I would now like to invite my colleagues from ITU, Bilal, to give you just a brief overview on ITU activities on intelligent transport systems. Bilal, the floor is yours.

Thank you very much, Walter. I'd also like to invite my colleague Sergio Buonomo from ITU, from the Radio Bureau, to join me. We're going to do a tag team on this quick update on the standards work that's underway in ITU with respect to intelligent transportation systems. Great. Thank you very much, Gifty. So for the newcomers to ITU, there are three sectors in the ITU. One is the radio sector. The other is the standardization sector. Sergio works in the radio sector. I work in the standardization sector. And we have a third sector, the development sector, that works with the developing countries to enable deployment of new telecommunication technologies. So when we talk about ITU, we're not talking about Sergio and I as staffers. We're really talking about the whole world community that includes the governments, the private sector, and the academia. These are the experts that come to our meetings to develop international standards, to agree on new frequencies, satellite orbits, as well as new policies and regulation when it comes to telecommunications. And in a way, it's a unique platform because it is the only UN organization that is open to the private sector and to academia. So we have an ecosystem that is fully inclusive of both private, public, and academic institutions. Walter says, no, perhaps UNECE is also open to private sector, government, and academia. Very good. So that's why we're partnering on this topic today. So what we'll do in the next 20 minutes or so, we're not going to take a lot of your time, but since we're talking about future network car and we have been holding this, as Mr. Zhao mentioned, since 2005. And part of it is really to enable the dialogue between the ICT sector and automotive sector and to come up with some concrete deliverables and milestones. As Ms.
Olga, Her Excellency, mentioned today, some of the standards and regulations are based on ITU standards when it comes to e-call and some of the in-car communication that is enacted on a global level. So we need to show you a bit how it goes behind the scenes and what some of the standards are happening. I'd like to first start by giving the floor to Sergio to tell us a bit on the radio sector what's happening to enable intelligent transportation systems. Sergio.

OK, thanks, Bilal, and good morning, everybody. As you can see from this picture, you have on board of a car several sensors, detectors of speed, radars, other systems which detect the nearby vehicles or bodies or objects. And we have a lot of other systems on board the car which detect the presence of the people on board, how many people are on board. Then you have the device which you bring with you when you enter into the car. All this makes this environment from the electromagnetic point of view very important and radiating in all directions and in all frequency bands. What we need to do, at least what we do in ITU, we try to allocate the spectrum in order to avoid those systems to interfere with each other. Because otherwise, when you talk on the phone while in the car, you may interfere with your anti-collision radar and the car may activate something which you don't want. So this is something which we have to take care of by separating, generating some distance between the frequencies allocated to the specific device. What you also wish to do with the car to avoid that the car interferes with the infrastructure, means outside the car, or connect to the infrastructure of a city in order to be like a self-driving car or because you want to have traffic information. At the same time, you don't want the car to interfere with the airport controls, for instance, while driving in an area. Even here, we are very close to the airport. Our car may interfere with the radar systems of the airport.
So we need to have these frequency bands separated and with the noise and sideband noise which should not generate troubles to others. So basically, this is the work we do in the radio part. We try to look into these aspects by identifying the spectrum for each specific service and each specific device. And we also try to have this spectrum harmonized everywhere in the world so that you can use your device in any car or any car everywhere in the world. To do that, what we do, we develop some recommendations. We have in the Radiocommunication Sector, we have mainly one group which does, it's called the Working Party 5A, which does all the studies, sharing studies in the use of the frequency and use of the spectrum for automotive radar and for other kinds of services. So basically, this is the one. I am aware of what is done on the ITU-T concerning the other study groups which probably Bilal will talk to you after. But basically, there is quite a distinction. Whatever it's radiated, it is done within our sector. I just go one step forward. These are examples of some recommendations which we have produced. Some of them have been very, very recently updated and two new ones have been published at the beginning of February. And there has been an event in preparation of the World Radio Conference which will take place at the end of this year. There has been a preparatory event to this conference which took place two weeks ago and it lasted two weeks, where we discussed the spectrum allocations for all kinds of services, not only for cars but also for satellites, maritime, aeronautical and science, radio astronomy and all other kinds of radio spectrum. So these number of recommendations are of relevance for those car manufacturers or device manufacturers who are interested to see what are the specific bands and what are the techniques to be used in order to be uniform everywhere in the world.
So it has to be to allow globalization of those systems and at the same time to allow the harmonization of the use of the spectrum. Try to use the spectrum in a similar way in an effective manner everywhere in the world. I think that's the cover the part that it is of my perspective here. Maybe I'll give the floor to Bilal to talk about the ITU-T component about it. Thank you.

Thank you very much, Serge. So on the ITU-T side, we have a number of what we call study groups, which is really a group of experts that come together on a particular topic and try to work on a question or a problem statement. So in the context of ITS, we have a Study Group 17 that works on security, and it's specifically working on ITS and automotive cybersecurity, the over-the-air software updates. Study Group 12 that works on the quality of service and quality of experience. The Study Group 2 that is perhaps the unique group in the world that assigns the telephone numbers, and those telephone numbers are also used today for machine-to-machine communication. So when we talk about IoT, this group is also assigning those, what we call the standard is E.164, E.164 numbers that you heard in the previous panel; all the new cars are connected, and so when they're connected with the SIM card, they have a telephone number that's assigned by the ITU either to a member state and then the member state to the operators or, in the case where the car might be in a shared environment, they're not specific to a geography, it's assigned directly by the TSB director. It's called the shared code and we get a lot of those applications today for M2M connectivity. We also have a Study Group 20 on Internet of Things and smart cities and Study Group 16, working on vehicle gateway and in-car communication, and in particular it has a focus group on vehicular multimedia. So just a bit more detail on these items. A couple years ago, Hyundai Motor joined ITU.
So ITU is not just telecom or ICT, we're getting automotive industry to join us as members, and they joined the ITU because of the over-the-air software updates and how to secure that communication and ensure that the cyber threats associated with downloading software to the vehicle over the air are addressed. And now we have a standard called ITU-T X.1373 that is looking at this particular problem statement, and the nice thing about the ITU standards is that once they're published, they're freely available for download in PDF form. All you have to do is Google the standard name or the number and you can download it and use it. There is, adjacent to that over-the-air software updates, a number of what we call work items or draft new standards covering various aspects of V2X communication, security, external devices, intrusion detection guidelines to edge computing. So the next panel will touch in more detail on the cybersecurity aspects, but we wanted to leave you with this foundational work of international standards on the cybersecurity aspects of over-the-air updates. Study Group 12, that has traditionally worked on voice quality, has been also addressing voice quality in the context of vehicular multimedia or vehicular domain. Today, when you bring your phone into the car, in the car, most of the modern cars have a multimedia system inside. And there is a protocol and a standard in the ITU, the P.1100 series, that really tells the phones how to behave once they are in the car and who's in control, whether the phone or the car, multimedia system that's in charge. And whether the phone adheres to this protocol or not will be listed in our certified set of phones. And by being certified, it provides a better quality of voice in the car. And so we have regular testing events.
We've had one at Telecom World in Bangkok a few years ago, last year in Busan, where we try to certify mobile phones to make sure they adhere and comply with the ITU standard when it comes to the voice quality within the car. We also have Study Group 12 that has a standard on emergency calls. And Her Excellency Olga mentioned this this morning, that is now part of the WP.29, and it makes reference to the ITU standard as a mandatory standard that regulators refer to and need to apply when looking at the intelligible e-calls. I mentioned Study Group 2 and the assignment of numbers and the rise in demand for M2M connectivity. The car is part of the IoT space, and it's a connected device. And having the international numbering resources for that is something that we do in ITU, and we call it the global SIM. So it's not associated with a particular country, but it's a SIM that can operate globally. Study Group 20 is addressing the ITS space from a smart city and IoT perspective, and they have a number of standards looking at managing data, because a lot of data is now emerging from those sensors and from the vehicle, and how do you manage and process that data is an important element that Study Group 20 is looking at. It's also addressing the IoT in a smart city context and providing a number of frameworks and recommendations on this topic. Finally, Study Group 16, the multimedia Study Group, has a reference architecture, which we call the Vehicular Gateway Platform, that shows how the communication within the car and from the car to the outside world happens, or should happen, and this has been adopted by a number of manufacturers, both on the ICT and automotive side, and it really provides a very nice and succinct framework on which you can build additional protocols, additional security frameworks, and additional communication protocols outside of the vehicle.
So on top of that foundational framework standard, we have a number of functional requirements for the vehicle gateway, the service requirements, the architecture, and the communication interfaces in and outside of the vehicle. Finally, last year we launched this focus group on what we call the Vehicular Multimedia, and we are very pleased to have both the Chinese Association of Automotive and BlackBerry and Honda Motor Company join us in the leadership team of this focus group. They've had some very interesting first meetings. The first one was in Ottawa. When we went there, it was interesting to see Ford next to BlackBerry. I think Ford acquired about 200 engineers from BlackBerry because a lot of the technology that was in the smartphone is now moving in the vehicle, and you can see that physically happening in terms of the engineering mindset and expertise moving from a smartphone company to an automotive industry. We had our second meeting in Japan, quite intense and quite fruitful in terms of participation. A lot of the Japanese car manufacturers joined: Toyota, Honda, and others. And our third meeting will be in Geneva coming up, so call for participation. If you're working in the infotainment or vehicular multimedia, we would like to invite you to join this focus group. How much more time? Almost done. Minus 10 minutes. Okay, so these slides will be posted on the website. We have a call for you to join us. The final word is on the CITS. I think Russ mentioned this in the opening. We have the collaboration with ITS. It will have its meeting tomorrow. We'll also invite you to join that. Thank you very much.

