Everyone in the automotive industry is thinking about cybersecurity. We got the opportunity to speak to not one but two thought leaders in the space — live from the OESA Summit in Novi, Michigan.
“When you have software or technology plugging into the vehicle in a totally new and different way, understanding how all of the systems around you and those specifications work is absolutely mission critical to launch,” says Jennifer Dukarski, known as “The Geek Lawyer.”
VP of Autocrypt Martin Totev sees digitalization reshaping automotive firsthand. “The auto industry is going to experience what the phone industry has experienced for the last 20 to 30 years,” he explains.
Themes discussed on this episode:
Name: Jennifer Dukarski
Title: Shareholder, Butzel
About: Affectionately known as “The Geek Lawyer,” Jennifer is a recognized thought leader in the emerging tech media, IP privacy and cybersecurity spaces. As a “recovering engineer” — albeit, as she says, “one never truly recovers” — she brings “engineering sensibility” to legal issues within the automotive supply chain.
Connect: LinkedIn
Name: Martin Totev
Title: VP, Autocrypt
About: Autocrypt is a mobility cybersecurity provider dedicated to the safety of new transportation. With increasing cyber risks, Autocrypt works with OEMs and suppliers to offer cybersecurity solutions to the automotive industry.
Connect: LinkedIn
Timestamped inflection points from the show
[1:28] Recovering engineer: From engineering to the legal world, Jennifer brings her prior experience into emerging new tech-driven spaces.
[2:14] Automotive supply chain prophecy: What’s on the horizon for automotive? A lot of exciting technology to modernize your supply chain.
[3:03] Big challenges: Automakers have to contend with the risks of software, as well as benefit from its upsides.
[4:47] Jennifer’s one thing: Terms and conditions and engineering specifications really matter when improving the supply chain — Jennifer explains how.
[6:02] Where cybersecurity and automotive collide: Cars are growing more digitized by the day. With this trend, Martin explains, comes an increasing number of cyber threats.
[6:56] ISO alignment: Along with ISO 26262, there are published industry standards like ISO 21434 and cybersecurity regulations like WP.29 to which companies need to adhere. But it’ll be a few years yet before everyone is fully compliant.
[8:24] View from the supply chain: Martin explains how cybersecurity looks inside the car. Pressing a button to engage the brakes is one of many innovations that require manufacturers to assess new and different risks.
[10:12] Change the program: Program management in organizations is in for a wild ride. The traditional way no longer works. Autocrypt engages OEMs to help them prepare for WP.29 and other new regulations.
[11:57] Who owns cybersecurity?: OEMs and suppliers need to be aware of their responsibilities in this new world. This may include acquiring the necessary qualifications and considering how to mitigate vulnerabilities if (and when) they appear.
[13:28] Martin’s one thing: Consumers need to accept updates to benefit from better cybersecurity. Martin explains how safety is the number one priority and where the balance can be struck.
[2:15] Jennifer: “There's a lot of exciting things on the horizon and a lot of them really do come from technology: components [for] the supply chain, [and] new areas like software, artificial intelligence sensors, electrical vehicle batteries — so many different new technologies. But at the same time, a lot of these technologies, software and AI can all be used to truly bring your supply chain up and into the modern era of manufacturing. I see technology as the place to be because it can help with the actual workload, and it can help with the product that we're creating [and] your engineering.”
[4:47] Jennifer: “To truly improve the supply chain, understand your terms and conditions [and] include your engineering specifications. When we go and negotiate terms and conditions, we don't always look at everything underneath that agreement — we need to know and make sure we're understanding what the quality and test requirements are. Moreover, when you have software or technology plugging into the vehicle in a totally new and different way, understanding how all of the systems around you and those specifications work is absolutely mission critical to launch [and to make sure] it's going to be successful, have great delivery and quality, and also make consumers happy.”
[12:49] Martin: “How we update our phones these days — every few months — I believe cars are going to be also updatable in a very similar manner. It’s the future: Digitalization is happening everywhere, and the auto industry is going to experience what the phone industry has experienced for the last 20 [or] 30 years.”
[13:28] Martin: “When it comes to regulation, there should be a middle ground as to [asking] for permission from the driver and [when] the OEM [should] push it [out] themselves. If it's security and safety related, the OEM should not require any action from the drivers. … I hope that the regulation authorities are on the same page as myself, because safety of course is the highest priority.”
[Transcript]
[:We really can't predict the future because nobody can. What we can do, though, is help auto manufacturers recognize, prepare for and profit from whatever comes next. Auto Supply Chain Prophets gives you timely and relevant insights and best practices from industry leaders. It's all about what's happening now in the automotive supply chain and how to prepare your organization for the future. Because the auto supply chain is where the money is.
Jan Griffiths: Hello, and welcome to another episode of the Auto Supply Chain Prophets podcast. And today, we're going to focus on software and cybersecurity, two issues on everybody's mind in the auto industry. This episode was recorded live from the OESA supplier summit in Novi, Michigan. And today we are bringing you not one but two thought leaders in the space. Our first guest is Jennifer Dukarski. She is affectionately known as the geek lawyer and the recognized thought leader in the space of emerging tech, media, IP, privacy and cybersecurity. Jennifer, welcome to the show.
