Reimagining Cyber - real world perspectives on cybersecurity

Connected Car Chaos - Ep 102

Reimagining Cyber Season 1 Episode 102

In this podcast episode, hosts Rob Aragao and Stan Wisseman are joined by Arun DeSouza, a renowned expert in connected vehicle security and former CISO at leading automotive companies. Arun begins by highlighting the critical challenges facing connected vehicles, emphasizing the importance of security by design throughout the development lifecycle. He stresses the need for rigorous vulnerability assessments and penetration testing to prevent vulnerabilities that could lead to remote hacking or data breaches.

Arun discusses the vital role of infrastructure connectivity and encryption in securing data transmission between vehicles and the cloud. He emphasizes the necessity of secure over-the-air software updates to patch vulnerabilities promptly. Addressing the risks associated with peripheral devices connected to vehicles, Arun advocates for robust system interface protections and micro-segmentation strategies to isolate critical systems from non-critical ones.

Privacy and data security emerge as central concerns, with Arun emphasizing the importance of adhering to privacy-by-design principles. He discusses the implications of GDPR-like standards for protecting sensitive data collected by connected vehicles and underscores the need for user consent frameworks in data handling practices.

The conversation extends to the complex automotive supply chain ecosystem, where Arun stresses the importance of implementing robust security measures across third-party suppliers. He highlights the role of continuous security assessments and collaborative efforts within the supply chain to mitigate cybersecurity risks effectively.

Concluding the episode, Arun offers practical advice for consumers considering connected vehicles, suggesting they seek transparency from manufacturers regarding cybersecurity features. He encourages leveraging industry networks and expert advice to make informed decisions about vehicle purchases in 2024.

Join us for an insightful exploration of the evolving landscape of connected vehicle security.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

[00:00:00] Stan Wisseman: Welcome to another episode of Reimagining Cyber. This is Stan Wistman with my co host Rob Arago. And Rob, I was recently taking a lift back from the airport, um, and It was a model Y. First off, it's impressive that a, you know, lift rider is using a Tesla. It's just, it's just cool. Um, I, I drive an old car, you know, I drive a 2016 Mazda and, um, and this lift.

[00:00:27] Driver was giving me an education on all the different capabilities, as we're looking at the screen with all the different cars and he's self drive mode. And, you know, it was just, it was just so impressive. It certainly had me salivating over an upgrade, you know? Um, did 

[00:00:44] Rob Aragao: you sit there and give some thought to all of the different connectivity?

[00:00:49] Of that vehicle. And just knowing that if it's connected, it's vulnerable. Did your security kind of hat come on and think about that versus your googly eyes over what, what wanting to get. 

[00:01:00] Stan Wisseman: I'd love to say yes. However, I was, I was pretty dang just drooling over the, the cool display and seeing all the cars around you in a way, but at the same time, you're right.

[00:01:14] I do have a security hat that I probably should have put on as opposed to my Envy hat, which was wanting to be the owner of the vehicle as opposed to the rider in it. 

[00:01:25] Rob Aragao: Well, let's see how you feel after we have our guest join us today and talk about connected vehicle security. 

[00:01:29] Stan Wisseman: You're absolutely right.

[00:01:30] You know, it's fortunate that we have somebody who's an expert in the field. Uh, Arun D'Souza is joining us, and he is the former CISO at two automotive companies. And so he has a great extensive background in the industry, and he's earned a number of accolades. He's been named the top global CISO by the Cyber Defense Magazine, and he's also been inducted into the CISO Hall of Fame by the Global Cyber Startup Observatory.

[00:01:57] Arun, We're glad to have you with us to help us figure this all out and given your experience, I mean, just to start things off, um, can you share some of your insights on some of the major challenges like, you know, security of connected vehicles of the data privacy issues or, um, maybe again, this addressing the vulnerabilities and vehicle to everything kind of communication.

[00:02:18] So what are some of the things that you see are the biggest challenges? 

[00:02:21] Arun DeSouza: Let's start with sort of the key. Yeah. The top five, in my opinion, the first one is security by design. It's real important to adopt a security centric approach across initiation, design and development and release. But as well, just like we do a night classical it leveraging vulnerability assessment and penetration testing across the full SDLC life cycle, because if you don't do those two things, what's the result is buggy code and, you know, say human safety risks of the car can be hacked or remote control.

