Growing a 15,000 strong automotive cybersecurity group with John Heldreth

The furry in which the automotive community pried, prodded, and eventually outsmarted existing functions that are software-driven is nothing short of horrifying.

While it seemed like automotive cybersecurity would never outpace these modern laptop-wielding gearheads, John Heldreth, Head of Car Security Operations at Volkswagen AG, had a different idea. Instead of trying to find solutions in a siloed manner, the automotive industry should have a place to collaborate, network, and take action against the rise in cyber threats targeted at their vehicles. This flourished into ASRG and an upcoming conference, Secure Our Streets.

Building on his prior experience at brands such as Porsche and Bosch, he shared with the Left to Our Own Devices podcast about the early days of this problem. It truly hit home while developing networks for software-defined vehicles that had no cybersecurity precedent.

John walked us through that moment of development when he and his team had to face this challenge dead in the eye. “How should we divide up the networks? How should we figure out who is doing which function and which electronic control unit (ECU)? Through this we started realizing that we had to start thinking about security too, as one of the design aspects. Not only how it should function, but how someone might attack it or manipulate it to do something that it shouldn’t.”

Taking a unique approach, John offers another way to view cybersecurity. Unlike the technical approach of diving into the details of vulnerabilities, he views it as a subset of overall security. Just like with securing any device, practitioners must ask the same questions:

• What is the integrity of the data being transferred?
• Is it continuously available?
• Is the receiver getting data with the same integrity in which it was sent?
• Are the data packets being delivered reliably and in a time frame that cybersecurity teams can act or react to?

Addressing this issue has been years in the making. The threat of recalls due to software problems demands that vehicle manufacturers, or OEMs, can address cybersecurity issues remotely.

Once developed, this technology needs to be integrated into future designs in order to keep drivers safe without hurting the bottom line. What’s more, this must be done in a manner that is forward facing and can protect vehicles from threats that are yet unknown.

However, many of the vulnerabilities that make their way into vehicles began in the software supply chain long before it ever was delivered to the vehicle manufacturer. “We’re slowly seeing this awareness from the OEMs coming down into the supply chain and then into the second tier and third tier companies who supply them,” said Heldreth. “They all have decided cybersecurity is awesome. We need to do this. It’s something that we’re starting to work on. Let’s go for it.”

The heightened awareness of vehicle vulnerabilities from years past has led to a more mature industry today. This can be seen in the evolution of electronic features from years past into the cybersecurity-ready cars rolling out of the plants. It is also bringing an age of collaboration that was previously unfathomable. This is only possible because the OEMs came together and collectively acknowledged that siloing automotive cybersecurity data wasn’t beneficial to anyone.

“It used to be that Mercedes-Benz or Volkswagen or BMW didn’t communicate with one another. They didn’t share common ground. But with cybersecurity in automotive products, we all have the same issue. We all have the same goal,” said John. “We want to make products, our vehicles, more safe and secure for customers.” Today, organizations are working with their suppliers to develop a culture of collaboration– suppliers working with OEMs and OEMs working with one another – which didn’t happen in the past.

Ultimately, it’s all about finding that common ground and that is found by understanding risk. “What we’re trying to do, of course, is to reduce any risk to our customers,” said John. “We don’t want people’s data to get hacked. We want the functions of the vehicle to be secure. We don’t want the influence from any external attackers or something to be possible. To do this, we have to put things into either quantitative or qualitative risk assessment.”

By taking a risk management approach, it changes the conversations of OEMs from hoarding their data to wanting a community that helps them solve their problems. “For me this means bringing all of those different systems together into a centralized place where you can organize, identify by time or by product, by asset, and so on, so that you can understand the full picture,” said John. “Then, when you have this all in a centralized system, you can use this information to make better decisions.”

Recognizing this need and wanted to make a difference, John created a small group from various ecosystem players to come together and collaborate towards more secure vehicles. He created ASRG with a group of 15 others and decided that knowledge, networking, and collaboration would be at their core.

What started as a grassroots organization in August 2016 quickly grew to 15,000 members across 57 locations. Each operates with communication at the heart of what they do, foregoing NDAs and understanding that it’s not about helping one company or another. Everyone is in this together. “We can’t do this alone. It doesn’t matter if you’re a supplier. It doesn’t matter if you’re an OEM. It doesn’t matter if you’re a service provider. We need competencies from people that have the knowledge we need,” said John. “Rely on your supply base, participate, have a healthy supply base. These relationships are key. They will help you deliver on time.”

For fina takeaways, Heldreth has three practical non-technical tips for today’s product security professionals. They are: have patience, understanding, and keep an eye on the collective goal.