Upstream & TCS Discuss Complexities of Cybersecurity Assurance
so hi sandeep and welcome to upstream's tech talk series i'm faye from upstream security and we offer the first cloud-based cybersecurity solution that's purpose built to protect connected vehicles and smart mobility services from cyber threats and misuse through the use of data i'll be the host of this upstream tech talk and just wanted to you know offer you the mic to introduce yourself thank you faye i'm sandeep right and currently i had the cyber security services practice for tcs uh tcs as you know is a a large and well recognized system integrator with revenues last year of in excess of 22 billion usd we have large cyber security practice and we have been seeing increased interest these days in potty security and of course in the area of automotive security with with all the stuff that's happening with the autonomous vehicles and we're very excited about that area and would like to speak with you about this so you know i've known kind of tcs when it comes to the i t space so traditionally i've recognized that you guys do you work with it with the with their cyber security elements and this shift now to ot with these advent of connected vehicles with admin of connected um you know operational spaces where do you see more added or shifting complexities when it comes to uh those spaces and specifically my interest is the automotive space what are some of these complicated elements of securing the connected vehicle and the automotive ecosystem fake tcs has always had a very strong engineering services uh offering and we've been doing that for many customers in the automotive space in the telecom space so we really have been partnering with them to evolve their products the thing that's happening today that's uh this is a general global trend that we're seeing something which i like to call the softwareization of everything so we're saying more and more custom built hardware being replaced by let's say a commodity compute platform and the functionalities are now being realized in software so this softwareization of everything produces tremendous benefits but it also brings in the well-known software support and i.t systems support maintenance and evolution problems and issues that we have known about in the traditional mighty world and we see that playing out here and we think these issues need to be addressed with focus and firmly but we also think that our customers need help here because the traditional engineers they've done a lot of software to be sure and they're the people who are leading the software realization of everything but we have lots more experience in how to you know evolve support and maintain huge amounts of software so that's where we can bring in our learnings and really partner with our customers to make sure that we now produce things that are secure and they're sort of let's say associated with a certain level of security assurance so that assurance you know i mean assurance within the cyber security space is a really difficult concept to understand because how how do you how would you explain that to to tell someone can they be 100 confident that all of their elements within their ecosystem are cyber secure what does that assurance mean could you explain that a little bit yeah yeah so just to go back uh very very briefly into the history of the evolution of cyber security within 90 classically but it started off with you know i.t itself evolving and in the initial days the threat would be viruses and then we had networking so we had firewalls there was a lot of focus on point security solutions and the first of which probably has been the user id password which is the venerable user id password so we have evolved there from having point solutions to new problems that have come up as we've increased the deployment and at some point there's been the realization that we have to manage this issue manage the issue of security as a management issue and we need a framework in which to do this and the first such framework that became really popular was you know the british standards institute bs7799 which later was adopted by the iso and became iso 27001 so that evolution in terms of having a framework in which we look not only at the point security solutions but the whole ecosystem the whole gamut of people process and technology and apply that to generate some kind of assurance that we are dealing with cyber security issues systematically organizationally and over the over the whole ecosystem so would you say that the implementation let's say when it comes to the regulation the csms regulation would you say that the implementation of that process of that cyber security management system that in and of itself is a form of assurance and assuring cyber security elements are in place yes i think that is the most important element and it is it is forward-looking of uh the un and the regulators to adopt the approach that they would just say you know enshrined in their unec wp.29 as well as the iso and the sae coming together and coming out with the new draft international standard you know dis-21434 so the philosophy here is let's first address the assurance piece let's have the organization and its processes certified before we permit the certification of any of their products so they've really taken that learning because if you look at the regulators if you look at consumers or the public at large they want to know what is it that's being done to address cyber security which seems to have so many myriad facets is the issue of autonomous driving okay as the issue of a third party supplier that would supply me a component does that have a back door this is the issue of updating software it does is that done properly or you know could an update start when i'm actually driving so there's a lot of different things that need to be done and you do need a framework in which to manage it and i think this is really forward-looking and this is where we can bring our experience on delivering the assurance that cyber security is being addressed systematically right and it seems that that assurance goes through both let's say within the automotive space the oems their suppliers all the way down to the user and the end you know the driver of the actual vehicle itself each one of those elements each one of those different players within the space need that assurance in and of in and of themselves in order to feel confident and comfortable and and you know also to comply with the regulations themselves as well now when it comes to you had mentioned this earlier is the complexity when it comes to this cybersecurity assurance where do you see the ot space and cyber security within the automotive space being more complex than what others typically know of cyber security through the i.t space what are some of the added complexities and whether that you know has to do with the multi-cloud system whether that has to do with the amount of data that is being produced where do you see are some of the more complex issues that need to be focused on when it comes to the automotive cyber security well okay so uh the ot all industries that you know have dealt with critical ot they do have a safety culture there's a strong safety culture so they are used to following processes and doing extensive documentation so that's a plus that is a trait that helps them to deal with the complexity that will come out of implementing yet another security assurance system now while they are while they are good at following procedures and processes and is kind of ingrained in them there is a certain level of shall i say combinatorial complexity with i.t
