March 21, 2024

EP 48 – What’s Driving the Future of Automotive Security

CyberArk Podcast

In this episode of the Trust Issues podcast, Kaivan Karimi, Global Partner Strategy and OT Cybersecurity Lead Automotive Mobility and Transportation at Microsoft, discusses with host David Puner the complexities of the automotive cybersecurity ecosystem, and they explore the challenges and considerations facing the industry. Karimi shares his insights on the role of identity security in automotive cybersecurity and how it helps ensure that only authenticated entities have the privilege to engage in the high-speed exchange of information. He also talks about the importance of data sovereignty, data privacy and compliance in the automotive industry. This episode provides a fascinating look into the present and future world of automotive cybersecurity and the measures being taken to protect against cyber threats. 

Take the audio ride!  

Title: Trust Issues Podcast with David Puner and Kaivan Karimi on Automotive Cybersecurity

Introduction:

David Puner (0:00): You’re listening to the Trust Issues Podcast. I’m David Puner, Senior Editorial Manager at CyberArk, the global leader in Identity Security. I don’t need to tell you that today’s connected cars and trucks are essentially software on wheels. They’re everywhere around us, as is their data. And as our vehicles evolve amid a period of massive tech innovation and new vehicular engineering, cybersecurity has emerged as a critical consideration for all sorts of vulnerabilities, from on the assembly line to on the road and beyond.

Identity Security, of course, plays a crucial role in automotive cybersecurity by helping ensure that only authenticated entities have the privilege to engage in the high-speed exchange of information. Identity Security serves as a staunch defender at every digital junction, ensuring that every entity, human or machine, is thoroughly verified, authenticated, and monitored. This is critical in safeguarding the integrity of data exchange and protecting against cyber threats in the auto industry, which can help to seamlessly protect an intricate and interconnected network and in turn foster consumer trust.

Our guest today is Kaivan Karimi, Global Partner Strategy and OT Cybersecurity Lead for Automotive, Mobility, and Transportation at Microsoft. In his role, Kaivan’s focused on, among other things, Identity Security, and safeguarding the integrity of data exchange, and protecting against cyber threats in the vehicle manufacturing network.

And in our conversation, we delve into the complexities of the automotive cybersecurity ecosystem and explore the challenges and considerations facing the industry. Here’s my conversation with Kaivan Karimi.

Interview:

David Puner (1:40): Kaivan Karimi, Global Partner Strategy, and OT Server Security Lead Automotive, Mobility, and Transportation at Microsoft. Thank you for coming on to Trust Issues.

Kaivan Karimi (1:50): Thank you for having me, David.

David Puner (1:53): Appreciate it. I know you’ve got traveling later on in the day. So thank you for squeezing us in. I guess to start with, you’ve got a really interesting job title and a really long job title. What’s it mean to be the Global Partner Strategy and OT Server Security Lead Automotive Mobility And Transportation at Microsoft?

Kaivan Karimi (2:10): The last 17 years-ish have been focused on automotive, transportation, some manufacturing. It was, I started with the early days of functional safety, but then through a transition to a different company, it was all in on functional safety and then later on based on the products mix and my previous background and interest, then focus on cybersecurity, and then the rest is history. I witnessed how when cars were not connected and the cultural transformation that the automotive industry had to go through because when cars aren’t connected. Security means, you know, how good are your locks or things that are proximity related. Whereas when they become connected and now all of a sudden they become networked, then you start worrying about similar networks cybersecurity issues that the networking side has been dealing with telecom, IT has been dealing with for many, many years, except you know, when very few instances that when IT gets compromised, damage can be so large.

You know, these are I I don’t know. 4 to 6 £6000 entities that you’re driving. And when somebody takes over remotely, or tries to do something malicious to them, the repercussions are dangerous. These are really mission-critical applications. And so people’s lives are dependent on it. So anyway, so combined with the fact that industry had to come up from a cultural perspective and feeling the need for it and then the regulations that got passed. So quickly, if you look at how long we took in the IT side for things to get standardized versus how long it took in automotive. Automotive right now. It’s drastic changes in the last 4 to 5 years across many different categories, but cybersecurity included. It’s been a great eye-opening ride for me.

