MOTOR Magazine

A MOTOR Magazine Newsletter
October 25, 2016

Contributed by Bob Chabot
Shop Cybersecurity Gains Traction

NACE|CARS 2016 shows cybersecurity is now becoming everybody's business

Technological complexity, connectivity and the push toward autonomous driving have put automotive cybersecurity squarely in the industry's sights. This was a central theme at NACE | CARS 2016 this summer, in particular during two half-day forums — the Service Repair Leadership Forum (SRLF) and the Technology and Telematics Forum (TTF).

Each forum featured several panels in which emerging physical security and cybersecurity needs were addressed. From recruiting new talent; to hack-proofing service repair shops; to safeguarding replacement parts, connected tools and equipment; to securely servicing the vehicles our customers trust us with — cybersecurity has become everybody's business.

Rethink How, Who and Where We Recruit New Talent
Automakers are now transitioning to building more secure, software-defined vehicles. It's not just about downloading new apps. Rather, it's about letting the car's function be defined by software components that stitch together the environmental sensors, safety systems, mechanical linkages, and visual interfaces to build a vehicle where the function can be redefined even after it has shipped. That's impacted new hiring by automakers first, but the new skills required to service, repair and safeguard these new technologies will soon impact the service repair industry.

Recruitment of new talent has always been a challenge, but connected technology and associated security concerns have compounded the quest. Increasingly pervasive technological complexity, not only in vehicles, but also in service practices and other resources used to fix has created the demand and need for new skills. "But redirecting inertia is problematic," stated Jeff Peevy, president of the Automotive Management Institute. "As an industry, we need to shift recruitment, student education and aftermarket training from an Industrial Age mindset to a Technological Age mindset. We must strive collectively to be caretakers of our culture by participating in shaping those we attract. No longer can we leave it to default or archaic practices."

"Parents, guidance counselors and students in academic programs don't understand our changing automotive world well enough," noted Trish Serratore, the ASE vice president responsible for the National Automotive Technicians Education Foundation (NATEF) and Automotive Youth Educational Systems (AYES) programs. "To attract the students the industry needs today, we need to do a better job of approaching them face-to-face with a compelling message: Automotive education is the original science, technology, engineering, and mathematics (STEP) program, and we need students who can tame the challenges our industry faces."

Chris Chesney, senior director of Customer Training at Advance Auto Parts (which now owns CARQUEST) agreed. "Our industry has never defined what it is or does well enough. Nor have we resolved the longstanding concern that counselors are sending certain kids into our votech programs. These challenges must be addressed at an industry level, not just a personal or corporate level. We must find ways to help make schools, parents and students understand what our industry does and why it is worth entering. It's also critical that employers have a career and development path for every employee — existing or new hire. One way to do this is to have a Learning Manager on staff who makes needed learning happen."

"We need to be able to (1) differentiate between knowledge, skills and technologies; and (2) deliver those to recruits so current and future industry needs can be met," suggested Bob Augustine, technical training director for Christian Brothers Automotive Corp. "To be an automotive professional, we must have a solid grounding in all three that enables us to sell the value of the products and services that shops and other automotive firms offer."

"With regards to emerging technologies and security needs, we must also consider recruiting from nontraditional sources," added Bob Gruszcynksi, the onboard diagnostic communications expert for Volkswagen of America. "We must not limit recruiting to just the conventional automotive educational programs. Software skills are just the tip of the iceberg; we also need to attract recruits with cybersecurity expertise — the aptitude, skillset and understanding of protocols and procedures necessary to meet the threats that telematics, connectivity and autonomous driving present. Those aren't readily found in the conventional recruitment tracks."

Developing Tomorrow's Cybersecurity Experts
"Although the field of automotive cybersecurity is barely five years old, it's clear the complexities of defending a vehicle's software from hackers are daunting," says Karl Heimer, senior technology advisor on cybersecurity for the Michigan Economic Development Corp. (MEDC). To address this emerging need, the MEDC has launched two programs: (1) define what's needed; and (2) attract and develop tomorrow's cybersecurity experts. (Video — Auto Beat Daily)

Employing IT-Savvy Technicians or Specialists Will Be Essential
"Vehicles, tools and equipment are being made more secure, from external as well as internal threats," explained Mohan Sethi, MAHLE Aftermarket's cybersecurity expert. "But the last mile of security — physical and cyber — is the service repair facility. You have to have a solid and secure shop. You have to use best practices to secure the shop. Though not yet abundant in our industry, we are beginning to move towards developing the people with them."

