Cyber security startup Cybellum defends against automotive cyber security attacks

By Ed Bernardon

Playing cyber defense with the cyber digital twin

The Cyber Digital Twin is at the front lines of Cyber Security Defense

The rise of technology has completely changed the way we think about security. Breaking into a building, a car, or a computer system used to require physical action and brute force, but today, that’s no longer the case. Technology has eased the burden of the hacker, and remote access is an everyday occurrence. Today, not only can criminals forego the ‘80s-style ski masks and the convoluted plans; now they don’t even have to leave the house.

Despite the potential threats, we’re still romanced by the possibilities of automated transportation. So, how do we stay safe in a world controlled by remote software? Well, we’re best leaving that job to the experts. And thankfully, highly-trained hands are already on the case.

In this special episode of The Future Car Podcast, we’re talking about cybersecurity. Ed Bernardon interviews Slava Bronfman, the CEO and Co-Founder of Cybellum. His cybersecurity company focuses specifically on automotive product security, identifying potential threats to the software supply chain, and ensuring that the entire network remains impenetrable.

Today, you’ll hear about the unique trajectory of a cyber start-up founder, and how his time spent in the Israeli Defense Forces prepared him especially well for a career in software defense. We’ll discuss the rise of cyber vulnerabilities as cars and transportation become more complex, and how his team manages threats from a defense perspective. You’ll also gain an understanding of the layers involved in securing a vehicle software system, and how the security industry stays one step ahead of hackers in order to keep drivers safe.

Some Questions I Ask:

  • What’s it like to work for the Israeli Defense Forces? (3:32)
  • How did your experience in the defense forces help prepare you for a cybersecurity startup? (11:02)
  • What’s the benefit of having your vehicle connected? (25:28)
  • What needs to be improved in order to help increase cybersecurity? (32:42)
  • Is the WP 29 regulation helping to standardize security regulations? (37:05)
  • Are people ever going to accept autonomous vehicles and feel comfortable driving in one? (47:58)
  • How do you stay ahead of the hackers? (59:08)

What You’ll Learn in this Episode:

  • The difference between offense and defense in the world of cybersecurity (6:26)
  • How Cybellum was born (15:24)
  • A typical auto-related cybercrime (17:52)
  • Understanding the layers of cybersecurity (29:16)
  • The challenges of trying to keep systems secure (45:12)
  • How Cybellum uses the digital twin (50:47)
  • Why consumers should feel optimistic about vehicle security (1:01:50) 

Ed Bernardon: In the 1969 movie The Italian Job, Michael Caine played a thief who hacked the transportation control system of Turin to cause a traffic jam so he could rob an armored vehicle full of gold. Of course, in the ’60s there was no internet, so in order to “hack” the Turin transportation system, he had to physically drive to where the system was located, break down the door, knock out a few cameras, and then have his hired “hacker” change a security tape reel, and finally, traffic around the city came to a screeching halt.

The idea of hacking a transportation system, even in 1969, by physical force is a startling example of just how far technology had come and the vulnerabilities that come with that progress. Today, unlike in 1969, taking advantage of these vulnerabilities is something that can be done remotely from anywhere in the world. A hacker can hide in the shadows, maybe in their basement or even hack away while sipping a cocktail on the beach thousands of miles away. With the right set of skills hackers have potential to cause damage from a distance. The ultimate unseen enemy.

As we enter a new era of transportation automation, where a car you buy today may have more lines of code than a Boeing 787, this increased dependence on software opens up a lot of vulnerabilities. And in order to protect ourselves and the systems we use daily, we’ve got to stay one step ahead of potential security threats from the dreaded hackers. Thankfully, there are people out there shoring up our defenses to help minimize the risks so that we can ride around safely in our connected cars with all our privacy and data protected.

– Intro music –

Welcome to the Future Car podcast. I’m your host, Ed Bernardon, VP Strategic Automotive Initiatives at Siemens Digital Industry Software. For this week’s episode of The Future Car podcast, we’re pausing our Women Driving the Future series to bring you a special episode on cybersecurity. We’re going to look at cyber vulnerabilities that open up as cars and transportation become more complex from a software standpoint, especially with connected and autonomous vehicles that are driving up software content at an ever-increasing rate. With the greater potential for transportation cyber threats comes a greater need for transportation cybersecurity.

With us today is Slava Bronfman, CEO from Cybellum, a startup that assesses cybersecurity threats for companies developing software for the automotive industry. He is a perfect person to talk to, to help us get an idea of how cybersecurity, connected and autonomous vehicles are all coming together, and all the cyber security issues that need to be addressed as our transportation future unfolds.

Slava, welcome to the Future Car podcast.

Slava Bronfman: Thank you, Ed. Thank you for having me here. Excited to be here, talking about this fascinating topic.

Ed Bernardon: Well, you came upon cybersecurity and the need for cybersecurity based on your experience that in part was with the Israeli Defense Forces, that was your previous job. Could you tell us a little bit, what’s it like to work for the Israeli Defense Forces?

Slava Bronfman: When you talk about the Israeli Defense Force, it’s very different if you talk about the cyber unit or technological unit and combat soldiers. So, to be in fighting forces it’s pretty much similar, I guess, to any army in the world. But that’s not something that I did, I was part of the cybersecurity intelligence corps. And in a sense, it’s very much similar to any other technological corporation in the world. Obviously, you start in the army, do the basic training and everything and all the kinds of military duties which vary, but eventually once you start, once you get to your unit, and usually, in many cases, you’re not even wearing the uniform, just working with the latest technologies. Solving some great challenges, cybersecurity challenges, adopting software in the army today. The latest thing in Israel, adopting software development methodologies, for me, I served actually, in the army for almost six years, I was an officer, and so on. It was like going to a great workplace work in a very young environment with very talented people, they’re kind of cherry-picked by the army.

Ed Bernardon: There’s a traditional army like you mentioned, and now it’s evolving where cybersecurity is a key piece of that. How does that change what security forces have to do? How important is cybersecurity becoming relative to say, a more traditional army, or the traditional forces?

Slava Bronfman: Yeah. Interesting that our general of the Israeli army was a couple of times quoted saying that the next battle or the next war won’t be in a physical world; it will be definitely a cyberwar. And we’re definitely getting prepared for that. I know, in the Israeli army, today what you can do with cyber means a lot more powerful and easier than what you need to do with traditional forces, getting to some foreign countries, and so on. You can just from your computer somewhere remotely or in the center of Tel Aviv control other countries’ facilities, and so on, it’s definitely changing.

Ed Bernardon: It’s hard to see the enemy, you don’t even know where they are, if they’re coming, or what they’re going to do, right?

Slava Bronfman: Definitely, it’s a different kind of enemy. They’re getting through the bits and bytes and through your software. It’s a completely different type of enemy and it’s harder to defend probably from this kind of enemy. Just you need to think of the kind of clear borders of what you need to defend.

Ed Bernardon: Well so, if you have – and you’ve touched on it – you have the offense and then the defense. I would imagine doing a good defense, you have to think about what the offense is going to do. Are they similar? Do they think in different ways? Do you get to think of yourself as “Hey, what would that hacker do to get in?” to figure out how to make that best defense?