Thank you so much. The next session is dealing with cybersecurity. Invite Michael Sena and his panelists to the floor.

Let's get another microphone here. Okay, now we're on. Thank you all for being here. It's a pleasure to be back. My name is Michael Sena. I'll be moderating the session on cybersecurity.
The main reason that I am here and working as a moderator is a few years ago, in 2015, the ITU reached out to me to help prepare a report that has been used in their standardization efforts, and that report was on cybersecurity and over-the-air updates. Basically, why aren't we making the kind of progress that we need to make, and what are the issues that we need to be addressing? And I'm happy to see that that report has now been progressing and has now been issued on the ITU. ITU is one of the reports that is going into standardization. I've also worked with a number of car companies over the years, and one of the areas that has been of great interest is communications. As we heard in the first session, it's very difficult to touch on any area of communications without discussing the issue of cybersecurity, because cyber being over-the-air, internet, our cars can't communicate with an electric system by some wires. We need to be able to move our messages and move data over-the-air, and when we do, we're open to the kinds of attacks that have occurred in some of the white hats, and hopefully not yet, but potentially with some black hats and gray hats. We have an expert panel here today, and as Russ Shields said in the first session, we have decided to work with a discussion format as opposed to a stand-up and present something and then have questions. What I've understood in the years of coming to sessions like this in seminars and symposia is that everyone comes with at least one question, and they would like to leave with that question answered. So I'm assuming that there are a number of people here right now who have a question that they would like answered on cybersecurity, and I'd like you to make sure that when you leave this room, it is answered. We've got an hour and approximately 30 minutes to do that. 
The format that I've chosen to work with our panel is not to leave it open to their mind, but to ask each one of them a question based on their expertise in the areas that they're working in. Our first panelist, who will open the discussion and open our panel discussion, is Miguel Bañón, and he is the Vice President of Business Line Security at DEKRA. And those of you who don't know DEKRA can do a little Googling, and I think Miguel will give us a little bit of an understanding of what DEKRA is. What are the specific areas that a company like DEKRA, working with vehicle inspection, has found to be necessary to address in the area of cybersecurity? How is that incorporated into the process of what DEKRA does with certification, with inspection? Miguel?

Okay. Thanks for the easy question. And thank you for the audience. Good afternoon for a few minutes. Okay. I'm afraid my experience in cybersecurity comes back to 20-something years. I would like to say it's much less, but I've been working on cybersecurity, or IT security as we called it at the time, testing and certification for a long time. And I'm recently new to DEKRA. I have been heading a common criteria crypto testing lab for more than 10 years. So DEKRA has taken a very fast and aggressive approach incorporating knowledge, know-how, capabilities to certify, to test, and to provide services to the automotive industry. In that my new coming to this sector, what I found is that in comparison to other types of technology vendors or producers, which have been our usual customers, the automotive sector is new to the problem of cybersecurity. When I started working in aerospace sector, safety was everything. And of course safety is well engaged into the engineering processes, qualification, all those things in the automotive. But cybersecurity is not. So we have capabilities to certify components. We can certify common criteria, crypto devices.
We are certifying system networks, all of these things, but not today in the automotive sector. So what we have found is that there is a need to learn very quickly from other types of products. The automotive sector has to learn the experiences learned from others and apply them very quickly. Because we have seen that this layering of components provides us all these things. It still needs to engage the cybersecurity methodology and engineering maturity, which we don't see today. So coming back to your question. How are we approaching these things? We have already capabilities to perform security evaluation. We can provide testing services. But we probably are ahead of the race. Probably our horses are still as of today to advance and we are waiting for the courage to come. So we see an urgent need to develop standards, regulation, and a real transformation of the sector. Because cybersecurity has to be taken into account from the very beginning, as we are already doing with safety.

Do you find that there are any countries or any parts of the world, and DEKRA is covering, I believe is covering all of Europe. Do you find that there are any specific areas that are more advanced than others when it comes to either trying to ensure from a country standpoint, like in Germany, for example, than in other countries?

Yes and no. Yes, because of our different cultural approach. For example, in Europe we rely or we expect legislation to come and guide us. Whereas in the US they are more looking at the insurance and economic self-progressing. So in that sense, yes, there is a difference. But however, because the market is global, at the end of the day, the component is coming from the same factory anywhere in the world. And they are just waiting for looking up to see which one is the first to impose cybersecurity requirements or qualification requirements or certification requirements in them. So at the top level, yes, we see differences.
But on the producing manufacturing facilities, I think it's still waiting to see what happens.

So where are we? I mean, where do you feel that the whole issue of certification for cybersecurity is at this stage? Is it something that's very far in the future or is it something that's going to happen now?

Hopefully it's something that's coming very quickly, at least in Europe. And because of the common market it will have a global impact. However, the problem with component certification or cybersecurity certification, you don't get cybersecurity by piecewise approach. You need a fully holistic approach. And that's the major revolution I like to see happening quickly.

Well, I know there's at least one person on the panel from a country that's working on these issues who might have a question for Miguel. Darren, what's happening? I'm going to ask you your question, but specifically with this issue of certification or with inspection, is there something that's going on in the UK that you can share with us?

I think it's more at the UN level. So we have a draft regulation for cybersecurity for vehicles. And that's got two parts to it. One is making sure the organizations are set up to actually do the processes that they need to do to develop things securely and support them, maintain them. There's the actual vehicles. And within that, there will be a cascading requirement for suppliers in the supply chain, which obviously it's a draft regulation. So I think it's a very good point that it's a bit of a chicken and egg thing that maybe not everyone will be certified as they are in the defense industry where suppliers can show that they're set up to use cybersecurity. But it will come. And regulation will probably help. But the people who are doing it well will be there already.

