Ian Yip: ‘The need for in-built security capabilities to mitigate cyber-attacks will only increase in the future.’

As high levels of connectivity inside cars make them computers on wheels, integration of the vehicle’s system and software renders the vehicular network more vulnerable to cyber-attacks. Ian Yip, Chief Technology Officer, Asia Pacific, McAfee, speaks on the company’s capabilities of providing holistic cyber threat and data protection from device through to the cloud.

With the current level of electronics and digitalisation, what are the prevalent threats to a vehicle’s ecosystem from cyber-related attacks?
Inter-connected and semi-autonomous cars are now seeing rapid adoption across many countries. Modern cars are equipped with advanced features such as remote controls and driver assistance technologies, connected through the driver’s personal devices, in addition to the manufacturer’s own network. This integration of the vehicle’s system and software renders the vehicular network more vulnerable to cyber-attacks.

As many connected cars are keyless today, hackers can use jammers to disrupt electromagnetic waves to block communication with the vehicle and perpetrate key fob hacking for car theft. Another route for cyber criminals to hack the network is by breaking into the car’s controller area network (CAN). A CAN is used by vehicles to communicate with their electronic control unit (ECU) which controls sub-systems such as anti-lock brakes, audio systems and even the engine.

With modern cars using On-Board Diagnostic Version 2 (OBD-II) port for mechanical diagnosis, this external device can be used to feed commands and disable the Wi-Fi connection or control the internal operations.

An exponential rise in digitally connected features inside cars demands a safeguard mechanism against hacking and cyber-attacks

With internet access fuelling the penetration of third-party apps for increased connectivity and convenience, hackers are leveraging new attack vectors to spread malware in the infotainment system or extract the personal data exchanged between these apps. This reduces the need to access the ECU to carry out malicious activities.

How do you view the growth curve of digitalisation and connectivity in a vehicle’s basic architecture?
Automotive infrastructure is undergoing rapid change, with technology taking centre-stage in improving capabilities of vehicles. Initially, the embedding of software was restricted to enhancing the internal functions of the car. Today, the use of an IoT-enabled vehicle not only improves the in-car experience, but it also provides sophisticated assistance to drivers.

With consumers opting for a connected lifestyle, car connectivity and technological features are becoming an important factor when making buying decisions. The proliferation of IoT technologies in the automotive industry, while widely implemented, is still at a nascent stage. A PwC report mentions that 65 million autonomous cars will be on road by 2025. Many manufacturers are incorporating semi-autonomous driver assistance in their new models. In the coming years, ‘cyber-physical’ features such as Advanced Driver Assistance Systems (ADAS), real-time telematics, vehicle-to-infrastructure communications and smart intersections will complement the traditional capabilities of the vehicle. This will result in the exchange of large volumes of data, much of which will contain sensitive information as well as control parameters which, if compromised, could have some real safety implications. The need for in-built security capabilities to mitigate cyber-attacks will only increase.

What is India’s pace of adoption of these technologies relative to the world? Is India also moving ahead in terms of Industry 4.0?
The Indian automotive industry is picking up pace. While certain connected features such as infotainment systems and GPS navigation are now widely present in cars, fully autonomous cars are still a long way from being introduced on Indian roads. India’s demographic, current infrastructure and socio-economic factors will play a huge role in determining the future of autonomous vehicles and industry players will be required to take bigger strides and embrace IoT innovations to build a connected vehicular ecosystem in India.

In terms of industry adoption, fleet management and vehicular tracking have already been introduced in the market and V2V (vehicle-to-vehicle) and V2I (vehicle-to-infrastructure) could take hold first.

Fifteen of the most hackable and exposed attack surfaces on a next-generation car. 

Consumers’ preferences for greater connectivity in their vehicles are pushing manufacturers to adopt internet technologies and embrace advancements in Industry 4.0. The Indian government’s push to make and build in India is promoting ‘factories of the future’. The Indian automobile industry is fast adopting emerging technologies such as robotics, AI and IoT to better optimise a complex value chain.

What will be the perceived threats in the scenario of enhanced vehicle connectivity and what are McAfee’s solutions to counter that?
Currently, up to 100 electronic control units (ECUs) are being incorporated in cars and in a bid to reduce this number, the industry is moving towards integration to reduce the number of ECUs which requires a complex software infrastructure. The attack surface for connected vehicles is expanding and is being further exposed to cyber-attacks due to use of external networks, Wi-Fi and internet-enabled service garages, toll roads, and rapidly growing aftermarket automotive applications. This paradigm shift in vehicular infrastructure demands a comprehensive security system equipped with tools ranging from encryption of critical or private data to isolation of software components by function, combining hardware and software functions.

Sensing the need for increased security for connected vehicles, back in 2015, McAfee formed the Automotive Security Review Board (ASRB) comprising of top security industry talent in cyber-physical systems to address the security needs for connected vehicles. With ASRB, we work with the automotive industry to build a safe ecosystem for the connected transportation fleet. We provide in-built security features into automotive products from the manufacturing stage which are divided into three layers of security: hardware modules, hardware services and software security services. Hardware security provides cars with required cryptographic performance, allowing safe V2V communication while software security allows for active scanning of suspicious activity.

