GM Chief Product Cybersecurity Officer Jeff Massimilla says that actively strengthening public-private collaboration and seeking help from outside experts are the keys to keeping pace with the evolving level of cyberattacks.
In many business endeavors, a chief leadership function is cheerleading. And if your unit is doing particularly effective work, conventional corporate culture almost demands you “promote” that success.
It’s a little different with cybersecurity. Brag too much and you’ve potentially painted a target on your company’s back. And the back of General Motors, the world’s third-largest auto company, already is exceptionally broad.
Jeff Massimilla, who has been chief product cybersecurity officer at GM since the company initiated his unit in 2014, conceded in a recent interview with Automotive Engineering that although “you never want to go out there and say you have this all figured out,” he is convinced that GM—and the broad industry—has learned enough through an intensive few years of research and a variety of collaborations to feel as confident as is reasonable when your world is an ever-changing threat environment.
Well-funded? Whaaat?
And here’s one you don’t hear much from big-company managers in the post-Recession era: “We’re very well-resourced and well-funded,” he added. “We have the right people and personalities on the board of directors to understand the importance of this.” The company’s investment in cybersecurity is deep and serious, he said, because “you can’t separate cyber and safety.”
Massimilla said he has regular access to and interactions with GM’s board of directors regarding cybersecurity. He is the leader of the global group of about 90 in GM charged with every aspect of cybersecurity related to the company’s vehicles. The role is an expansive one as GM, like many automakers and suppliers, is embarking on a multitude of new mobility business models—most of which invariably involve a communication conduit to the internet, cellular networks and satellite data streams.
An electrical engineer who started with GM in 2001 and served in a variety of posts that included global validation, Massimilla said there’s even another aspect his organization must consider: an increasingly aware and concerned customer. “Cyber is something customers are making purchasing decisions on,” he said, adding that the customer’s notion of a particular company’s cybersecurity proficiency is likely to become like many other competitive metrics when it comes to winning a spot on a buyer’s consideration list.
Spy vs. Spy
Massimilla’s group, like many others in the industry, doesn’t rely solely on its own expertise. The cybersecurity landscape is vastly too multifaceted to believe that any band of individuals, regardless of their spectrum of expertise and experience, can cover all the bases. So GM’s product cybersecurity group works with outside researchers, the military and yes, so-called “white hat” hackers, in an effort to stay up to speed with the latest developments in the often shadowy alleys that blend cyber and corporate espionage.
A formidable asset in this vein is AUTO-ISAC (Automotive Information Sharing and Analysis Center), formed in 2015 to assemble industry-related companies and entities in a collaborative, non-competitive effort to develop and share cybersecurity best practices. AUTO-ISAC currently has about 30 global OEMs and suppliers working to parry the black-hat element that continually probes, said Massimilla, for individual or structural weaknesses that may lead to serious or large-scale exploitation. Massimilla said awareness of the potential to disrupt automotive security probably came to a head in 2015 in the widely-publicized remote hacking of a Jeep Grand Cherokee’s major and minor controls.
The industry also collaborates in the traditional sense by forming new standards once a certain cybersecurity need is fully understood and agreed upon, he added. Standards, he said, remain the vital framework in which to deploy collective findings.
"And we have our own (internal) 'Red Team' to test and hack our system," he said.
Non-traditional talent, and a shortage of it
It takes engineers and other trained and experienced personnel to research, pool resources, share learning and develop standards. Depending on your perspective, an organization of 90 may seem like a lot or a little to be devoted to cybersecurity, but Massimilla said one of the auto sector’s chief problems is finding those qualified people. Not only are traditional engineering and technical schools only now starting to develop cybersecurity-related curricula and students, but “Some of the best cyber experts are not the people who go through college and get a four-year degree,” he noted, almost wryly, alluding to the self-taught computer-expert stereotype that to a meaningful extent is based on reality.
“There’s a lot of activity to create more talent,” he said. Major universities are beginning to “work (cybersecurity) into engineering programs,” but accreditation of those tracks takes time, he lamented. Meanwhile, countless other industries are under the same pressure to find immediate solutions to cybersecurity’s maddeningly indeterminate threats.
For now, Massimilla said, he sees the “multi-layering” approach to automotive cybersecurity as the most effective structure available. “I think it’s a standard cross-industry approach—but how you deploy it across the connected ecosystem,” is where differences are injected, he contends.
And count on it to change, he insisted. “What we build today and what we build three years from now—there will be differences.”
Will it be all up to OEMs to deploy? Massimilla thinks so.
“I am a firm believer that the automaker is the only entity that can (effectively and safely) see their ecosystem end-to-end,” he said.
Author: Bill Visnic
Source: SAE Automotive Engineering Magazine