There is something new here. There is a new challenge that hasn't been faced in the past by any vendor.
Because until now, if you were a technology provider, let's say you are selling operating systems, you care about your product, but you rely on the user to set up the environment and all these things. So you were focused on product qualities. Or if you are providing a service, you are in charge of providing the service, but then you don't care about the product because that's the responsibility of the user. But here we're mixing everything. So we are delivering vehicles which happen to be a product that you buy, but then they are engaging to services. So from the certification point of view, we are creating a nightmare that has a lot of history, background, standards, to develop product-specific certification or systems, clouds, and things like that. But the future vehicle is a mix. And that's quite a nightmare from the standards and certification point of view.

Lauren, you had a point.

Yeah, just one point to what you just said, Darren. I think what you just described in terms of the standardization, dividing into two parts, right? The organization aspects and processes and the requirements from the supplier represent a gap. One of the gaps we see in the industry around cybersecurity is that the way car makers used to work, which is, here's my spec to the suppliers. Please give it back to me and bye. Thank you. That's not enough anymore. And what they need is, in addition to the organization, they need their own technology, their own systems, their own solutions to be productive, to monitor it on an ongoing basis, and that's the part we see missing today. Most OEMs are investing in hardening and, again, telling the suppliers, secure it and give it to me secured, but that's only the beginning, and what we're missing today in the industry is what happens after. How do you become proactive? How do you mitigate? How do you monitor? How do you analyze? That's the part that still takes too much time to implement.
Is there anyone who's working with certification or is specifically focused on cyber security that could offer some suggestions or has some questions on the issue of certification and inspection? Okay. Koji?

Thank you. Thank you. This is Koji Nakao, so working for ITU-T, our Study Group 17 standardization body. And the... As for certification, there are many, many discussions. Even in ITU-T, but also ISO, SC27. And in the case of our certification of organization or services, it's quite different from the certification of vehicle itself. And the... As we often discuss how to threat assessment or how to risk assessment, it might be a very, very important topic for us. But the how to conduct risk or how to conduct risk assessment or threat assessment is not easy. And in Japan, I like to talk about a little bit about Japanese situation. In Japan, we try to make some penetration tests. Target it to the some vehicle offered by sort of oil builder. And try to check inside the CAN network or external, using external accessible devices. And to find out some the threats based on the impact analysis. And such a kind of activity seems to be very, very important, but not easy. So in Japan, we have some of the new project, which is SIP, Strategic Innovation Project, which is very, very focused on automotive driving environment. And they try to summarize and clarify the kind of scenario, attack scenario, to find out some of the assessment method how to verify the vehicle itself. But such a kind of activity may be connecting to the certification of vehicle itself, including some of the attack interface. However, as we discussed often, often discuss the vehicle communication is not so simple ecosystem. So vehicle are connecting to many of the out, out, out, somehow including backend system, IoT devices, IoT telematic unit, et cetera. So maybe we need to assess in a total ecosystem other vehicle. Because, for example, I'm sorry, just I'd like to give you one example.
I'm working for NICT, which is research entity under the ministry. And we have observing some of the IoT device scan from all over the world. And when I got some scan from the one country, and tried to scan back by using port 80, which is web interface. And we recognize such a kind of scan device is located in their parking management system. But that means parking management system may be infected by malware. That means if vehicle implements some of the parking automatic parking system as an agent. Such a kind of vehicle may be injected by the malware by the parking management system. Such a kind of the attacking scenario is one of the example. But we need to not only focus on vehicle itself but to focus on somehow ecosystem globally. So certification is maybe we need to quickly develop and implement such kind of system but not easy to establish at least in Japanese situation.

Is Japan developing such a certification?

We have not yet. But we are now developing the kind of software update for Shiji in the Japanese environment.

Just to add one point at least from where we see it. So my name is Shai Horowitz and I'm from Simonov. I think the challenge divides into two. A is how do we make sure that vehicles that are SOP, they go down from the production line, they are cyber safe. And this is a problem as an industry. But the bigger question is how do we keep them safe over 10 and 15 years? Which is the time that the OEM is liable for the vehicle. And whether we can use technology to our favor to maybe take one step advantage of hackers and maybe protect the vehicle before the attack is coming into the vehicle. So as an industry if we talk about traditional OEMs, if they have or if they predict that some element in the vehicle is malfunctioning, they know exactly what to do. They have the processes and to my understanding they do it quite well.
But when it comes to cyber, this is the area where the OEM, the industry, is still in the learning curve how to be able to keep the vehicle safe over 15 years, because with cyber, every day is the SOP. So today the vehicle is safe, tomorrow when the ability is coming to the market to export and then how does it impact my fleet as an OEM?

This gets to the question that I'm going to ask Martin. Martin Rosell is the CEO of WirelessCar. We work together for quite a long time with WirelessCar. And one of the issues that WirelessCar has always had to address is that they're working as part of a very large ecosystem. Starting 20 years ago, that ecosystem has grown. How do you see the end-to-end complexity of adding an additional level of requirement for cyber security? Martin?

To start with, I don't think you can add cyber security. You need to work with it from beginning. That's the number one finding that we have. But you were right, Mike. When we started to work in this industry, and WirelessCar is a white-branded supplier to the car OEMs. We sell our capabilities, which is services and consulting to build the back end for connected vehicles. And by definition that could be a lot, but if we look on the core business we're doing, that is really connecting the vehicles. Put them into a context where we manage all the data, the master data around the car and the users, and then we take all this data and we use that to produce B2B and B2C services. Not doing everything, we're building ecosystems, and we've heard about ecosystems a lot today. And that's a definition which is wide as well. But in our case we're doing this for car manufacturers like Jaguar, Land Rover, Volvo cars, Mercedes Benz, Lanzen cars, Subaru and Volkswagen. So it's global systems, and when we look on this from the whole value chain you can start to look into the cars. There are Volvo cars that we started to work together with Mike. We've done Volvo cars since year 2000.
And there are still cars from 2006 in that system. So you can imagine how many versions of in-car technologies and communication devices and protocols that we need to manage. And of course you can't have the same security on this year's model as you have on the 2006. So that's an extreme complexity to start with. Then you add all the different OEMs and all the models you're building up. So it's a huge complexity. Moving up, we all know we're gone from very traditional on-prem solutions and everyone is talking about cloud. The fact is that no one is 100% cloud today or in a hybrid situation or mostly on on-prem. And since the last three or four years we have started the more pure cloud implementations. But most of hybrids, that's another implication to security. Then you go to different markets. Our customers are on typically between 60 and 70 markets today where we supply these services. And then you need to look on to the different geographies. It's about regulations and laws that are coming into force in Europe last May has implicated a lot on how we look on security in general. We have the CLOUD Act from our friends in US who is basically just complicating things 100 times. Then you go to China, you're not allowed to do encryption by the cloud technologies, and you know, ending up with a complexity which is really hard to deal with. And if you don't start thinking security, and I'm talking about my organization, 400 plus, where 90% is DevOps teams, or DevSecOps teams if you would like to say it. I would like to say that because it starts there. If we don't work properly security with each and every developer from start, it doesn't work in the end. But then we are just one part in the chain.
So in an ecosystem which is typically 30, 40 different partners, everyone need to think about this from the start, and then we need to also set a strategy for security which is owned by the OEM, and pointed out the fact that the OEMs are actually moving into this with not so much maturity and knowledge, so they need to build it up as well. But each and every of our customers are actually, going back to your discussion about Japan, are doing thorough tests. So even if, you know, we use hybrid solutions or old technologies, the OEMs, they need to do the tests, and if you remember one of the brands I said are actually selling fleets to MI6, you can imagine the type of pen tests they are doing on the systems there. But it's difficult because moving in this other hybrid solution from a product to services, as you pointed out, complicates things as well. So then we have the macro factors, and in my role I'm not sitting as a security expert, so I'm more trying to convey the complexity in what we need to manage under the label cyber security. Then we have the macro factors with autonomous vehicles or AD, how will that complicate things over time, but I'm not too worried because we have extreme small use cases in very small segments with limited approaches to it.
We have the electrification, which I think is the bridge to the better word, because with electrification we actually remove 60-70% of the components in the car with software, and that will drive firmware and software update strategies in the car, which is extremely important because we cannot fix problems or loopholes if we can't update the car on the fly. So that's going to be imperative. And then of course the whole sharing community or service community, where we start to use cars with unknown users. Today is quite easy; we know to 99% who is using the car. So just a few factors in the complexity of delivery.

