While cybersecurity in vehicles is a relatively new concept—a field ushered in by widespread web connectivity and the emergence of self-driving cars—there are several universities which have turned their attention to this high-growth field.
One of the most prominent institutions focusing its research in this area is the University of Michigan’s Mobility Transformation Center (MTC) located near the old heart of the American car industry. The stated goal of the MTC’s R&D partnership with the automotive industry is to develop an advanced system of autonomous, connected vehicles by 2021. The MTC aims to give students cross-disciplinary instruction and opportunities to collaborate in a real-world setting. By illustration, in the College of Engineering’s Multidisciplinary Design Program, students at all degree levels take on varied research projects under the guidance of experienced mentors such as Dr. Di Ma (profiled below in the “Rockstars” section).
In one exemplary project, students are designing an automotive intrusion detection and prevention system (IDPS), which is being tested in the lab by one of the school’s Vertically Integrated Project (VIP) teams, drawing from various departments such as engineering, information science, design, business, and law. The technology is being tested at the MTC test track or Mcity, a state-of-the-art facility for testing connected (i.e., web-integrated) and autonomous (i.e., self-driving) vehicles. One of the current projects is to develop the “Cybersecurity Roadmap for Automated Cars.” Furthermore, the university’s famed Transportation Research Institute (UMTRI) has focused recent investigations on the cybersecurity of vehicles, highlighting the need to safeguard vulnerabilities such as the electronic control units (ECUs), web-connected infotainment systems, and other modern conveniences. One of the leading researchers in automotive cybersecurity in the world, Dr. André Weimerskirch (profiled in “Rockstars” below) leads this branch of the UMTRI.
Another school of interest is the University of Arkansas at Little Rock (UALR Aug. 2016), which boasts one of the world’s youngest researchers in vehicular cybersecurity: Zachary King, an undergraduate in computer science who authored a piece entitled "Investigating and Securing Communications in the Controller Area Network (CAN).” King was one of ten students selected from around the country to participate in the CyberSAFE@UALR program. Under the guidance of Dr. Shucheng Yu and Dr. Menjun Xie (profiled in “Rockstars” below), King helped to develop a security protocol to protect the CAN, an internal communications feature in cars. UALR’s Donaghey College of Engineering and Information Technology (EIT) offers several programs in areas such as computer science, information science, and systems engineering with independent research opportunities, including those in the field of automotive cybersecurity.
Additionally, Ohio State University’s Center for Automotive Research (CAR) offers interdisciplinary programs in systems engineering, including a graduate-level specialization in automotive systems engineering (GS-ASE). Classes in this track include instruction in vehicle electrification, dynamics & control, and engine & powertrain systems. One CAR research focus is on autonomous vehicles, which provides insight into the cybersecurity of automated driving mechanisms.
Carnegie Mellon University’s (CMU) College of Engineering counts one of the leading researchers in automotive cybersecurity among its faculty: Dr. Raj Rajkumar (profiled in “Rockstars” below). This school has a number of cybersecurity-focused research facilities, including the CyLab and the GM Collaborative Research Lab. The latter focuses on advancing the realm of vehicle information technology with research squarely aimed at developing dependable embedded systems. Among CMU’s program offerings is a bachelor of science (BS) in electrical & computer engineering, which strongly encourages students to pursue original, practical research stemming from their coursework and interests. An impressive 60 percent of undergraduate engineering students take advantage of the opportunity to work under leading researchers.
Finally, New York University (NYU) provides excellent opportunities for mentored research in this field. In fact, the Department of Homeland Security’s Science and Technology Directorate (DHS S&T) awarded $1.4 million to NYU in October 2015 to develop a technology to prevent cyber-attacks in government and consumer vehicles. A team led by outstanding professor Dr. Justin Cappos (profiled in “Rockstars” below) has been developing a multi-pronged security feature to prevent vehicle cyberattacks at varied points of entry (e.g., car manufacturers, dealerships, internal software developers, etc). Notably, the Tandon School of Engineering provides a dual bachelor of science (BS) degree in computer science and computer engineering. This innovative 140-credit program has courses such as engineering & design; programming & problem-solving; structures & algorithms; fundamentals of electric circuits; logic & state machine design; and a professional development & presentation unit for student-developed research to flourish.
