Modernizing Automotive Cybersecurity with Bosch: “Autonomous is 30 years away”
In this episode of the #beyondthenow IoT security podcast, we are joined by Peter Busch, Product Owner Distributed Ledger Technologies Mobility at Bosch. We review how automotive cybersecurity is expanding and how to modernize 100-year-old protocols. Peter also examines the relationship between safety, security, and privacy.
Why is cybersecurity important for mobility.
The relationship between safety, security, and privacy.
The layers of architecture protecting mobility and why the relationship between hardware and software is so critical.
Discover Key Talking Points in this Episode
- More about Peter and Bosch. [00:50]: “Bosch, it’s a very old (135 years old) and very broadly engaged company. We started in the automotive business with electric components and all that stuff. But nowadays my main broad vision is really the internet of things (IoT). We are still making lots of activities in the automotive sector, it’s still two-thirds of our market shares and lots of building technology, a lot of industry and consumer goods, as well as you might know the ‘whitewall’, as we call it, of refrigerators and all appliances. I’m a part of a think tank. It’s a strategic division at Bosch that thinks about new technologies in mobility. And there I’m looking for the connectivity trends, the IoT stuff, and the decentralized technologies. So, we look at the different divisions, but I’m the product owner for mobility.”
- What do we mean by mobility? [02:30]: “It’s not a new word, but it’s a special word now because in former times we only said automotive and automotive means everything on the road with cars and trucks and all that stuff. But I think the roles and the importance are changing here. Since we not only see the cars, but we also see the mobile ‘things’. So, trains as well as bicycles, planes, all that stuff belongs to the mobility sector. And so, we do not only talk about automotive vehicles, we talk about just mobility.”
- Why is cybersecurity important for mobility and to Bosch? [03:29]: “When we see the changing paradigms, we have today. Mobility, for example. We do not only see a car, but we also see a moving device, which is interconnected to lots of other devices. When we say connected we have explicitly new security challenges here. We no longer only have to put the spark plugs into the car, we don’t have to only put wiper blades or anything else. All the electric components of their care in the future will have their own digital identity. And that brings the complete plethora of security challenges that we already have in IT into the car and other mobility parts.”
- What does the cost of failure mean to a company like Bosch? Relationship between safety and security. [04:57]: “ In German, we only have one word for security and safety where in English you have two. So, we want everything to be secure. Having security means we can use data safely and have a safe system as a whole. However, at the end of the day, safety is the biggest concern. Security for mobility is there because of safety concerns, it means keeping the person that is in the car healthy. This is our main concern. If we come up with new technologies for the future, autonomous driving for example, before we even put one car, which is somehow autonomous on the road, we need to be absolutely sure that this is safe and therefore we need security as well. All the data which comes in and goes out of the car needs to be authenticated, authorized, and all that stuff first.”
- How has the role of manufacturers changed over time? How does the lifecycle of cars complicate things? [07:38]: “When you look at the automotive industry, not the new definition of mobility with its new scenarios, but if you look at the classic automotive industry, we definitely look at like 10, 15, 20, or even more years for a life cycle of a car; from when it was first assembled and then all the components need to be manageable or repairable in 30 years. But if you look at your PC or smartphone two or three years after it was produced nobody wants to use it anymore.”
- The relationship between safety, security, and privacy. [09:30]: “Because all we talk about in the last few years is data. Lots of data. One of my favourite sayings is that with the beginning of the internet of things, you have lots of connected devices that share that data. But when you come one layer further, these devices not only share their data but also do business with each other. So you have a lot of new dimensions here too, to look at not only the security, not only the safety, not only the privacy.”
All we’ve spoken about in the last few years is data. Lots of data. One of my favourite sayings is that with the beginning of the internet of things, you have lots of connected devices that share that data. But when you come one layer further, these devices not only share their data but also do business with each other.
- The role of data privacy in automotive and mobility. [11:19]: “Privacy is one of the very important things because the current development that we have in Europe with the GDPR processes that we see is talking a lot about privacy of data and as well, who owns the data that you have. And all that stuff comes into the car now and intuitive mobility sectors. Not only does the car need to not be able to do any dangerous stuff on the road, which compromises the safety of the passenger, but we have other stuff now that all the data that is produced is not compromised. Every day I use google maps and they gather that data. But in the future, if you go from point a to point b do you really want organizations to know exactly where you’re going? Maybe what are you doing there? What are you buying on the road? And so on and so on.”
- The layers of architecture protecting mobility, the relationship between hardware and software. [13:10]: “I think the advantage of our 140 years is that we have our foundation in bare metal, the hardware. This is something that we understand, we know the physics, we know how to put security and hardware into the car. I think that we have to transport as well in this new area of data economy, for example. And so now we have to find a way to transport the security measures that we had like a hundred years ago into the new challenges, what we would get with this data or with the IoT challenges. So this is one of the big challenges we see at the moment having the expertise in the hardware world and transporting that somehow in the software world.”