David Puner (3:45): One of the things that I noticed today was a story. It’s not breaking news or anything like that, but we’re around the UN regulation that takes fraud effect later this year. And 53 countries are going to be held to this standard. What is your perspective and your understanding of the regulations that are gonna take place when it comes to cybersecurity and automotive and what it means for the industry.

Kaivan Karimi (4:05): There are 2 camps for all kinds of regulations in the industry. Mhmm. One is the countries that have a formal homologation process. Formerly, they have to get a certificate for whatever claim they make. Functional safety when someone says, hey, I’m level 2 autonomous, right, I’ll pass level 2 or I pass whatever level it is, they have to be able to prove it. That’s the countries that follow Unikey and they’re following this WP 29 deregulation that you just mentioned. Mhmm. Then there is North America, Canada, China, and some other countries in the US, you don’t necessarily need to have that. A lot of the regulations are functional self-certification. Self-certification is the other word for Lucy Gucci, you may call it. It’s, let me put it this way. You don’t hear certain EVs getting to accidents, fatal accidents on the ad based on the claims of, I’m capable of doing level x autonomy.

Today, as we speak, the most advanced autonomous functionality in a vehicle is level 3a half by Mercedes. And they have gone through the homologation process because it’s Europe. Mhmm. In North America, however, lots of people claim that they have different levels of autonomy, which in reality they can’t prove. So there are the 2 camps, even on functional safety. Now, most of the industry, especially traditional players, they avoid raising unnecessary noise related to their capabilities.

David Puner (5:15): And why is that?

Kaivan Karimi (5:17): Because they’re in it for the long haul. It’s a we win or lose as an industry together if the public loses their trust. Autonomous cars level, whatever, then they’re not gonna buy it. If the public loses their trust, that, hey, every time I’m getting in a car, I don’t know if I’m driving or somebody else is behind the wheel because I got hacked. They’re not gonna use it. As an industry, we win or lose. It’s not a particular brand. And if you’ve been an automotive guy for a long time, you know that. You’ll live that. If you’re a tech guy who just jumped into automotive, you don’t necessarily know. You treated consumer ish, and this isn’t a consumer ish type of stuff, even though it has all kinds of thick gadgets from consumer in it. Back to the cybersecurity, the implication is that countries that have adopted WP 29 and They have to go buy it. They actually have to pay attention. This is in self-certification. This is you have to go and show that indeed, it requires for you to have built security in. You said, buzzword, we say in tech. You say shift left. Right. Building security into the design and development process, then you have kept your manufacturing process secure as if going through the shop flow. And the security posture stayed intact. And once you came, they zero off the lot, that security posture now needs to get managed. For the life cycle of that moving entity on the road, whether it’s a car or a truck or a bus doesn’t matter. For the 15, 20, 30 years that it’s on the road.

David Puner (6:35): Right.

Kaivan Karimi (6:37): And that is a tall task. That’s fundamentally if you think about it, it’s the same hardware. Now you say, okay, your security for the same existing hardware needs to stay intact in 5 years from now, 10 years from now, even if you’re managing it remotely, there are so many different kinds of unknowns from the technology pieces that can come in play. So that is a meaningful step function change that the automotive industry needs to respond to.

David Puner (7:00): We haven’t actually talked yet about what automotive cybersecurity is. And while much of our audience may already know, It seems like something that a wider audience may not be completely aware of. So what is automotive cybersecurity and how does it figure into the whole equation when it comes to automobile manufacturing and considerations for automobile manufacturing of the future?