[00:02:53] Right. And then the next one is infrastructure connectivity. People don't realize that as you, in a car, a car is nothing but a moving computer, right? So it's connected to a cloud and so on. So data transmission is a concern in that space. Uh, it's important to secure data transmission between the vehicles and the cloud, via data encryption at rest and in transit to particularly protect the personal data against interception, and then, you know, Infrastructure connectivity is also important from the perspective of strong delivery of software updates over the air so that, you know, they're not able to exploit any bugs and vulnerabilities, you know, in transit as well.

[00:03:39] Right. So that's important. The third. Pillar would be patch and key management. Uh, it's important to issue a prompt, a software patch updates to prevent compromise it just like in computers where you have the zero days and so on. The cars are the same because with the exposure to wifi and things of that nature, we'll probably talk more about that later.

[00:04:02] It's important to be able to patch promptly and efficiently. Right. And the other thing is. Leveraging specialized public and private key certificate services to validate the vehicles as well as the delivery of the software. And, uh, another one that comes to my mind is, you know, the safety and infotainment system exploits, right?

[00:04:24] Because there's so many of these devices that are connected to Wi Fi, Bluetooth, USB or phone. So it's not just the car itself and the inherent devices, all the peripherals are added, right? So safeguarding those, uh, System interfaces to prevent, uh, unauthorized access and remote control. That's huge to me, right?

[00:04:44] Because why is that important? It's important because you have to assure human safety and protect personal information because there's so much data, there's so much risk to life and PII that it's very, very important, right? And the other thing to do is, as well as we talk about this term micro segmentation in, uh, Classical IT, but it's also equally important to translate that to, to cars and using a micro segmentation architecture to isolated critical systems from non critical system because not everything is the same level of risk.

[00:05:21] And the last thing is actually people are the first line of defense, right? So we have to do a lot more to. Promote training and awareness across the you know, the end users for the car consumers now as well across the ecosystem of suppliers So I think education training and evangelization is huge. So any of those resonates rob and stan talk to me 

[00:05:46] Rob Aragao: They all do they all do and I think Let's, let's kind of dive into some of them, right?

[00:05:52] You have this connected vehicle, as we've been discussing, um, at the end of the day, it has a huge attack surface, infotainment systems you mentioned, telematics, there's all different ways for, um, the bad guy to get into this connected vehicle at this point in time. You go back close to 10 years ago, right?

[00:06:11] The, the, the very first kind of major realization That these connected vehicles were pretty ripe for attack was was conducted by wire magazine where they went and showed a jeep basically being stopped at a point, right, from being being breached and in essence taken over. You talked about, you know, kind of the five principles as you view it.

[00:06:33] Maybe you could also, uh, double click into some control measures you specifically look at, maybe on the access side of things, maybe access control specifically, but you know, up to you, Arun. What would you look at as some kind of key access, or I should say control measures in general, um, from a connected vehicle security point of view?

[00:06:49] Arun DeSouza: So the immediate challenges with connected vehicles include but are not limited to safeguarding against remote hacking, hijacking, unauthorized access and safety compromise because the evolution of cyber security. cars. If you look at many orgs today, the car cybersecurity started with the car safety function, right?

[00:07:14] And that's how it evolved. And so safety and cybersecurity are now sort of, you know, interlinked and intertwined. And also protecting against ransomware injection, because for sure you can do that with cars as well, right? So And there's other things you can do. But now, let's get on to some, uh, control measures to protect the connected vehicles.

[00:07:34] Uh, number one, approved software. It's real important to utilize software that has been approved by the manufacturer only, because the applications developed by third parties are risky and they're not Be as trustworthy. And when this comes into place, sometimes, you know, people want to customize their cars and things of that nature.

[00:07:52] So, you know, they want to implement these custom apps and so on. It's like on a phone. I mean, not all apps are equally safe. Same thing for a car. Uh, number two, VPN, uh, deploying a virtual private network of VPN to mask Wi Fi transmissions and security vehicles is huge because there's so much wireless connectivity.

