This article was originally published on Motional's Medium page, Minds of Motional, on April 21, 2021
Security is core to the overall safety of our vehicles. We have a mantra, “There is no safety without security.” This mantra reminds us that a system may be safe in the absence of a malicious actor, but malicious actors are not above subverting even safety mechanisms to achieve their goals.
Motional’s cybersecurity work provides justifiable confidence that our driverless technology is free of unreasonable cybersecurity risks.
A Journey, Not a Destination
The cybersecurity landscape is constantly changing. Threats evolve, attackers’ goals change, attack techniques improve, new defenses become available, and so on. Thus, a product’s security risk level changes over time. Security must be built into a system from its inception, and the system must be monitored and adapted as the landscape changes. We think of cybersecurity as a journey that teams need to continually work on.
At Motional, we have separate cybersecurity teams covering IT and product security:
- IT security focuses on securing those systems that enable efficient business operation.
- Product security focuses on securing the products the business builds. In our case, this is driverless technology.
This split exists to clarify and focus the priorities of each team. The security teams collaborate on multiple projects in any given month, and look for opportunities to work together or share information. This series focuses on product security.
Security Before Beginning Development
Effective cybersecurity teams require a solid foundation upon which to build secure products. Without this, it is difficult to prioritize and orchestrate security work, measure progress, and avoid preventable problems. This series will describe how Motional is using cybersecurity processes to build this foundation.
Secure product development is enabled by carrying out such tasks as:
- Adopting policies to codify the importance of and authority to develop secure products
- Defining a cybersecurity lifecycle aligned with the enterprise’s other development lifecycles
- Documenting the various roles cybersecurity will play during and after development
- Training the organization in the processes and skills required to successfully carry out or collaborate on security work
These preliminary tasks create a strong foundation on which to build a trustworthy product.
Security During Development
A secure driverless system, like any other quality product, is developed purposefully. Quality is achieved by defining the desired degree of excellence, then (1) carrying out processes crafted to achieve the goal, (2) inspecting and testing current results, and (3) adjusting until the goal is met. This is often summed up in quality management as plan, do, check, and act. In cybersecurity, these processes are captured within a lifecycle, typically called a Security Development Lifecycle. The cybersecurity team defines such a lifecycle, trains the organization in its use, and contributes to carrying out the processes.
The lifecycle includes the following tasks:
- Writing security requirements for a particular subsystem
- Modeling a design to proactively find threats that motivate requirement refinements and design changes
- Writing code to protect subsystems or features by meeting the more complicated security requirements
- Helping to identify and test risky subsystems to find weaknesses
While this list is by no means comprehensive, you can see that security work spans everything from process definition to hands-on implementation. This level of involvement is critical to efficiently and effectively achieve a suitably secure product.
Security after Development
Developing a secure system is the first step. However, threats may still be present when security is built in. We must continuously monitor known threats and probe for previously undetected deficiencies. This ensures we can proactively address issues before they manifest in the field.
Security specialists therefore contribute to operations by:
- Ensuring the proper data is collected and analyzed in the field
- Investigating anomalies to detect threats and attacks
- Responding to threats and attacks to quickly reduce risk
- Informing engineering to ensure processes and technologies are adjusted to reduce emergent risks
Again, this is far from a complete list of cybersecurity’s contributions to safe driverless vehicle operations. However, it is clear that cybersecurity professionals are paramount in ensuring the safety of self-driving vehicles throughout their lifecycle.
Demonstrating Trustworthiness
The security of a self-driving car must be thoroughly demonstrated. It is not sufficient for security professionals to simply perform the tasks mentioned above. They must document their assumptions and claims, collect evidence to support them, and use this data to clearly and concisely present the case that their systems are trustworthy. This is analogous to the processes used to determine that vaccines are safe or to certify medical devices for use in or on humans.
While cybersecurity in the automotive industry is not as rigorously regulated as it is in the medical industry, we do have certification standards emerging [1]. Some jurisdictions are adopting regulations to require such certifications [2]. As with vaccines and medical devices, these standards and regulations do not ask the public to simply trust manufacturers. Manufacturers pursuing a certification must make their cases to certifying third parties. Those parties will only attest to the accuracy of the security cases if those cases are convincing.
A cybersecurity team is most effective at building such cases when it is integrated into the enterprise it serves. Integration ensures that everyone is aware of the cybersecurity team and what they offer, roles and responsibilities are well defined, and the importance of carrying out security work is communicated and understood.
In future posts, we will provide more details about how Motional is building secure driverless vehicles.
[1] ISO/SAE DIS 21434 Road Vehicles — Cybersecurity Engineering. https://www.iso.org/standard/70918.html
[2] UNECE Trans WP.29 GRVA — World Forum for Harmonization of Vehicle Regulations — Working Party on Automated/Autonomous and Connected Vehicles. https://www.unece.org/trans/main/wp29/meeting_docs_grva.html