"All insurance, OBD code readers, and other underdash dongles can be hacked," stated Josh Meyer, chief innovation officer for Bosch USA. "I have as big a collection of dongles as anyone. Each has security risks, each is an attack vector to critical vehicle data. In addition, communication networks also need better security. For instance, the Controller Area Network (CAN) mandated for ODB-II communications is also accessible via the underdash port. Yet CAN is the least secure of all vehicle communication networks. This leads me to believe we need to eliminate attack surfaces such as the underdash port."

"The ecosystem for providing service information and parts to service repair shops is fractured," advised Jay Burkhart, vice president and chief strategy officer for the Automotive Aftermarket Suppliers Association (AASA), the light vehicle aftermarket division of the Motor & Equipment Manufacturers Association (MEMA). "Expect parts makers and suppliers to take on a more active role in safely providing service repair professionals with parts, service information and other resources. In fact, many manufacturers are already collaborating to implement better-secured ways to provide information, scalable digital products and services directly to the shops on the street. But those may come with new security-related protocols shops and their employees will have to adapt to."

Enabling the Software Defined Vehicle
The software-defined automobile is a result of the convergence of scalable over-the-air software management, cybersecurity, and big data analytics. (Video — Movimento Group)

Cybersecurity Must Be Built-In Everywhere, From The Beginning
The Telematics and Technology Forum featured two experts who addressed cybersecurity from different perspectives. Craig Smith, the founder of Theia Labs and Open Garages, and the author of the Car Hacker's Handbook, specializes as a "white hat" hacker. Mahbubul Alam, the Chief Technology Officer of Movimento Group, works with automotive firms to defend against and prevent hacking.

"Attackers only have to be right once, whereas defenders have to be right all the time," explained Smith. "That doesn't mean hacking is easy, but it does show how enormous the task of defending is for the automotive industry. Complex encryption protocols will become a primary defense mechanism, as vehicles become more software-defined with the advent of telematics, advanced safety systems, connected transportation systems and ultimately, autonomous driving. For instance, modern cars typically have 100 million lines of software code embedded. Connected, self-driving cars in the next decade will have 500 million lines of software code. That's a lot to defend."

"That helps explain why cybersecurity must be built-in from the beginning, and be continually maintained and upgraded thereafter," replied Alam. "Vehicles, systems, connected tools and shops must be compartmentalized. Each must have different security requirements, encryption measures capable of preventing or allowing access to vehicle data, including what level of access. We need a mentality that the vehicle security is never completely done. This concept of "never done" is new to the auto industry. But with software becoming pervasive — it will soon represent 60 percent of the value in a vehicle — we need to have a "loopback" methodology when launching security solutions that requires us to keep testing defensibility long after a vehicle is built and sold."

"Shops also need to be cognizant that growing IT security issues are changing how things are done in our industry," Gruszcynksi emphasized. "From automakers to parts suppliers to service repair facilities, being competitive and secure will require employing IT-savvy technicians or specialists. For example, automobile communications, for both servicing vehicles and other needs, are on the cusp of major change."

"It's clear cybersecurity is fast becoming a shop issue," summarized Donny Seyfer, the facilitator of the two forums and chairman of the Automotive Service Association. The service repair world is changing exponentially. Shops need to understand and must acquire cybersecurity expertise. The ASA and other industry organizations are actively developing the best practices and other necessary resources to help shops do so.

[Editor's note: Visit MOTOR for the latest diagnostic and service insights.]

Important Links
MOTOR Current Issue
MOTOR Current Issue
MOTOR Magazine

MOTOR Information Systems • 1301 W. Long Lake Road, Suite 300 • Troy, MI 48098