Slava Bronfman: Yeah, actually, I do. Thinking about the difference between offense and defense, they’re completely different. So different. Attacking is both easier and actually, I think also kind of a lot more rewarding if you will. Eventually, if you are an attacker and thinking like an attacker or in offense cybersecurity, you only need to succeed once. You only need to find one hole, one vulnerability, get in and that’s what you need. Unlike defenders, if you’re a defender you need pretty much to defend everything. There is no like, “I only will lose in one battle.”, you need to win all battles, otherwise you lose the war just by losing one battle. That’s also if you defend, your success is if nothing happens, right? This is a success for you if you’re doing defense in cybersecurity. However, if you are doing offensive cybersecurity, you kind of see results immediately. If you are successful in your operation or whatever, you’re kind of being able to penetrate some network, get out information, and so on. It’s like a puzzle or kind of enigma that you need to solve. I guess in that sense, again, they’re very much different, cybersecurity from a defense perspective it’s all about processes and technologies and people that perform the full kind of operations. But attacking, offensive can be a lot more like freestyle. You need to be a lot more creative, you can just need to find one path to get in. So, it’s completely different in that sense.

Ed Bernardon: You have the hard job, you got always that your boss is going to get upset if you make it one time they get through and it’s a big one. Do you have an example? You called it a puzzle, and when you think of it as a puzzle, it almost becomes fun in a way. Trying to solve the puzzle. Can you give us an example of one of the most complex or maybe surprising puzzles that you had to solve?

Slava Bronfman: Yeah. Eventually, when you need to – if we’re talking about cybersecurity – when attackers, all attackers, I guess like everyone, eventually, they’re lazy, looking for the low-hanging fruit in a sense. So, when you are doing kind of an operation or trying to hack a network or some IoT device, and you will try to break it and get in, eventually, you can work on a project for months, or sometimes there are projects that you work for years to try to get into some kind of network or something. And almost always, from my experience, you get to something that is very kind of stupid that the other side kind of missed like a default password or some open port in a network, in a network firewall, or something like that. It’s always the small things, some leftovers in the code that the developers have just for debugging, and eventually, you find them out in the production environment. So, you’re always looking, when starting some kind of an operation like that, you’re always trying to think, “Okay, this is the network, this is the device, maybe we’ll find some cool vulnerabilities, then we need to find some exploitation to that, and so on.” but in many cases, in most cases, I think that I saw it’s eventually getting down to a very small mistake, the other side did. Default passwords are always fun to find they’re very easy, once you get the password you’re in. Yeah, so usually, there are tons of examples like that that people left things for the development environment and eventually pushed it to the production environment. They have everything encrypted, but there is just one device, one printer, eventually, that is communicating to the network without any encryption. All the firewalls, everything is very hardened but there is one VPN, a legacy VPN that they left behind that is fully vulnerable. And they thought…

Ed Bernardon: The missing piece, right?

Slava Bronfman: Exactly. It’s always the missing piece.

Ed Bernardon: It’s exciting when you’re doing a puzzle and you can’t find that piece, right? You have a big pile of pieces on the table and you finally find the one that fits in there. So, it’s probably the same feeling, I would imagine.

Slava Bronfman: Yeah, exactly. It’s exactly like that. And again, eventually, it’s something that you think, “Oh, my God, I should have seen that the first day when we just started this.”.

Ed Bernardon: Well, the next time you’ll find it right away, of course. But then there’ll be a new piece that you can’t find that’s the way it works. Now, it’s an interesting career. You go from the armed forces to a startup in cybersecurity, which I would think is somewhat unique. How did that unique experience in the defense forces help prepare you for creating a startup in the cybersecurity area?

Slava Bronfman: It’s interesting that in the Israeli army, first of all, if we talk just about cybersecurity specifically, I personally think that in Israel of course the army is the best cybersecurity school and the best three cybersecurity training you can get. Probably, one of the tops in the world. So, in terms of just understanding the basic of cyber, there are usually training programs and onboarding programs that last nearly a year for every new soldier that getting into those forces. And so, you get in their decades of best practices already built today, and all these units are there from the 90s, from the early 90s, so there are great practices around that. So, you learn cybersecurity, but they think moreover something that you learn in the Israeli army – at least in the cybersecurity units that I was part of – is we learned about problem-solving. Widely talked in the unit that always saying that technology is just one means to solve your problems. The most important thing is you need to find what is the real problem and not just to play with technology. And moreover, that there is always a technological solution. There is no question if something is possible, it’s always a question of time, resources, and so on, but it’s always possible. Once you define the problem, well define the problem, there will be a technological solution to solve this problem. So, I can give you an example where there is some discussion or some meeting and then you are asked to bring a solution, technological solution to something there is no one expects you then to come and say, “Yes, it is possible.”. It’s, of course possible, you just need to come with a plan that says how long it will take me and how many people or men I need for that. So, I think this kind of thinking is the transition from the military, from the Israeli army to starting a startup, I think it’s very helpful. 
So, being a founder of a startup in Israel that served in the Israeli army for many years, it’s not unique. I think most of the Israeli startup founders did their military in cybersecurity in Israel. And I guess it’s not only cyber, it’s this kind of thinking that helps and makes it successful.

Ed Bernardon: Now, as an entrepreneur – because I was a founder myself of a startup – and there’s always an interesting story about that moment when you said, “Oh, I should start a company to solve this problem.” When did that inspiration come? When did the light bulb turn on that said, “I’ve got to start a company?”

Slava Bronfman: Yeah. So, interesting that this moment came that I said, “I need to start the company.” before I had any idea what the company is going to be about. I actually started it with who is my co-founder today, who used to be actually my commander in the army.

Ed Bernardon: Michael?

Slava Bronfman: Michael Engstler. Yeah. He’s the CTO and he used to be my commander in the army. The same is true for many of the other employees that we have today.

Ed Bernardon: When you were in the army and he was your commander, did he ever like for instance say, “Hey, you do 20 push-ups because you mess up.” You never make them do that if you make the technology mistake?

Slava Bronfman: No, definitely not. And you won’t see any “do 20 push-ups” or something in technological units. Won’t fly in these areas.

Ed Bernardon: Only mental exercise.

Slava Bronfman: For sure. That’s exactly. It’s interesting that even that the army today is fighting for talent. They try to keep cybersecurity people as much as they can in the unit. So, there are no punishments or stuff like that, it’s all about tech.

Ed Bernardon: Hard to recruit everybody that you need.

Slava Bronfman: Very hard to recruit smart people, especially when there are so many opportunities out there.

Ed Bernardon: It’s very good pay too, I would imagine. So, that makes it very competitive.

Slava Bronfman: It’s widely discussed in Israel, that all the international companies like Amazon, Facebook, Google, and others are opening R&D centers in Israel and paying crazy money for talent that, of course, the army cannot compete with those salaries and yet it’s causing an issue in Israel.

Ed Bernardon: So, you and Michael put your heads together sounds like and decided it was time?

Slava Bronfman: Yeah, it was just when Michael got discharged from the army after I think also about seven years or so and we actually met for a beer and he said, and he came to me – and it was his idea, the credit is to him – “Let’s basically start the company that will automate what we’ve been doing for the last so many years in the army manually.” And that’s actually how Cybellum started. The entire vulnerability, detection, and hunting today in most of the world is happening manually, where security researchers are sitting, reverse engineering devices, and trying to find the vulnerability. And we started Cybellum to try to automate this entire process, and that’s kind of was the initial thing.