[00:08:15] And if one's not careful, that can be hijacked. 

[00:08:19] Stan Wisseman: Is that, is that a default capability, Arun, that a VPN is something that OEM or the manufacturer is providing, or do you have to, as a, as a, as a driver user of the vehicle, you have to buy it? 

[00:08:30] Arun DeSouza: Some do and some don't, but I think it's something that can be deployed because at the end of the day it is, it's a moving computer.

[00:08:36] So one could do that because that's something one can consider. And then stealing from the playbook of classical IT, using a firewall in IDS, right? The Introduction Detection System. So using a firewall to protect vehicle communications and prevent external attacks, right? As well as using an IDS to monitor and detect anomalous activity inside a connected vehicle systems, which as we all know, maybe a precursor to cyber attacks.

[00:09:06] The fourth thing that one can do is I would say restrict service usage. And just like on my phone, I turn off my Bluetooth and I turn off my location. Same thing on the car, turning off the GPS, especially Bluetooth and Wi Fi. We're not required to connect again. Is a really good at preventing against hacking, right?

[00:09:29] Because they're not able to spoof the radio transmissions and so on. If you do that with GPS and the attack vector to use your terminology, Rob will be, you know, frozen. And last is managing credentials, right? Restricting authorized users, just like on your computer. You don't want like the whole world to be able to access your car systems.

[00:09:50] Changing default passwords, especially the default password on the Wi Fi controller and things of that nature. And using strong passwords and then, you know, strong authentication and, uh, mechanisms as well. I mean, one would think why in a car, but at the end of the day, you know, the car has its own identity.

[00:10:09] And just like in classical ID, people forget, uh, that, uh, there's not only the user identity, this device identity too, so the car has that identity. And. One of the things that I look to in the future, not related just to cars, is the ability to have something called self sovereign identity, when you can have better data privacy, where everyone can control their private data like a sovereign nation, and you extend that to strengthen privacy in a car, and I'm jumping ahead, but I think that's something to look at in the future.

[00:10:41] Stan Wisseman: All right, that's great. I do have a couple of follow up questions to those that you just listed there, if you don't mind. Um, you know, so in an enterprise, if you have An intrusion detection system, an IDS, um, you have people that are monitoring it, right, typically in the security operations center. Who would monitor for anomalies?

[00:11:01] That your IDS would detect on a connected vehicle. Are the OEMs responsible for detecting anomalies? Are the, are the drivers given any kind of information about potential anomalous behaviors through some kind of alerting in their information system? So how does that work? 

[00:11:19] Arun DeSouza: So I think it's a two part answer.

[00:11:22] Yes, just like on your phone or on your PC, there is the ability to send an alert to the dash. I mean, for it to be effective, you know, like I mentioned earlier, people are the first line of defense. And, you know, just like in the story I said earlier about the hijacked tire pressure sensor, we would like to have, uh, or know, uh, what's happening in your car and be alerted.

[00:11:43] However, You know, that's not enough, right? You want to be proactive. So all the streams of data and alerts should be going somewhere. So to answer your question very directly, I don't think this OEM's responsibility nor do they have the ability to do that. And just like in classical IT, you have the security operation centers, you know, that, uh, take your classical modern digital enterprise and monitor for security anomalies and risks, and then alert you and take corrective action.

[00:12:11] I think the same sort of thing would be, we'll have dedicated SOCs for, uh, automotive cyber security that take all this data and they'll have different clients and customers and they will do that. And then of course, you know, in the specific case that they found somebody trying to inject ransomware in the car I'm driving, they'd probably call me if I had been busy listening to music and say, Hey, you know, Before things get worse, pull aside or take some preventive measures, right?

[00:12:39] So I think it's both really, in the sense that you still have to allow people to protect themselves to the extent possible, you know, as long as they're still in control of the car. But I do believe there's a time and space and a booming big business ahead for SOC operations for connected cars, right?