For students and working professionals interested in automotive cybersecurity, it’s crucial to connect with the most experienced professors and researchers in the field, particularly for a discipline still in its infancy. Here are five leading mentors in this nascent industry:
Dr. Justin Cappos, Assistant Professor of Computer Science and Engineering at New York University
“The philosophy is ‘technology in service to society’...You need not only to have technical skills, but you really need that heart and that passion for making a difference, that willingness to take a problem wherever it needs to go in order to solve it.”
Dr. Cappos is a respected role model and professor who concentrates on the real-world, practical applications of his research. While working on his PhD at University of Arizona he built Stork, the first package manager optimized for OS virtualization environments (e.g., cloud computing). His current team projects include work with TUF, PolyPasswordHasher, and Seattle, among others. Notably, NYU received $1.4M from the Department of Homeland Security’s Science & Technology Directorate in October 2015 to develop technology which combats cyberattacks against vehicles. Dr. Cappos was appointed the leader of that effort for which he’s been working in conjunction with the University of Michigan and the Southwest Research Institute. Overall, Dr. Cappos serves as a collaborator and mentor to many people, including four high school students, six undergraduates, a dozen master’s students, eight PhD students, and others.
In August 2016, he graciously agreed to an interview with OEP:
Who inspired you to get into your career field?
“When I was in elementary school, I taught myself to program. My parents bought me an old Commodore 64.” He added that as a teenager, he enrolled in a University of Arizona capstone course in operating systems for which he’d taken none of the prerequisites. After initial challenges, Dr. Cappos ultimately did well in the class with the support and encouragement of Professor Patrick Homer and spoke positively of his young induction into academia: “There was such beauty and depth in the field that I’d never realized.”
Who continues to inspire you in your field?
Dr. Cappos celebrates the work of CMU Professor Dr. Mahadev ‘Satya’ Satyanarayanan, who had built a distributed file system and shared it with people throughout the university. “He demonstrated a philosophy that I try really hard to carry into all of the work that I do: solve problems that matter and do enough to solve them in practice. Don’t assume that every person who’s a practitioner in the world is going to read your paper published in some obscure academic journal.” He later referred to this tenet as “technology in service to society,” a philosophy which has been embraced at NYU.
What are the real hands-on challenges of the automotive security project and your approach?
“I really want to understand the real-world constraints that keep a problem from being solved and these can sometimes be things that aren’t ‘technical’, such as legal forces or business forces. My goal above everything else is to solve problems in practice. I don’t just want to write papers; I don’t just want to write grants for the sake of having lots of students...I really want to make the world a better place.” He likened the theoretical approach of his current DHS-funded project to the checks-and-balances of a nuclear submarine: “To give you a conceptual idea, think about the nuclear submarines...They have a way of controlling the system launch: two people with keys who simultaneously need to turn them to enable the launch codes...We use that technique so that two parties need to go in to produce an update that your car will trust.”
Dr. Di Ma, Associate Professor at the University of Michigan—Dearborn and Esteemed Security and Forensics rEsearch (SAFE) Lab Director
After earning her PhD from the University of California—Irvine, Dr. Ma worked at IBM’s Almaden Research Institute and the Institute for Infocomm Research based in Singapore. The main thrust of her research is in security and cryptography, and she’s slated to speak at the 2016 Automotive Cybersecurity Summit in San Francisco. She’s won countless awards and honors, including the NSF-TRUST Fellowship and an Appreciation Award from IEEE.
Dr. Mengjun Xie, Associate Professor of Computer Science at the University of Arkansas at Little Rock (UALR)
After receiving his PhD in computer science from the College of William and Mary, Dr. Xie joined the faculty at UALR where he currently leads the Networked and Complex Systems Security Research (NEXUS) Lab. He’s received grants for research in information assurance and cybersecurity from the National Science Foundation (NSF) and Amazon Web Services (AWS) in Education. Notably, he’s the director of the CyberSAFE@UALR program, which aims to “decrease cyberattacks on people using mobile technology and social networking sites,” said Dr. Xie. Through CyberSAFE, promising undergraduate Zachary King conducted research on automotive cybersecurity in 2016.
