Ikjot Saini speaks on the cybersecurity intricacies of autonomous cars, the importance of standards and regulations, working as a team, and thinking outside the box when it comes to automotive security.
Ep. 14 | Reimagining Cyber | Connected Vehicles and the Cyber Equivalent of Seatbelts and Airbags | Ikjot Saini
Ikjot Saini 0:03
With respect to a customer acceptance or user acceptance rate for connected vehicle technology itself, it is declining still in the stats. The reason behind that is the customers are not fully confident about this technology to disclose their personal information. So with respect to privacy, we are going to see more of the regulations or the acts coming out. And the auto sector has to be compliant with it as soon as they can. But overarching idea is to have the privacy, security and safety balanced for these CV technologies in future.
Rob Aragao 0:43
Welcome to the Reimagining Cyber podcast, where we share short, to-the-point perspectives on the cyber landscape. It's all about engaging in casual conversations and what organizations are doing to reimagine their cyber programs while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, head of security strategist, and Rob Aragao, chief security strategist. And this is Reimagining Cyber.
So Stan, who do we have joining us for this episode?
Stan Wisseman 1:13
Rob, our guest today is Dr. Ikjot Saini, Assistant Professor at the University of Windsor. Her research focuses on connected and autonomous vehicles, covering the security and privacy of vehicle-to-everything, or V2X, and in-vehicle security. She's published many research papers, including V2X privacy schemes and engineering privacy attacks for equitable assessment. Thanks for taking the time to speak with us today. So can you expand on your background for audience, please?
Ikjot Saini 1:41
And thank you so much for having me here. Yes, I worked with my V2X expertise in, I think, for seven years now. And that was something that got me interested because it was tangible, it impacts people, and then you can work with something cool, which is security. Now I wear a few hats or chairs, along with being a professor, assistant professor at University of Windsor. I'm also the Academic Director for aura security research group. And the another hat that I wear is the academic chair for Women in CyberSecurity professional affiliate for Ontario. And the role there is to bring them in, in the cybersecurity, from different academic institutions; we want to build more student organization surrounding on the focus of the women in cybersecurity. And then since the end, this is the topic of Internet of Vehicles, which is a subset of the Internet of Things, which got me to one of the stream owners with that Aggregate Intellect, and they focus mainly on the AI solutions and discussions. And I am the stream owner there for IoT net security. So we want to really work on the discussions so that we can cultivate a culture around these specializations. And since autonomous vehicles are going to be part of this whole ecosystem with the high level of autonomy, so that's another hat that I have here.
Rob Aragao 3:15
Well, one of the things I know is in January, the University of Windsor announced that it will host the SHIELD Automotive Cybersecurity Centre of Excellence. And it will aim to support development of skills, innovation and policy that address hardware and software vulnerabilities in connected autonomous vehicles. And as the co-founder of SHIELD, can you expand on the purpose of the Centre of Excellence, and also what serves as your motivation to create it?
Ikjot Saini 3:38
One person cannot build the ecosystem and cannot bring the entire community together. So you need more people to work on the solutions and even to build the network and knowledge transfer channels. So doing it in a way which is more methodical. And for Canadian-specific solutions, if you want to have an ecosystem within Canada, we wanted to have a discussion going on. And that's actually what we did. We, along with the co-founder, Dr. Mitra Mirhassani, from Department of Electrical and Computer Engineering at University of Windsor. She's also the co-founder. So she and I had the same sort of motivation, but her work was on the hardware security and I was working in more of the Internet of Things and connected vehicle security space. So we had different types of understanding, but when we talked to the domain people in the auto sector, they would have no clarity between, or differentiation between, the IT versus OT security and auto security. So that got us into discussions for around two to three years. And that was kind of a motivation behind this, because there was a need for having concrete idea about auto security, which is separate from IT and OT security, and we want to make it very clear that we need to pay attention on this ecosystem, which is going to impact this new cyber landscape; that's how I call it, a new cyberspace for auto sector. And you should not try to overlap it with what is existing threats in the internet we are seeing. So we need to come up with new solutions, new mindset to solve these issues, or threats, or risks. And that was the motivation. And that's how we started bringing partners together, to APMA, which is Auto Parts Manufacturing Association. So the partners started to discuss, started a committee, and there was a discussion going on. And there are people who would come from the sector itself, who are building these manufacturing parts, as in supply chain involvement.