[00:12:56] Stan Wisseman: Gotcha. So, hey, so 1 of the other areas we, you mentioned, I want to follow up on again. You basically got a moving information platform system platform, right? I mean, that's what a vehicle today is now. And just like an information system, you need to be able to. Patch, um, for updates as well as, you know, if you have a vulnerability that you need to get out, some kind of remediation, um, you know, what are measures that the OEMs are putting in place to ensure the integrity of these updates?

[00:13:26] And, you know, what are some of the mechanisms in general? To sort of like monitor and validate the authenticity of the software running on a connected vehicle to your point about third party software that might have malicious software not be authorized. You know, how do you, how would you detect whether or not what's running on your mobile information platform is is legit?

[00:13:51] Arun DeSouza: The first thing is not to sound like a broken record, but. Timely and regular software updates to patch vulnerabilities and improve connected vehicle security is critical, right? And digital certificates can help authenticate software updates, validate the source and assure against tampering, right? To be effective.

[00:14:09] Now, that being said, other methods include encrypting the software updates. Signing the updates digitally, securing the data transmission between the, the cloud and the car with trusted certificates, delivering updates to only authorized devices. And then of course, when all is said and done, deleting the temporary data and keys, postal software updates and just purge the car, right?

[00:14:35] So I think, uh, collectively all these things can help. And, and, uh, The underlying theme in this is actually security and privacy by design and in action, because all these principles I just said is to make sure you get it right the first time. 

[00:14:52] Rob Aragao: Arun, one of the other things you, uh, you actually alluded to previously is the concept, obviously, of privacy and data security, right?

[00:15:00] Because at the end of the day, the consumer is the target. Getting to the vehicle is ultimately to get to the consumer, to get the data, to take, you know, and somehow, um, take advantage of that and consumer, if you will, of the vehicle, the owner. Now, I'd be interested to get your thoughts, kind of, couple of regards on this topic.

[00:15:19] One is, if you think about, um, protecting the consumer data relative to what I can pull from the car, what are some thoughts and approaches that you see, um, to better safeguard the privacy? Thank you. Information and the 2nd aspect of it, the kind of, I see some interconnection points here is that back in February, the Department of Commerce actually came out and said, hey, we are so concerned that connected vehicles are literally now becoming a national security.

[00:15:47] Risk, so they are now putting some, um, process, some definitions and control mechanisms and in essence requirements that will come forward, you know, and again, the OEMs, the, the, the manufacturers of the vehicles will start seeing that they have a voice at the table, of course, and shaping what that's going to look like, which I think is important that that that partnership that collaboration, but, um.

[00:16:08] I'd get, you know, kind of a sense that you're, you're driving towards, you know, that being something that probably is very much needed. So I'd like to get your thoughts on that aspect as well. So more again, privacy kind of control mechanisms of the data and the consumer side of it that then interconnect to like what you're thinking would be something that makes sense.

[00:16:24] And the regulatory, maybe in standards approach that's coming from the government. 

[00:16:28] Arun DeSouza: Okay. So let's discuss the topic of privacy and data security in connected vehicles, right? The security and privacy risk nexus of the Internet of Things is especially manifest in connected cars. And I think we touched upon it earlier, because once not careful, there can be identity theft, there can be human safety damage, and so on.

[00:16:49] With that being said, there is a tremendous amount of data that is collected, processed, and stored for any connected car, right? So much data. And this may include, but it's not limited to sensor data, voice recognition, driver behavior, Conversations, locations, drivers, where you've been, and personally identifiable information, right?

[00:17:12] So, a treasure trove of data for, you know, bad actors if you get a hold of and misuse. Uh, now, uh, It may also be used for secondary marketing purposes if exploited. Now, what I would say, and I'm going to sort of start talking regulatory from another perspective, right? In a sense, if you look at the classical enterprise, the EU GDPR is widely considered as a gold standard for data protection, right?

[00:17:43] You guys have heard of the GDPR, and you know the, yeah, violation of GDPR has a lot of ramifications. The enterprise, uh. Minimum fine could be 20 million euros, uh, up to 4 percent of the global revenue, as well as double jeopardy does apply. Civil suits can also be done with people who feel their privacy has been violated.