Dr. Raj Rajkumar, George Westinghouse Professor of Electrical & Computer Engineering and Robotics Institute at Carnegie Mellon University
Dr. “Raj” is an international leader in the cybersecurity of vehicles and directs several research laboratories, including the Real-Time and Multimedia Systems Laboratory (RTML) and the General Motors-Carnegie Mellon Connected and Autonomous Driving Collaborative Research Laboratory (CAD-CRL), as well as the National University Transportation Center of Safety, an organization sponsored by the US Department of Transportation. Additionally, he was the founder of Ottomatika Inc., one of the pioneering companies in software for self-driving cars. He’s won countless awards such as the Carnegie Science Award (2011) and IEEE’s Outstanding Technical Achievement and Leadership Award (2009). Finally, Dr. Rajkumar considerately offered to answer some of OEP’s questions in August 2016. He mentioned that he’d loved math since childhood and had two uncles in India where he grew up who were engineers. He spoke highly of CMU Professors Raj Reddy and John Lehoczky who actively inspire him, adding that Dr. Lehoczky’s “world-class math expertise combined with the clarity of thinking and abstraction amaze me to this day.” He also outlined the greatest challenges today in developing safe vehicles in the age of connectivity:
First, cars, like many things in modern life today, are increasingly becoming connected through 4G cellular technology and WiFi. This capability introduces the possibility of malicious attacks or inadvertent intrusions into vehicles, which can potentially turn them into weapons of destruction. Secondly, traditionally, automotive components were designed assuming that everything that is received from within the car could be trusted. No security checks were put in place. But we now live in a different world, and automotive standards and components have quite some catching up to do.
Dr. André Weimerskirch, Vice President of Cyber Security for E-Systems at Lear Corporation and Leader of the University of Michigan’s Transportation Research Institute (UMTRI)
Before joining the prestigious UMTRI, Dr. Weimerskirch co-founded an automotive cybersecurity company (ESCRYPT), which Bosch bought in 2012. Also, he co-fouded the American workshop on embedded security in cars (escar USA) and was a featured speaker at TU-Automotive Cybersecurity USA (2016). As an international leader in cybersecurity research, he’s become an expert in connected infotainment systems; V2X (i.e., vehicle-to-everything) communication; risk assessment; transportation privacy; and vehicular electronics, among other areas. Finally, Dr. Weimerskirch generously answered OEP’s questions in September 2016 web-based interview:
Who encouraged you early in your life to enter a career in automotive cybersecurity?
I started intensely working on cryptography and security in 1999 while I was an exchange student at Prof. Christof Paar’s group at Worcester Polytechnic Institute in MA. Prof. Paar is a leading authority in embedded systems security (that’s data security for devices that are not PCs or laptops, but everything else like cars, medical devices, mobile phones, etc. - what’s today also called IoT devices) and he encouraged and motivated me to work on applied data security over the next years. So I received an MS in 2001 (WPI) and a PhD in 2004 (Ruhr-University of Bochum, Germany) under Prof. Paar’s supervision and guidance. I started working on automotive cybersecurity during my last year at Ruhr-University Bochum in a research project for an automotive supplier, and then at ESCRYPT. Christof Paar is a co-founder of ESCRYPT and we worked over almost a decade closely together at ESCRYPT where he provided invaluable guidance. Over time, my focus shifted from broader embedded systems security to automotive cybersecurity, which really became a term only around 5 years ago. Even today I still ask for Christof’s advice when making life decisions.
Who continues to inspire you professionally?
There isn’t a single person today but a group of people who I highly appreciate for having different but interesting and valuable opinions, for challenging my views, and for the ability to brainstorm, discuss and derive optimal solutions. There are different people for different topics, but overall it boils down to a small community.
What do you think are presently the greatest challenges in your field?