The role that WirelessCar has filled over these last 20 years has primarily been the link between the vehicle and the service providers. It's been the channel, it's been the secure connection to the vehicles. So in the case of Volvo and Jaguar Land Rover, two companies that I've worked with, the only way you get into that car is via WirelessCar, is via the telematics service provider. But the data that's coming through and the data that's passing through is coming from the vehicles, coming and going to other sources. Do you see this role changing, where the connection to the vehicle for some reason is now going to be different because of a new technology or a new service provider?

No way you're going Mike. Absolutely. And now we start to flush with great words again, but we'll know about edge computing, and of course that's happening as we speak. We don't really see it in the cars so far, but edge technology, and what I think is really going to be big is the cloud providers' edge technology, like Microsoft with Edge, as they call their product, which is basically taking a sub component of the cloud with functionality and bring it into the car. I don't believe that will be the new OS in the car, because the OEMs really want to manage that operating system environment, but it will be a technology which will be 100% associated with the cloud, on ground or in the heaven or whatever you would
like to put it. Amazon Web Services have Greengrass as a good example, and every OEM, with respect, are looking into this technology right now, and that will actually standardize. It will not be a standard or anything like that, but it will provide a standardized and much more secure way in the future. I'm looking at you. Any questions, any points, anything on the issue of communicating with the vehicle? You're going to have to put your hats on, I'm going to expect some questions. Okay, thank you, Martin. I'm going to turn to you now. Karamba Security, you promote the idea of the self-defending vehicle. Do I use the right term? Yeah. We're seeing really the transformation through autonomous self-driving vehicles. Is there something that we can learn from the white hat attacks that were made on Tesla and on Jeep that can give us some guidance into where we're going with that whole issue? Yeah, and I think so. I'm Amir Einav, I'm VP marketing for Karamba Security. I want to connect to the point about the certification and the standards, and so, you know, you rush to the where is the ecosystem around us. But if you look at the manufacturers themselves and the tier ones and the industry as such, I believe there is a tremendous progress over the last few years in the issue of cybersecurity, and I think some of that should be credited for those white hat attacks. So while we didn't see yet significant black hat, sort of real serious attacks on vehicles, but we did see proof of concepts by people that really know what they're doing, and the outcome of that is that the industry is taking notice. It's, I don't know if it's so much about certification or progress as such, but it definitely, we see more people in the, so we engage with 17 different OEMs and customers that are actually working with our technology, and we see more people on the OEM side and the tier one side, people that are expert to understand cybersecurity. The discussion is becoming more and more intelligent as the year pass, which is great. I think
that's, you know, it's a muscle the industry has to develop. There's no question we don't have that muscle originally, maybe three, four years ago or more, but more and more organizations now are developing this capability. I think in terms of an era of software-defined vehicle, there's no question, people are not wondering now anymore, and the proof of concept that the attackers were able to show, from the very famous Jeep all the way to the latest, what was the latest, they keep on coming so it's hard to follow, I think the last one was Subaru actually, they are able to show significant issues in the way that the vehicles are designed and the vehicle are manufactured. Sometimes simple things, sometimes sophisticated things. And when we came up with this self-defending car, we were thinking, okay, we have to help the manufacturing side. These are first and foremost in the manufacturing industry. We have to help them on that level to turn out a vehicle that comes out of the gate secure. Now yes, there has to be afterwards services layer above that, they have to have over-the-air capabilities in order to fix things that missed the development cycle, but the built-in security is a must in an industry so complex. I mean, if you think about it, the vehicle is one of the most complex machines out there. Beside of the 100 million units a year, it's also by itself, it's a huge chunk of our annual investment as a consumer, it's also a huge technology masterpiece, so by definition there by the attackers and therefore by the defenders. So what specifically can we learn from what's been done so far? I mean, how many of you saw the video of the attack on the Jeep? All of you here, I assume. Seems like most people. When I looked at that, and the experience that I had had up to that point was that none of the vehicles that I had had anything to do with, or anyone that I knew of in the industry, had had an attack on a vehicle. So this was done in a way that in order for them to complete this mission that they were on, they really
did have to have help, and they needed drawings, they needed to do something they couldn't do. Is anyone aware of an actual black hat attack on any of the connected vehicles anywhere? So there was just now a report coming up, cyber security start-up, that listed all the attacks that were measured. A lot of them are on the enterprise side, and a lot of successful ones are actually on the level of the key and stealing the car, so a lot less dangerous. But if you look at what the white hat hackers were able to do, from Jeep to Tesla to BMW, significant brands that definitely everybody understand that they know how to develop software, it's not like they played with the kids, and they were able to control speed and direction, which means that they are able to control the car. So these kind of attacks are safety attacks. They're not "I can steal your car" or "I can breach your privacy and steal some data". They're actually attacking the car as a target, that by impacting its safety you can then translate that to all sorts of impacts, such as ransomware, such a corporate level ransomware. I mean, it can be all sorts of implications of that capability. So the thing was working in an evaluation testing lab, the only factor that you need to take into account when considering whether the system has vulnerabilities or not is time and effort. So I think the only reason why we are not seeing attacks in the field is that they don't have a business case yet. That's the only reason. As soon as they have a business case, you will see things happening. So until now it's just an exercise for the sake of self-promoting your services or thing like that. But I mean, from a point of view, it's as simple as that. So the first time they have, they can use it to steal cars, so you see those things on the field. But for the self thing of the connected whatever, is a matter of putting services into play that allow the bad guys to have a business case for breaking it, and you will see that. I couldn't agree more. I think what we saw in
terms of vehicle hacks, these are just the very start, and frankly speaking I'm not so interesting from a black hacking point of view. What the gentleman from, so they forgot your name, sorry, Miguel, yeah, sorry, is the interesting part, where if a hacker put a malware that will lock the vehicle, for example, in parking until you pay 300 euros in bitcoin, and this goes to 100,000 or 500,000 vehicle, this is a nightmare scenario in terms of cyber, and this is where the real challenge of the industry is. I want to react on the business case. The business case is there. When the white hack of Jeep was announced, it resulted in multi tens of millions of dollars that FCA Jeep had to pull out of their pocket, including they started by sending memory sticks to drivers, to customers, okay, I think 4 million of them, 21 cost whatever, plus the communication. They ended up paying fine to the government, they ended up making a lot of changes to the system. I think overall they had to pay more than 50 million dollars. Okay, this is the business case. Now if it was a black hat, and they would call FCA and say, listen, we're going to have a video tomorrow and it's going to end up costing you 100 million dollars, or you can just pay us 20. Exactly the point. The business case for the OEM, what you just said, is clear, but for the hacker it's tough. And actually Chris and Charlie were known for this hack. They approached FCA, they ignored them at the time, so they went public. Now they know better. No, but the thing is that I am not aware of any hacking which was not made a fleet white so far, luckily, for white hacking, for taking the industry a step forward. And if you were in the industry 3 years ago, it is incomparable to where the industry is today. So if you go to OEMs and you see security divisions, you really see the real experts there. So they are learning, and they are learning fast, to my opinion, and I believe that what we saw as 3 years ago and from time to time is just the industry forward. I think it's these white
hackers, they do a great service, because at the end of the day we are all in the interest of the connected car. This is part of our lifestyle today, and we speak about autonomous, and clearly security is a must for that, and in that respect this is the way to push the industry forward in order to bring a better product. And definitely security will come as safety problem. It's not security, it's safety. I think Koji. Okay, thank you. As for the hacking the car, in my company I did research in the industry of more than 10 white hackers, and they are conducting the penetration test who did some of the existing car. But the weak, I'm sorry, I cannot provide more specific information, but we detect some of the vulnerability or weakness. It depends on the specific car. Not this car has this vulnerability, but this is not. So, but the problem is it's not easy for us to share such each vulnerability among the several OEM vendor. Let me to say the in our Japanese member start discussing to have some common verification method for checking each OEM vendor or each OEM component of the vehicle to check this way and based on the penetration test. And the such a kinds of mechanism is sometimes not easy because the most of the OEM vendor is not willing to disclose everything. This is depends on the OEM vendor itself. So, the having such a kinds of activity, the cyber security is finally providing the good countermeasure. And the self, of course, defending vehicle is maybe the one of the target for our activity. But the in ITU-T, for instance, we can provide the kind of the external device accessible some threat or the kind of how to define or how to develop the intrusion detection inside a car. It's kind of abnormal behavior detection, not signature based detection. So, it's the kind of very series of technology need to be somehow develop somehow total security. But the it's starting what is the starting point for such a kind of countermeasure is the based on the threat assessment.
So, it's chicken somehow chicken egg, but the chickens came first. Sorry. I agree. That's the answer. The chickens came first. We're good. Let's go. Can I refer to this point for a second? I think no, I'm nothing to add on that. But regarding the sharing, the point about sharing, so I'm coming to the automotive industry from cyber security. So it's only been my first year in automotive, which is a lot of fun. It's a great industry going to be a great show today. In the regular world, cybersecurity, I mean, and it's very competitive industry for sure. And the players are not talking to each other. And there's a very high interest on IP and protecting IP and between the vendors and the customers and what have you. But in cybersecurity, I think it's critical to share and it's critical to exchange ideas and technologies because the bad guys do. So if we don't share and they do, we are in limitation. And they have the dark web. They have a place to share. There's actual places where you can put in a I mean, think about criminals share between them and it works for them. So the Auto-ISAC in the US started this, I think it's working very well for them. We joined a strategic partner end of last year because we believe that this is a good place for us to bring what we see to the community. But I think it is an effort also in the EU has to be a stronger effort to find ways. And it's clear again, anti competitive. How does those players can talk to each other? But I give you an example in a certain country that I know the chief security officer of the banks have an instant messaging between them. Of course, they are competing fiercely, but security has to share. Aline, I see you've picked up the mic, please. Yes, thank you, sir. Aline Gouget. I'm a cryptographer. I work for Gemalto.
And I have to agree really with the fact that what is really important is the risk assessment and the understanding of the global security to know really what are the attack paths, the different attack paths to reach the same goal. And it is really important to know that from the beginning. I mean, without even having already decided how it will be implemented with which components and so on. I mean, this first risk analysis is already very important. And we can already see and have kind of prioritization, sorry, and see also, yes, different ways to reach the same goal for an attacker and understand that. So after that, I think it's really important to have the components and do real testing, penetration testing and so on. But really, there are different layers to take into account to really have the understanding of what is indeed the security in the end. And I think it was mentioned several times. So for the automotive industry here, I think that everything is in the same place. So a big complexity just because I think there's really many things at the same place, which was not really the case. I think in the past in the other industry, if we were talking about banking and financial industry, for example, even government, I think for the identity verification and things like that, it seems to me that in the automotive industry, you have just everything at the same place. So the complexity is by design. And I think it's very important to not add additional complexity where it is not needed. And especially be sure that when you put some security in one specific component, this is really in this one that are maybe the others, but be sure that this additional complexity, because after you have to maintain that, sorry, to do as a full lifecycle of the credentials, the keys you will load into this component and so on. So I mean, really, and I agree you mentioned that twice, I think the risk assessment at the beginning is really, really important. Koji.
So sorry, in connection of the cryptographer, my organization is also working for the cryptography in the one of the member or no, no, we are team are now producing or proposing the kind of how to utilize the lightweight cryptography inside our automotive environment. So maybe how to such a kind of constrained environment, so no CPU or memory size as some are limited inside the car, the CAN bus is very, very limited. So how to make the communication inside the car while going outside the car should be secure. And the, it's kind of depend on the fundamental technology. So not only authentication, key exchange or cryptography is the major issue. So I would like to know the, is there any idea how to utilize a lightweight cryptography or any specific idea? I'm sorry, I'm not moderator, but no, but you know, but you've done something that I was hoping the, our group here would do is you've asked a question. So and the answer is Yeah, so we realized that there is such a challenge actually in Karamba and it's the second product we came up last, in the 2008 of 2017. And it's really based on authentication encryption. It's exactly that logic. And it's really because the CAN is so limited, the ability for you to use authentication and the CAN in effective way is limited. So each ECU can encrypt and decrypt what is getting and we managed to show it in a very lightweight so it's not affecting the performance. Maybe one part I need when you are talking about lightweight cryptography, you need also to specify what are the constraints of that because there are plenty of style of lightweight cryptography. So to be sure that it is really suitable and this is what you need, you have to describe to know at least what are the constraints. Which type of, yeah, yeah.
