Suppliers join auto industry push to block hack attacks

Melissa Burden and Michael Wayland

Novi — An auto industry group formed last year to develop ways to prevent cyber security attacks on vehicles says it has been able to thwart hacking threats and recently added its first supplier member with plans to add four more within weeks.

The Automotive Information Sharing and Analysis Center includes 15 automakers such as General Motors Co., Ford Motor Co., Toyota Motor Corp. and Honda Motor Co., plus supplier Delphi Automotive.

“The automotive industry understands they can’t do it alone,” acting Executive Director Jonathan Allen told The News in an interview. “You’ve got to work with the supplier community to deal with cyber risks.”

The group, which shares information on attempted hacking, hacking events and threats, also is talking to Google about joining, Allen said during the annual TU Automotive connectivity conference here.

Hacking is a growing threat to the auto industry as more vehicles are connected through internet systems and to smartphone apps, and as they become more complex with the development of self-driving technology.

The Alliance of Automobile Manufacturers and the Association of Global Automakers formed the ISAC in July 2015, and Allen said it began to share intelligence reports in December and became fully operational in January. The auto industry began talking about sharing information about cyber security threats in 2014.

“The fact that we have this thing set up and were operational before a major cyber event is very, very good,” Jeff Massimilla, GM’s chief product cybersecurity officer and vice chair of the Auto-ISAC, said during the TU Automotive event. “This is the first time that the auto industry has really collaborated at this level in a non-competitive fashion. So it was a cultural shift I think for all the automakers.”

Massimilla, in an interview on the sidelines of the conference, said a “significant amount of threat intelligence information” has been shared through the group. Exact numbers and a breakdown of the events were not disclosed.

Allen said the group does not provide details shared with federal agencies such as the National Highway Traffic Safety Administration, as it’s up to the automakers to inform the federal safety regulatory agency about incidents.

“We’re encouraging and helping to create that safe haven that (original equipment manufacturers) can share their vulnerabilities to each other, sometimes anonymously,” he said.

NHTSA Administrator Mark Rosekind on a conference panel Wednesday said he supported automakers sharing information to determine best practices. He said anonymous data sharing is a regular practice in other industries such as aerospace.

Last July, Fiat Chrysler recalled 1.4 million vehicles for the industry’s first-ever cyber security recall. It came after Wired magazine reported hackers could wirelessly take control of functions such as steering, transmission and brakes in a 2014 Jeep Cherokee. In September last year, Fiat Chrysler recalled another 7,810 Jeep Renegades with certain radios to address hacking concerns.

Also in July 2015, a hacker was able to remotely unlock a Chevrolet Volt’s doors and start engines, prompting GM to make fixes in its popular OnStar RemoteLink system and smartphone app.

GM is growing its cyber security workforce and now has about 80 employees working in that area, said Massimilla, who was named to GM’s top cybersecurity position in fall 2014.

In January, GM also turned to hackers, asking them for help. Hackers have long worked with the software industry, providing them information about threats and potential hacking methods.

Massimilla said after its OnStar RemoteLink issue last summer, the automaker decided it needed a more formal way to interact with hackers or researchers, to develop relationships with them and learn of potential problems more quickly. So it launched the GM Security Vulnerability Disclosure Program and uses the HackerOne website to receive information and to publicly recognize hackers on the site.

Massimilla said GM is the only major automaker to have such a program (Tesla Motors Inc. also does). So far, it has received hundreds of submissions, and Massimilla said there has been “significant interaction and excellent results.” In the future as GM’s program grows, it may consider paying hackers a bounty for bringing information to the company, he said.

Other automakers involved in the Auto-ISAC include BMW, Fiat Chrysler Automobiles, Hyundai Motor Co., Kia Motor Co., Mazda, Mercedes-Benz, Mitsubishi Motors, Nissan, Subaru and Volkswagen AG.

Henry Bzeih, head of connected car and chief technology strategist for Kia and an Auto-ISAC board member, said it’s important more suppliers join the group and share information.

Automotive technology consultancy and research firm SBD has cataloged more than 50 proven or theoretical attack points into the connected car, and that list continues to grow as technology evolves and interest from the hacking community increases.

Jeffrey Hannah, North America director of SBD, said cyber security should be viewed as an industrywide concern more than a competitive advantage.

“We don’t think cyber security at the end of the day will be a competitive advantage for any one automaker,” he said. “And if we don’t get cyber security right as an industry that obviously will threaten some of the innovations going into connected car today.”

Staff writer Michael Martinez contributed.