[00:18:02] But Uh, so with that being said, the GDPR has got, uh, certain guiding principles, seven of them, right? Lawfulness, fairness, transparency, focus limitation, data minimization, accuracy, storage limitations, integrity and confidentiality, and accountability. And I think, uh, you know, the car manufacturers are going to start taking that seriously and start applying it to the cars.

[00:18:29] Now, for example, these principles should be extended to connected vehicle privacy, especially privacy by design and default being a core tenet, right? We talked about security by design earlier. Now I'm going to plug privacy by design, making sure that Things are protected, you know, firewalls are done. So the data in transit is protected by encryption as well as certificates, things of that nature.

[00:18:55] Most importantly, the GDPR recommends data anonymization to minimize the risk of PII breach and identity theft. And I think car manufacturers should take heed of that. valuable, you know, nugget of wisdom and start implementing that as well. Because, you know, if the data is anonymized and are reconstituted by certain methods, you know, even if you hack it, who cares, right?

[00:19:20] Uh, and then as I noted earlier, a lot of personal data and preferences collected by connected vehicles may be used for secondary and tertiary marketing purposes, right? Uh, so therefore, Another thing we can learn from GDPR, the principle of consent should be considered. Therefore, if I'm in a car and, you know, they're using my data, they need to tell me a priori that, hey, you know, Arun, we're using our data, is that okay?

[00:19:47] And going towards that, because I think not only does that help protect the consumer, but also promotes a level of proactive governance on the part of the cyber manufacturers, right? 

[00:20:01] Stan Wisseman: No, it doesn't make sense. That doesn't make sense. Um, Arun, I want to go down a different path because we, you know, in your introduction, we mentioned that you'd worked with automotive companies before, including companies that create components for vehicles, right?

[00:20:17] You're part of that supply chain and these OEMs, these auto manufacturers rely on third parties and their supply chain for a lot of these different Pieces and parts that ultimately build a car, right? Um, so, you know, if you go back to, you know, solar winds and many other instances that have occurred since then, there's a heightened awareness of the risks of our supply chain and software.

[00:20:44] And, and I, you know, I don't know if, if, if the, you know, the OEMs themselves are taking measures to ensure that these third parties and the components accepted from them. Are secure before they integrate into their, their build into their system. Um, or are they putting in contractual guidance as far as, you know, you shall do these things and you're secure by design, uh, for these components.

[00:21:10] And we're only going to accept it unless you've proven with evidence that you've done these things. What, what, what, what's going on as far as helping mitigate that risk? 

[00:21:20] Arun DeSouza: Yeah, before I answer your question, Stan, Rob, I haven't forgotten, I owe you an answer on the regulatory compliance side that you mentioned related to move to vehicles.

[00:21:28] So, after this, we'll go to that one, okay, my friend? 

[00:21:31] Rob Aragao: Your opinion, yes. 

[00:21:34] Arun DeSouza: So, now, the extended automotive supply chain ecosystem is a vast area of suppliers, right? As the old adage goes, a chain is as strong as its weakest link. A classic example from another industry, the hotel industry, a chain which I shall not name, uh, acquired another hotel chain and didn't do the due diligence and then they got hacked through that, right?

[00:22:00] So we've already seen that in the classical side. And that's equally true in automotive cybersecurity. Because any chinks in the armor of any supply chain constituent, can be a pathway for exposure software and or hardware vulnerabilities for automobiles, right? Therefore, it's paramount To ensure that ecosystem vendors and suppliers have strong security.

[00:22:22] Now, whereas it is a complex endeavor, it's critical to have a periodic review of third party policies and practices. You mentioned Stan about contract management and putting in the contracts. The, I'll come back to that in a minute, but the thing with that is. Today, what's happening is security and risk questionnaires are sent to suppliers to assess their security posture.

[00:22:45] And, you know, this could be hundreds of questions and so on. And that's why it's complex. And the challenge here is the process that people have in place today is very tedious, and it's just a snapshot in time, right? So I think a third party risk management platform that can help provide a, balance scorecard view of cyber risk in near real time across the supply chain ecosystem can be a great asset.