- What are the challenges with mobility and automotive cybersecurity? [14:10]: “If you look at the supply chain as an example what we currently are trying to do is understand what kind of companies and suppliers are in the supply chain. because we have, of course, documentation. We know exactly who is there, which parts are from whom, but in the future, we’ll have lots more suppliers because we have lots of more functionality in the car. What we need to know now is from whom comes which component and what data is getting in and out of the car. So the supply chain does not end at the delivery of the car.”
- The role of digital fingerprints and the relationship with old hardware. [16:30]: “The manageability is the biggest challenge of working with a supply chain because we have to deal with lots of data nowadays and a lot of new suppliers coming in, and of course the cost is very high to manage them all. And so we want to leverage that somehow. And so, we see, for example, one thing that we’re currently doing is trying to understand where one component comes from. If we can put some digital fingerprint on it, here we can use the new IT systems. However, this now needs to come together with the old hardware measures that we have in the car. So we need some hybrid engineers who can understand the physics, the hardware, and on the other side can understand the new software technologies.”
- Entity Attestation Tokens. [17:07]: “One of the initiatives that we drive in PSA Certified is around the provision of an attestation token inside a chip. So inside a Root of Trust. So you have a portion of a chip that has a Root of Trust. And inside there you have a trusted token, which is exactly as you’ve just described. You can populate that token with data that allows you to attest what you’re talking to effectively. So you could say: ‘I’m a genuine Bosch part. This is my software version. This is my history. I’ve been updated 20 times during my life cycle. These are the versions of the firmware that I’ve been running.’ And it’s interesting because at the chip level it’s fairly simple technology. It doesn’t consume a lot of memory. It sits inside the Root of Trust. It’s fairly simple.”
One of the initiatives that we drive in PSA Certified is around the provision of an attestation token inside a chip. So inside a Root of Trust, you have a trusted token, which you can populate with data that allows you to attest your credentials. It’s interesting because at the chip level it’s fairly simple technology. It doesn’t consume a lot of memory. It sits inside the Root of Trust.
- Digital identities for automotive: using the example of car batteries. [18:25]: “The digitalization process is coming forward in every domain where you have paperwork. And so if you go look at the car in the same sense again, then you have some digital prints in all of your components of the car talking about electromobility for example. The most expensive part in the future will be the battery of some electric mobility cars. And so there you need to have an ID of that battery so that you know exactly how the battery is feeling, what is happening to it. You have to manage as well in a digital way. And you as a user should be able to control it too, and always know everything in order with your car. What we can see in the future is just with a mobile device you can check every component in your car- what’s happened to it and how it’s different.”
- Peter’s predictions for 5 years (or 10 years!) for mobility. [20:27]: “In five years all the demand on us will get quicker and faster. But I’m not quite sure we really want that. You need to be faster when it comes to software, when it comes to updates. However, in the car, the most important thing is that you need is to be safe. In 10 years, we’ll see a lot more electromobility on the roads. We’ll see a lot fewer combustion engines. However, when it comes to autonomous driving we will only go small steps in that direction. We’ll see a lot more real computers appearing in cars. So really more powerful computers with lots of storage and maybe an artificial intelligence component in it as well. But I think we will have to wait like 20 or 25 years until we see completely new systems autonomously talking to each other and having control of everything. This is smart because we need to consider safety. We talk about real engineering, real hardware. This is developing so slow and it’s really good that this is developing slowly because we have to really control and manage it.”
In five years all the demand on us will get quicker and faster. However, in the car, the most important thing is that you need is to be safe. In 10 years, we’ll see a lot more electromobility on the roads. I think we will have to wait like 20 or 25 years until we see completely new systems autonomously talking to each other and having control of everything. This is smart because we need to consider safety. We talk about real engineering, real hardware. This is developing so slow and it’s really good that this is developing slowly because we have to really control and manage it.
- Peter’s number one piece of advice for security. [23:43]: “My advice is to embrace new technology. But be aware and learn from the experiences you had with your old PC on the desktop. What happened to it with all the challenges that we saw in the security, this will also happen in the car as well. So try to learn from the failures of the past and not copy them all into the car.”
More About Your Podcast Host David Maidment
David Maidment (Senior Director of the Secure Device Ecosystem at Arm- a PSA Certified Co-founder) leads our discussions on the latest trends and developments from the world of IoT security.
Based in Cambridge UK, David brings over 25 years of experience in the embedded and IoT industry. He specializes in the intersection between device security and business assurance to drive best practice security adoption across the electronics industry. In his role at Arm, David leads device security ecosystem activities including the widely adopted PSA Certified initiative.