the area of automotive security with all the stuff that’s happening with autonomous vehicles. And we’re very excited about that area and would like to speak with you about this.
– I’ve known TCS when it comes to the IT space. So traditionally I’ve recognized that you guys do your work with IT with their cybersecurity elements and this shift now to OT with this advent of connected vehicles, with the advent of connected operational spaces, where do you see more added or shifting complexities when it comes to those spaces? And specifically my interest is the automotive space. What are some of these complicated elements of securing the connected vehicle and the automotive ecosystem?
– Fay, TCS has always had a very strong engineering services offering and we’ve been doing that for many customers in the automotive space, in the telecom space. So we really have been partnering with them to evolve their products. The thing that’s happening today, this is a general global trend, that we’re seeing something which I like to call the softwarization of everything. So we’re seeing more and more custom built hardware being replaced by, let’s say, a commodity compute platform and the functionalities are now being realized in software. So this softwarization of everything produces tremendous benefits but it also brings in the well-known software support and IT systems support, maintenance, and evolution problems and issues that we have known about in the traditional IT world. And we see that playing out here and we think these issues need to be addressed with focus and firmly but we also think that our customers need help here because the traditional engineers they’ve done a lot of software to be sure and they’re the people who are leading the softwarization of everything but we have lots more experience in how to evolve, support, and maintain huge amounts of software. So that’s where we can bring in our learnings and really partner with our customers to make sure that we now produce things that are secure and that they’re sort of, let’s say, associated with a certain level of security assurance.
– So that assurance, assurance within the cyber security space, is a really difficult concept to understand because how would you explain that? To tell someone, can they be 100% confident that all of their elements within their ecosystem are cyber secure? What does that assurance mean? Could you explain that a little bit?
– So just to go back very, very briefly into the history of the evolution of cybersecurity within IT classically. It started off with the IT itself evolving and in the initial days the threat would be viruses and then we had networking so we had firewalls. There was a lot of focus on point security solutions. And the first of which probably has been the user ID password which is the venerable user ID password. So we have evolved there from having point solutions to new problems that have come up as we’ve increased the deployment. And at some point there’s been the realization that we have to manage this issue, manage the issue of security as a management issue and we need a framework in which to do this. And the first such framework that became really popular was the British Standards Institute, BS 7799 which later was adopted by the ISO and became ISO 27001. So that evolution in terms of having a framework in which we look not only at the point security solutions, but the whole ecosystem, the whole gamut of people, process and technology and apply that to generate some kind of assurance that we’re dealing with cyber security issues systematically, organizationally, and over the whole ecosystem.
– So would you say that the implementation, let’s say when it comes to the regulation, the CSMS regulation, would you say that the implementation of that process, of that cybersecurity management system, that in and of itself is a form of assurance and assuring cyber security elements are in place?
– Yes, I think that is the most important element and it is forward looking of the UN and the regulators to adopt the approach that they would just say enshrined in their UNECE WP.29 as well as the ISO and the SAE coming together and coming out with a new Draft International Standard, DIS 21434. So the philosophy here is let’s first address the assurance piece, let’s have the organization and its processes certified before we permit the certification of any of their products. So they’ve really taken that learning. Because if you look at the regulators, if you look at consumers or the public at large, they want to know what is it that’s being done to address cybersecurity which seems to have so many myriad facets as the issue of autonomous driving, as the issue of a third party supplier that would supply me a component, does that have a backdoor? There’s the issue of updating software. Is that done properly or could an update start when I’m actually driving? So there’s a lot of different things that need to be done and you do need a framework in which to manage it. And I think this is really forward looking and this is where we can bring our experience on delivering the assurance that cybersecurity is being addressed systematically.
– And it seems that that assurance goes through both, let’s say within the automotive space, the OEMs, their suppliers, all the way down to the user and the driver of the actual vehicle itself. Each one of those elements… Each one of those different players within this space need that assurance in and of themselves in order to feel confident and comfortable and also to comply with the regulations themselves as well. Now when it comes to, you had mentioned this earlier, is the complexity when it comes to this cybersecurity and assurance, where do you see the OT space and cybersecurity within the automotive space being more complex than what others typically know of cybersecurity through the IT space? What are some of the added complexities, whether that has to do with the multicloud system, whether that has to do with the amount of data that is being produced, where do you see are some of the more complex issues that need to be focused on when it comes to the automotive cybersecurity?
– All industries that have dealt with critical OT, they do have a safety culture. There’s a strong safety culture. So they are used to following processes and doing extensive documentation. So that’s a plus that is a trait that helps them to deal with the complexity that will come out of implementing yet another security assurance system. While they are good at following procedures and processes and it’s kind of ingrained in them, there is a certain level of, shall I say, combinatorial complexity with IT. With traditional manufacturing you can specify a component relatively easily. A two or three page specification really pins down exactly what some mechanical or electrical component would do. But writing a specification for software can be tremendously tricky and it has proven so difficult to deal with that if you’re looking at the licenses that software manufacturers or software producers actually deliver their end customers, they accept very little liability. In the software domain where you’re operating with almost no liabilities, bringing that in to a domain that has operated on strict notions of product liability. Now the automotive industry is going to have to get used to delivering assurance where the suppliers of their subsystems, by virtue of having so much software in them, are limited in their ability to deliver assurance.