Okay, I'm going to go out of order here because I think we're in a flow here and to stay with you, I mean, because you're the question that I had for you was on the, how do you secure this, the secure, sorry, how do you secure, and I teach a moment, yeah, exactly. How do you secure the, there are, okay, this time the same way, okay. Security by design, how do you build that in? Because what you said is that it's gotten so complex, is it too complex, is it so complex that we can't ensure that we have security by design or is there some trick that we can bring into the picture here? No, I don't say it's too complex, but I say it's complex by design. So it is really important to be sure to not add additional complexity where it is not really needed. Just, well, it just don't, the idea is not to say, okay, I will put, I want everything secure, so I will put everything at top level security everywhere. So we will, it will generate a lot of complexity without really knowing where it is really required. This was my point. But I don't say it's too complex, I just say to understand really what, let's say what types of trade-offs can we consider between software, hardware, cloud and so on. We need to understand really the big picture of the security. So the risk assessment and say and have really in mind where we should focus first on the security for which level. And the complexity means here for me, we need to have the view about, we cannot just look at the component. We need to have the view about the use cases and see what are the possibilities typically from the, when you do an assessment in terms of what are the main attack paths and things like that. Here, we need to understand the use case and see what is accessible for the attacker. Knowing that now, the attacker can attack everywhere in the supply chain. So we have to have that in mind.
We don't say, okay, it's okay because with one, between one component and other component, I put some security and there's the keys and everything is okay. It's not sufficient because maybe the problem comes just before. So you just use an authentic channel to transfer your data, but the problem arise just before. So that's why it's really important to know really, to have the right level of information to do the assessment and to be able to identify the different ways the attacker can use to re-attack. I'm going to, Martin, you know, we've got a question here, but you made a point. You said that I'll insert the vehicle and the vehicle and communications is complex by design. Martin made a point that the electrification is simplifying the vehicle. Not only mechanically, I'm going to make a statement, just like chickens came first, that there's one car maker who has put the two together to create very simple electric car that at this point in time is the easiest car to update. And the question will be, is this an easier car to ensure cyber security? You know which car I'm talking about. So this is a question for everybody on the panel. If we reduce complexity in the vehicle and electrification allows us to reduce that complexity, is the problem simpler than the one that we have today? Shaking heads, yes, no, yeah. I know which company you're talking about. Obviously Tesla, right? Everybody, you know, and they did simplify. And I actually relate to, I think what you said there, that the simplification they've done was on the architecture and mainly the mechanical aspects. Still the attack vectors are the same. They have connectivity, right? They have cellular connectivity. They maybe have Wi-Fi connectivity inside the car. They have Bluetooth. This is where the risks are coming from. It doesn't come from the fact that in order to, I don't know, what accelerate the car, you need one ECU instead of four. That doesn't change anything.
I mean, it changed a lot of things, maintainability, update is easier, and we do it, we help them do that, so we know that. But I don't think it changed the risk. Well, I think it's a matter of attack surfaces, as was said. So the attack surface is growing, okay, because we want more services, more interfaces, more connectivity. So for hackers, that situation is getting better. This is one point. I think what makes the company you mentioned different is that they think like software company, not like an OEM manufacturer. And this gives them an edge in the areas where software plays a key role. But I want to refer to their previous statement because from my point of view, this is the key. And I will call it use cases. In CyMotive, we call it the attacker's perspective. So the first thing which needs to be done, and here there's still a gap, at least to my view is that the industry needs to start to think like hackers. Then only once you understand how hackers are thinking, what is their use case, how they will attack the vehicle in order to get certain malware or certain private information which is in the vehicle. Then only once you have this understanding and it's not from the car perspective, it's from the ecosystem perspective, because maybe that the entry point is from the ecosystem, from the digital app, or from the dealership portal, or from the backend, whatever it is, only once you have this understanding, then you can start to think, okay, now I will design, I will do security by design to my ecosystem. So in our company, we call it the purple approach. It's simply mixing between the attacker, the red approach, and the defender, the blue approach. And we believe that our experience shows that if you follow this approach, you create a nonlinear thinking, which is the right way to tackle the problem, which is definitely a complex problem.
A vehicle is a complex problem, because in every minute, there's a different scenario, even if I drive from my home to my work every day and then back, it's a different way, a different environment. So it's quite complex, we all agree, we all understand that. And the right way to my understanding to face the problem is to really think like the hackers. And this is something which I think there's still a gap in the industry. So we need more good hackers to join onboard, to help us improve, build the use cases, what we call the attacker's perspective. How will attack approach the problem, and then think about security solution to defend? We have a question. We have two questions. Thank you very much. Felix Guimar, UNICEF Information System Unit. Very interesting discussion. And thank you to all the panelists. To speak about what you just mentioned, the environment, and how do you manage the cybersecurity. Sometimes industries tend to have an egocentric approach, and they tend to think that their product is the main goal of a hacker. We had examples when hackers infected hundreds of thousands of security cameras, not to get into the video stream, but to use them as a zombie network, and to conduct some DDoS distributed denial of service attacks. So how this is taken into account by the current industry? And is there something that can be done against that? Thank you. Who would like to take that? I think it's an excellent question. And it goes a little bit back to the question I wanted to post back there after your discussion when you said, don't add unnecessary complexity. I agree. But the problem we have, or I mean, the opportunity, I should say, because I'm in this industry, is that we are adding all these sensors of different kind could be cameras or the sensors for measuring pressure in the in the wheels. So I mean, it's going to be a massive explosion of new sensors in the cars. And then we're going for the software defined car. 
And that is typically in combination with electrical cars. And for a special purpose to actually share them. So we opening up on all fronts, where we start to release APIs for the variant needs as a good example, looking on some of my clients are open up the car as a delivery unit where they get packages from food companies, you actually shop your groceries, you get them into the car. I'm doing that. It's very convenient. Or you can get Amazon delivery into the car. And these type of APIs are massively starting to be implemented. And that's another opportunity for hackers. Now, how will they actually penetrate and use all these sensors? But it comes from the same, typically, the risks we have, with all APIs or every interface where you can actually go inside. I strongly believe that we need to increase the competence, because we see this daily in our discussion with all the partners in the ecosystems. And trust me, the ecosystems are not stable. If you go to, you know, versus markets use different map providers use, I mean, you're changing partners, MNOs, or, you know, so the if you start to do, you know, the risk assessment, you do a matrix on how many risks you have, it's a lot. Is your question that this hasn't happened yet? And why hasn't it happened? And what's the, what's the specific question that when sorry. Thank you very much. So first, how do you assess this risk? And when it will happen, because it could happen in the incoming 10 days, how we should react? Okay, first, we have a line. Hey, so I was thinking to answer first, I didn't see it yet. So practically, I didn't see the industry concern about that. And I think if I'm analyzing why I believe that the industry is much more concerned about what's actually going to happen to the car versus the car attacking others. Although I think there are example with the lights over there is probably going to come up.
If you think about it, the and in the process, like was mentioned here in terms of in the process where you do a threat analysis with your customer and talk about what's possible, what's the highest risk, what's lower risk, what should be addressed first, what should be addressed second. If you think about it, the GPU of the car, the new ADAS working as a crypto miner for Bitcoin is much more interesting. So I can actually use the car as a machine for my own use, not necessarily attacking others, which is a very logical and a small code by the IoT device that the car is a tremendous IoT device. So in a way, if you think about the standardization of IoT, the automotive industry has an option of leading that as they get their standardization and certification processes more in place. Just wait a minute. Are you saying that today there are companies using the on board system like an Nvidia for Bitcoin? Not yet. But I'm saying when we do analysis for safety component like ADAS, which is based on GPU, that's a much more interesting risk for that machine. We're going to get to the that question for UK regulations. Okay, just a great question. First of all, being part of the industry, I think the industry is looking at things like that. We've done a research with a university in Israel in the Negev that what we did is we attacked a speed signs. So we did some, you know, manipulate the speed sign that the human eye still see, let's say 50 kilometers per hour, but the camera in the vehicle thinks it's 80 kilometers per hour. And for the camera in the vehicle, I can drive 80. Okay, but it actually should be 50. Okay. And so we are experimenting all things like that. However, when we come to the OEMs themselves, they look at us as what they don't, they're still not aware of the overall risk that things that you're describing. One more, Koji. Okay, thank you.
According to my research experience, the we need to consider the IoT device malware infection into the vehicle malware infection. As you know, the in at this point in time, so we have many, many IoT devices, which are already infected by malware, like Mirai or Hajime, et cetera. So we have a lot of type of malware injected to IoT devices. And the country, the most of the attack is based on data. So using the botnet control C2 server. But the latest malware is a little bit advanced. Comparing with the previous one, the normally the first they inject malware into IoT gateway, which is maybe router or that type of central system. And to after that, after injected to gateway, the gateway DNS is modified into the malware download server. And they all sensor or actuator is located down the gateway is trying to connect to the download server to get malware. In the same way in the vehicle, the vehicle gateway is first infected by malware, and maybe infected later to ECU. Maybe in the case of vehicle malware injection is the impact is not like a DDoS, but maybe differently. So but in the case of using command and control server, botnet. So the attacker can do almost everything. So I think that we need to carefully consider the kind IoT device malware infection seem to be a similar malware infection into the vehicle environment. So in the case of risk assessment, we need to check the external interfaces, or also we need to detect some of the infection inside a car. Maybe such a kind of method is very, very important for to conduct risk assessment against the malware injection. Thank you, Koji. You got another question. Thanks. Thanks very much. My name is Ian Yarnold. I'm also from the UK Department for Transport. Now, to be perfectly honest, I'm a vehicle engineer. I've worked in the government for a long time. And one of my jobs is actually ensure that vehicles coming on the road are safe. Sorry, I'm speaking close enough.
So one of my jobs is to ensure vehicles, new vehicles coming on the road are safe. Now, everything you've done and spoken about so far has completely undermined my confidence that vehicles are going to be safe. That was the intention. Great. Okay. So let me ask maybe all the panel members and it's up to you, Chair, to decide how you handle it. But what is it that you're going to do in really sort of short order in terms of time to provide that confidence, not just to me, but actually the people who are buying the vehicles and are going to be using them? Because just for example, the team I run in London has already got research underway in the notion of vehicle as a weapon. And that's not unique to the UK. Other countries have had similar problems with vehicles have been used as a weapon. And there are real concerns that cybersecurity creates more opportunity for that. So I'd be really grateful to understand what it is you're going to be doing quickly to provide that confidence. Thank you. Yeah, well, you've actually asked the question that I was going to pose to Darren, which is what is the UK doing and what do you see as the requirements? And then we're going to get to that question with the entire panel. So as for requirements in 2017, we published a set of principles which were saying organizations need to be set up. And that's supply chain and OEMs. And anybody else really playing in automotive space to do cybersecurity, which is design, maintain, support. And the items themselves need to be hardware, software, data, considered for resilience and support. So actually a lot of what we've talked about on the panel would fit in line with what we have stated we think world should be in order to give that confidence that actually things are secure.
It's really needs the homework to be shown that first off that manufacturers and suppliers have done their due diligence that they have considered the end to end done their risk assessments, know their system, identified where it could be attacked and done something about it and they can show and argue the case. And really it's like the safety case for a vehicle is a cybersecurity case. But is this for vehicles that are manufactured in the UK or vehicles that are sold in the UK? UK doesn't is probably not as big as we would like it to be on the global scale. So it has to be done globally. We buy vehicles in from outside the world. So the UN level, UNECE level, it's appropriate unless you are going to only allow vehicles from your own country in which is not there's no country in the world which is going to do that. It has to be done globally. So the now the question is anyone doing this and if they are to what extent if they're not why not? I mean there is no law that I know of whether it's a UN law or a country law that says that cars absolutely have to be cyber secure. So we have a draft regulation. I think as the automotive industry is gearing itself up to do this the governments and the regulatory bodies around the world are and there are actually a number of laws which you would contravene if you attack the vehicle and you could be prosecuted under. So there's prosecution for people who perpetrate the crime but is there well maybe there is. Well there's GDPR for example. So there's not a specific vehicle regulation which is why I've been busy doing stuff at the UN but there are within domains and this will vary by country to country. Probably things in existence which are maybe a little left field you have to look for but in terms of manufacturers having to tell a responsible body what they've done. That's where we're going. We recognize there's a need but we're not there yet. We're getting there.
I think there are a few of us working directly with OEMs here. I think we, at least a couple of us, are on daily in operation trying to solve this problem together with them. If you look on all my clients, car OEMs, I would say I'll probably divide them in three categories. This goes hand in hand with premium segments. They're spending a lot of time on this and they normally have a strategy and they try to implement throughout the supply chain, and of course we're helping out from our position on it. They're doing thorough tests and I think they're doing a pretty good job. Now all of us know that security around software or cyber security is a constant chase, because the bar is just going up all the time, so will you always stay on top of that bar? Of course not. Not even the banks or the financial industry does that, even though you can't, or you probably could, kill someone by throwing a bag of money on them, but the car is more lethal. I agree to that. So I think the industry is doing a pretty good job, and we also need to understand that even though we have regulations in each country, the cars are built in one place and distributed globally, so that's not an easy one, getting, how many nations do we have today, that number going in with specification of what you should do. You need to coordinate that and have one globe of course, but I think they are doing a pretty good job. There are a couple of them I'm most scared of working with as well, so there is a variety of how well they address this problem, but that's my view from working with the OEMs daily on that particular subject.