Kaivan Karimi (7:20): Fundamentally, it’s the same as what cybersecurity is for anything else that you wanna, protect. There is a network of electronics. And today, a lot of things are a mix of on-prem is the wrong word for it, but, it’s a, proximity based. Right? It’s a, you know, short wireless range big thing that driving a lot of car theft is car thieves sitting around with sniffers and picking up on fobs and then reprogramming it and then stealing the car. It’s actually quite inexpensive. You can buy those things for less than 50 bucks on eBay. Over time, all of those are getting fixed. Over time, when you say automotive cybersecurity, it means There are all these attack surfaces. There are all these elements that are interacting with the car as it’s moving around. And part of it could be that cellular communication that you have with your car. There is a man in the middle that comes and tries to attack. There are people who can spoof or, you know, when you were talking about autonomous drives or ADAS for that matter, there are various sensors that you have, radars, lidars, other types of sensors and cameras. And then someone could jump in and spoof it. And so you are sending and you think you’re receiving the right accurate information for that radar. Mhmm. But really, the item is either closer or farther. There are a variety of interaction and and And in fact, if you think about when you’re trying to protect the network, it’s stationary. You know, it doesn’t move around and come in contact with so many different things. So many different points of entry.

David Puner (8:35): Right.

Kaivan Karimi (8:37): Bottom line is it’s many different attack points for the car. And so Whether it’s proximity-based or whether it’s remote because anything that’s connected, just like any other network thing, And so cybersecurity means how do you protect the functionality of the car especially for those functionalities that are mission critical means the operation of the car impacts human lives. How do you protect it from the bad actors with malicious intent?

David Puner (9:00): And you’re not just talking about autonomous vehicles, which are maybe, what, a decade and a half away from mass adoption, maybe a little bit more. You’re talking about today.

Kaivan Karimi (9:10): Well, I’m talking today. It’s like anything else when we’re talking about, you know, moving away from analog to digital and digital transformation. And visibility and you say, okay. Now from a physical, you went to digital. So some entity, whatever that is, if it’s an ECU in a car or if it’s anywhere else. It becomes visible. Visibility is a double-edged source. You can once something becomes available, you can use the data generated and or associated with it to optimize its operation. But at the same time, that visibility means somebody knows it exists. And so how do I go in? Try to attack it. And somehow, if I have a mal intentions, how do I exploit And so that’s fundamentally. That’s what I mean.

David Puner (9:45): I read in an article you wrote that cars are now the most significant threat surface in the world. So that being said, what are the biggest cybersecurity challenges when it comes to automotive at this point? And then how does Identity Security figure into the equation?

Kaivan Karimi (10:00): The reason cars are the largest threat surface is because an average midsize sedan now has over 115,000,000 lines of code. Wow. That’s orders of magnitude larger than the space shop.

David Puner (10:10): Okay. Right.

Kaivan Karimi (10:12): And the way cars are brought together, if you look at an ice engine. It’s about 30,000 ish parts. And when you look at an EV, it’s about 15,000 ish parts. They come from literally thousands of suppliers from around the world and across multiple tiers. And so then the automotive manufacturer pulls all these pieces together and turns them into a car. And so now when you say cybersecurity, all the parts that physically or especially when we’re, but most of the time we’re focused on the software side of it, all those processors that they have any software in. Most of them being shipped in binary format, and then you stitch them together, and you wanna make sure that They’re secure. A lot of things that even in networking today.

David Puner (10:50): Mhmm.

Kaivan Karimi (10:52): Big part of our supply chain goes through Southeast Asia. And a lot of the gray market, which backdoors embedded in them, comes from Southeast Asia. And so you wanna make sure that when you issue that birth certificate to the car, indeed, it doesn’t have any back doors in it. When you’re talking about levels of autonomy, there are 5 levels of autonomy. Right. Levels right now, it’s industries around two and a half to three and a That’s where best in class is, and that’s what they’re focused on. From 3 a half to 4 becomes very difficult. And then moving from 4 to 4, well, 45, which is full autonomous. Today, that’s, you know, you typically look at it as 2000 and 35, 2 1040 because It is not just the car and the technology associated with the car. It also means what percentage of the cars around it can communicate with it, how much of it is greenfield versus brownfield, all the insurance and liability laws need to have been settled all the legislative stuff needs to have been taken care of. So if you think about how long that all of that takes, it takes a long time for full autonomy. The issue of identities when you look at autonomous cars, level 4, 5, you’re talking about now that technology is sophisticated enough that you’re looking at, I don’t know, level 5, they say over 2000 credentials. So if you’re on that path, and certificates that you need to manage. And so the issue of identity at that level and, you know, in that process right now It’s not just people. For today, for in an IoT domain, for every one person, there is forty some 45, 46 different machine identities that are involved. When you move in those processors, when you were talking about multiple processors, okay, it’s the identity of each of those VMs that we’re talking about. And then when you go to central compute type of topology, now you’re talking about identity of processes And so role of identity management then evolves. Then it becomes authentication of that identity then authorization. For the period of time for the session that the process is authorized to do something, and then that token gets taken away. And so role of identity management and authentication and authorization will explode because of the way cars will operate. And remember, every car is a the reason I also consider this as one of the largest cybersecurity threats in the world is You know, we talk about largest threat surface from a number of codes and all of that, but and the fact that this thing gets exposed to so many different vulnerabilities. But you gotta also realize that each car is unique. That whole big thing is unique based on the software load and who drives it and where they drive it and all those things. So all of those separately now need to get managed car by car basis and managed all that identity we talked about per car remotely.

