WARREN, MI – After nearly nine months studying the most nefarious corners of cyberspace, General Motors executive Jeff Massimilla says, remarkably enough, he’s not having nightmares.
“I do sleep well at night,” laughs Massimilla, the automaker’s global chief product cybersecurity officer. “If there is one thing that does keep me up at night, it is the energy I have around this role.”
As head of GM’s product cybersecurity organization, which the automaker formed in September 2014, Massimilla is responsible for the end-to-end safety and security of the company’s connected vehicles and services. In other words, it falls to his group to defend the automaker’s cars and trucks, as well as services such as OnStar and the emerging RemoteLink smartphone app, from hackers bent on wreaking havoc.
It is a job that thrusts Massimilla, a onetime design-release engineer at GM who most recently led product cybersecurity, into one of the industry’s leading roles as vehicle connectivity explodes and new forms of autonomous and shared mobility emerge. But while connectivity and new mobility promise safer, more efficient and satisfying driving, it also presents the transportation industry as a new treasure for thieves hoping to profit, or merely gain notoriety, by hacking into sensitive vehicle software.
NHTSA defines automotive cybersecurity as the protection of vehicular electronics systems, communications networks, control algorithms, software, users and underlying data from malicious attacks, damage, unauthorized access or manipulation.
According to the consultancy Frost & Sullivan, 50 vulnerable attack points exist on a modern vehicle, and buttoning up those areas is costly to OEMs because it cannot be sold to customers as an option. The consultant estimates cybersecurity accounts for upwards of 5% of the cost of vehicle electronics.
Although the automotive industry has not seen security breaches at the levels banking and retail have witnessed, it has not been incident-free. Reports recently emerged of thieves using laptop computers to break into and steal Jeeps in Houston, while last year a pair of software engineers remotely hacked into a Jeep Cherokee to take control, an incident that led to the recall of 1.4 million FCA US vehicles.
GM has been victimized, too. A hacker figured a way last year to slip through the security of the automaker’s RemoteLink app, which operates through GM’s OnStar telematics unit, to perform functions such as remotely starting a vehicle. The hacker was a researcher rather than a thief, but GM nonetheless devised and deployed a patch within 24 hours.
Trim, enthusiastic and most certainly energetic, Massimilla talks less like a University of Michigan-trained electrical engineer and more like an intelligence agency director.
“At GM we are taking significant action internally to deploy defensive measures in layers, monitoring detection and the ability to respond before we actually have a bad actor in our environment,” says Massimilla, who also serves as vice chair of the newly formed Auto-Information Sharing and Analysis Center, an industry group tasked with advancing cybersecurity protection among automakers and suppliers.
“We are doing this when the white hats and the researchers and other people are looking at our products and connected services before we have a fielded cyber incident,” he says during an interview at GM’s technical center here.
GM is wasting no effort to keep from becoming the first automaker to suffer a security breach to its products at the consumer level.
Massimilla’s group comprises about 80 professionals globally, he says, including security architects, cryptologists, mathematicians and a dedicated “red team” that emulates the employee groups of intelligence communities assigned to challenge organizational assumptions. A handful of program managers serves as a bridge between his experts and GM’s design, engineering and manufacturing groups.
“My organization has received a tremendous amount of support from the board of directors and the most senior leaders in the company,” Massimilla says. “We are a well-resourced, well-funded organization.”
A United Front
The group’s formation brought together capabilities GM previously had deployed in a number of areas, such as OnStar, which for two decades has been operating in the long range, wireless capacity that can open a door to hackers. As the automaker’s connected-car services began to evolve with the outburst of mobile devices, along with the advent of next-generation infotainment systems incorporating in-house and third-party software apps, GM felt it necessary to bring its cybersecurity operations under one roof.
“We recognized the need to take a few different organizations that were looking at the cybersecurity postures of OnStar or the vehicle platform or other R&D cybersecurity work, under a single umbrella,” says Massimilla, who reports to Executive Vice President Mark Reuss, head of product development and supply chain. “It was no longer an effort you could look at in pieces, because of the evolution of the connected vehicle.”