Ed Bernardon: So, it wasn’t necessarily just for autonomous vehicles, it was more vulnerability in general.

Slava Bronfman: Yeah, exactly. We actually started and we did taper about two and a half or three years ago to the automotive sector. But we started as a general vulnerability detection solution, at least the initial idea which is solving problems even for the IT world. About two years or a year and a half after we started, we met the guy who used to be the head of car security in Daimler, Daimler Mercedes. He ran the entire car security practice was reporting directly to the CEO of Daimler, and he basically took us to the automotive world. Presented us his challenges today, what are his challenges to run the security program across all Daimler. He presented us actually that the supply chain in the automotive sector, which I found fascinating that to know that they are called car manufacturers, but they’re actually not manufacturing anything.

Ed Bernardon: The supply chain is very, very big.

Slava Bronfman: Yeah, and it’s so complex. And actually, if you look at software-based components, it’s usually 100% of the software-based components are produced by tier-one, tier-two suppliers, and so on. Yeah, so basically, these guys are today part of Cybellum’s advisory board, taking active partner at Cybellum is who he showed us the automotive sector, and then we focused on automotive.

Ed Bernardon: Can you give us an idea of a typical vehicle cybercrime?

Slava Bronfman: Yeah. So, probably you would imagine what you see in movies that hackers are hacking cars and driving them off bridges, and so on. But fortunately, it’s not the case yet. Hopefully, it will stay like that. So, we see today a lot of cybercrime around vehicle theft, like stealing cars. Most of the – in some developed countries – most of the vehicle theft today is done remotely, by hacking the smart key fobs or the mobile apps that are today able to open a vehicle, start the engine, and so on. Actually, you cannot even come today to modern vehicles and play with the wires as we saw in Gunmen.

Ed Bernardon: Yeah, hot-wiring the car.

Slava Bronfman: Yeah. It’s not possible anymore because you need to start all the software systems and all the technological systems. The car is a data center on wheels, right? For these vehicles, we see a lot of car theft that is done like that, remotely. So, this is one thing and the other thing is stealing data. Today, a vehicle stores an enormous amount of data about you, how you drive, where you’re going, your GPS, your location, you’re pretty much storing your credit card details inside your infotainment system to pay for all the services and apps like Spotify and Netflix and others that you have on the vehicle, or to pay for the electrical charging station. You’re no longer getting out of the vehicle paying with the credit card or going to the cashier. So, we see these kinds of attacks today. Think of other examples that we saw now, I think over a year ago, a car, a smart car alarm that was breached. The interesting part about smart car alarms that are getting so much functionality in the vehicle today that once you breached them, you have full control over them. So, for example, they are recording the voice inside the vehicle, like if there is something, some accident and so on, so they can react to that. But just think if someone is breaking the application of this smart car alarm you can get all the talks that you can listen to in the vehicle and this is a great violation of privacy. But moreover, something that is also unique to those car alarms that they can turn off the engine. Just because they were traditionally designed to be kind of a safety feature to stop stolen cars. So, just think today…

Ed Bernardon: Yeah, you’re going down the highway, and suddenly your engine turns off.

Slava Bronfman: Exactly. And this was a hack of some, I think it was called the Viper Car Alarm system and Pandora in the UK. They were both hacked and basically gave full control for attackers to control the vehicle. Something that you wouldn’t imagine just a mobile application to my car alarm, but from that you can take full control over the vehicle.

Ed Bernardon: We worry about cyber attacks on our laptops, for all the reasons you just said. It could be your credit card information or other information you don’t want to share. But now you’re adding a physical element to that like you just said, could turn off the engine and endanger your life directly. How much of that is actually occurring now? Or is it still mostly cyber crime where you’re trying to get access to a car to steal it or get information? Have they been successful in doing for instance, what you just said, turning the engine off to try and cause harm?

Slava Bronfman: Yeah. So, in terms of white hackers doing that for research purposes or just kids that are doing that out of curiosity because they are bored and they’re very talented. So, yes, definitely there is a lot of proof of concept for that going back to 2015 where Charlie Miller hacked the Jeep. There are many examples of researchers doing that and driving vehicles remotely off of the road. For that, there are a lot of examples. However, we still haven’t seen any real-world hacking and taking over physical damage to the vehicle. I think this happens because of mainly two reasons. One is that, frankly, still most of the vehicles around the world are not connected.

Ed Bernardon: But that’s increasing, though.

Slava Bronfman: For sure. That’s increasing and in a few years, you won’t not have connected vehicles. But I think the other thing is the motivation to drive a car outside or to take physical control over a vehicle, you probably need to be some I don’t know, terror attack or something like that. But the true motivation of hackers today is financial. They try to get to the data, they try to get to the credit card and other financial data that is stored in the vehicle. They are trying to get to all the accounts that are stored and so on, to steal vehicles. But today there is no motivation for just hackers other than terror attacks to get physical access and control vehicles. But they do think it’s, unfortunately, it’s a matter of time there will be some compelling event and data in this industry that will kind of flip the entire industry upside down.

Ed Bernardon: You’re hearing all the time people hacking into one place or another. At what rate is this increasing?

Slava Bronfman: It’s exponentially increasing because it just getting easier. Again, as we progress, the selling of new connected vehicles is exponentially growing. Meaning today it’s really hard to buy, for example in Germany and other places a vehicle that is not connected. So, just if you’re an attacker, the attack surface is bigger for you. So, this is growing exponentially, and together with the tools to hack a vehicle. So, today you can go to the darknet and the dark web and just buy an out-of-a-box tool or service to hack your data.

Ed Bernardon: Oh, that’s scary. That sounds scary.

Slava Bronfman: That’s for sure. It is scary. It is scary and it is scary like to drive today a car, an old car; they don’t have all the safety mechanisms and drive a car without a safety belt. It’s pretty much the same for cybersecurity. It is scary for new vehicles, connected vehicles; they can be easily hacked.

Ed Bernardon: Well, not to scare people more, but if you go back, I don’t know, 10, 15, 20 years the number of connected vehicles was very small, if almost even nonexistent. What’s the percent of vehicles that are connected now and how is that going to change, say in the next 5-10 years, do you think?

Slava Bronfman: Today, the number of connected vehicles it’s very, very low in the single digit, probably around the world. There are countries like Israel, unfortunately, that we still don’t have connected vehicles, just because of regulations. We have new vehicles and the connectivity is cut off before bringing the vehicle to Israel. So, regulation is actually a big driver for that, increasing that. Once you will open up the regulation, as it happens in most countries like in Europe, in the United States, and so on. So, we’ll see more and more of that. So, I do expect that the regulation will change in just a couple of years, it’s a matter of two to three years once the entire world will accept connected vehicles. And once that happens, to get to 20, 30, 40, 50% of vehicles that are connected will be relatively easy in 5-10 years. We’ll see that probably most of the vehicles around us will be connected. Just think that every year there are about 100 million new vehicles that are sold. So, in that pace – and every new vehicle is already connected – so in that pace, we’ll see most of the vehicles around us connected.