David Puner (12:40): So would a session be something like a like a trip from a to b, or would a session be more like, a stop sign to a stop sign? Kind of a length of a trip.

Kaivan Karimi (12:50): Well, session is, hey, I’m now gonna be pulling the car into a car wash. So there may be somebody else So, it may be that access to the engine is based on the footprint that you’ll have when you sit in the car and you start driving. And by the way, the way where you hold your hands on the wheel, the way you move your feet from going from pedal to pedal, most of the things that you’re not aware of, they have patterns associated with them. And so an AI can easily pick up that, you know, just based on those patterns and what it senses, whether it’s you, you, or FAQ, or you’re giving it a key for a session for the next 2 hours because I’m taking it to a car wash. A session could also be, hey, it’s a software download, software upgrade for this functionality. So this particular area of the memory is this particular, process is authorized to be able to access that so they can make changes to it because I’m updating the software for a particular functionality.

David Puner (13:35): So much going on here. I have a very important question for you that came to mind while you were just answering that question, which is can all of this actually bring back or mark the rebirth of a manual transmission. It’s very important to cybersecurity and to me.

Kaivan Karimi (13:50): I I don’t know. I have friends who love their stick shift, and they’re moving away from it. I hope for the time that the culture of security gets to a point that when people build products, They have security in mind. We have the technology in place to make sure at least, you know, we’re a step too ahead of the bad guys. All the right things were put in place. So you don’t wish for the days that things were manual. Any that applies here. It’s like, you know, my my wife is telling me why am I so hesitant on adopting all the innovations related to smart homes. You know, that market is really, really asking for it for implementing some stuff that are you assume they’re common knowledge in cybersecurity, and some of them do, by the way. Don’t get me wrong. A lot of them don’t. And and so your Again, it’s I don’t think we’re gonna go backward, especially in automotive, but it it it is very careful steps forward going forward with all with security mindset. Security and functional safety. And by the way, they go hand in hand that you can separate.

David Puner (14:40): Mhmm. Right. Right. Are you a car guy?

Kaivan Karimi (14:45): Sort of. It depends. I was never a muscle car guy, but, I have friends who are muscle car guy. Uh-huh. But I keep track of things and I appreciate the new functionality, especially on the tech side of it on on the car.

David Puner (15:00): Is there anything, do you have anything special in your garage, or do you have some law favorite car that you

Kaivan Karimi (15:05): of EV versus not. I’m I’m waiting for my next generation of my car, which is an SUV to come in hybrid because believe that’s a real, you know, talk about carbon footprint. It’s not easy. It’s actually hydrogen Uh-huh. Based fusion-based at some point in time. But it’s best of both class. So that’s that’s what I’m hoping for right now.

David Puner (15:20): Throughout history, the cost of cars obviously, you keep going up. But now with more and more tech, and then, of course, the security needs to protect that tech. How can we keep the costs of infusing proper tech and support systems into the product while keeping the price tags within reach of consumers?

