Cybellum Receives Frost & Sullivan’s Competitive Strategy Award for its Innovative Product Security Solutions
John Krzeszewski - Eaton

#65: John Krzeszewski: What’s Next for ISO/SAE 21434

We sat down with the Cybersecurity & Functional Safety Senior Engineering Specialist at Eaton to discuss the intersection of safety and security in the automotive world, upcoming updates to ISO/SAE 21434, and learn from his vast experience in the automotive and medical device industries.

About John Krzeszewski

John Krzeszewski is a Cybersecurity & Functional Safety Senior Engineering Specialist at Eaton. John has over 30 years of experience, focusing on cybersecurity strategies for eMobility products and medical devices. He has held pivotal roles at Aptiv, Delphi and GM, leading teams in developing advanced cybersecurity measures for Industrial Automation & Control Systems, IT, in-vehicle systems, telematics and medical systems.

Additionally, he has an academic background as an adjunct professor of Mechanical Engineering at Saginaw Valley State University. He is currently the Chair of the Vehicle Cybersecurity Systems Engineering Committee at SAE and, in that capacity, the SAE lead and co-convener of the ISO-SAE Joint Working Group on automotive cybersecurity, whose current projects include Cybersecurity Assurance Level, Targeted Attack Feasibility, cybersecurity Verification and Validation methods, and the upcoming 2nd edition of ISO/SAE 21434.

A Summary of Our Conversation with John Krzeszewski

In this episode of “Left to Our Own Devices,” John Krzeszewski, a cybersecurity and functional safety senior engineering specialist at Eaton, shares his vast experience in the realms of cybersecurity and functional safety across various industries, including automotive and medical devices. John’s journey reflects his deep understanding of how these industries intersect and evolve with emerging cybersecurity standards. Below is a breakdown of the key segments of John’s conversation.

1. John’s Professional Journey

John’s career spans over 30 years, marked by significant roles in cybersecurity and engineering across companies like Aptiv, Delphi, and General Motors, leading him to his current position at Eaton. His journey began in vehicle instrumentation, where he developed data acquisition systems for fleet testing of vehicles. His work evolved into advanced engineering, focusing on electric power steering and contactless torque sensors, and later into test and measurement engineering, where he created several trade secrets.

His transition to cybersecurity began at Delphi Medical Systems, where he led the development of a vital signs home monitoring system. This system allowed patients to be remotely monitored for chronic conditions, marking his first significant foray into cybersecurity. Concerned about the potential of cybersecurity breaches, John partnered with Microsoft to perform threat modeling and develop mitigation strategies for both server and embedded device security. This experience set the foundation for his future in cybersecurity.

John later shifted into telematics and usage-based insurance applications, where he gained further cybersecurity expertise by working on systems that could control various vehicle functions like door locks and windows remotely. This experience, combined with his background in software and systems development, led John to transition into full-time cybersecurity, ultimately becoming an engineering manager and chief engineer in the field. He later joined Eaton Corporation, where he currently leads strategic initiatives in cybersecurity and functional safety within the e-mobility division.

2. Convergence of Cybersecurity and Functional Safety

John notes the growing convergence between cybersecurity and functional safety, particularly in industries like automotive. At an S-CAR event in Japan, John lectured on how these two disciplines should interact, proposing a framework for their synergy. He explains that there are touchpoints where functional safety and cybersecurity overlap. For example, cybersecurity may require adding a hardware security module (HSM) for encryption, which can affect functional safety by introducing new potential hardware failures. John highlights the importance of eliminating redundant work and ensuring that both disciplines are aware of changes that could impact the other.

3. Comparing Automotive and Medical Device Industries

Having worked in both the automotive and medical device industries, John observes that the two fields are highly similar in their focus on safety and security. He explains that while both deal with significant safety implications, medical devices, particularly life-sustaining implants, may pose even more critical cybersecurity risks. However, the level of required documentation is often more stringent in the medical device industry due to FDA regulations. Still, John believes the two industries are becoming comparable in terms of cybersecurity requirements, especially as automotive standards like ISO/SAE 21434 and UNECE WP.29 R155 demand more documentation.

4. The Importance of Standards in Cybersecurity

John is a strong advocate for the importance of standards in cybersecurity, emphasizing that while standards like ISO/SAE 21434 provide a solid framework, they are only the starting point. Certification and audits offer a point-in-time measure of cybersecurity compliance, but John stresses the need for organizations to continuously evolve and stay updated on the latest threat intelligence. He highlights the importance of ongoing cybersecurity training and secure coding practices, noting that static analysis tools, while helpful, cannot catch every vulnerability.

John also discusses the upcoming second edition of ISO/SAE 21434, which will address some of the confusion in terminology and consider the inclusion of Agile methodologies. He anticipates updates to the threat analysis and risk assessment (TARA) section, as current flexibility in attack feasibility ratings has led to inconsistencies.

5. Post-Market Cybersecurity and Challenges in the Automotive Industry

In the post-market context, John notes a significant difference between the automotive and medical device industries. Automotive dealerships often lack the cybersecurity staff that hospitals possess, making them more likely to inadvertently introduce malware into vehicles. He points out that automotive mechanics at dealerships sometimes work on infected PCs, creating opportunities for cybersecurity breaches. This lack of cybersecurity awareness can have severe consequences, as demonstrated by recent ransomware attacks on car dealerships.

John also touches on the impact of cybersecurity regulations on the automotive industry, particularly the discontinuation of legacy vehicles that cannot be retrofitted with adequate cybersecurity measures. While this can be a costly decision for manufacturers, John believes it is the right thing to do to protect consumers and ensure road user safety. He stresses the importance of maintaining flexible regulations that provide a framework for cybersecurity without being overly prescriptive.

6. Exciting Cybersecurity Tools and Technologies

John expresses his excitement about several emerging tools and technologies in automotive cybersecurity. He is particularly interested in tools that can analyze source code and its components for known vulnerabilities, catalogued as Common Vulnerabilities and Exposures (CVEs), and for weakness classes, catalogued as Common Weakness Enumerations (CWEs). These tools can help developers triage findings and determine whether a given vulnerability is actually applicable to their specific systems.

John is also passionate about host intrusion detection and prevention systems that ensure control flow integrity. These systems can detect abnormal code behavior and block potential exploits before they cause harm, providing an extra layer of protection against cybersecurity attacks. He also sees great potential in tools that assist with threat analysis and risk assessment, especially those that integrate into requirement management systems, streamlining the cybersecurity process.

7. Memorable Moments in John’s Career

John shares two memorable moments from his career. The first was developing the first cellular-based fleet data acquisition system in the automotive industry, which allowed him to monitor vehicles like police cars and taxis remotely in the late 1980s. His second highlight was transitioning into the medical device industry, a decision that initially made him nervous but ultimately became one of the best experiences of his life.

Perhaps the most significant moment in John’s career was being nominated by his peers to join the ISO/SAE joint working group on automotive cybersecurity in 2016. He describes the honor of being recognized as an expert in the field and the privilege of leading the group responsible for developing the foundational parts of ISO/SAE 21434.

Conclusion

John’s deep expertise in both cybersecurity and functional safety, combined with his experience in automotive and medical device industries, offers valuable insights into the evolving landscape of product security. His work on standards like ISO/SAE 21434 and his passion for emerging cybersecurity technologies underscore his commitment to ensuring safety and security in the products we rely on every day.