Ed Bernardon: What’s the benefit of having your vehicle connected?

Slava Bronfman: That’s basically the future, having your vehicle connected. It’s like getting all the services that you want.

Ed Bernardon: Netflix or whatever it might be.

Slava Bronfman: Yeah, exactly. It’s just sitting in the backseat, your kids sitting in the backseat of the vehicle and you don’t need anymore to bring them your phone or your tablet or whatever. There are screens and again, just stream directly Netflix, or every kid can listen to their own Spotify or whatever. You are getting your maps and maps updated directly and…

Ed Bernardon: Ask Alexa a question, whatever it might be.

Slava Bronfman: For sure. That’s great just to see today the new vehicles and you just say whatever you want, where you want to go, and so on. You just communicate with the Alexa of the vehicle. And today there is the Alexa Auto, which is actually a great and amazing addition of Alexa for vehicles.

Ed Bernardon: How’s it different from the Alexa Auto versus the one in your home?

Slava Bronfman: So, they are basically I would say train the machine learning algorithms is trained for different types of commands and for different types of operations. They’re not just asking them what’s the hour or so on, actually, you need to ask them where to drive, where is the best way, and so on. So, they’re trained to understand what is the speed of the vehicle to adjust various functionalities that they have to work and display things on the vehicle screens, which are today becoming covering everything that you have in front of you. It just becomes a big LCD screen or LED screen today. So, this is great. And moreover, if we talk about connectivity, it’s not just your single vehicle, there is all that the V2X practice when you communicate with the traffic lights with the vehicle surround you.

Ed Bernardon: V2X, that’s the vehicle to X, which would be a vehicle to anything. What is anything?

Slava Bronfman: Just replace X with almost any letter and it will get something like V2V is vehicle to vehicle and you can communicate with the vehicles around you. So, if the vehicle in front of you is just stopping suddenly, so you will get a notification about that, and also your vehicle will slowly stop as well to avoid crashes. Communicating with traffic lights, so you know exactly when the traffic lights going to get red or green. So, then the engine can start again with the new vehicles that they turn off the engine while waiting in the traffic light. And there are so many other functionalities that will just make the driving experience amazing, like a real experience. And the entire movement of pay-per-mile versus pay-per-car, changing this entire world.

Ed Bernardon: One thing I don’t think I like about this is it sounds like if Alexa knows my speed and how I’m driving, she’s going to become another backseat driver telling me what to do and turn the wheel. This could be worse than the cybersecurity threat.

Slava Bronfman: Definitely. You’ll have someone in your system that will tell you every time that you pass the limit.

Ed Bernardon: Well, as long as they still have the off button will probably be okay, I would imagine. You’ve mentioned that to solve this problem there are layers of security. It’s not just in the vehicle, it has things to do with the supply chain, all the other systems that back this up. Can you tell us a little bit what you mean when you say the approach to security involves understanding all the layers that go into operating a vehicle, making it connected, keeping it on the road, keeping it safe? Tell me, what do you mean by these layers?

Slava Bronfman: Sure. So, and think just with IT work, it’s the same practice in cybersecurity I guess across all verticals, across all sectors. If you look at the IT world, so you have in your organization, you have the organizational network, and you have the laptops, the servers, and so on. So, just think of the layer of security there. You have the antivirus on your endpoint or on your laptop. However, you still have the cloud security to protect all the apps and your access to all the applications to the cloud applications like Gmail or whatever, Dropbox or whatever cloud applications you’re using. And they’re still in the organization, there is a firewall to protect on the organizational level that no one will get inside. And under different solutions for the encryption key management systems, and so on. So, it’s always a layered approach. And that’s because you have also basically layered networks or layered phases in a network of an organization and it’s pretty much similar in a vehicle. Eventually, a vehicle today has a couple of internal networks inside which there are a lot of computers that are connected to that. And moreover, of course, there is one thing to protect the single-vehicle but there is another thing to protect the full fleet of vehicles. So again, if you think about the same analogy as the IT world when I say a layered approach means that you need first of all to understand what are all the access points to your vehicle starting very early on from your supply chain. Do you protect your supply chain? How you can validate that your supply chain is protected? Next, you need to understand that there is, in the automotive world, there is a very long cycle of development until the vehicle is getting to the road, it takes like three to five years. So, you need to protect this entire cycle, the development, and of course, there is the entire manufacturing. 
So, in the manufacturing as well, you need to put security measurements to make sure that in your manufacturing facilities everything is protected. And then once you get to the vehicle itself, so you still need to have some endpoint protection on maybe each ECU, on each computer in the vehicle. Because if someone is eventually going to get to one of their computers to one of the ECUs, they need to be protected and have some antivirus or antimalware or some other protection on them. Then you have the network in the vehicle, you need to put some firewall or what is called the IDS – the Intrusion Detection System – to protect or to detect anomalies, to perform anomaly detection on the vehicle network level. And then you need to protect everything that’s connected from the vehicle to the cloud to protect this area. And the last part is, of course, you need to have some control measurements around your entire fleet, like how you can monitor your entire fleet, how you can react if someone is attacking your vehicle, how you can monitor your vulnerabilities. And many, many other aspects that are actually also today mandated by the regulation and standards in this industry.

Ed Bernardon: My first reaction to what you just said, it seems like there are so many pieces to this puzzle. All you have to do is find a weakness in one of them and the whole chain falls apart, so you have a system of systems. Where do you think the biggest weakness is, the vehicle, the back end, something in between? What’s the first thing you’d want to look at or what’s the first thing you think needs to be improved to help increase cybersecurity?

Slava Bronfman: Yes. I think there are two things that are absolutely essential. The first is design. If you design the vehicle, not in a secure way, there’s pretty much nothing you can do at a later phase. If the vehicle is designed in a way, for example, that can get from the external connectivity or from your Wi-Fi connectivity or something like that directly to your brake system and to the safety zone in the vehicle, so there is only so much that you can do to really protect it. So, design is key, the secure design of a vehicle is a key factor. And the other part is actually the supply chain mainly because this is how this world works. Then again, as we discussed before, there is a very long and complex supply chain in the automotive sector. Most of the components today in the vehicle are developed by third parties, not by the OEM itself, usually, this is the weakest link. Every supplier has their own security practices and eventually you as a big OEM, you’re dependent on the security practices and security level of each of your suppliers separately. So, eventually, you need to find the weakest link, the weakest supplier that didn’t implement the security measures. The other interesting part is that the entire industry is using the same suppliers. So, once you’ve detected the vulnerability in a component of one supplier, most likely that you will be able to repeat, to reproduce the attack on other vehicles of other brands and other models, and so on.

Ed Bernardon: Find the weakest supplier and get in through that. It would be hard enough, I would imagine, to do this if you’re the vehicle manufacturer in your own company. And now you’re saying I have dozens and dozens of these suppliers out there and you want to make sure that they’re as secure as you are. And you’re going to do your best to be 100% sure that you’re secure, and in order to do that, I would think you’d have to have your suppliers be almost an open book. Here’s everything I have and they might be reluctant to do that. Is the cooperation there that needs to be there to make a vehicle manufacturer feel confident that their supply chain is as secure as they need to be?

