San Francisco – The title of the keynote presentation at RSA by Mary Barra, Chairman and Chief Executive Officer of General Motors, aptly describes the reality for anyone who is a driver or passenger in a vehicle, airplane, train or ship: “The Future of Transportation Relies on Strong Cybersecurity.”
During RSA, I had the opportunity to interview Kevin Tierney, Vice President of Cybersecurity for General Motors, one of the industry’s leading voices in vehicle cybersecurity. Kevin and his team are responsible for creating and executing a culture of cybersecurity throughout General Motors – an effort that includes their manufacturing plants, over 25,000 suppliers, and more than 200,000 employees across 140 countries.
An important aspect of Kevin’s role is to coordinate efforts among the technical experts of various systems to ensure that they understand security and also understand the challenges facing the plants, manufacturing and IT systems: “It’s really important that we have the right people in each of those areas handling security, because there is a lot of cross coordination required as these systems talk to each other in major ways, so we can’t look at things in a vacuum and that’s one of the things that I think GM has gotten really right.”
He continued, “We’ve realized that this is an interconnected ecosystem and that we can’t just look at it in silos. We’ve got to look at cybersecurity across the entire enterprise and not just from a technology perspective, but from a business perspective as well, because we’re supporting high-level business decisions, including mergers and acquisitions or doing a deal with a tech company.”
Kevin added, “…a typical new automobile has more than 100 million lines of code and that number may be much higher depending on the specific vehicle requirements. It’s not just metal anymore…vehicles have radically changed and they’re really computers. It’s not just the product anymore, but all of the connected services such as mobile devices, WiFi and other services must be taken into consideration. Mary [Barra, CEO of GM] realized that we had to change how we looked at vehicles, adopting a holistic view and then, how we looked at cybersecurity. We’ve built up our global cybersecurity team from a few people in 2012 to more than 500 people across the globe today.”
One of the most challenging aspects of creating a culture of cybersecurity is motivating people to adopt new behaviors. “We want to keep the plants running all of the time, and sometimes that can be at odds with security.” Kevin posits, “How do we strike that balance? How do we update some of that machinery? How do we make sure that we maintain the safety and the ongoing capacity of our plants?”
This becomes exponentially more difficult when dealing with over 25,000 suppliers and the associated cybersecurity risks. Kevin applies the 80/20 rule: his team focuses on the relatively small group of suppliers that accounts for the majority of vulnerabilities and risks. As if the VP position weren’t complicated enough, he is also responsible for the cybersecurity of a major financial institution: GM Financial.
Additionally, Kevin serves as chairman of the AUTO-ISAC, an industry-driven community to share and analyze intelligence about emerging cybersecurity risks to the automotive ecosystem and to collectively enhance vehicle cybersecurity capabilities across the global automotive industry, including light- and heavy-duty vehicle OEMs, suppliers, and the commercial vehicle sector.
The AUTO-ISAC is sponsored by the Department of Homeland Security, as well as other participants throughout the transportation sector. It is a non-competitive, open sharing environment within an industry where competitors often don’t want to share a lot of information. Kevin remarked, “We’ve all realized that to get ahead of cyber, it’s really a team sport. And so we stood up the AUTO-ISAC almost five years ago.”
“The executive director of AUTO-ISAC is Faye Francy, and I became the chairman of the organization. Faye and her team pull the industry together. We have the majority of the OEMs (Original Equipment Manufacturers) here in North America and most of the global ones as members. Our members include many tier-one companies within the industry’s supply chain and other technology partners that are critical to the automotive industry.”
“The mission is information sharing and learning, right? It’s sharing what we’ve done at GM regarding information that may be coming in through our threat intel sensors that might be relevant to other OEMs because we really look at it as non-competitive. If, for example, someone gets attacked, it’s not good for the industry and it is not good for new technology. So we really are approaching this collaboratively and that forum allows us to get together. It’s a big cultural change,” he added.
When asked to address or dispel myths about vehicle safety around cybersecurity and hacking, he said, “I would dispel the myth that the industry is not doing anything about the issues. Sometimes you see these articles that are repeated over and over again showing the viewer that a vehicle can get hacked. The auto industry has been extremely focused on safety for many, many decades. We see cybersecurity and safety as synonymous. Due to the alignment of safety and cybersecurity, the industry is really changing the culture. For example, we’ve made it very hard for an attacker to traverse the vehicle system.”
Kevin also described the GM Vehicle Intelligence Platform: “The VIP is our brand new data architecture that establishes that vehicle cybersecurity is a cornerstone of everything we do.”
Our new VIP enables the technologies for the vehicles of tomorrow. This technology is critical for GM to progress toward our vision of a world with Zero Crashes, Zero Emission, and Zero Congestion. It enables our electric future and the advancement of automated driving while enhancing cybersecurity and expanding over-the-air update capabilities.
Before concluding our conversation, I asked Kevin what keeps him up at night. “There’s so much understandable concern around IoT and vehicle theft. We’re in this pivotal transition period toward autonomous vehicles and electric vehicles. The safety of our vehicles is the most important. Data privacy is always a concern. So really it’s all of those sorts of things together and the scale of our enterprise and of the industry that keeps me up at night. But the thing that gives me solace is that we have a great team of almost 500 men and women across the world. Therefore, I think that I sleep pretty well in general.”
Gary Berman, Cybersecurity Reporter
Gary Berman is a contributing reporter for Cyber Defense Magazine. He was the victim of a series of insider hacks for several years until he made the pivot from victim to advocate. He is creator and CEO of The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic series that distills complex cybersecurity information into entertaining and educational superhero stories, making cyber hygiene accessible for non-technical people.
Olivier Vallez, JD, MBA – Lead Writer/Cybersecurity Reporter
Olivier Vallez is a contributing writer for Cyber Defense Magazine, covering various cybersecurity topics and events. He is the Head of Business Development at The CyberHero Adventures: Defenders of the Digital Universe, a groundbreaking comic platform that distills complex cybersecurity information into fun and engaging superhero stories and makes cyber hygiene easy to understand for non-technical people.