Kaivan Karimi (15:35): Today, if you look at all OEMs, they have groups that are focused on, how do they bring in differentiating services to the car, how did they leverage the data generated by the car for a variety of different applications and do it anonymously. It it is not about the identity of the person and what am I gonna advertise to them? It’s actually the data that you’ll have an entity that absorbs traffic, absorbs microclimate, absorbs interactions with the type of users that it costs, etcetera, etcetera. How do I monetize that data is? And if you look at some of the announcement by CEOs of the car companies, they’re planning on making double-digit 1,000,000,000 of dollars within the few years out of that data economy. So it’s protecting integrity of data that data and security of that data and sovereignty of that data and compliance, really. So some of it will subsidize because in essence, this will generate additional revenue and you wanna make sure that it’s operational. Some of it will get subsidized. Some of them will not. Today, you can call up a certain EV. You call a company and say, hey. This weekend, I’m going to a racetrack. Can you change up my suspension system? Well, I’m gonna be pulling it both. Can you change my suspension system? And users pay for. It’s a, hey. Of course. I heard it was a there was another company in Europe that said for cold days, people could call up and pay for heating inside of the seats. But that wasn’t a standard feature, but it was built into the car. So Again, there are a variety of models that are being explored to see how the tech becomes an enabler for additional surfaces that then can be monetized and subsidized the addition of that tech.

David Puner (16:55): And so you’re also then looking at a whole new lifespan or continuation of a lifespan for the protection of that data.

Kaivan Karimi (17:00): Absolutely. And so this is something that we actually take very seriously. And to me, it’s a, when you say security, and this is something that in Microsoft, we pay a lot of attention because Microsoft runs and trust. And so in fact, the genai is, one of those areas that brought this to light is who are the companies that they have the guardrails in place to protect the data, and it’s not protecting the data for their benefit, no, to sovereign data, protecting your customer’s data. Don’t ever touch that data to feed the NII models. Don’t use your customer data. Again, that brought it to light, and now there were some activities in the US in in Europe. It’s, again, just as the home allegation process for functional safety and people not claiming levels of autonomy they can’t do in Europe. It’s the same thing. There is data governance. They just pass the data act 3 weeks ago or 4 weeks ago, it shows over there, Anna. So if you go and look at companies, tech companies from the US, who are carrying data fines, GDPR data fines. You’ll see who they are. We’re not one of them, and that is a huge thing. Because it’s your data is your data. You own it. You should be able to treat it any which way you want, and it should be protected.

David Puner (17:45): You’ve mentioned generative AI a couple of times in this conversation. How is generative AI adding or subtracting to automotive security challenges?

Kaivan Karimi (17:55): The cybersecurity is an asymmetrical war.

David Puner (17:58): How so?

Kaivan Karimi (18:00): Average consumer doesn’t have the tools or the knowledge to protect them the same way that the bad guys have access to very sophisticated tools in the dark web very inexpensively. And so far, it’s always been a reactive motion. If somebody comes and hits you, It takes you on average a 120 days to figure out, oh, I got hit. Then another 2 or 3 weeks to figure out how to mitigate. Which other war are you involved that you’ve seen that it’s always one-sided, and there was a delayed motion on you going and protecting yourself. Doesn’t add up. And so there are NAI has been around, not not as readily accessible, but generally has been around for a long time. At least the last handful of years, and there are examples of how they, bad actors have been using them. And there are now published libraries on the dark web associated with things that Genai related. They sell. I’ll look at that Jennai actually are the first time that we can turn things around. Is for the genai to come and, hey, I go and study the entity that I need to protect. Look at the security posture. When you’re talking about the car, look at the code base, look at that 150,000,000 lines of codes, the CVs, then the levels of the CVs. Is look at the open source in there and look at the good, the bad, the ugly. And so here’s what I’m trying to protect. And it could be not the car. This is the house or this is whatever entity. It’s fundamentally, it’s what is it that I’m trying to protect? Let me study it really well. And Microsoft, because of how pervasive the digital footprint is around the world. A lots of people use windows and use office products. And dynamics and etcetera, etcetera. So we have a unique approach. We receive about 65,000,000,000,000 with a key threat signals per day. So far, we were focused on the part of it that, was you know, we have an adversarial approach to threat intelligence, and we follow 300 plus threat actors. And so formation states and gangs and etcetera, etcetera. But now we have the introduced security code it hasn’t been a year yet, but 9 months. Good results so far from whoever adopted it.