Slava Bronfman: So, you definitely would expect that that will be the case that they will just give you everything as the supplier, even give you access to the source code and present to you all the security mechanisms and hardening that they implemented, but actually it’s exactly the opposite. Today the suppliers – I think this is just traditionally how the industry works – supply completely closed black boxes of the component just in black box closed component supplied to their customers which are the OEMs. The OEMs are traditionally know how to do the safety crash tests and so on whether you don’t need any visibility into each product integrated into the vehicle. So, the industry in terms of the relationship between the OEMs and the suppliers is still acting like the components are not connected and there is no huge cyber risk. Today the regulation is changing that. It still is not enforcing all the suppliers to kind of open the kimono and give the OEMs visibility to what is inside. But it is mandating all the suppliers in the entire supply chain to perform certain cybersecurity analyses, cybersecurity activities to perform ongoing monitoring of new vulnerabilities of new attack techniques of new threat intelligence, and so on. So probably, regulation, standards, and actually requirements by OEMs and actually, we see more and more like that tenders from OEMs today that are coming with a very clear, very specific cybersecurity requirement that each supplier needs to meet, otherwise they just cannot play in that industry.

Ed Bernardon: So, regulation is the way to do that. It’s no different than regulations for the crash, right? It would be more safety from a mechanical standpoint. So now, regulations from a software standpoint. There is a regulation out there WP29, I think United Nations put that together. Now, is that helping do this? Is that an accepted standard that the supply chain and the car manufacturers are working to?

Slava Bronfman: Yeah, and actually, it’s a great initiative by the United Nations. They came up with regulations with very little, I would say cooperation from the industry itself. They just came up with regulations and they understand the threat, and said, moreover that it’s not only applicable to OEMs and suppliers that are in the EU, but actually, it’s applicable to any vehicle that eventually will run on European soil. Meaning that it’s pretty much applicable to any manufacturers around the world because they’re also probably selling to Europe. And you can just think about the expectation in the automotive industry that this WP29 regulation will do the same transformation as we saw with GDPR did to privacy. So, GDPR started in Europe and it’s actually European regulation, but today…

Ed Bernardon: GDPR. What exactly is GDPR?

Slava Bronfman: I don’t remember the acronym, but it’s general data protection regulation. It’s the biggest regulation in Europe, or I guess, the main regulation in Europe about what you need to do with data that you store and any personal information that you store. And it kind of became a synonym today for data privacy. So, thinking of data privacy today, no company can collect data without meeting with the GDPR compliance. And all the annoying cookies and notifications that you get when you try to log into websites, this is thanks to the GDPR. It’s a bit annoying to see them every time popping up when you surf to a new website, but it’s really helpful for all of us to keep our privacy and keep our data private and not give companies to share our data with others.

Ed Bernardon: So, it’s like an anti-cookie regulation for cars in a way. It’s an extension to that level.

Slava Bronfman: In a way. In a way, it’s something similar that if you do need to understand that, if you’re going to sell a connected vehicle, a vehicle that is based on software – which is every new vehicle today – you must meet WP29. It’s kind of coming together. Again, similar to what you mentioned before with functional safety if you are selling the car today that you need to meet safety regulations and it’s becoming the same with cybersecurity.

Ed Bernardon: Let’s talk about the two aspects of this. There’s the need for cybersecurity when you’re developing the vehicle – and let’s say you develop it perfectly just for a second – then you put that vehicle on the road and now even you feel that it’s perfect, and now it’s out there, then there’re going to be issues with cybersecurity related to operating. So first, from the engineering standpoint, as the software’s become so complex, especially with autonomous vehicles we have these massive data sets that you’re training the AI algorithms on or you’re using sub-routines that you’ve gotten from, say open source potentially. It would seem that there are so many places where someone could sneak this little tiny thing in there and cause you a problem. I imagine that’s a big worry for your customers.

Slava Bronfman: For sure, 100%. That’s a huge worry and it’s a huge challenge. There’re so many – as you mentioned – there’re so many moving parts, there are so many pieces of code in a vehicle and you need to make one mistake. That’s why again, coming to the layered security, that even if you do this one mistake, you will have other security mechanisms to stop that. It’s a huge challenge, and that’s why our opinion is that. Because just trying to go over everything manually and making sure that you haven’t entered some kind of malicious piece of code or did some mistake or left your default passwords or a development password in the code that eventually someone can hack you or just you took some piece of open source code from the internet and use it in one of the vehicle computers, it cannot scale. You can do it once for one specific component, but actually, if you really want to do it across all the vehicles and all the models and all the variants – for each vehicle, there are so many versions and variants that are going for different geographies and so on, and each one will have different codes and different suppliers, and different open source – the only way to cope with that is very strict processes that are very strict engineering processes that tell you exactly what you can do what you cannot do, and how you need to document everything. And the technology that will do the governance for you.

Ed Bernardon: But you can’t really talk about cybersecurity and processes without mentioning SolarWinds and what happened here in the United States. And in that case, I believe that they had their processes set up, but somehow they were able the cyber threat was, they could get in there. And even though they checked everything out and it seemed like everything was perfect, right, at that last minute right before the code went out they slip that thing in there. It’s almost like over here in the United States, when we have Halloween and Trick or Treat and all that when you’re going out they say “Always be careful, there might be something sharp in that candy bar, a razor blade or something like that.” It’s almost like you check the candy and everything’s perfect and right before they seal the package after all the checks, they slip something in there. So, how do you protect against that?

Slava Bronfman: Yeah. Actually, again, this is a great example that what we discussed before. An attacker needs to find one path, one path inside and that’s exactly what happened as you mentioned, in SolarWinds. It is challenging, there is no silver bullet to that and there is no 100% in cybersecurity, there will always be this kind of risk. And eventually, a very persistent attacker would be able to get in. You cannot protect against everything. You should do the best effort that you can, especially again, not to be the low-hanging fruit for attackers. Like the old saying goes that “You don’t need to outrun the bear, you need to outrun your friend.” So, you need to make sure that you as a brand, as a vehicle manufacturer, you won’t have silly mistakes during your engineering and development. And you will perform the best practices, and best effort, and have a real budget for that. That’s another challenge in the industry that today cybersecurity, they treat cybersecurity only as a cost, it’s only costs for them. Every dollar that goes to cybersecurity makes the vehicle less profitable. And it is a challenge, right? It’s just doing your best effort putting more budgets, hiring more people, using more technology inside from the very early stage of design throughout the entire vehicle lifecycle which is 15 years, and validating every piece of that. Every piece of your supply chain, every piece of your internal development, monitoring post-production, all those practices.

Ed Bernardon: It’s interesting because we’re always willing to pay for an option like a bigger screen or something like that, but we expect the vehicle to be safe. And if the added cost goes into that what’s going to happen, is that the price of the vehicle may go up unless somebody figures out a way to do that in a more economical way. So, that’s going to become a greater and greater point of competition, I would imagine as to what car manufacturers can do that most efficiently and most securely in the future, especially as it becomes a bigger and bigger problem. So, that was the development side. So, now your vehicles out on the road and it’s going to rely on like you said V2X. So, vehicle to infrastructure or vehicle to, for instance, you want information from GPS, you want information on traffic lights, you want information from other vehicles. Even if you have a perfectly secure system, now someone could hack the information that’s going into that perfect system. How do you protect against that?

