Jeff Massimilla is vice president of global vehicle safety and product cybersecurity at General Motors, and also vice chair of the Auto Information Sharing and Analysis Center (ISAC). Security Now's Simon Marshall conducted a telephone interview with Massimilla as part of our ongoing coverage of security in the connected and self-driving automobile industry. The interview that follows has been edited for clarity and space.
Simon Marshall: How has cybersecurity at GM changed over time?
Jeff Massimilla: We have been working with cybersecurity for years really, but it was all siloed. We had OnStar security, we had corporate IT security, we had R&D, we had some vehicle-based security activities. As vehicle security posture became more important, given my knowledge of execution on the primary attack surface of the vehicle -- infotainment -- in 2014 I took on the chief product responsibility in the firm for security. Having individual people looking at cybersecurity was no longer appropriate. We replaced that with me owning everything that touched the product or the customer ecosystem. Cybersecurity today is really all about keeping our customers safe, and so we recently combined global vehicle safety with the product cybersecurity safety organization. Now I'm head of a single organization.
SM: For what reason were the two groups moved together? Improved physical safety of the car?
JM: We have big sets of data on the vehicle safety and the cybersecurity side. A lot of the same data is used throughout our analytical processes. If you look at regulation and legislation, the safety and cyber aspects are very closely tied together. Car recalls, crash and safety worthiness will remain, but there'll now be my security specialists, there will be my red team of hackers, working on these tasks too. Then there's incident response where groups can learn from each other, and so we've also aligned the safety and cyber response approach to more effectively find any anomalies.
SM: Do you collaborate with external cybersecurity organizations?
JM: Absolutely... any company that can talk about their cybersecurity effectiveness will talk about collaboration. We have to be right 100% of the time, but the bad guy has to be right only once. When you're up against those odds, the only way to beat them is through significant collaboration. We work with industries including aerospace, defense, consumer electronics, the armed forces and other government agencies. We also pay contractors to find new solutions, we may want a third-party review of our procedures, and also, I may hire an external third-party red team. That's because we want to learn from them or have them teach us things too.
SM: Do you employ hackers?
JM: I have 85 people working in our connected security ecosystem. I have a full-time red team of ten people, who are all hackers to some extent; they're certified ethical hackers. Some are from other walks of life and have entered our organization. In terms of a bug bounty approach, we have put the welcome mat out there, and asked 'please tell us what you find in our environment.' We haven't talked much in public about this yet, but we don't really want a public bounty program because maybe then you aren't incentivizing at the level where you would get the best people looking at your stuff.
Through our relationship with HackerOne, we offer private bug bounty programs where we encourage people we have a relationship with to compete with each other, and we give them access to assets they wouldn't normally be able to get ahold of.
SM: What threats are you facing today that weren't there five years ago?
JM: It's great the industry is getting out in front of this before we see any incidents in the field. The potential adversaries that we see are hacktivists, criminals, the nation state, but they haven't taken a focus on our ecosystem yet. But we all know it's a matter of when, and not if.
SM: Are you worried that hackers are out there already, gathering information unobserved?
JM: Worried is not the word I would use. People who have encountered zero-day exploits in any cyber environment of any industry know that threats don't just fall from the sky, they take time. So realistically, there are activities that are happening out there right now.
SM: You're designing an autonomous vehicle (AV). Is it ready?
JM: The security posture and learnings from our regular vehicles are the foundation of what we'll deploy in our autonomous vehicle. But we're not ready to stick an AV on the road today. Do we believe we're ahead of the other manufacturers? Of course. But our launch timing will be dictated by how successful our testing is.
SM: How are you testing?
JM: If you depend on just red team testing, you'll only find all the issues at the end, and then your ability to keep product launches on time is challenged. Instead, red teaming should really be a confirmation that we ran a truly secure process during the development of the vehicle.
When we do red team testing, we do a combination of white, grey and black box environments. We have an internal or external red team. At the end, their findings are then shared with the blue team to make sure that we're learning from them. Obviously, we need to keep the two teams separated, but when you're doing white box, for example, you're telling the red team everything you possibly can about the car's development, so they can take that and try to find a new attack surface or methodology to get in.
SM: A lot of threats out there in other industries apply to automotive. But it's not often that a security attack results in actual bodily harm. That's a very real possibility with AVs, isn't it?
JM: This is not just specific to AVs; I'd argue that with any connected vehicle, harm could be the objective of an adversary. Unauthorized access to vehicle control and safety systems could be their primary motivation. And it's our primary motivation on our side to protect customers.
SM: Explain how you're protecting specific devices on an AV, and computer control systems on connected cars.
JM: We look at the entire attack surface of the vehicle. Weaknesses could be wireless or wired, or they could be devices brought into the vehicle. We have to look at all threats. And then we appropriately apply controls and capabilities to systems, subsystems or individual components to prevent unauthorized access or control. An example would be how we authenticate a sensor to make sure that it's the appropriate sensor for that vehicle, that it is the intended design, and that it's the same part that was tested and validated during production. These systems are really no different from digitally signed software; it's just that they're applied to vehicles. We have to make sure that nothing else can be added onto the vehicle that would represent a weakness. This is a good example of how we view the attack surface.
SM: Do you have a secret sauce?
JM: No! I wish it was as simple as having a secret sauce. But from my perspective the secret sauce is the capability of the team. There's the great challenge of cybersecurity -- it's exciting and motivates people. Also, many people think that automotive is a very sexy industry. I put the two together and I say to team candidates 'I'd love to offer you a job to work on the red team to hack a Camaro,' and people are very, very motivated to do that work. The only way we can be successful really is through great talent.
SM: Characterize how much of a priority security threat management is throughout the entire GM organization.
JM: I'm a very well-funded and resourced organization within the company. The work that we do is on the critical path, and represents future technologies that are going into a secure environment. If we're not ready with cybersecurity on our cars, we will not launch them. I have regular interaction with Mary (Barra) and the board, so this is all at the highest level of priority for the company.
SM: How many hours a week do you work?
JM: The best way for me to answer is that I make it a huge priority to have dinner with my family and young children. I'm highly dedicated to the mission and the role but it's a big priority for me to have family time too.
— Simon Marshall, Technology Journalist, special to Security Now