Cathy Fisher: So Jennifer, tell us a little bit about yourself and your organization.
Jennifer: My name is Jennifer Dukarski. I am a recovering engineer first and foremost. Now I say that I'm a recovering engineer because one never truly recovers. But I did switch over and more than 10 years ago, jumped into the legal realm. So really who I am and what I do, I bring a little bit of that engineering sensibility into the realm of legal issues with the automotive supply chain. I'm happy to be a part of Butzel Long. Butzel is we've been here for well over 150 years and have been instrumental in all things automotive, we are really the leaders and the best when it comes to terms and conditions. And looking at emerging technology in the vehicle.
Cathy Fisher: What is your perception of or vision of the future of the automotive supply chain?
Jennifer: Well, I think there's a lot of exciting things on the horizon. And a lot of them really do come from technology. It's either the components that are going into the supply chain, all of these new areas with software, artificial intelligence sensors, electrical vehicle batteries, just so many different new technologies. But at the same time, a lot of these technologies, a lot of the software, a lot of the AI can all be used to truly bring your supply chain up and into the modern era of manufacturing. So I really see technology as the place to be because it can help with the actual workload. And it can help with the product that we're creating.
Cathy Fisher: With your engineering background, what are the big challenges that automakers are facing relative to software?
Jennifer: Well, I think you can take a look at what NHTSA has been doing lately, to get a good sense of at least software in the car. We've had several recalls recently that have dealt with software. And even in the artificial intelligence area, there was the very recent Cruise recall, with automated systems that came down to a decision made by AI. So I think when you look at it, the most important thing is to understand what your software, if you're talking in-vehicle software, what it's doing, and making sure that we're following safety protocols, because the risks are out there. And I mean, there's the risk of it not working properly, not meeting Federal Motor Vehicle Safety Standards, when there is a safety standard involved in the system. And there's always that perennial fear of a cyber attack. And I don't think that ever is going to go away.
Cathy Fisher: No, and I think it's gonna get even more complex as we move towards autonomy. Oh, yeah. And now we are trying to build that infrastructure where the vehicle is communicating with the infrastructure, as all going to be through software as well.
Jennifer: When you stop and think about those creative folks who have hacked the roadside units to put up zombie apocalypse. And you think those are the type of systems that the car is going to be talking with. That leaves you with an interesting image. And again, as much as I like to joke about it, I'm just waiting to get the phone call from somebody in my family saying, what does ransomware mean? And why won't my car start, but I'm hoping for the best because we have some amazing people in the security realm who are doing a very good job trying to find these vulnerabilities. And that's really where we're headed.
Terry Onica: If you had to give one piece of advice, what would that be to help improve automotive supply chains?
Jennifer: I think to some to truly improve the supply chain. It's understand your terms and conditions include your engineering specifications. It's something that when we go and negotiate terms and conditions we don't always look at everything underneath that agreement. We need to know and make sure we're understanding what the quality requirements are. We need to know what those test requirements are. And moreover, when you have either software or some piece of technology that's plugging into the vehicle in a totally new and different way, understanding how all of the systems around you work, and those specifications is absolutely mission critical to getting a system that's going to launch. It's going to be successful, it's going to have great delivery, great quality, and also make the consumers happy. And also don't forget those supply chain requirements as well. Oh, that you can never forget. Absolutely.
Cathy Fisher: Thank you so much, Jennifer for sharing vision of the future of the automotive supply chain with us.
Jennifer: It's an exciting place and I'm glad to be here.
Jan Griffiths: Our second guest today is Martin Totev. Martin is the VP for Autocrypt. Autocrypt is a mobility security provider dedicated to the safety of new transportation. Martin, welcome to the show.
Martin: Pleasure to meet you. And thank you for allowing me to join this conversation. We are a company that provides cybersecurity software and solutions to the automotive industry. And especially now with the advancement of technology in the automotive industry. We can see more and more our cars becoming digital. And with this, of course, comes all the different potential threats that the internet and digital technology could bring. What we do is we work together with manufacturer of vehicles or with the manufacturer of equipment for vehicles to provide the necessary cybersecurity consulting services or software that can prevent any potential threats.
Cathy Fisher: Martin, you are talking about the nature of cybersecurity work that you're doing. Is this aligned with ISO 26262, in terms of the cybersecurity requirements for software like that?
Martin: Yes, ISO 26262 is just one of the recently published standards that are coming out. And we also have do we have 21434 as well, which is another standard that is highlighting the bolts of cybersecurity in vehicles. We also have, especially for Europe, there is this the United Nations Economic Council for Europe that is also has a working group inside it that affects the different manufacturing process. WP.29 also has a cybersecurity regulation that was published I think two years ago. And I know that OEMs and different suppliers are going to be required to have a certain process for cybersecurity. So they can say so they can track him they can listen to different potential threats they are how are they going to mitigate them. And of course, there's going to be pretty much a trickle down effect that if the oh if let's say an OEM has to be compliant with that standard. He's going to request everybody who's supplying the different parts to the company to build to be compliant and to provide such information. It's great to see that there's more interest cybersecurity, but there should be a little bit more maybe, because regulation just coming out. And the I guess the effects are going to take some time until they're fully compliant maybe like two, three years.