David Puner (19:25): In the automobile?

Kaivan Karimi (19:27): Not in the auto industry. We have partners that now are looking at it for auto, but this is for IT.

David Puner (19:32): Because if I could get a copilot, I could help me tell other drivers to use their signal and and such. I would sign up for a beta test.

Kaivan Karimi (19:40): There was actually really good stuff happening on behalf of partners that are working on different angles helping the automotive industry and part of it is security-related, and they press releases to come, but with the use of Copilot and genai.

David Puner (19:55): Okay.

Kaivan Karimi (19:57): That genai can, in a meaningful way, 1st, change it from a reactive motion to a proactive motion to address the gap because that machine speed, you’re not gonna miss what human beings miss, and you get to the bottom of it. And so I’m just a personnel gap. And then make the defense more efficient. And it’s a self-learning process. So over time, it becomes predictive. It’s not just proactive but becomes predictive. And so you can, in a way, turn the table on the bad guys because they already have access to it. The question is, how about the rest of us? How do we get the rest of the industry to be able to respond to the threats that we receive? So I’m I’m I feel very good about it. Again, I have a unique pitch because of through an automotive and manufacturing, we have a lot of partners that they’re developing innovative products for using Azure OpenAI. And I see so many step function changes for the good. Now specific to cybersecurity. This is just a fantastic. When you’re doing anomaly detection and you have that machine speed, something that can monitor the behavior of the car, the behavior of the VMs, the behavior, all of those functionalities, real-time and correlated things that you and I will miss and then put a mitigation plan in place. Hey. Pull the car to the side. This disabled the function to take it to the dealer or whatever that function may be, but somebody else to look over this, someone who has digested all these threats that have been experienced the previous day or previous week or whatever, all that knowledge automated and then it’s protecting me. I feel good about it.

David Puner (21:15): There’s so much we could talk about, and we could do another hour on this easily, probably 2, 3 more hours, but we need to wrap at some point today. So What we’ve really been discussing here, it’s a transformation story. There are so many different wrinkles to this transformation story. Thinking in terms of that, what can enterprise organizations in general, learn from the automobile industry’s current transformation, and how are other industries potentially affected by autoist transformation. Is there anything they need to do to prepare for the mass rollout of autonomous vehicles, for instance, or What are the other considerations?

Kaivan Karimi (21:50): Well, right away, the manufacturing industry and all the car companies their shop floor needs to be secure. That’s a part of the homologation process. And everything that goes inside of the car is now being looked at very rigorously. Hopefully, the same level of rigor will go into Again, I can’t overemphasize the cultural transformation that everybody needs to go through. It’s a work in progress in automotive also, but they have learned to be more responsive Right. Security is a shared responsibility. Uh-huh. And cultural transformation to engrain how collectively as a whole you can respond to it. Job number 1. Remember, ransomware, 80% of what what happens for the organizations, The threat came in to employees, clicking the wrong link, answering the wrong survey, or bad players, but bottom line is If you need to cut it off, that cultural transformation reduces that 80% to much lower levels, you need to again, that’s that. To me, that’s step 5. Across world Industries.

David Puner (22:35): Kevan, Karimi. Thank you so much for your time. This is so endlessly interesting. And, would love to continue this conversation about automotive and have you come back and talk to you about trains, planes, and everything else in between. So thank you so much. Have a safe trip today, and, really appreciate your time.

Kaivan Karimi (22:55): Really appreciate the opportunity. Thank you.

David Puner (22:58): Thanks for listening to Trust Issues. If you liked this episode, please check out our back catalog for more conversations with cyber defenders and protectors. And don’t miss new episodes. Make sure you’re following us wherever you get your podcasts. And let’s see. Oh, oh, yeah. Drop us a line if you feel so inclined. Questions, comments, suggestions, which come to think of it are kind of like comments. Our email address is [email protected]. See you next time.