You also want to address the Industry 4.0 issues. And because all of these components or aspects are part of the big ecosystem, and then you would be able to see, okay, there are so many blind spots if you are just working in silos, so you need to break them and then work them collectively.
Stan Wisseman 6:07
Have you been able to get the cooperation and the interest, for example, of the automotive manufacturers to participate or to consume what you're producing?
Ikjot Saini 6:18
You have to, like, test the waters first: where everybody stands, and what's happening, how the market is understanding, and especially if you are taught it is the sector for auto, the suppliers and tier one, tier two and the guys who are functional, like putting them together and assembling, and there is a whole ecosystem with the auto sector. So are they ready to understand what we are trying to say for security? So are there certain guidelines which are at C-level or C-suite level? Do they have such a prerequisite to even understand what security is, and do they need to implement such protocols within their system today? And you don't find anything. And there's a recent survey with KPMG. And FEMA did that. And throughout that survey, you would be able to see very clearly that the understanding of the responsibility of the security threats, or if there is an attack, security attack, the responsibility is always, or the fingers of is pointed, to the IT guys or the IT department, which is exactly the issue. Because if you start seeing all the issues, only the responsibility is not for the IT or operational side, but also for the people and within those intrinsic processes. Are you paying enough attention? What's happening? And are you having safeguards around all of those as well? And when I start thinking about the electric vehicles and the autonomous vehicles, it's making the decisions based on the data. And who is feeding the data, and how are you creating these algorithms? So if you think a little bit futuristic, and then you start seeing more problems, if they are not addressed today, when we are not having that kind of autonomy, then I think it's a huge gap that we would have, and we would never be able to fill that up.
Stan Wisseman 8:06
You mentioned the tier one and tier two suppliers. Right. And let's face it, supply chain risk has been heightened by SolarWinds in general, right. But if you think about this, the dependency that these auto manufacturers have on, you know, all these different components that make up a vehicle, and the potential risks that some of those components could introduce into these vehicles. And there's now an information security platform, and then you talk about the long lead time to actually get these vehicles to market and the potential embedded risks that could be in those vehicles as they are in design. You know, how do you mitigate effectively that supply chain risk, as well as be able to patch it if you discover something late in that lifecycle, up to ultimate vehicle deployment?
Ikjot Saini 9:03
You just mentioned what I always worry about as well, the life cycle issue. And also the lifetime of a vehicle is longer than other devices that we use, and they don't have the safety-critical issues to deal with, like the laptop or the other devices we use. I think the supply chain overall, what I think, you had many points that I need to cover a few of those. I think if I have to think and tell in one way, that the international harmonization of the regulations must happen. And finally, we started to see some of those happening with WP.29 regulations that started happening. And since you mentioned the electronic components, I would say the specific compliance is required for those components. And that is also coming up as the standards with ISO 21434. And when we see these coming out, now I just want to take an analogy with the, since we're talking about auto sector, it's about safety. If you want to make a good vehicle, you also need to have the safety compliance. And that's how your grading increase or decrease, right, based on how safe your vehicle is. It's going to be same thing, because security is going to be your next safety, or new kind of safety. So there is going to be a lot of compliance required. But for those compliance, you now need, more than ever, more regulations. And now it depends on, is it going to be more self-regulated? Or is it going to be, what kind of industry it's going to be like? I'm not sure, we are not in the place to answer that. But we are still seeing a lot of international harmonization efforts happening around the world. And I think right now we are having 60 countries, or 60-plus countries, for WP.29. And it's still in the European side and not in North America. And as soon as we will see the rolling out and most of the countries start having compliance with those regulations, we will see a chain of trust, because with the SolarWinds that you mentioned, I think that chain of trust was broken.
