
9/26/2017
03:43 PM
Simon Marshall

Safety Starts With Data: An Interview With GM's Head of Product Cybersecurity

An insightful Security Now interview with Jeff Massimilla, vice president global vehicle safety and product cybersecurity at General Motors.

Jeff Massimilla is vice president of global vehicle safety and product cybersecurity at General Motors, and also vice chair of the Auto Information Sharing and Analysis Center (ISAC). Security Now's Simon Marshall conducted a telephone interview with Massimilla as part of our ongoing coverage of security in the connected and self-driving automobile industry. The interview that follows has been edited for clarity and space.

Simon Marshall: How has cybersecurity at GM changed over time?

Jeff Massimilla: We have been working with cybersecurity for years really, but it was all siloed. We had OnStar security, we had corporate IT security, we had R&D, we had some vehicle-based security activities. As vehicle security posture became more important, given my knowledge of execution on the primary attack surface of the vehicle -- infotainment -- in 2014 I took on the chief product responsibility in the firm for security. Having individual people looking at cybersecurity was no longer appropriate. We replaced that with me owning everything that touched the product or the customer ecosystem. Cybersecurity today is really all about keeping our customers safe, and so we recently combined global vehicle safety with the product cybersecurity safety organization. Now I'm head of a single organization.

SM: For what reason were the two groups moved together? Improved physical safety of the car?

JM: We have big sets of data on the vehicle safety and the cybersecurity side. A lot of the same data is used throughout our analytical processes. If you look at regulation and legislation, the safety and cyber aspects are very closely tied together. Car recalls, crash and safety worthiness will remain, but there'll now be my security specialists, there will be my red team of hackers, working on these tasks too. Then there's incident response where groups can learn from each other, and so we've also aligned the safety and cyber response approach to more effectively find any anomalies.

SM: Do you collaborate with external cybersecurity organizations?

JM: Absolutely... any company that can talk about their cybersecurity effectiveness will talk about collaboration. We have to be right 100% of the time but the bad guy has to be right only once. When you're up against those odds, the only way to beat them is through a significant collaboration. We work with industries including aerospace, defense, consumer electronics, the armed forces and other government agencies. We also pay contractors to find new solutions, we may want a third-party review of our procedures, and also, I may hire an external third party red team. That's because we want to learn from them or have them teach us things too.

SM: Do you employ hackers?

JM: I have 85 people working in our connected security ecosystem. I have a full-time red team of ten people, who are all hackers to some extent; they're certified ethical hackers. Some are from other walks of life that have entered our organization. In terms of a bug bounty approach, we have put the welcome mat out there, and asked 'please tell us what you find in our environment.' We haven't talked much in public about this yet, but we don't really want a public bounty program because maybe then you aren't incentivizing at the level where you would get the best people looking at your stuff.

Through our relationship with HackerOne, we offer private bug bounty programs where we encourage people we have a relationship with to compete with each other, and we give them access to assets they wouldn't normally be able to get ahold of.

SM: What threats are you facing today that weren't there five years ago?

JM: It's great the industry is getting out in front of this before we see any incidents in the field. The potential adversaries that we see are hacktivists, criminals, the nation state, but they haven't taken a focus on our ecosystem yet. But we all know it's a matter of when, and not if.

SM: Are you worried that hackers are out there already, gathering information unobserved?

JM: Worried is not the word I would use. People who have encountered zero-day exploits in any cyber environment of any industry know that threats don't just fall from the sky, they take time. So realistically, there are activities that are happening out there right now.

SM: You're designing an autonomous vehicle (AV). Is it ready?

JM: The security posture and learnings from our regular vehicles are the foundation of what we'll deploy in our autonomous vehicle. But we're not ready to stick an AV on the road today. Do we believe we're ahead of the other manufacturers? Of course. But our launch timing will be dictated by how successful our testing is.

SM: How are you testing?

JM: If you depend on just red team testing, you'll only find all the issues at the end, and then your ability to keep product launches on time is challenged. Instead, red teaming should really be a confirmation that we ran a truly secure process during the development of the vehicle.

When we do red team testing, we do a combination of white, grey and black box environments. We have an internal or external red team. At the end, their findings are then shared with the blue team to make sure that we're learning from them. Obviously, we need to keep the two teams separated, but when you're doing white box, for example, you're telling the red team everything you possibly can about the car's development, so they can take that and try to find a new attack surface or methodology to get in.

SM: A lot of threats out there in other industries apply to automotive. But it's not often that a security attack results in actual bodily harm. That's a very real possibility with AVs, isn't it?

JM: This is not just specific to AVs; I'd argue that with any connected vehicle, harm could be the objective of an adversary. Unauthorized access of vehicle control and safety systems could be their primary motivation. And it's our primary motivation on our side to protect customers.

SM: Explain how you're protecting specific devices on an AV, and computer control systems on connected cars.

JM: We look at the entire attack surface of the vehicle. Weaknesses could be wireless or wired, or they could be devices brought into the vehicle. We have to look at all threats. And then we appropriately apply controls and capabilities to systems, subsystems or individual components to prevent unauthorized access or control. An example would be how we authenticate a sensor to make sure it's the appropriate sensor for that vehicle, is the intended design, and that it's the same part that was tested and validated during production. These systems are really no different from digitally signed software; it's just that they're applied to vehicles. We have to make sure that nothing else can be added onto the vehicle that would represent a weakness. This is a good example of how we view the attack surface.

SM: Do you have a secret sauce?

JM: No! I wish it was as simple as having a secret sauce. But from my perspective the secret sauce is the capability of the team. There's the great challenge of cybersecurity -- it's exciting and motivates people. Also, many people think that automotive is a very sexy industry. I put the two together and I say to team candidates 'I'd love to offer you a job to work on the red team to hack a Camaro,' and people are very, very motivated to do that work. The only way we can be successful really is through great talent.

SM: Characterize how much of a priority security threat management is throughout the entire GM organization.

JM: I'm a very well-funded and resourced organization within the company. The work that we do is on the critical path, and represents future technologies that are going into a secure environment. If we're not ready with cybersecurity on our cars, we will not launch them. I have regular interaction with Mary (Barra) and the board, so this is all at the highest level of priority for the company.

SM: How many hours a week do you work?

JM: The best way for me to answer is that I make it a huge priority to have dinner with my family and young children. I'm highly dedicated to the mission and the role but it's a big priority for me to have family time too.

— Simon Marshall, Technology Journalist, special to Security Now