[00:23:12] However, it's not lost on me that cost may be a barrier to acquisition and adoption, right? And then of course, uh, to your point, okay. As a car manufacturer, you can put in your contract, uh, and even if you have a right to audit, how do you effectively audit that, right? So that's the danger, right? So I think that it's people process technology.

[00:23:35] I think this is time to re trade one of the. The fifth principle from the first question you asked me, Stan, about, you know, educational awareness. When everyone realizes we are better together. And you know what I call the power of federation. I think it's going to take time. Everyone going towards and, and really, you know, I think sometimes, uh, I remember Toyota, uh, when a supplier had an issue or some production problem, they would actually send people to the plant and, and look at it and so on.

[00:24:06] Classic story, I heard about this, uh, Toyota representative going to auto manufacturer, but the paint was not so good, right? You observe the process and the very fancy equipment, very expensive for drying the paint, uh, you know, to, uh, And it wasn't so good. And then he observed it. And then basically he said, all right, I want you to do this for me.

[00:24:30] And he designed, like, I don't know the thing, just like, uh, eight or 10 or 12 hair dryers pointing to the car. And it did a much better job 

[00:24:40] Rob Aragao: at a much less cost, 

[00:24:42] Arun DeSouza: much less cost. Right. So, I mean, what I'm getting at is transferring that principle from Toyota to other areas like vehicle cybersecurity or whatever.

[00:24:52] I think those that have should help those that have less and, you know, why not, you know, Get together and work in groups or even send people, you know, to give them free advice, you know, or having these I know we have these purchasing seminars people come for the supply Why not a security seminar between manufacturing suppliers to give them free advice?

[00:25:15] I think there's more of that that needs to be done make sense 

[00:25:19] Rob Aragao: make sense does does your opinion And the Department of Commerce, I want to hear your thoughts on that one. 

[00:25:26] Arun DeSouza: I'm going to give you another parallel. Have either or both of you heard of the term zero trust? 

[00:25:34] Rob Aragao: A couple of times, just a couple.

[00:25:36] Indeed. 

[00:25:40] Arun DeSouza: Yeah, just a few times. And, you know, John Kindler came up with that, oh gosh, in 2012 or 2013, right? And, and, and basically what zero trust is, Is the fact that, you know, you've got to stop trusting network packets, uh, like people and saying, you know, packets inside the network is, uh, are trusted and those outside are untrusted.

[00:26:05] Essentially all network traffic is untrusted, right? That's how it started. So the change of focus from network packets to, uh, applications, user data, completely seismic change in the way security should be managed, right? But still people didn't understand it, didn't care about it, to, you know, Until the government came up with the U.

[00:26:24] S. cybersecurity order and made Zero Trust no less the cornerstone of the government's cybersecurity strategy. And suddenly we have this massive tailwinds behind zero trust, you know, started to propel it across the enterprise as well, because there's a host of benefits, which I won't go into here. So having seen that in action and how, uh, you know, the government cybersecurity order helped, I think I'm, I was very, very happy to hear about the DOC, uh, and this new regulation, because to me, it's indeed heartening to see that the U.

[00:26:56] S. Department of Commerce has dropped a stake in the ground vis a vis the critical area of connected vehicle. Cyber security there. I said it. And why is that? Because there are human safety implications and lives at stake if the appropriate administrative, physical and technical safeguards are not envisioned, developed and deployed.

[00:27:15] Right? So in my opinion, this is a great first step to develop. And mobilize a framework for automotive cybersecurity across the people, process and technology triad. It can also help foster a culture of accountability and proactive governance across the extended automotive supply chain, right? So then a logical next step to me is to leverage the power of federation I mentioned earlier by promoting Public private organizational collaboration to baseline, refine, strengthen, and publish the framework, right?

[00:27:49] If we're in it together from the get go, we can make something useful for everybody, right? Collectively, there is a Clear need for a strong coalition between automotive manufacturers, government agencies, and cyber security experts. There is a clarion call for broad collaboration and information sharing on emerging threats and vulnerabilities.

[00:28:11] This can then enable effective defense across the extended automotive ecosystem. Now, further to those observations. The key to long term success should also include international coalitions of leaders and practitioners who can tap their vast knowledge, experience, and expertise and pull them to craft universal best practices and policies for the benefit of all.

