New FDA cybersecurity guidelines are out. Join the webinar to learn more.
New FDA cybersecurity guidelines are out. Join the webinar to learn more.

Thomas Wambera on Automotive Cybersecurity

Thomas Wambera on Automotive Cybersecurity

Since the “last century”, as he puts it, Thomas Wambera has been immersed in cybersecurity for hardware, firmware, and software, mainly in the automotive industry. The veteran has been involved in a very wide range of devices and usage models from small controllers to full Level 5 autonomous vehicles. Today, as the Affiliate Business Manager at AVL Deutschland, he is loaded with work, helping Tier-1 OEMs achieve compliance with the new WP.29 regulations.

Cybellum had the honor of hosting Thomas in our podcast, “Left to Our Own Devices”.

Ideal Hardware and Software Background

Thomas gained a valuable understanding of technology from his very first projects in signal processing, data processing, and error processing. Originally, he worked with a small company cracking codes and then moved onto bus systems in automobiles where he built diagnostic interfaces “way back when, before blocks were standardized”.

Moving into the automotive industry, he started building an interface for a global OEM in Germany where he was responsible for device drivers. His company merged with another OEM, whereupon the nature of his job changed to include a lot of reverse engineering. He came to deeply understand bus systems and how communication protocols were evolving. “The oscilloscope became my best friend.”

Thomas recalls two major cyber influences in his life. Early in his career, he read an eye-opening book by Kevin Mitnick about social engineering. Thomas believes that social engineering is and will remain the major threat to cybersecurity.

His second major influence came in 2018 in the form of the CalAmp hack. CalAmp provides vehicle security and tracking for many popular car-alarm systems. The company’s misconfigured reporting server gave direct access to many of its production databases, allowing anyone to modify the data. In an instant, 1.5 million vehicles were accessible due to a security hole. To Thomas, this was incredible.

Keep on Truckin’

When that project was done, Thomas had to decide between becoming a Level 2 support engineer or joining a big Tier 1 automotive supplier in Stuttgart, Germany. He chose the latter where he immersed himself in the automotive aftermarket that today exceeds $560 billion annually and is growing at a CAGR of 6.4%. There, he was charged with building test beds for fuel optimization in truck workshops.

Thomas spent a lot of time learning the truck business, visiting many truck companies in his work. With Tier 1 manufacturers responsible for embedded software, real-time operating systems (RTOS) and SW architectures, he enjoyed his involvement with truck development at all stages.

Possessing a unique combination of skills, Thomas, the deep technician, is also able to see the bigger picture. Intrigued by AVL’s reputation as a “ghostwriter of the automotive industry”, he joined the company seven years ago. Today, AVL is the world’s largest independent company for development, simulation, and testing in the automotive industry. Thomas found his place there in business management, frequently interfacing with some of the world’s largest automobile and truck manufacturers, all customers of AVL.

Working at a Major Supplier

AVL helps its Tier-1 OEM customers scale up by bringing considerable expertise and experience to the development of individual systems and even entire vehicles.

The company’s Engineering Department works on mechanical aspects, embedded systems, and more. They employ numerous mechanical, electronic, and other engineers and experts. A second department deals with myriad Instrumentation and Test Systems, while the third, Advanced Simulation Technology, boasts profound capabilities in virtual validation.

Thomas sums up AVL’s value as: “Finding the most efficient process for the customer”. He notes that this value shines when it comes to cybersecurity where legal issues, time pressure, and economic risks are all intertwined. Customers look to Thomas and AVL to establish good, compliant cybersecurity practices.

Cybersecurity Regulations

Thomas is super-familiar with the UNECE World Forum for Harmonization of Vehicle Regulations (WP.29). Going into effect this July, the new international automotive cybersecurity regulation  paves the way for connected vehicles and mitigates cybersecurity risks posed to passenger vehicles.

Thomas informs us that WP.29 Regulations 155 and 156 are the essence of the safety and security regimen. They explain how automotive manufacturers must maintain a managed process for cybersecurity, but they don’t specify exactly what that process is. They leave a lot of freedom. For example, WP.29 does not offer any instructions about how to implement countermeasures for security incidents. It only makes sure that you find them and analyze them, and that you are able to implement countermeasures, but it doesn’t state what those are.

Two ISO standards, 26262 – functional safety features, and 21434 – the security engineering process in the automotive environment, provide a way to do risk management, not only in the product development phase, but also in the operating phase, i.e., while the vehicle is on the road. This means that cybersecurity teams are required to track changes over the lifetime of the product.

Thomas is quick to point out the big challenge: once the engineering group is finished with the subsystem or the full vehicle, they move onto their next project. However, the cybersecurity people have to manage security and safety over the next decade or two without the engineers.

Tips for Product Security Teams

Thomas asks the core question: “How do you build processes around something that is continuously in development?” He answers by saying that keeping track of changes has to start early in the process with DevOps. You need to implement a virtual approach that will form a long-term test bed for cybersecurity: a cyber digital twin.

Thomas goes on to say that much of the cyber testing process must be automated by creating functional models that are already taught (machine learning). That will help for the first 90 meters of a 100-meter sprint. Then, the engineers and security experts can focus on just the last 10 meters. Time is vital because there is so much to do but not enough experts.

You can listen to the entire podcast here.