What different solutions do you offer for securing smart manufacturing and its associated supply chain?
With IoT becoming the backbone of manufacturing industry, it is imperative to get real-time visibility and early detection of possible threats entering the network.

As traditional industrial environments become more connected, they will increasingly become part of the core technology infrastructure of the organisation, as opposed to a separately managed, disconnected set of components. As such, it is important for organisations embarking on smart manufacturing initiatives to approach cybersecurity holistically, but at the same time understand that their attack surface is likely increased due to networks that were once cut off are now becoming connected to the corporate network and the internet.

At McAfee, we focus our efforts on providing holistic cyber threat and data protection from device through to the cloud, allowing our customers to take a risk-based approach, and increasingly implement automation and orchestration capabilities that streamline and integrate security operations and controls. Increasing visibility of threats and integrated components within the complete infrastructure will also help reduce supply chain risk.

McAfee has a three-layered security blanket — hardware security modules, hardware services and software security services — to protect vehicular architectures from suspicious malware 

Above all else, organisations should take an approach that assumes their environment already contains cyber threats. It is thus essential that visibility into potential malicious activities be properly implemented to allow organisations to detect and respond to cyber incidents in a way that reduces the impact to the business.

Will vehicle autonomy call for a completely different set of data encryption altogether? What is your progress on that front?
Vehicle autonomy and data encryption are independent of each other. If the strongest data encryption algorithms are deployed by the manufacturer, there is no need for a completely different set of encryptions.

There is a line of security at the hardware level as well. What role does software-based security have to play in the overall scheme of things?
Cyber-physical vehicular systems require a defence-in-depth framework which essentially provides three-layered protection – hardware security modules, hardware services, and software security services. This multi-faceted approach will help create a security blanket which lays a multi-level solution across automotive components. Starting at the ECU level, it creates a trusted execution environment and acts as a security enabler and enforcer. Further, hardware security services built over the hardware security layer enable device identification, authentication and fast cryptographic performance.

Earlier, hackers found it difficult to break into automotive networks and control units, only reachable by physical contact inside the car. ECUs linked by common protocols have expanded the attack surface, providing vehicle access to attackers and are making it difficult or even impossible to deploy hardware security capabilities in them. Anomalies in the software can also be leveraged for car theft, tracking of vehicle by hacking into the GPS or to lock the system through ransomware. We, therefore, require co-operating processors and software-based security solutions. Adding another layer of software security improves malware and anomaly detection, secure over-the-air updates and upgrades the overall capabilities of the vehicle network.

Can you cite any example where McAfee’s data security techniques are at play to ensure fool-proof vehicle architecture?
The data security aspects aren’t typically the key concern within the boundaries of the actual connected car. However, shielding these systems and maintaining data integrity will play a key role in developing consumer confidence as the connected vehicle ecosystem evolves. Automotive and cybersecurity ecosystems need to engage and develop best practices for designing, developing, and deploying security solutions.

McAfee is a part of a large ecosystem delivering components to the automotive industry including hardware, software and security processes from device to cloud and from design to driveway.  Our integrated solutions help in preventing data loss, securing endpoints, and safeguarding network systems from compromise, while providing real-time security intelligence and countermeasures.

Cyber incidents in vehicles can occur due to various factors, from negligence in the manufacturing environment to lack of security controls on the user’s personal devices synced with the vehicle’s operating system. By creating an overarching and robust security environment, the industry can together address challenges of next-generation vehicles.

What role does India play in the development of these advanced technologies for the vehicles and industry of tomorrow?
India is fast earning a reputation of being an automotive hub and is already a base for many global technology companies. Global manufacturers are turning to India to set up their R&D centres due to availability of skilled workforce and low labour costs. This is further aided by the Indian government’s push towards Digital India and Make in India initiatives. Companies are leveraging the knowledge of Indian engineers to develop applications of the future.

Further, huge investments by enterprises in emerging technologies are accelerating innovation. Technology innovations in mobility, passenger safety, electric and hybrid cars will pick up pace in the coming years.

How big is McAfee's developmental team in India and how is the focus divided on projects for India as compared to global markets?
In India, we are present in Mumbai, Bangalore, Delhi and Hyderabad with a state-of-art research and development facility in Bangalore. It is the largest McAfee development facility across the globe
with close to 2,000 employees and over 1,500 engineers. We cater to customers ranging from government bodies, start-ups, large enterprises and home users. Our belief in fostering a culture of innovation has resulted in more than 50 patents and over 20 product releases from the McAfee India Centre.

In your opinion, should there be control over the pace at which technology is advancing and percolating down to everyday use? Is there too much of a risk of redundancy?
Technology is a rapidly evolving field and the pace is only accelerating with every innovation, laying the groundwork for the future. Today, technology has increased productivity and lowered the risk of failures across the automotive industry. In addition, technology-enabled cars, such as hybrids and electric cars, are beneficial for the environment.

Innovations such as smart TVs, smartphones or even smart mattresses today touch every part of our lives. However, technology can also be a double-edged sword — while being overly focused on the innovation aspects, we forget to address the inherent risks that it can bring.

As regards connected cars, it is the increased exposure to cyber-attacks. We are collaborating across industries, working to enhance the security capabilities and have made progress — identifying threats brings us one step closer to finding the solution.

(This interview was first published in the June 1, 2019, issue of Autocar Professional)