Slava Bronfman: Just pointing out all the challenges. So, to give you an even more kind of extreme scenario, if you look at autonomous vehicles today and they’re having all the cameras and radars to read the traffic lights and to read all the traffic signs to know how to drive. So, just think that there are cameras today in there. We already saw a couple of attacks like that, that you just put a kind of transparent sticker on one of the traffic signs. It says like a stop sign and put a sticker on there that says, I don’t know, that the speed limit is 100 miles per hour, whatever.

Ed Bernardon: Anything but stop, right?

Slava Bronfman: Anything, exactly anything but stop. And if a human being cannot see this transparent sticker but the camera of the vehicle for sure it’s exactly the pixels they are reading and working with. So, it’s a completely new attack vector. It’s a completely new attack vector that you are completely not familiar with from any other industries, there are no practices how to deal with those kinds of attack vectors. This is exactly what today’s security engineers and product security teams and vehicle security teams in all the automotive OEMs are starting to learn. What is the attack surface? What are the new attacks? What are the challenges? How we solve them? Cybellum, for example, is coming up with a solution that is composed of what we call the cyber digital twins, that we can create a kind of digital entity of each component in the vehicle or the vehicle as a whole. And to do the simulation of all those attacks and different attack scenarios and different attack techniques on this digital entity, again to help them both to constantly be able to test new things. Because testing new things on hardware and creating a full kind of testing beds, and scanning across all the variants that we talked about before vehicles, it’s pretty much challenging. My solution to everything is eventually technology. Processes and technology, that’s the only way.

Ed Bernardon: Now that we’ve built up this big threat and got everybody worried out there, I’m anxious to hear how Cybellum is going to solve this. But one question before we do that. Autonomous vehicles and people are, well, they’re becoming more accepting, there was a lot of PR out there. But you’re trusting a computer to drive your car, so you have to overcome that. And now we add on top of this, the whole cybersecurity threat. Do you think that if you put all this together, that people are ever going to accept autonomous vehicles, feel comfortable driving in one?

Slava Bronfman: Yeah. I remember the quote from Elon Musk that you remember he said about he was asked when autonomous vehicles will be allowed to be on the road. And he said that it won’t be the case, the case will be the cars that we drive today will eventually be outlawed because of the number of accidents and so on. And I think that will be…

Ed Bernardon: Better than the human driver, right?

Slava Bronfman: Yeah, exactly. And I think that’s pretty much the same will be with cybersecurity. Eventually, a car will be hackable and attackers will be able to hack them, but you will probably accept the risk just because it will be just a statistical thing. Cars, autonomous cars will be a lot safer than regular cars today, again because of the human factor. It will take time, but once we’ll have enough autonomous vehicles on the road, and the entire V2X communication, vehicle-to-vehicle communication will be mature enough, they will be a lot safer than cars that we drive today. And the same for cybersecurity. There will be still a risk, and we probably will be able to accept the risk. We’ll do new things that we are not doing today. We’ll buy insurance, we’ll buy cyber insurance for our vehicles, that will happen for sure. Other stuff like if you think of safe vehicles today, probably say I think of Volvo – Volvo is the safest vehicle in the world – will have the same brands for cyber. There will be some brands that will be considered more cybersecure and others and it will be definitely a factor when we will decide what brand we’re going to buy. We’re going to buy the most secure brand.

Ed Bernardon: An important feature to evaluate.

Slava Bronfman: For sure, definitely. As far as we’ll get more technology inside and will decide, okay, we want this very connected and full of screens and whatever services inside the vehicle. We will also think together with that what is the cybersecurity of that. And in the dealership, you’ll have the dealers telling you exactly how secure is this vehicle and what security mechanisms are inside, and how the vehicle before production was, I don’t know, validated with Cybellum and the Cybellum services protecting the vehicle post-production.

Ed Bernardon: Yeah, like 0 to 60 in four seconds, these interior features and the Cybellum rating of x, right? That’s the future.

Slava Bronfman: Exactly. That’s the future.

Ed Bernardon: Now let’s talk about Cybellum. And you mentioned a few minutes ago, the cyber digital twin is a key part of what you do. First, could you just explain what is a digital twin, generally? And what is it specifically when we talk about a cyber digital twin and how does all that fit into doing what Cybellum does? Trying to make autonomous vehicles, connected vehicles more secure.

Slava Bronfman: Yeah, sure. So, digital twin, it’s not a new concept, it’s been around for a couple of years now already. And digital twin is essentially a digital replica of a physical device. So, you can think that we use a lot of digital twins in the energy and manufacturing area where you create a digital twin of some systems or some smart meters and you do that some kind of simulation in some digital environment, just because you don’t want to create some physical piece every time when you want to do some tests and emulation on a digital entity. And it’s mainly used today, many use cases like predictive maintenance that you want to do some prediction on the digital device or in this digital, I don’t know, manufacturing IoT device before really updating the physical device just to understand how it’s going to react. You do some analytics on these digital twins, and again, they’re identical replicas of the physical devices, but just running in a digital environment.

Ed Bernardon: So, if I have a digital twin, it could be faster or lower cost to actually do a test on the digital twin than it would be to create the real physical item itself and run that test on the physical item. So, you could do development faster or get your final tested device out the door faster if you have a digital representation of it that’s very, very accurate.

Slava Bronfman: Precisely, exactly. That’s exactly the case. And that’s why it was invented, just because you cannot scale with hardware every time it really needs to create a physical device for every new variation of something that you want to perform testing. Another example is actually autonomous vehicles that are using a lot of digital twins for simulation. You create the digital twin of your ADAS system or some other system in the vehicle, and you do a simulation of different autonomous vehicle scenarios. And you run it on a digital entity because you cannot run the vehicle in the field or on the road and test all these scenarios. So, you’re doing that using digital twins. That’s another example.

Ed Bernardon: So, cyber digital twin. What’s that?

Slava Bronfman: Yeah, actually, it’s a trademark of Cybellum, cyber digital twins. So, we understood the challenge that we discussed today, of the scalability and how many moving parts are there, how many moving variants, how hard it is to cope with all those challenges in a physical environment, and so on. So, we took this digital twin concept to the cyber world. Each digital twin – a digital twin is a complete area there is no single digital twin – and for each kind of use case you have, you have its own digital twin. So, when we take this digital twin to the cyber world, we basically create a digital twin of a physical component that encapsulates inside all the characteristics or all the parameters that are needed for pretty much any security analysis. So, I’ll give you an example. So, you want to test some vulnerability and understand if it’s applicable to this device, can this vulnerability be exploited can exploit this device or there is a new attack technique. Can I try, can I simulate this attack technique on this device? So, the cyber digital twin actually gives you the platform to conduct all those kinds of analyses without the need for the source code of the device. Because again, you cannot get access to the source code in the supply chain kind of environment. And also you don’t need the hardware, everything is digital. This is a digital entity, a digital artifact and you can simulate everything there. And just to give you a sense, it has inside everything from the bill of materials, what this component is composed of, what are all the hardening mechanisms, what are all the encryption mechanisms, what is the business logic inside, what is the control flow, what internal components are communicating with other client internal components? And with this simulation of everything, all security analysis tasks, security validation, and so on are performed by this digital entity and, again, not needed the physical component.

