Meet Issak Davidovich, Vice President of Research and Development at C2A Security. He has more than 16 years of experience leading embedded security teams. He joined C2A Security as Vice President of Research and Development in 2018, leveraging his extensive background in embedded devices and the complexities of automotive cybersecurity solutions on both client and cloud applications.
Davidovich is leading the development efforts of the company's embedded cybersecurity solutions, taking a multi-layered approach to cybersecurity to provide automotive-relevant protection and safety compatibility.
According to Davidovich, the implementation of driver assistance technologies and cybersecurity go hand in hand, and the auto industry is taking its first steps toward creating in-vehicle security standards. Here, we talk to him about what this means for automotive cybersecurity.
Security magazine: The auto industry is taking its first steps toward creating in-vehicle security standards. Can you explain why this is a foundational time for the field of automotive cybersecurity?
Davidovich: In the last few years we’ve seen some significant changes in the automotive industry. There are many new, advanced features that OEMs add to modern vehicles - starting with connectivity. The vehicle is connected, continuing to improve the user experience with technology and expanding advanced safety and monitoring capabilities. These features have a high level of software complexity. Some analysts compare the transition of the automotive industry that is happening now to the transition in the mobile phone industry when the phone became a mobile data center; the vehicle became a data center on wheels. However, there is one key difference: the vehicle is a safety device, so software errors and cyber incidents may lead to devastating results.
Therefore, there is a great need to protect the vehicle against cybersecurity-related incidents. When we come and ask the question, “how can we protect the vehicle against cyberattacks?” the answer is not simple. The automotive supply chain is very complex; the vehicle architectures and components may vary between OEMs and even between car programs within a single OEM. For example, software of a single Domain Controller Unit may contain software modules from 5-10 different suppliers!
All of the above lead to the understanding that in order to reduce cybersecurity risks, OEMs and their major suppliers need to define a common standard that the industry can follow.
Security magazine: Why is the creation of ISO 21434 significant?
Davidovich: ISO 21434 is the first time that OEMs, Tier-1s and cybersecurity suppliers together established processes that are agreed upon by all parties. The standard describes the processes and conclusions from which the security architect can define the security requirements for the car program (similar to the way that ISO 26262 defines safety requirements).
Security magazine: What are the largest challenges facing automotive cybersecurity teams?
Davidovich: The largest challenges are:
1. How to control and protect a complex system in which so many parties deliver their software modules.
2. How does the OEM perform fast risk and threat analysis when an incident happens - how can the OEM deduce the actual damage that the cybersecurity incident can cause?
3. How can the OEM protect vehicle components against cyberattacks in a safety environment with low-resource MCUs and increased traffic load?
Security magazine: How can the automotive industry address these challenges?
Davidovich: The OEMs will need to own the cybersecurity life cycle of their car programs. In order to do that they will need to adopt modern methods that are tailored to the automotive needs. For example, managing all your software/hardware assets in such a way that the OEM’s security team can get an answer to the question "What ECUs and Networks are at risk due to a publication of a new vulnerability in one software library?" in just a few minutes. The next thing the OEM needs is a method to derive the possible damage and ACTUAL risk level of this incident. Finally, if needed (actual risk cannot be neglected), deploy the specific cybersecurity countermeasure that can protect the vehicle in the case that an incident happens in the field.