[00:28:35] In particular, three things come to mind. The first, cyber resilience protocols further to the Question or comment that you said earlier, Stan, about what if there's a problem, right? Need to be able to have the cyber resilience protocols, both at the individual car unit level or the cloud that delivers the updates.

[00:28:55] What happens, uh, uh, and what do you do when that, uh, so you need to be able to have, Tabletop exercises to calibrate the incident response plan for effectiveness and efficiency for business service assurance, and why wouldn't it be great if, you know, there are these archive or knowledge area of playbooks for each type of incident that everyone can share and benefit.

[00:29:20] The next would be, you know, promoting the need to design and deploy redundant systems and failsafe mechanisms. The area would be redundancy and failsafe mechanism, because even there, if we share and work together, it can extend the best practices and policies, right? And the third and last one, and Stan, you're going to have a chuckle about this.

[00:29:41] Third party security audits, right? Building a common framework to minimize third party risk and audit appropriately, right? 

[00:29:48] Stan Wisseman: I do have one wrap up question for you. I'm looking to purchase a car in 2024. And obviously, most likely is going to have Um, some features like the ones we're talking about, right?

[00:30:01] Um, and I guess as a consumer, what do you recommend people do? Because let's face it, there's not a lot of transparency into the security capabilities of a particular manufacturer, right? In a particular car. So is there a place to go or are there ways in which you can get that information to help inform your decision as to You know, the options you're looking at as to whether or not, okay, this manufacturer has to have a VPN, you know, or this one doesn't.

[00:30:29] I mean, the sales reps don't necessarily have an answer on those questions, right? As far as the security, cybersecurity aspects. So who do you, how do you, how do you address that? 

[00:30:39] Arun DeSouza: So both of you and me have watched who wants to be a millionaire, right? Yes. So one of the lifelines, if you recollect, is phone a friend.

[00:30:51] Because all of us have friends who work for auto suppliers and, you know, across the supply chain. So that's what I would do first. I'll say, okay, guys, made by X order, I know there and, and ask them, you know, they'll, they'll tell you, right, whatever. And they'll put you in contact with people and just, you know, it's best to go directly.

[00:31:09] But that being said, you know, I think what we also need is I talked earlier, what the coalitions between. You know, public and private or even among the auto suppliers, I think just as you could have these teams of people that go to help, you know, like, less fortunate suppliers, if you will, with lesser bank balance.

[00:31:29] You could also have these summits to actually then share, you know, the, the, Different standards that you're implementing in your car, and therefore there could be just a level of transparency where there's a website with this sort of non profit, if you will, that can say, okay, a Toyota car has these, an Audi car has that, and if you want to compare not just the operating features, today you can do that on so many sites.

[00:31:53] Stan Wisseman: Here's all those, cybersecurity and privacy, right, exactly. 

[00:31:57] Rob Aragao: It's, it's the Stan feature list. So, so next to all the great little features of the vehicle that you're typically used to seeing, there's the Stan feature list that gives you all the cybersecurity controls. 

[00:32:07] Stan Wisseman: That's what I'm looking for. 

[00:32:08] Rob Aragao: Fully customizable.

[00:32:09] Stan Wisseman: Exactly. 

[00:32:10] Rob Aragao: We greatly appreciate you coming on and sharing more about connected vehicle security. It's Stan opened with, you know, it's been quite some time since we had a guest on to discuss it and it's evolved so quickly. Um, we, Stan and I have done some work actually with some other organizations, major, large.

[00:32:25] You know, uh, manufacturers of vehicles, uh, here domestically in the U S they're all driving the cybersecurity control capabilities back into design principles. So it's great to see how important they truly are looking at it. And the safety and cyber aspects truly have merged together as being kind of underneath that same umbrella.

[00:32:41] So I think we're in for, you know, some concerning. You know, things that can happen to the vehicle and to us, but I think the right controls are being put into place. And again, the advancements are being made and you've come on to share that as well. So again, thank you for your time today. 

[00:32:56] Arun DeSouza: Thank you, Rob.

[00:32:57] Thank you, Stan.

People on this episode