Computer security is not a new discipline and research has been conducted for several decades now. However, security for cyber physical systems, such as vehicles, is new and not well understood. This is due to the fact that there is a safety-critical component. For instance, if a vehicle is hacked there is potentially an impact to the passengers’ safety. The security of mass-deployed systems today is designed to withstand the majority of security attacks, and if there is a vulnerability, the ability to quickly update the system (smartphones are a good example). However, in vehicles even a single security breach that endangers passengers’ safety is not acceptable. We will need low-cost security solutions for vehicles that are resilient to security compromises.
What advice would you give to students interested in automotive cybersecurity?
Unfortunately, there are no comprehensive automotive cybersecurity courses today. There are several ways to start working in this space though, and I think a good one is to take courses in cryptography and applied data security, and also learn a bit about automotive electronics (e.g., during a summer internship). Then it’s a good idea to get in touch with a specialized group that you can find at a few universities such as the University of Michigan or the University of Tulsa.
In recent years, there’s been an explosion of research institutes and private ventures dedicated to preventing cyberattacks on vehicles. With several wealthy companies investing in self-driving cars (e.g., Tesla, Google, Apple’s Project Titan), there’s expected to be a concurrent demand for automotive cybersecurity experts at all of these companies. One way which corporations are investing in this branch of security is by learning from non-malicious hackers who are willing to share system vulnerabilities with industry experts.
By illustration, Uber hired Charlie Miller and Chris Valasak into the company’s Advanced Technology Center (ATC) shortly after the two famously hacked and assumed control of the Jeep Cherokee. Uber is squarely focused on developing a future of autonomous vehicles in a sharing economy. Naturally this endeavor presents several security challenges since there are many points of vulnerability in this on-demand car system, but this vision may become manifest sooner than expected. By illustration, Uber acquired self-driving truck startup Otto in August 2016, and since May, the ATC has been performing self-driving vehicle tests in Philadelphia. The company will likely continue to invest heavily in this project given its vast stores of cash and multibillion dollar valuation. These vehicles are not designed by Uber, but rather are hybrid Ford Fusions with self-driving modifications. If Uber’s sharing economy “fleet model” takes off, there are expected to be ample opportunities in their division of automotive cybersecurity in the coming years.
HARMAN is a vehicular infotainment systems, augmented navigation, and telematics (i.e., using cellular communication to automate functions) corporation. This company is one of the global leaders in developing connected systems for cars and more than 25 million automobiles worldwide have embedded HARMAN systems (e.g., BMW, Porsche, Mercedes-Benz). During the past two years, HARMAN has acquired Red Bend and award-winning TowerSec Automotive Cyber Security, moves widely seen to to beef up the company’s investment in secure solutions for connected vehicle controls. It’s worth noting that HARMAN is based in Ann Arbor, one of the most prolific regions for automotive cybersecurity R&D (Spark April 2016).
The Movimento Group occupies the gap between industries in Detroit and the Silicon Valley. This self-described “tech company with automotive DNA” is tackling challenges such as preventing infotainment system data theft, thwarting driving system takeovers, and developing advanced OTA (i.e., over-the-air) security updates and protections. For its groundbreaking OTA developments, Movimento won the 2016 TU-Automotive Award in the “best telematic product/service” category.
Another company recognized for its excellence was Security Innovation, which was awarded a 2016 TU-Automotive Award in the “best auto cybersecurity product/service.” The company’s award-winning product was Aerolink, an innovative technology aimed at securing vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications. The Aerolink product is celebrated for its interoperability with a wide range of OSs and processors and will be available in the 2017 Cadillac CTS. Above all, Security Innovation is expected to be a must-watch company in automotive cybersecurity into the future.
These are just a few of the companies available in this space and the options are expected to grow in coming years. Other companies of note include all car manufacturers (particularly those with web-connected vehicles) and Israel-based Argus Cyber Security.
Finally, there’s a wealth of conferences and other resources for students and professionals interested in the future of this high-growth field. These include:
Discover the humanitarian applications of artificial intelligence, robotics, virtual reality, and big data, including exclusive interviews with industry predictions and a discussion of current advances across these sectors of software engineering.