And you just need to build it from scratch when you're building this entire sector or new landscape. I always think in terms of internet and internet threats, because that was my background, network security. But then I think about the electric vehicles and the lines of code. And then software development happening for those electric components. And the embedded system, I see a completely new realm of security threats, because you have never thought of testing a little piece of code when you're, like, writing it. And now you need it. And it's more so ever required. Because now this little component can turn all the little other security threats on, because you were not making sure it in the beginning, in the design and development phase, rather than you were testing it later on. And that gap, or the evaluation time or the development time, will be having a lot of impact. And the another thing that I'm hearing nowadays, it's not from my expertise, but in the autonomous vehicle experiments, they have analyzed that there are problems with the auto-grade software development for autonomous vehicle that we are seeing. Because some of the components are in the supply chain or not. They might be counterfeit as well. So now you're dealing with a different kind of a problem, right. So that's why it becomes so much essential, and kind of a mandatory and a compliance-based, or the regulations around the supply chain. More software needs more of the compliance and also some changes required in the lifecycle of the software development for these.
Rob Aragao 12:58
When you look at some of the different auto manufacturers that are, you know, starting to really truly pay attention and realize how important this area of security is, are they coming at it from that level of, you know, the way they kind of compete when it comes to the safety of their vehicles, and understand that this is kind of a new area that they have to encompass? And add on top of that the issue of privacy, right, with the connected vehicle, a chip of actual information that's contained within that vehicle relative to you as the consumer. So are they looking at kind of expanding that scope of safety to encompass the privacy and security, from what you're hearing out there?
Ikjot Saini 13:34
I would say one thing: if they won't consider privacy today, they will lose their customer base. Because with respect to a customer acceptance or user acceptance rate for connected vehicle technology itself, it is declining still in the stats. The reason behind that is the customers are not fully confident about this technology to disclose their personal information. So with respect to privacy, we are going to see more of the regulations or the acts coming out. And the auto sector has to be compliant with it as soon as they can. But overarching idea is to have the privacy, security and safety balanced for these CV technologies in future. So right now the focus is more on security: try to handle and de-risk as much as you can in this entire ecosystem. And the first thing to do for that is to first of all identify all sorts of potential threats. The legacy systems are going to make it worse, because we are seeing more of the new entrants coming out and they are working on the new concepts. And I think most of the time it's Tesla which is used as a key example for electric vehicles or new kind of futuristic vehicles; there are so many more. But what I say the key difference is, if you want to build something new, you would not have some of the problems which we have had in the legacy systems. And why I'm picking on this, because that's what happens in the technology itself: when you are trying to patch, you keep adding band-aids, individually. But when you come up with a completely new idea, you can start working with a completely new methodology. And you don't have to now put the bandages; you already had the bubble wrap around that, so you can work carefully.
Stan Wisseman 15:27
And I think that actually resonates with some of the things that we have in the context of building in resilience. You know, you need to be able to anticipate and withstand attacks. And part of that is you have to build it in and into the design, you have to be thinking of that threat space; that threat modeling has to be considered as you're building into the system. Now, let's think about this. Some of the realities we're already seeing as far as the vulnerabilities being exploited: we have the classic example that Wired did with the security researchers. And they showed how the Jeep Cherokee can be taken over. We have more recent examples; I'm worried specifically about these mobile keys, keyless entry with mobile phones, right, and those apps. And I was like, knowing how insecure mobile applications are, I'm really not comfortable with having the, you know, the ability to open up anybody's car with that application. And then you have these info systems, right, that are, you know, enabling Apple and Android apps to run on them and introducing, potentially, malware. We're already having challenges with those apps, much less thinking about it on this, you know, connected vehicle or autonomous vehicle, right? Granted, building security in from design is the way to start. But even in those situations, you'll run into situations where you have vulnerabilities you have to deal with. What do you think is the right way of handling that?