I think they are, and I'll tell you what I mean.
I agree with you. You know, to come up with a regulation that says the car needs to be secured is kind of funny, because what do you mean? And the hackers will always be a step ahead, and maybe you catch up and they will have... So the answer is not "let's secure the car". The answer is let's know what's going on in the car after it's secured and let's have a way to mitigate, and the only way to mitigate is by over-the-air software update. And if there should be regulations (by the way, Bilal, maybe it's something I should be talking to you later on), if there should be regulations around that, then the regulation should be: OEMs, you have to have over-the-air capability. Not only that, if there is a cyber attack that you identify, you have to react within, whatever, 24 hours, three days. Why? Today, what is the protocol to react? Today, a recall that takes six, seven, eight, ten months, right? This is not acceptable. So if there is a regulation, it should be: you have to have this mechanism, and you have to react very, very fast, and you have to prove to us that you did it very fast. And the reason I'm telling you that I think the industry is going there: you know, I'm coming from Harman, and we about four years ago acquired a company called Red Bend, and Red Bend is one of the leaders in OTA, and we have today contracts with 24 car makers representing maybe 40 different car brands, already 30 million cars on the road doing OTA, 350 million cars contracted to do OTA, right? And it's all in the last two years. So once in a while I'm being asked why car makers don't do OTA. Will they do? All of them, and they go deep inside the car, and they are investing in that, and it's moving ahead, and that's the way to make it safe given the cybersecurity threat.

