EP 46 — TuSimple’s Madjid Nakhjiri on the Evolving Need for Automotive Cybersecurity


In this episode of the Future of Application Security, Harshil speaks with Madjid Nakhjiri, Head of Product Security and Lead Security Architect at TuSimple, a global autonomous driving technology company. They discuss the current landscape of automotive security, why the industry is expanding its safety initiatives to include cybersecurity initiatives, and the standards emerging to ensure that security. They also discuss the challenges of threat analysis and remote testing for vehicles, and what role VSOCs and AI will play in the future of automotive security.

Topics discussed:

  • An overview of the current landscape of automotive security, and how the automotive industry, which already has a long history of safety initiatives, is now turning its attention to cybersecurity.
  • The standards that are being put in place for automotive companies around the world, and how companies are trying to meet those standards.
  • Why the automotive industry needs experienced product security practitioners in order to perform effective architecture analysis.
  • The challenges of performing threat detection and remote pen testing on vehicles, and why threat analysis needs to be as automated and virtualized as possible.
  • What the future of automotive security looks like, why we’ll see a rise in VSOCs, and what role AI will play.

Guest Quotes: 

“First of all, we need to remember that automotive, you have a product that is out there on the road, is widely available. So now we are talking about, there’s a new phrase around this that’s called cyber physical systems. So these are actually cyber physical systems. People have physical access to these devices or basically vehicles. And on top of that, security issues, cybersecurity issues can directly translate into physical safety, which is a very serious thing.” (4:54-5:37)

“You can buy a lot of things, but you cannot buy a tool that does an architecture analysis. … You still need people who have a long experience in product security, in hardware, in software, in cloud, in all of those aspects.” (12:16)

“All of these artifacts, the more they’re represented programmatically, the more efficient would all of this be. There are companies who are working on building this type of information security assessment exchange protocol. … These are really useful tools for architects. Architecture is a big problem.” (20:28)

“How do you collect data from a vehicle and push it into the SIEM? Is this vehicle even able to send logs? You have to think about these systems. How do you provide connectivity? Where you connect log, what you collect logs on? And that’s where the concept of VSOC is coming in.” (14:18)

“Cars are becoming more connected and more user interactions, which basically means more personal data and more security vulnerabilities for people. So these are areas that I think people will end up paying attention to more and more.” (24:41)