with traditional manufacturing you can specify a component relatively easily a two or three page specification really pins down exactly what some mechanical or electrical component would do but writing a specification for software can be tremendously tricky and it's it has been it has proven so difficult to deal with that if you look at the licenses that software manufacturers or software producers actually deliver their end customers they accept very little liability now in in the software domain where you're operating with almost no liabilities bringing that in to a domain that has operated on strict notions of product liability so now uh you know the automotive industry is going to have to get used to delivering assurance where the suppliers of their you know subsystems uh by virtue of having so much software in them are limited in their ability to deliver assurance yeah know the regulation also just very specifically says that it is the oem's responsibility to ensure that they have a secure supply chain and and it is complex especially because so much of that supply chain is software based and it is it's it's quite incredible to i would say see cyber security technologies you know like like upstream dealing with that complexity i know that's something that we we heavily focus on is recognizing that while there are so many different software components there could be so many different ecu's in a vehicle there is still a way to be able to take the data that is being produced and one of the benefits of connected vehicles is that there is you know information being spread throughout the vehicle itself through its communications with the mobile devices or different smart mobility service providers there is data that is being you know driven back and forth so there is a way it may not be a way to write the exact um you know as you had mentioned the specification of what the software can do but there is a way of analyzing that and being able to recognize because it is connected uh the cyber threats that do come from that space which is which is something i would say is both the pros and cons of the connected vehicle ecosystem is the ability to find the threats but then again the the increase in threats because of that because of the connected sphere now sorry go ahead yeah yeah so also you know in the mechanical and you know the electrical industries there's been a culture of actually making sure that systems and subsystems perform very tightly to their specifications so it's very clear you know what let us say a battery should do or should not do it's very clear what is the performance that a turbine should deliver and if it should if it fails you know it's clearly a liability on the part of the manufacturer and the consequences are also pushed on now an industry that's been used to working with this ability to have strict liability push down its supply chain will now have to work in a situation where there's so much software in the software manufacturers are really not in a position to give those kinds of gun things so that's one complexity how do you deal with this what is it your mindset in terms of how you did your assurance the the legal aspects who will be responsible for what that's surely a kind of a legal as well as mindset and the culture complexity the other thing is that many of the equipment that is mounted let's say on mobile platforms by virtue of its uh you know it's it's location in a mobile or let's say for the lack of a better hostile environment high temperatures or low temperatures or dust etc it sometimes has limited computational capabilities to run very sophisticated protection mechanisms also since these vehicles are mobile they're amenable to being accessed by all kinds of people who have physical access and that's different from you know a data center other i.t equipment where people can use various forms of physical access control to deny physical access so that's another complexity you're on the road and uh you don't know who has access yeah you know we we actually see that the majority of cyber attacks or cyber threats over the past year the majority majority of them have been remote attacks they have been those that have not been directly connected to the car and that is one of the biggest fears of automotive you know or fleetwide remote fleet wide attacks with the ability to get into a server and control vehicles uh remotely uh malicious actor taking you know control over over a fleet is something that you see in the movies but it's something that you know as the vehicle becomes more connected and as more oems shift down that path is something unfortunately that has the potential to happen um is that remote access because of the connectivity of the vehicle itself i want to just kind of shift a little bit of ahead and you know with these complexities and with this process and the assurance that you as an si say corporations or oems need to take into consideration where do you see that demarcation point between you as an si let's say upstream as a as a technology provider the cyber security provider where do you see that collaboration and cooperation working see as as an si we have always traditionally worked with the best players who are let's say who own or produce certain technologies so for example you know maybe dell or any other manufacturer intel and these are the guys who make top of the line technology in their own areas they have a particular role to play and we as a size have another role to play we work with a a lot of major software players sap oracle so we look for partners that have excellence in their own areas and we complement each other there are people who are so specialized in a particular area and has spent so much work producing that solution and it's recognized as a absolutely you know leading solution whereas we are able to take all these components put them into a system bring in the management processes that are required and make sure that all these things operate within the compliance and regulatory frameworks that they're supposed to and thereby you know not only contribute to running their operations but also in delivering that level of assurance which they need it's fantastic yeah and i you know i think that's really where this is all coming to is the collaboration of partners of experts within their individual fields because of how how fractured the space is you need people that really know their individual space and know their individual expertise which i which i think is fantastic so i just want to say thank you so much for joining me today is there any last things that you want to add that we didn't touch upon yes yes uh there is one last thing that i would like to you know touch upon there is in in the autonomous vehicles there is an increasing reliance on systems that sort of try to do what human cognition systems do vision for example or reliance on ai and recent work and research has shown that these systems are vulnerable so there is well publicized work in you know if you have an image you will be able to tamper with a few pixels in that image and an image recognition system will completely fold into thinking something else so there are you know i've seen examples of a stop sign being recognized as a stop stein and then you hang a small you know postcard on the stop sign or you make something there's a reason somewhere recently a burger king sign i think that was detected as a stop sign somewhere and it was like the card on you know the autonomous vehicle must stop for the burger yeah and well that would probably not be as bad a thing as if you know if if the stop sign was recognized as maybe something else and the car didn't stop so this is a sort of a new area and the assurance that our machine learning and ai systems you know one thing is bias and there's enough discussion on the issue of bias in algorithms which the well-publicized you know examples of what would you do what would an autonomous vehicle do if it suddenly found some pedestrians on the street would it swerve off the street risking killing the occupants or would it hit the pedestrians yeah so that's just topical questions that are being brought into practical to the hands of the engineers yes but that's still bias now there could be malicious uses of ai where somebody deliberately hangs something on a stop sign so that it is not recognized so our assurance will have to cover uh our ai and machine learning systems as well and i think that's a significant area that we will have to address and we have begun to make some steps in this area we have some some offerings which we can take to our customers but i think this is an important complexity that we will have to grapple with as well most definitely and as you know as we've seen with the csms regulation that's recent you know the there will probably be additional regulations that will come into place and and oems will have to reconsider consider different approaches when it comes to autonomous vehicles uh as well in the future and have to implement cyber security elements within that entire system and process as well that was a very very valid point uh thank you again for for joining me today um i really appreciate this is a great conversation i i enjoyed it i think we meandered our way through a lot of different topics which i think are really fascinating and i hope those that are that will be listening to this will enjoy our our wide coverage of uh conversation thank you faye pleasure
2021-01-28 02:42