Massimilla says his group uses a risk-based approach to cybersecurity, applying a methodology to assess the risk, determine the motivation of the attacker, what the attacker may be able to achieve and then put controls in place to lock up the product or service. It is holistic approach, too, regardless of the product, service or region.
“The important thing is we don’t look at any of those as different company priorities,” he says. “Car-sharing, ride-sharing, autonomous vehicles, automated controls…they all fall into the same scope of requirements from a cybersecurity perspective.”
The group distributes cybersecurity risk into two buckets: customer safety and data privacy. The first would apply to the potential takeover of a single or multiple GM vehicles, and the latter the data the owner or operator brings into the car with a mobile device.
“And these are two unique risks, but from a cybersecurity perspective, it is the same defensive measures in layers, being able to understand when someone is in your environment, and then being able to respond,” he says.
Different parts of the world assign different degrees of importance between safety and privacy, Massimilla says, although while privacy tends to rank higher with customers it is safety that gets the splashy headlines. But as the Jeep Cherokee incident shows, the capability exists among hackers to take over a vehicle remotely.
“The hardest question is when the automobile might become the target of a bad actor,” he says. “I don’t think anyone can answer that. So the important thing is to get in front of this now, apply the right controls and capability, before that happens.”
While each major OEM operates a cybersecurity unit, Auto-ISAC serves as the tip of the spear for the industry. Auto-ISAC was launched in January and at Friday’s first-ever global cybersecurity conference in Detroit, where Massimilla will speak alongside GM Chairman and CEO Mary Barra and other industry and government leaders. The group’s first batch of best practices will be a key focus.
Other members of the Auto-ISAC include Ford, FCA, Toyota, Honda, Hyundai, BMW, Kia, Mazda, Mercedes-Benz, Nissan and Volkswagen.
“Each OEM, or supplier, will make their determination of when and how they will adopt, and to what extent adopt, (Auto-ISAC) best practices,” Massimilla says. “But the intent is the OEMs and suppliers will adopt them.”
Cracking Hackers
GM’s potential response to a hacking incident is somewhat similar to the war rooms the automaker might put together to tackle an interruption to its supply, where even the slightest hiccup to just-in-time parts deliveries can cost millions of dollars in lost production. An incident-response plan exists at GM for dealing with a hacking incident, but it is an ever-changing strategy that gets updated as Massimilla’s group routinely tests its effectiveness.
The tests include tabletop exercises, where an incident is simulated in a classroom setting. There are war games, too, which stage a prolonged siege and can pit a red team group of attackers against another group of responders.
Suppliers and other critical partners often join GM in the exercises.
“It may not be as motion-picture-like as you can imagine, but it is a very well-coordinated and important activity,” Massimilla says, calling the potential execution of the plan a last resort. “You want to be positioned up front so you don’t invoke incident response, but it is a key portion of what you have to be ready to handle.”
Response actions can take a number of paths to the vehicle or connected service, Massimilla says, including the old-fashioned recall where an owner visits the dealer for a security update. However, in the future he expects to conduct more security enhancements over-the-air (OTA), where updates are remotely deployed through a wireless connection.
“From a cybersecurity perspective, OTA is a critical response mechanism for us. We have used it on OnStar systems quite a bit over the past several years,” he says, citing the RemoteLink incident as one case. “But the ability to do it more prolifically throughout the vehicle also is a priority for the company.”
In January, GM launched a cybersecurity vulnerability disclosure program with HackerOne, a San Francisco startup seeded by Facebook, Microsoft and Google. HackerOne solicits hackers for security information related to cybersecurity vulnerabilities at corporations. In return for the information, as long as it meets certain guidelines, companies agree not to prosecute the hacker.
GM was the first automotive company to join HackerOne. FCA has since made a similar move with a crowd-sourced cybersecurity firm called Bugcrowd. Other HackerOne customers include Yahoo!, Uber and Twitter.
According to the HackerOne website, GM as of July 15 had resolved more than 100 vulnerability reports from research-oriented hackers. A thank-you page singles out the researchers for their work.
“It has proven to be extremely beneficial, so now we are developing great relationships with researchers so we can identify as much vulnerability as we can,” he says, adding a sober caveat. “But we have to be right 100% of the time. A hacker only has to be right once.”