Terry Onica: So what does the supply chain look like for you are used to parts but what does the supply chain look like for cybersecurity in the car?
Martin: So the supplying chain from a cybersecurity perspective is some suppliers are not really affected by any cybersecurity or potential cybersecurity threats. Because we have manufacturers of different hardware we have like the chassis manufacturers, which don't have any type of digital communications inside them. But then we have, we like to call the tier one suppliers that are the companies that provide the whole package and more and more parts in the vehicle becoming digital. And these parts are going to be very affected by how are we going to handle firmware updates, for example, because sometimes a simple solution or a simple problem can be fixed just with a simple update. And now we have the different devices that are going to try to control how updates are going to happen over the air updates. And I was fascinated just to dome on the drive here today. I never realized how digitalized the car became the car was driving. I'm always used to have a side brake that is portable with just a simple lever. And now it's just the button and then realize it just because it's a button. It does not have anything analog in it, it just you click rate, it sends a signal somewhere, and then the brakes engage. So what happens if potentially somebody taps into a connection? So who's going to be responsible reason? Is it the manufacturer of the vehicles responsible for it? Is it the driver responsible because usually the driver expects to sit down drive the car, all the current debts, because when you buy a car, you expect to just sit down and just use the car so I guess more of the responsibility is going to be on the manufacturer side and the OEM side. In citing this way, we have these regulations coming out so we can prevent any potential problems from coming up.
Cathy Fisher: I was just sitting here thinking to myself, the implications of this traditional automotive program management are completely blown out of the water, because traditionally, we've launched a vehicle, and then that's the program. So we're going to run that vehicle for five, seven years. We may be doing updates that are maybe associated with improving performance or addressing deficiencies in the product design. But the cybersecurity piece is huge, because it's a constant threat. And there's always new threats. So that's going to completely change the complexion of how organizations do program management. Are you folks working currently with manufacturers in terms of that overall landscape of program management and how to manage cybersecurity for the long term?
Martin: So yes, we are engaged with some OEMs regarding the topic, because it's one of the services we do is the consulting services regarding the compliancy with the WP.29 regulations that are coming up. And because we engage with them, we can we help them prepare their organization. And also we help them prepare any other records that might come up because some vehicle manufacturers, let's say they have an already established system in they just need a legislative station to it, or other manufacturers, they might need a little bit more. So that's a little bit inevitable, but we consulted them. And then if it's necessary, we provide, of course, our software solutions that are made for different in-vehicle security or different components security, it's also required by upcoming standards.
Terry Onica: In this new world, who's responsible for cybersecurity? Is it me as the consumer? Or is the OEM? Or is it going to be both to make sure I don't get hacked, even the supplier of the parts? Yes, who owns that now in this new world?
Martin: So because the regulations are constantly evolving, those topics are still being defined, but at this point, the OEMs and the suppliers are pretty much response to. For this way, they are required to have a cybersecurity management system. And this is something similar like having an ISO certification, like let's say for 9001, or 27001, which is if you have a system if you have the necessary resources inside the company that can manage the different cybersecurity topics. And this also includes requiring your suppliers to provide you with information on let's say, if the part itself is vulnerable to any cybersecurity threats, or if there is any vulnerability, how it can be mitigated, but over the air updates are going to be and are actually the best way to prevent any new and upcoming cybersecurity threats. Like how we update our phones these days, with pretty much every like few months. I believe cars are going to be also updatable in a very similar manner. And yeah, it's just the future. Digitalization is happening everywhere. And the auto industry is just going to experience what the phone industry has experienced for the last 20, 30 years, maybe.
Cathy Fisher: There are some people that don't want to do updates because they don't trust what's behind that. How do we help especially consumers understand the importance of accepting those updates, because in many cases there's usually some cybersecurity support that's being embedded in those updates.
Martin: When it comes to regulation, I believe there should be a middle ground as to what we can ask for permission from the driver itself and what we have to from the OEM push it themselves. If it's something security and safety related. I believe that the OEM should not require any action from the drivers, they should be pushed because it's safety and security related. When it comes to like let's say updates to like the navigation system or something that's coming into the infotainment system may be because it affects how the user interacts with the device itself with the car itself now becomes a device. But then when it comes to safety, it's just inevitable, it has to be pushed by the OEM. And that's my personal opinion. And I hope that I believe that the regulation authorities and the people responsible for the different regulations are on the same page as myself because safety of course is the highest priority.
Cathy Fisher: Thank you so much.
[:Are you ready to find the money in your supply chain? Visit www.autosupplychainprophets.com to learn how, or click the link in the show notes below.