WARREN, MI – After nearly nine months studying the most nefarious corners of cyberspace, General Motors (IW500/5) executive Jeff Massimilla says, remarkably enough, he’s not having nightmares.
“I do sleep well at night,” laughs Massimilla, the automaker’s global chief product cybersecurity officer. “If there is one thing that does keep me up at night, it is the energy I have around this role.”
As head of GM’s product cybersecurity organization, which the automaker formed in November, Massimilla is responsible for the end-to-end safety and security of the company’s connected vehicles and services. In other words, it falls to his group to defend the automaker’s cars and trucks, as well as services such as OnStar and the emerging RemoteLink smartphone app, from hackers bent on wreaking havoc.
It is a job that thrusts Massimilla, a onetime design-release engineer at GM who most recently led product cybersecurity, into one of the industry’s leading roles as vehicle connectivity explodes and new forms of autonomous and shared mobility emerge. But while connectivity and new mobility promise safer, more efficient and satisfying driving, they also present the transportation industry as a new treasure for thieves hoping to profit, or merely gain notoriety, by hacking into sensitive vehicle software.
NHTSA defines automotive cybersecurity as the protection of vehicular electronics systems, communications networks, control algorithms, software, users and underlying data from malicious attacks, damage, unauthorized access or manipulation.
According to the consultancy Frost & Sullivan, 50 vulnerable attack points exist on a modern vehicle, and buttoning up those areas is costly to OEMs because it cannot be sold to customers as an option. The consultant estimates cybersecurity accounts for upwards of 5% of the cost of vehicle electronics.
Although the automotive industry has not seen security breaches at the levels banking and retail have witnessed, it has not been incident-free. Reports recently emerged of thieves using laptop computers to break into and steal Jeeps in Houston, while last year a pair of software engineers remotely hacked into a Jeep Cherokee to take control, an incident that led to the recall of 1.4 million FCA US vehicles.
GM has been victimized, too. A hacker figured out a way last year to slip through the security of the automaker’s RemoteLink app, which operates through GM’s OnStar telematics unit, to perform functions such as remotely starting a vehicle. The hacker was a researcher rather than a thief, but GM nonetheless devised and deployed a patch within 24 hours.
Trim, enthusiastic and most certainly energetic, Massimilla talks less like a University of Michigan-trained electrical engineer and more like an intelligence agency director.
“At GM we are taking significant action internally to deploy defensive measures in layers, monitoring detection and the ability to respond before we actually have a bad actor in our environment,” says Massimilla, who also serves as vice chair of the newly formed Auto-Information Sharing and Analysis Center, an industry group tasked with advancing cybersecurity protection among automakers and suppliers.
“We are doing this when the white hats and the researchers and other people are looking at our products and connected services before we have a fielded cyber incident,” he says during an interview at GM’s technical center here.