Introducing the First Virtual Conference for Product Security - Left to Our Own Devices: The Conference.

LTOOD: Securing OTA with Harman International’s Michal Geva


The once far-off vision of remotely updating a vehicle’s software without needing to bring the vehicle into a service center was initially designed for bug fixes and cybersecurity updates. Today, over-the-air (OTA) updates are used to activate new functionality and upgrade a vehicle, all from the owner’s smartphone app and the manufacturer’s remote service center.

Michal Geva, General Manager, OTA and Cybersecurity at Harman International, joined the Left to Our Own Devices podcast to discuss the automotive industry’s adoption of remote updates and the security risks that come with them. Her experience began over a decade ago with Red Bend, a leader in the OTA technology field.

Once a new competitor, Google, began offering their OTA services for free, Red Bend began looking for an alternative market. They set their sights on automotive, realizing their first challenge would be educating OEMs on why OTAs will be needed in the future. “We would take slides to our customers and explain what OTA is, what cybersecurity is, and why it’s important for the industry,” said Michal. “Step by step we were able to move ourselves from the mobile world to the automotive market.” Today, Red Bend, acquired by Harman in 2015, is a leader, working with 26 OEMs in the automotive industry.

While in the past various components were being digitized, “There’s a huge shift into software defined vehicles and these software defined vehicles are actually a data center on wheels,” said Michal. “That requires a lot of cybersecurity, a lot of protection.”

Gaps between Cyber and OTA

Having been on both sides, working in both OTA and cybersecurity, Michal has a unique vantage point on how each can be improved.

She said, “Cybersecurity is a fascinating market in a sense that only when there’s a catastrophic event, then people really understand why we need cyber.” This isn’t news to Chief Product Security Officers (CPSOs) or other practitioners, but companies need to get on the same page if they are to prevent attacks from happening to their vehicles. This can be achieved through building a culture of automotive cybersecurity, which at times can be prioritized too late.

With regard to cybersecurity incidents, “…after this happens once to an organization, there’s actually a good understanding of things that might happen,” said Michal. There’s a sudden awareness and need to protect the organization. She recommends going with the most state-of-the-art cybersecurity that is available instead of building an in-house solution. While acknowledging that there’s no such thing as a hundred percent security, she noted that external teams are more nimble in mitigating vulnerabilities than OEMs.

Near-future trends

OEMs are widely adopting OTA as a go-to technology for remote bug fixes, updates, and activation of new revenue streams.

“We had this dream that we would be able to bug fix the vehicle. So you don’t need to go into the dealership. You can just fix things as you sit, watch TV, and update the vehicle,” said Michal. However, revenue streams and luxury updates weren’t a consideration. “But at that stage, we were talking about the quality. So there was a bug, there was a penetration, there was a security issue, and we wanted to update the vehicle to secure the vehicle.” This shift from necessary updates to requested updates has proven to be profitable; however, each update comes with the danger of a software supply chain attack or some other malicious activity.

As vehicle owners, we worry less about these issues and can experience new functionality within our existing vehicle. As a company, the newly dynamic environment means that communication must be efficient at all stages. 

To highlight the gravity of the challenge, Michal compared protecting a phone’s single CPU with protecting a modern vehicle’s 80 ECUs. “The phone has one CPU. So one controlling power. But if you look at the vehicle we’re talking about today, you have 80 ECUs intercommunicating between and amongst themselves. Therefore, the vehicle is prone to issues, to errors, and to hacks. We need to be very, very cautious and be able to identify those issues quickly and be able to fix and amend as soon as we find the vulnerability.”

How do we secure the automotive supply chain?

In the past, it was common for product development teams that were focused on a specific vehicle to develop their own technologies without consulting IT. However, as OTA progresses, it creates common ground between teams that never interacted.

To keep vehicles updated into the future, a component had to be installed in the vehicle, another one with IT, and they both shared data in the cloud. “So there’s a tighter connection between the vehicle and the data center, the vehicle and the cloud. That introduced a bunch of opportunities and it also introduced different thought processes,” continued Michal.

Going a step further, the success of OTA technology is allowing companies to think about its next step. Instead of thinking of OTA as a way to update deployed vehicles or manage fleets, OEMs are looking closer to home, rolling out over-the-air updates to manufacturing facilities, so that the absolute latest versions are going into the vehicle while it is still on the assembly line.

Key career takeaways

On what she feels will be the key to growing successful organizations, Michal discussed two topics: diversity and professionalism.

It was only recently that she had a meeting with two other companies and all executives leading the call were women. This experience showed that there has been measurable success over recent years. In her view, the more women and minorities hold leadership positions, the better the representation within companies will reflect their customers. It will also open teams to different perspectives on both old and emerging challenges.

As for professionalism, that involves always learning. The world of cybersecurity is always evolving, always changing, and it’s critical to stay up to date on the latest technologies. It also has to do with learning from experience and from one another.

These will create the mindset needed to shape the future of the automotive, cybersecurity, and OTA sectors.