Ed Bernardon: So, imagine I’m a car manufacturer and I give you a call, “Slava, I need you to help me make all the software systems in my car secure.”, and you’re going to do it with this digital twin. How do you create it? How do you create a digital twin? You must, I would imagine, you have to know about a lot of the details of all the software that’s not only in the car, but all the software systems are going to interact with the car. That seems like a really big task.

Slava Bronfman: Absolutely. It is a big task. That’s why Cybellum has been around for almost five years developing this solution. So yes, we are getting, first of all, all the software of the vehicle and getting it usually from back-end systems that OEM is already maintaining. Usually PLM systems like Siemens PLM solution that we are integrating to and getting all the software that is eventually in the binary format of that, that is eventually getting into the vehicle. The security, the product team can actually create the vehicle structure or model the vehicle structure inside the system to exactly say what component is communicating with other components and how, and also connected to all the kinds of back-end or other applications like the mobile app and the key fob and so on. So, by integrating the back-end systems, and getting the binaries, or the fuels of all the components that are in the vehicle, the user, Cybellum user can actually model the entire vehicle and then basically perform all the security analysis that they wish.

Ed Bernardon: As a car manufacturer, do they come to you at the very beginning before they even write the code? Or is it more, “Okay, here’s my system, and now you test it out?”

Slava Bronfman: So, it’s a mix. Cybellum today we sell a product eventually installed on the customer’s servers and they use it today for both. Our recommendation is, of course, to start with systems that you even haven’t, as you said, haven’t written a single line of code to make sure that eventually, they will be secure. But life is life, and there are already cars that are on the road or just before SOP, just before production and you need to make sure to validate their securities as well. So, it’s a mix and today it’s for both.

Ed Bernardon: If I’m sitting there coding, does he give me feedback and say, “Hey, wait a minute, you’ve made a mistake here, make sure you consider a, b or c.”, does it work like that?

Slava Bronfman: Exactly. And for every case, for every new version that you upload – it can be just the development version – you get a full list of what are all the vulnerabilities, what are all the threats and risk and weaknesses that you implemented into the code, whatever the best practices that you missed. Eventually, there is the cybersecurity policy of the organization, and I find for Daimler or whoever I have my own cybersecurity policy, once you code something or do something that is out of the policy, you get exactly a report of gap analysis. What are the gaps from the organizational policy or some industry policy, and also, what are the gap resolutions? The recommendation is a step-by-step kind of guideline of how to fix things and what is the best practice. And actually, we also focus a lot on education to not only give you the explanation, “Hey, change this back to this.”, but actually what’s the reason behind that. Because, we understand that the developers of vehicles today are not cybersecurity experts, and it is important for them.

Ed Bernardon: Educators you develop.

Slava Bronfman: Pretty much so, yeah. It’s very important in this industry to create this awareness and to explain what is the root cause, what is behind our recommendation, why we think this is better. This will eventually lead to better software build or more robust and secure software.

Ed Bernardon: We talked early on about offense and defense. And in order to have a good defense, you got to understand the offense. And the hackers are always figuring out that next best move. How do you stay ahead of the hackers?

Slava Bronfman: It’s a challenge. First of all, as you said, you need to think like a hacker and not just like a defender. You need to think like one, constantly read, and being up to date with all the new attack techniques, something that is constantly evolving. You need to stay up to date with a lot of the things that are happening in the darknet because many of the things are starting there. So, you need to be on top of all the threat intelligence and new attack techniques, new attack mechanisms, and so on. But even if you do so, eventually an attacker can be one step ahead of you. So, I think that the only way that you can do that is going kind of to the basics and focus on the root cause of things, to create a secure design, kind of design a secure vehicle. Things that won’t change in a year or two, you need to create to just fix vulnerabilities as they occur and not just put more and more security mechanisms and hope no one will find out those vulnerabilities and no one will find out your default passwords or open ports or whatever mistakes you made to the code. So, I guess really fixing issues from the root to detect the root cause of stuff, fixing it, and not just do some workarounds, that’s the only way that you can keep up with attackers.

Ed Bernardon: Always diligent, yet always had to be ready. Have you ever hired or is it worth hiring people that used to be hackers since they’re the ones that know how to do it? Do you do that?

Slava Bronfman: So, if it’s a white hat hacker or what we call it an ethical hacker or someone that of course doing hacking for…

Ed Bernardon: Someone you can trust.

Slava Bronfman: Yeah. I think there is a sane line, but it’s an important line, once you cross this line, we don’t want to deal with – at Cybellum – ethical things. And as long as you on the right side that and doing, if you’re a hacker…

Ed Bernardon: Just hire the good guy hacker, right?

Slava Bronfman: Yeah. But yeah, definitely a lot of the team in Cybellum is today composed of people that did hacking during their military service, and so on.

Ed Bernardon: Maybe to close out here a little bit, staying ahead of the hackers that are out there and that’s one of the main goals here. What can you tell all our listeners that will put them at ease that if you’re using the digital twin, the cyber digital twin, if you’re working with Cybellum that, “Hey, everything’s going to be alright.”? What can you tell us sort of to close things out and let us know everything’s going to be alright?

Slava Bronfman: I’m a positive thinker and I believe that everything is going to be alright, that’s for sure. I can tell you that there is a lot of new regulation that is coming up. All OEMs and all the tier ones are adopting this kind of regulation. So, all cars that are – all connected cars that are going to be in a year or two – now will follow very strict cybersecurity practices, cybersecurity processes. And each component, each piece of code in the vehicle going to be validated against cyber threats and for cyber risk, and for various weaknesses. So, this is happening as we speak, and this will only increase. So, the guys that are manufacturing our cars are taking care of that and are thinking about that. The other part is that more and more vehicles today are secure, really secure by design. And this is starting, meaning that if someone is breaching, hacking your car, it’s really hard to get to the safety zone, meaning to what’s really controlling the physical aspects of the vehicle. And the other part again, I’m an engineer, so everything is down to numbers. So, statistically, it is still safer than driving a vehicle. The number of accidents that we see because of the human factor is a lot bigger than what we will see even if there will be a lot of cyber threats, or cyber-attacks. So, I guess we’re still in a good place.

Ed Bernardon: Well, listen, thank you so much for giving us such a great overview of the problems and also how we can address some of the issues related to cybersecurity. Before we finish though, we’d like to end with our rapid-fire section. And it’s a series of quick questions, some general questions about the automotive industry, some questions more about what you do when you’re not working, let’s just say. You can give me a quick answer if you want. If you want to pass you can also pass and if you’re ready to go, we can get started. Are you ready for rapid-fire?

Slava Bronfman: I’m ready for rapid-fire.

Ed Bernardon: Ready, as you ever can be. Okay, so what was the first car you ever bought or owned?

Slava Bronfman: I had a very old car, it was a small Fiat and Italian Fiat, model 1992. It was barely driving. Yeah, it was when I was a student.

Ed Bernardon: A model 19? I don’t think I’ve ever heard of that. Is that like a 500 or something even smaller?

Slava Bronfman: I think it’s a bit bigger, but like a square car, it was a Fiat Uno, the model.

Ed Bernardon: Well, hopefully, it ran most of the time.