Ikjot Saini 16:57
So one thing I just want to mention: security by design and privacy by design are really good to deploy right now at this point for the upcoming or emerging technologies, so that we don't face the issues or the challenges that we have seen previously in past two decades. I agree. Yes. And then again, the problem that you mentioned: okay, well, the secure by design and privacy by design principles for the new ones, but then you want to incorporate, because it's V2X, all the vehicles are going to connect with the nearby infrastructure, nearby homes, nearby, I don't know, everything. It is actually a revenue to outwards everything, right? Yeah. So the simple form of this inter-vehicle communication issue is, it is the internet. So the primary question should be: have we solved everything, all the security issues in the internet, that we are now thinking about putting internet in little, little things around us, and then also with these safety-critical objects like a vehicle? That means we are going to set an asset and then we want it secure, because we want to be safe. And that makes it a little bit scary, too. But the thing is, as soon as you connect your vehicle, for the convenience, you would choose to connect it with the parking meter maybe, or with the toll system, or maybe it's mandated in future. But then you actually should think about, if it's sharing information, then based on information, also, there are a lot of data breaches. There's a whole idea of information security as soon as you connect with internet. But when you connect your vehicle with the internet, I think it becomes more critical, because the information is also coming to the vehicle, which was not the case earlier. So as soon as it enters your vehicle, is it making any changes in your current operations within the vehicle, which is in-vehicle security?
And how does that impact? And the example that you have taken for Jeep Cherokee, that was the simple example with the infotainment system that was limited with the kind of radios that it uses. And you mentioned key fob; using that, that brings the another issue of encryption, the kind of encryption that we're using, and the radios you're using. So these issues, I think, are encompassing a very large landscape. And how we are seeing it, the simple way to envision the problem of security with the vehicle is, as soon as you connect it with internet, you now allow the information to be fed into the vehicle. And it's going throughout the internal Ethernet that it has, or the internal network of the vehicle. Now it can manipulate, change, you know, the malware or the other threats, what can be done within the internet itself. Now think about the internal network of vehicle, the vehicle on the highway or the road. What it's going to do, we don't know; you cannot even anticipate what's going to happen.
Rob Aragao 20:09
Now picture one of the things I'd like to pivot towards, and you introduced as kind of another passion of yours, right, is women in cyber, and women in tech in general. That's something that you've been very passionate about; you've done some great things there at the university and elsewhere. Can you take a minute to share what you've actually gone and focused in to help, in very short time, by the way, and some of the accomplishments?
Ikjot Saini 20:31
I started the first Canadian student chapter of Women in CyberSecurity. As a female, I can just second anybody who is saying that females need to have a sense of community. We seek that, and in security, I even experienced that lack of community, or the lack of sense of that community. And that was the reason that I started the first Canadian student chapter at University of Windsor. I actually was fortunate to announce it in a way and bring people together, to make them passionate, to make them see the things about cyber. You don't have to be in cyber, you can start in cyber. I think it just gives a sense to all the female students in computer science and engineering that, yes, this is something we belong, and we can talk, we can learn.
Rob Aragao 21:21
Well, thank you very much for sharing your passion on multiple fronts. But especially, I think we're just at the infancy, right, as it relates to the connected vehicle, and where we're going from here. And just the things that people aren't even considering at this point in time that you're bringing up to the foreground; the work that you're doing with SHIELD, I think, will help hopefully alleviate a lot of that and get people to realize what else has to be thought about. And also your women in cyber focus and push, and getting people to really be more motivated and build a passion for cybersecurity as a whole. So again, we really appreciate having you on today. And hopefully, we can speak with you again in the future. Thank you so much for having me. Thank you, Ikjot. Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us, and you can find out how in the show notes. And don't forget to subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business, where our mission is to deliver cyber resilience by engaging people, process and technology to protect, detect and evolve.