– The regulation also just very specifically says that it is the OEM’s responsibility to ensure that they have a secure supply chain. And it is complex especially because so much of that supply chain is software based. It’s quite incredible to, I would say, see cybersecurity technologies like Upstream dealing with that complexity. I know that something that we heavily focus on is recognizing that while there are so many different software components, there could be so many different ECUs in a vehicle, there is still a way to be able to take the data that is being produced. And one of the benefits of connected vehicles is that there is information being spread throughout the vehicle itself, through its communications with the mobile devices or different smart mobility service providers. There is data that is being driven back and forth. So there is a way. It may not be a way to write the exact, as you had mentioned, the specification of what the software can do, but there is a way of analyzing that and being able to recognize because it is connected, the cyber threats that do come from that space. Which is something I would say is both the pros and cons of the connected vehicle ecosystem, is the ability to find the threats but then again the increase in threats because of that, because of the connected sphere. Sorry, go ahead.
– Also, in the mechanical and electrical industries, there’s been a culture of actually making sure that systems and subsystems perform very tightly to their specifications. So it’s very clear what, let us say, a battery should do or should not do. It’s very clear what is the performance that a turbine should deliver and if it fails it’s clearly a liability on the part of the manufacturer and the consequences are also pushed on. Now, an industry that’s been used to working with this ability to have strict liability pushed down at supply chain, will now have to work in a situation where there’s so much software and the software manufacturers are really not in a position to give those kinds of guarantees. So that’s one complexity. How do you deal with this? What is your mindset in terms of how you did your assurance, the legal aspects, who will be responsible for what, that’s surely a legal as well as mindset and a culture complexity? The other thing is that many of the equipment that is mounted, let’s say on mobile platforms, by virtue of its location in a mobile or let’s say, for the lack of a better word, a hostile environment, high temperatures, low temperatures or dust, et cetera, it sometimes has limited computational capabilities to run very sophisticated protection mechanisms. Also since these vehicles are mobile, they’re amenable to being accessed by all kinds of people who have physical access and that’s different from a data center or other IT equipment where people can use various forms of physical access control to deny physical access. So that’s another complexity. You’re on the road and you don’t know who has access.
– Yeah. We actually see that the majority of cyber attacks or cyber threats over the past year, majority of them have been remote attacks. They have been those that have not been directly connected to the car. And that is one of the biggest fears of automotive or remote fleet wide attacks with the ability to get into a server and control vehicles remotely. A malicious actor taking control over a fleet is something that you see in the movies but it’s something that as the vehicle becomes more connected and as more OEMs shift down that path is something, unfortunately, that has the potential to happen is that remote access because of the connectivity of the vehicle itself. I wanna just kinda shift a little bit ahead. With these complexities and with this process and the assurance that you as an SI say corporations or OEMs need to take into consideration, where do you see that demarcation point between you as an SI, let’s say Upstream as a technology provider, that cybersecurity provider, where do you see that collaboration and cooperation working?
– As an SI we have always traditionally worked with the best players who own or produce certain technologies. So for example, maybe Dell or any other manufacturer, Intel. And these are the guys who make top of the line technology in their own areas. They have a particular role to play and we as SIs have another role to play. We work with a lot of major software players, SAP, Oracle. So we look for partners that have excellence in their own areas and we complement each other. There are people who are so specialized in a particular area and have spent so much work producing that solution and it’s recognized as an absolutely leading solution. But as we are able to take all these components, put them into a system, bring in the management processes that are required and make sure that all these things operate within the compliance and regulatory frameworks that they’re supposed to and thereby not only contribute to running their operations but also in delivering that level of assurance which they need.
– Fantastic. I think that’s really where this is all coming to is the collaboration of partners of experts within their individual fields because of how fractured the space is. You need people that really know their individual space and know their individual expertise, which I think is fantastic. So I just wanna say thank you so much for joining me today. Is there any last things that you wanna add that we didn’t touch upon?
– Yes. There is one last thing that I would like to touch upon. In the autonomous vehicles, there is an increasing reliance on systems that try to do what human cognition systems do. Vision, for example, reliance on AI. And recent work and research has shown that these systems are vulnerable. So there is well publicized work. If you have an image, you will be able to tamper with a few pixels in that image and an image recognition system will be completely fooled into thinking something else. I’ve seen examples of a stop sign being recognized as a stop sign. And then you hang a small postcard on the stop sign or you make some changes somewhere–
– There was recently a Burger King sign, I think, that was detected as a stop sign somewhere. And it was like the autonomous vehicle must stop for the burger.
– That would probably not be as bad a thing as if the stop sign was recognized as maybe something else and the car didn’t stop. So this is a new area and the assurance that our machine learning and AI systems, one thing is bias. And there’s enough discussion on the issue of bias in algorithms which is the well publicized examples of what would you do? What would an autonomous vehicle do if it suddenly found some pedestrians on the street? Would it swerve off the street risking killing the occupants or would it hit the pedestrians?
– Philosophical questions that are being brought into practical to the hands of the engineers.
– Yes, but that’s still bias. Now, there could be malicious uses of AI where somebody deliberately hangs something on a stop sign so that it is not recognized. So our assurance will have to cover our AI and machine learning systems as well. And I think that’s a significant area that we will have to address. And we have begun to make some steps in this area. We have some offerings which we can take to our customers but I think this is an important complexity that we will have to grapple with as well.
– Most definitely. As we’ve seen with the CSMS regulation that’s recent, there will probably be additional regulations that will come into place and OEMs will have to reconsider or consider different approaches when it comes to autonomous vehicles as well in the future and have to implement cybersecurity elements within that entire system and process as well. So that was a very, very valid point. Thank you again for joining me today. I really appreciate it. This is a great conversation. I enjoyed it. I think we meandered our way through a lot of different topics which I think are really fascinating. And I hope those that will be listening to this will enjoy our wide coverage of a conversation.
– Thank you, Fay.
– Thank you.