Slava Bronfman: Most of the time.

Ed Bernardon: The older Fiats teach you how to fix cars. Did you pass your driver’s test on the first try?

Slava Bronfman: I want to think so, but I remember it was the second. Actually, it was the second.

Ed Bernardon: What happened on the first try?

Slava Bronfman: I’m still convinced that the tester was wrong. And I was okay. It was about a parking spot that I needed to get in and he said that I did it wrong, but nothing serious.

Ed Bernardon: It was the test, it was a problem with the test.

Slava Bronfman: Yeah, the tester. Yeah.

Ed Bernardon: Have you ever gotten a speeding ticket?

Slava Bronfman: Actually, I got this kind of speeding ticket just a couple of months ago, but it was driving an electronic scooter. I was driving on the sidewalk in Tel Aviv and was a bit speeding and also it’s not really allowed to drive on the sidewalk. So yeah, I guess I could have thought of that.

Ed Bernardon: You didn’t hit anyone or anything.

Slava Bronfman: No, never.

Ed Bernardon: So, in Israel, do they have police on scooters that chase down the speeding scooters? Is that how it works?

Slava Bronfman: They don’t chase you down. They just know the strategic places that they can stand at and they just can stop you there. And they are taking advantage of some corners and stuff like that.

Ed Bernardon: In the future, when we have autonomous cars, we’d like to say they’re going to be like living rooms on wheels. Let’s say you’re about to take a five-hour trip in the future in your living room on wheels. What would you have in your living room on wheels? Describe it to us.

Slava Bronfman: I always imagined something might be even simpler, but I always imagined that like a business class that we have in airplanes today. That it’s going to be very much similar, you have your bed, you have your screens, you have a small minibar, you have everything equipment for a five hours drive that you can just take off and do whatever you want with these five hours. Lean back or work some and you have your Wi-Fi and connectivity and everything. Yeah, so I always imagine this kind of business class, like in the airplane model that we’ll have in the vehicle.

Ed Bernardon: Now on that five-hour car ride – what person living or not living – would you want to spend that ride with? If you could have anybody you want, in the history of the world.

Slava Bronfman: In the history of the world. So, actually, I’ll go for Elon Musk. I think this guy’s amazing, he’s so creative and things that he thinks about and envisions and imagines how he also executes and how he managed his time and how he built these great companies. Just asking him a couple of questions and discussing with him the future of mobility, the future of humankind.

Ed Bernardon: Well, here’s your chance. If you had one question and only one that you could ask Elon, what would you ask him? You only have 10 seconds to figure out what it is.

Slava Bronfman: To ask Elon? How he can really manage all these companies and come up with all these creative ideas and manage his time and manage, still to create some kind of work-life balance and everything in 24 hours?

Ed Bernardon: What car best describes your personality?

Slava Bronfman: That’s a tough one. Maybe an electronic scooter. Also, an electronic scooter to be agile and drive on the sidewalk.

Ed Bernardon: Quick turns, get through the small spaces. Perfect. All right, we’re going to shift gears just a little bit. What’s your favorite spy book or spy movie?

Slava Bronfman: So, just The Spy. The new one with Sacha Baron Cohen that is playing the Israeli spy interiorly coin just comes to mind and Trophy. It’s a great one.

Ed Bernardon: What’s your greatest talent not related to anything you do at work?

Slava Bronfman: Snowboarding. I’m really good at snowboarding. I love it.

Ed Bernardon: Have you been snowboarding in the United States?

Slava Bronfman: Yeah, in Lake Tahoe. It’s a great place.

Ed Bernardon: Ah, yeah. That’s great powder out there. We could do another interview about snowboarding. We’ll do that. Save that for another time. What do you wish you were better at?

Slava Bronfman: I’m really trying to get better in yoga. I practice it for quite a while now and I’m still so-so.

Ed Bernardon: What do you wish you understood better?

Slava Bronfman: I’m always fascinated and more curious about how we think. So, maybe psychology and all the interaction between the logical and the emotional, and so on. It’s very interesting.

Ed Bernardon: If you could have an answer to any question, what would that question be? Besides the one you asked Elon Musk.

Slava Bronfman: I guess I really want to know who is behind Bitcoin. The guy. Who is Satoshi Nakamoto? Who has really created the thing?

Ed Bernardon: If you could un-invent one thing, what would it be?

Slava Bronfman: I would not invent the microwave. I don’t like it. It dries food, it’s not helpful at all. I would un-invent the microwave for sure.

Ed Bernardon: And here’s the last question. If you could magically invent one thing, what would that be?

Slava Bronfman: Yeah, very trendy to saying vaccines or something where they’re already invented. Maybe in the context of our podcast, I would say that vehicles that are just working and running on air, no fuel, no electricity, nothing. Both to help with all global warming and so on, but also probably one of the biggest challenges that the entire industries.

Ed Bernardon: With that, you have solved all the world’s problems.

Slava Bronfman: For sure. That and the vaccine, and we’re good to go.

Ed Bernardon: Slava, thank you so much for joining us on the Future Car podcast. It was really fun learning about cybersecurity, and a little bit about you, and like you said, solving a lot of the world’s problems here.

Slava Bronfman: Thank you, Ed. Thank you for having me. It was really fun and thanks again.

Slava Bronfman - Guest, Cybellum CEO and co-founder


Slava is a highly experienced cybersecurity and automotive leader and entrepreneur who works with automotive OEMs and suppliers worldwide on implementing risk assessment solutions. He is an official representative of the Standards Institution of Israel in the ISO 21434 standard technical committee, leading the ISO 21434 Use-Case TF, and a member of the NTIA Software Component Transparency working group, working on future standardization of Software BoM. Slava is also an automotive software risk assessment and ISO/SAE 21434 evangelist, regularly presenting at automotive conferences and organizations.

Ed Bernardon, Vice President Strategic Automotive Initiatives – Host


Ed is currently VP Strategic Automotive Initiatives at Siemens Digital Industries Software. Responsibilities include strategic planning and business development in areas of design of autonomous/connected vehicles, lightweight automotive structures and interiors. He is also responsible for Future Car thought leadership, which includes hosting the Future Car Podcast and development of cross-divisional projects. Previously he was a founding member of VISTAGY, which developed lightweight structure and automotive interior design software and was acquired by Siemens in 2011. Before that, he directed the Automation and Design Technology Group at MIT Draper Laboratory. Ed holds an M.S. in mechanical engineering from MIT, a B.S. in mechanical engineering from Purdue, and an MBA from Butler.


The Future Car Podcast

Transportation plays a big part in our everyday life and with autonomous and electric cars, micro-mobility and air taxis to name a few, mobility is changing at a rate never before seen. On the Siemens Future Car Podcast we interview industry leaders creating our transportation future to inform our listeners in an entertaining way about the evolving mobility landscape and the people that are helping us realize it. Guests range from C-Level OEM executives, mobility startup founders/CEOs, pioneers in AI law, Formula 1 drivers and engineers, Smart Cities architects, government regulators and many more. Tune in to learn what will be in your mobility future.


This article first appeared on the Siemens Digital Industries Software blog at https://blogs.sw.siemens.com/podcasts/the-future-car/how-cyber-security-startup-cybellum-defends-against-automotive-cyber-security-attacks/