I want to join in relaxing the gentleman over there. So along those lines, I think what we see is that there is awareness. There are, as we said, there are people now on the other side that are listening and trying to put requirements and trying to influence the vehicle
specifications. I must add a point to Shai's point before: one of our most successful workshops we do with our customers, called Think Like a Hacker, is exactly where those security people are trying to educate the rest of the organization on what's going on, because there are no security pockets, but the rest of the organization is starting to get into it. They're not yet there. But to Auri's point, the first thing, I mean, what I'm saying is that there is progress, is because I think there was just now a survey: about 60 percent of the manufacturers have a gateway already in the architecture. That's beautiful. That's a first layer of segmentation that has to happen in any cybersecurity architecture. Over the air, like Auri was just saying, is coming up very strong, and it's very much a foundation as well, because you have to have an option of fixing when you see something is wrong. In Karamba, when we are talking about our active hardening sort of technology, we're now doing the ASIL D certification, because our customers are saying: we take you now down into the certificate, to the safety components, and when you guys join us, they're certified by yourself as ASIL D. So I think in general the notion is that the industry is moving, and it's moving relatively good. It's the bear question, right? You know, you're tying up your shoes, the bear is coming, who will be faster? And in reality, I mean, I want to give a ray of hope here: if the industry, this automotive industry, which is huge in terms of money, in terms of capabilities, smart, focused, innovative (so are the hackers, by the way, so they have all those attributes), if the industry is able to move as fast as it should, then the attackers won't come, because the attackers are like water, right? They're looking for the least resistant option, and if it's easy to do on a camera a DDoS, they'll do that. They're not necessarily going to go after the automotive industry if the automotive industries keep on raising the bar themselves, making for the attackers it's
not worthwhile. There's not enough motivation. Yeah, just leave it, move to something else.

Yeah, I have a question, moving a little bit away from the black hat guys. What is about data ownership? All the data that is generated in cars, privacy, who should use it and so on. Any views on that topic?

That's a simple one from my perspective. You know, OEM and car owner use the data depending on how the data is generated, and the OEMs are mostly regulated. You know, if you buy a car, you open up the first page in the manual and it often describes who is owning the data generated by the car. But then, you know, we have GDPR and other legislations on top of that, so it's a combination. So I would say the OEM and the car owner, or the user of the car, is actually owning the data.

I think that's a great debate, probably for a special event. Still, I agree with you, it's a simple answer, but the problem is that the industry is changing and there are other factors, other players coming into this industry, that make this question not very simple. And one of them that is obvious is Google, right? With the evolution or involvement of Android being an operating system that more and more car makers implement in their cars, there is a huge pressure by Google to take control of some of the data. So the answer is simple but it's being challenged. That's what we see in the industry, and I think the jury is still out.

