How Visteon Is Building Security Capability Against Cyber Attacks

Taking Stock July 2018 Visteon
How Visteon Is Building Security Capability Against Cyber Attacks

In the past few years, the world has seen cybercrimes of varying degrees across various sectors – hacking of emails, bank accounts, utilities and cars, or even leak of confidential documents. With connectivity between cars or with the infrastructure increasing, the threat of cyber attacks too is on a rise. This is where the industry is putting its efforts on building robust solutions. One such company is Visteon.

By 2020, the global car market is expected to break through 100 mn in sales, and almost every new car produced is expected to be connected by that time. This puts the current structures within manufacturers under enormous pressure to find answers to the risks posed by potential cyber attacks. There has also been a lot of hype around the emergence of autonomous or driverless cars in the past few years, leading to further questions and complications around cybersecurity.

Vehicle makers as well as Tier 1 suppliers are currently working on end-to-end security for the future networked car, and are developing solutions to ensure safety of the vehicle occupants as well. In fact, in a highly connected world, safety and security remains the most critical concerns that the industry needs to address.

There is increased convergence between the automotive sector and ICTs (information communications technologies), leading to new threats from new areas, almost all the time. The industry is aware it needs to develop stronger security procedures and protocols to thwart any unintended attack on the vehicles and systems they build.

With a larger threat perception and increased awareness about the susceptibility with cyber attacks, automotive organisations have been investing huge sums on research, development and innovation with regards to cybersecurity. By one estimate, the overall automotive cybersecurity market is likely to grow at a CAGR of 13.2 % between 2016 and 2021, increasing the industry valuation from $ 16.5 mn to $ 31.8 mn. Another study forecasts a higher growth rate of 28 % over the next three to four years.

With products getting more complex by the day, what with an ever increasing number of ECUs and lines of code in modern vehicles, finding solutions to potential attacks haven’t come easy for experts in the trade. It’s like peeling an onion one layer at a time, without knowing how big the onion is, said Srini Adiraju, Director, Cybersecurity and SmartCore Product Management, Visteon.

WHAT’S THE FOCUS?

Visteon is one of the companies leading development in this area. Since about 2016, the company has been building its cybersecurity capabilities and has set-up a white hat research centre in Bengaluru. The company has transformed its engineering process to conform to the SAE J 3061 standard, which is a comprehensive framework looking at technologies inside the device as well as their work processes.

About a year back from now, Sachin Lawande, President and CEO, Visteon Corporation had told us about the changes the organisation is going through, where it has taken a holistic approach to cybersecurity. He said the company was entering a stage, where cybersecurity will become a very necessary component of its existence; an integral part of the organisation’s thought process. Today, cybersecurity is at the core of the company’s technology and product development.

The warning call for the company was the incident from July 2015, where security researchers Charlie Miller and Chris Valasek demonstrated that a Jeep Cherokee could be hacked remotely. That was the first instance of a running vehicle being hacked over-the-air (OTA). Earlier, hacking required proximity to the vehicle, where one could enter a vehicle system through the tyre pressure monitoring system (TPMS) or the on-board diagnostics (OBD) port, for instance.

Lawande sensed the challenge fairly early. In early 2016, he roped in Srini, a veteran software development expert for real-time products and systems software, to lead Visteon’s cybersecurity practice. For 14 years prior to that, Srini was in the gaming industry developing slot machine platforms for casinos. Slot machines are highly prone to cheating and hence cybersecurity was very important.

With that experience to boot, Srini went about his job by investing in two things – developing cybersecurity solutions and cybersecurity processes. Cybersecurity, he said, is a combination of technology solutions, manufacturing and development processes. It’s about building a solid and secure foundation for a product.

So, can a product or system be 100 % secured, we asked. Visteon doesn’t have Automotive Safety Integrity Level (ASIL) for cybersecurity yet, but it has developed a whole bunch of solutions that offer 99.99 % security, said Srini. The solution approach is also different for different products. For instance, a low-end cluster, which doesn’t have Ethernet or Wi-Fi, is dealt with in a specific way. That is very different from the way they approach a domain controller that combines infotainment and autonomous platforms, which demand the highest level of security. The company has taken the J 3061 standard and merged that into its processes and solutions.

Visteon's SmartCore Cockpit domain controller

COMPREHENSIVE SOLUTION

Visteon is developing comprehensive solutions to deal with cybersecurity that takes care of the entire vehicle, and that includes TCUs and autonomous driving SmartCore domain controllers, for example. Solutions are developed depending on the threat surfaces. Infotainment systems in the past, for example, didn’t have Wi-Fi but now they are common along with Bluetooth. For every new profile, additional mitigation techniques are needed to be deployed, explained Srini.

Work begins at the lowest level – the hardware. It is made sure that the chipsets used have the right capabilities and conform to the secured hardware extension (SHE) standards. No one likes a delayed boot time in the infotainment system, he reasoned. It is then taken to the next level by verifying the software that is running on the system. That gives the system a 70-80 % security, he said.

Multi-layered security solutions

At Visteon’s Bengaluru centre, 80 % of the employees are certified ethical hackers. The company has formed two teams – one developing solutions that are reusable across different product lines and another that focusses on penetration testing. These apart, the teams also look at the national vulnerability database and what’s happening in the open source, as the car today is increasingly becoming an open source platform.

From that perspective, let’s consider the autonomous car scenario. Be it internal networks that are linked to multiple sensors, radars, cameras and LIDARs or driving-related activities such as steering, braking or accelerating – on the face of it, autonomous vehicles, clearly, are extremely complex systems. However, Srini noted, if all of these are cut down into smaller chunks, they are still at a level, where each one can be protected very easily. That is where the industry is moving to – protecting each ECU, domain or link that is being developed within the domains. Things do not get easy with sensor fusion either. On the contrary, sensor fusion makes it a “little bit more challenging” from the ADAS perspective, Srini said.

Visteon doesn’t have Automotive Safety Integrity Level (ASIL) for cybersecurity yet, but it has developed a whole bunch of solutions that offer 99.99 % security

FUTURE

The future objective or direction is to ensure that every ECU Visteon makes is most secured. Secondly, the company is looking at developing its ethical/ white hacking team to be a service oriented organisation, to help others make their products more secure. As a company, it believes it is at the top-end of the spectrum when it comes to working on cybersecurity solutions for the automotive industry. It wants to leverage that position to become a service provider, a consultant or guide to the industry, to ensure that everyone in the ecosystem gets it right from start to end.

TEXT: Deepangshu Dev Sarmah