Does that mean, as these players come in, that the car looks more like a PC and therefore is much more susceptible to everything that happens on our PCs, like the messages that I get every day? Including your phone. Yeah, including my phone, sorry, yeah, including the phone.

That is, yes, that is exactly what's happening. I don't know if the car is becoming a PC, but definitely the main, you know, console, infotainment, head unit, whatever you want to call it, definitely becomes more, as you know, looks like a PC, you know, connected, open operating system, and all the same risks that
you have on PC are becoming natural to the car as well.

So I'm going to get spammed, and what are you doing about spam? And also now all these apps are on there that are now monitoring me and monitoring everything, and now how are you dealing with the privacy issue of that? And then will I buy this or am I just going to turn it off?

Yeah, maybe I comment just for the question before, and you can continue. It is that I don't know whether the question is easy or not, but what seems important is that the end user really trusts the fact that their data are correctly protected and managed. And I don't know really how easy or how difficult it could be; it really depends after on the different applications and openness about the privacy. We see also, let's say, part of the complexity that is in the crypto part, let's say, of the vehicle-to-vehicle communication is the fact that it is important and needed to load many certificates, so to have the PKI and to guarantee the security, be sure we can trust the messages. But after that, to be able to protect the privacy to some extent, it is important to change the certificate very often, and this is here part of the complexity, but it is important because it is to make a better system in terms of protection of the privacy.

Yeah, one question about crypto, because we talk about complexity of the science and simplicity. The nightmare of certificates and PKI I think that they're putting into the car seems to amaze me. I haven't read all those standards, but are you taking into account crypto... so essentially, as part of that design, what happens if one crypto algorithm happens to be next week declared absolutely weak? Do we have to change also the crypto model? From Gemalto, it's going to be solved only by software, or is the industry taking these risks of dependency on today's crypto into account?

Yes, especially because we are more and more talking about the quantum threat, and saying that we saw some
development in the quantum processor. And okay, so for the moment there is no impact on the cryptography we are using, but we see some developments, so we know that we have to be prepared. And be prepared means we have to work on what we call crypto agility: be able to change the algorithm when the algorithm will be ready, because for the moment we have only, let's say, some of them for the signature part, with new constraints maybe not very suitable for the real-time constraint you are facing, at least in vehicle-to-vehicle communication. So yes, we are working on that, and we are working on how to be able to change the keys and the algorithms, and for that, for sure, it is really important to be able to remotely load software, keys and so on. But the mechanism itself to be able to do this remote loading should be quantum safe if we want to face this threat. So crypto agility is a topic in general, and the quantum threat is only part of it, and we are working on that, yes.

In an hour and a half we've discussed a lot of issues related to cyber security. We haven't even touched the question of what happens when we take the person out of the car and the car is driving itself. Do we want to spend five minutes discussing that, or do we want to leave that for another discussion? We'll leave that for the... we'll handle that in mid-May and Princeton. Or leave it to the next generation, when we have those cars. Yeah, okay. Any last questions before we break for lunch? You, yeah. Questions?

Yes, thank you. My name is Dr. Madeline Chef. I'm a president of a non-governmental organization. Are you hearing me? Yes. Okay. A little bit louder. Okay. I just want to know in your process if you would make some employment of women in the digital view, how to strengthen women and how to develop the capacity building in African countries.

I'm not sure I understand the question.

The question is that I appreciate what you are doing, but I want to know if you
have some resources, women resources, to help another woman in the domain to more understand what is going on, because what you are using, as a previous speaker said, we want to know if our data are protected or not and how to spend that to another people.

Okay, and so this is... but this is specifically for women? For women, yeah.

I don't know, can anyone answer? The question is if there's specific work being done for communicating the specific requirements of women within the cyber security domain. We have one woman on the panel. I can call my wife, but... no.

Thank you. I'm not aware of specific actions for that, but I think the question is more general. This is not specific to women. I think the awareness about the cyber security and the way we are doing security in general is really changing, evolving, and I think it's not only a question of women, it's a question of: we have to discuss with men and women the topic. And yes, it's better if we can discuss with women also, but I think, yes, the question about the awareness of how cyber security is evolving is for all of us.

Okay, but Mike, there are things done, and if you go on to WirelessCar on LinkedIn today, or tomorrow actually, tomorrow is the International Women's Day. Today? So it's tomorrow, yeah. Thanks, I shouldn't know that. And we actually post all the women working in WirelessCar, and we are too few. We gather them, take a big picture, and then we, you know, advertise it: come and work for us. More women in the industry, win. And that is a small thing, but the balance is important, because we have different views and different perspectives, and we need every perspective into this extremely big question.

I don't consider myself as an expert in this area, but I can say that in our company, I think every third employee is a woman. Some of them are even in a managerial position. So what I see inside our company, with customer, for sure there is room for women to take part. Some
of them are even in more senior positions. In the Israel ecosystem, because of the compulsory military service, this brings a lot of sharp women into the industry, so I don't see any barrier in that respect. And maybe the reason we see too many men and too few women is because of the tradition, but this may change in a few years.

Yeah, any... there is a question here. Yes, of course.

Thank you. I think one of your colleagues has touched this topic. If you don't mind, we go back to the security. We have heard a lot about the quantum computers, and we know that they are very... in fact, one of the companies, IBM, has launched its first commercial product a couple of weeks ago, and we know by having these quantum computers our current security mechanisms are not safe anymore. So in order to protect yourself there are different solutions. One of them is quantum safe solutions that we have, like using, for instance, a quantum random number generator to make better keys, or a quantum key distribution to secure the back end, and also any other quantum post algorithm. Do you think this is something that we have to start thinking about now, or have you already started, or do you think this is something that we should touch very soon? Thank you.

So maybe, yes, one point. We know, yes, what's the state of the art on quantum cryptanalysis, so we know the algorithms that maybe will be implemented one day on a quantum processor, and we know, for example, that part of the cryptography is not really impacted by that. So typically all the system built on symmetric key cryptography with appropriate size for the secret key is not impacted by that. So it's just to be sure that everyone is understanding that all the cryptography is not fallen just with the quantum cryptanalysis. After, we already have some solution, as I said, for signature, and we know, based on the state of the
art, we know, I mean, regarding conventional cryptanalysis, the conventional attack using classical computing, and also quantum cryptanalysis. So we are aware, based on the state of the art, of some algorithms that could be implemented one day if we have a sufficiently powerful quantum computer, but this is not the case for the moment, and the sizes of the quantum computer we see for the moment are really too small to swisseln the cryptography. And more than that, we have very, very few public information about experimentations on this quantum cryptanalysis, sorry, on the very smaller keys. So yes, just to know everything is not completely broken, and we don't know when it would be the case. But yes, I think it's already possible to take that into account, especially using what we mentioned, so the crypto agility, the mechanisms that would be useful in order to change the crypto algorithms and the keys in the future if we need it. We have the possibility to build on symmetric cryptography, so this is also a possibility to manage this risk. And after, we know we have to wait for the next process on standardization on quantum safe crypto. We have also another recommendation, both in Europe and also in the US, which is, when you can do that, maybe for confidentiality of data, use hybrid mechanisms that combine the mechanism we are using today and also some post-quantum mechanisms that we have. So we have already some recommendations in Europe and in the US, and we have some possibilities to take into account this threat to some extent, and again depending on the general risk assessment, because I think what is important is not to focus on one specific point but really have the big picture, the other view of what is really the security of the system in the end.

Thank you. So Alina said the last word. Thank you very much. I know I could sit here longer;
unfortunately lunch is waiting, so I think folks would like to take part in that. Thank you very much for the preparation, for participation, and for what I hope you all believe was a good discussion. Thank you very much.