A Hacker's Perspective: Cybersecurity and Autonomous Vehicles
A Hacker's Perspective: Cybersecurity and Autonomous Vehicles - SAE GT LinkedIn Live

Video Transcript:

Mark Pickett, the Technology Transfer Program Manager at SAE Government Technologies, hosted a discussion on cybersecurity in the context of autonomous vehicles. The event featured Jennifer Tisdale, CEO of GRIMM, and Matthew Carpenter, Senior Vice President of Technology and Security Research at GRIMM.

Mark Pickett: Hello everybody, and welcome to another LinkedIn live event brought to you by SAE Government Technologies. For those of you who don’t know, my name is Mark Pickett. I’m the Technology Transfer Program Manager. We are super excited to welcome a couple of guests today, two individuals from the company called GRIMM. We have Jennifer Tisdale, the CEO, and Matt Carpenter, the senior vice president of technology and security research.

And the reason I’m so excited today is because we’re going to get a hacker’s perspective about the topic of cybersecurity and autonomous vehicles. So, please, Jen, Matt, please introduce yourself and talk a little bit about your company and your role.

Jennifer Tisdale: First of all, thank you so much for having us here today, Mark. I really appreciate the opportunity. But as I am the CEO at GRIMM, we are a cyber research arm that came here specifically, to work with Matt Carpenter when I first met Matt and his team and the work that they were doing with autonomous systems, it was head and shoulders above the rest.

The type of innovation, the type of research, the way that, they were building a niche within the embedded systems cybersecurity community, back then, which was 2012 or 2013 when the practice started, the company began a couple of years prior to that. It was just really, I think, a real milestone within the cybersecurity and, and in particular the automotive community.

So I came here happily, not to be a hacker. I am not the hacker in this conversation. Of course it is, Matt. But I came here to help build the business model around the business of breaking. And Matt and I and the rest of our team have had a great time trying to figure out what’s next and where the industry is going so that we can be ready for them.

Mark Pickett: Thank you, Jen. Matt.

Matthew Carpenter: Hi, I’m Matt Carpenter, and I’d like to point out that this may be the hacker perspective in the agenda, but it’s definitely also the hacker CTO perspective because what Jen throws out there is always so full of gold nuggets that, that I want to shut up and let her talk a lot. Yeah, I, I got involved in computer exploitation back in 2004, learned how to do software reverse engineering and exploitation and hardware reversing and exploitation and.

Wow, ten years ago, last month, Bryce and the founder invited me to join him to start the critical infrastructure team. Or it’s now called CyPhy, the cyber physical systems team.

Jennifer Tisdale: That is trademark.

Matthew Carpenter: Thank you, Jen. To, to bring nation state level exploitation experience and knowledge and, and focus to make the world a better place, whether that’s in government, military or commercial side for, you know, making our critical infrastructure stronger, better, more resilient. And so far we’ve been doing a pretty good job. It’s been a lot of work, but we’re surrounded by amazing people doing incredible work.

Mark Pickett: Excellent. Yeah. Thank you for that. And I will point out that Matt did not hack our backgrounds, that actually Jen and I figured out how to be at the same place at the same time. So that was pretty awesome. Pretty proud of myself. So for the audience, again, thanks for joining us. If you have a question, please type it in the comment section and we’ll get to the end of the program and we’ll read those questions and see if we can stump Jen and Matt.

So again, yeah, I have a question. Type a question in the comment section. Let’s go ahead and get started. Just give us a high-level perspective of the landscape, the cybersecurity landscape in the context of autonomous vehicles from your.

Matthew Carpenter: So autonomous vehicles. Along with, autonomous vehicles have an interesting, set of constraints. When it comes to cybersecurity. Oftentimes the initial things that come to mind for autonomous vehicles, as opposed to just connected vehicles are the simple fact that there’s probably not somebody in charge of the vehicle that can defend the vehicle. So, imagine a, you know, autonomous taxi for example, with nobody driving.

And there’s an interesting little port or, or a part of the, panel over on the left hand side that nobody’s there to tell you not to touch. And maybe it gives you access to the vehicle systems. Maybe it gives you access to an uplink. So that’s this is the type of thing that differentiates automotive or autonomous from connected.

That and manipulating autonomous vehicles, AI and programming. Knowing that they’re not supposed to run you over. And this plays out in, in New York City, but it plays out in the military vehicles. If you’re in a hostile area, with the military convoy that’s automated. And this is, this is a years long conversation. The fact of the matter is, the people who get killed the most in a convoy are the people driving.

They’ve noticed that if they don’t have somebody in the driver’s seat, fewer people get killed by far. And so they’re putting a lot of effort into protecting, protecting our soldiers by autonomy and autonomy. I love that. Automating their convoys. The problem is, we’ve already shown that IEDs given to a two year old or a four year old are not outside the realm of possibility.

Now, imagine a four year old that’s just been told to go lay down in front of this vehicle. The vehicle, assuming it recognizes that the kid is a kid and it’s not going to run them over. Suddenly, that convoy is at the mercy of this small child and whoever’s controlling them.

Mark Pickett: Yeah.

Matthew Carpenter: You know, from their physical security of your vehicles are really important. And oftentimes there’s somebody with a gun in the back of the vehicle. So maybe, maybe that’s I don’t want to overstate it too much, but these are all concepts that, that we’re talking about. Where it’s Matt.

Mark Pickett: If I may jump in. Yeah. You know, where are we at in terms of, you know, in a lot of environments like the armor space, for example, there’s more and more new threats and there’s more and more new armor systems trying to catch up to those new threats. Is there a gap like that in cyber security with respect to autonomous vehicles?

I mean, how far behind are we? Give us a sense of are we on target or are we keeping up with the pace of nefarious actors, or are we behind?

Matthew Carpenter: So the cat and mouse game that you’re describing is the same all throughout cybersecurity. There’s always, as long as there are people who are wanting to leverage cybersecurity issues for their own ends against some adversary. We will continue to have this cat and mouse game. Now, the benefit as opposed to what you just described a second ago.

The benefit is that, for the last.

How long? Math I can math, I swear, for the last eight years or so, we’ve had a lot of attention put on connected vehicles. So as far as cybersecurity is concerned, autonomous is gaining the value of heavily hitting on the need for securing your connected vehicle systems to start. So from that regard, we’re actually doing fairly well.

With, with the base, the actual vehicle itself, how to hack it over the cellular signal, how to hack it over there. Your tire pressure management via some band radio or your Bluetooth. These things. We’ve been putting a lot of effort. We need a lot more. Please don’t. Don’t take that to say that. Hey, we’re all great.

Call it quits. We need a lot more. However, as opposed to the Jeep hack in 2015 where we really had. We’ve not paid any attention. Now, that’s not saying that we haven’t been talking about cybersecurity since 2010 about vehicles, but it wasn’t until the Jeep hack of 2015 where my wife and daughters, who are definitely not technology or not computer savvy.

They’re hearing about car hacking for the first time. You know, we we’ve got a lot more. We’ve had a lot more concern and a lot of energy put into it since then. Autonomous systems. We have been looking at cybersecurity for autonomous systems for nearly as much time. We’re talking maybe 2016 is when I first ran into autonomous systems.

Cybersecurity, whether it was in 2016 or 15, I don’t remember, with a great conversation with, with a good friend, Darius Mikulski. Talking about robotic military vehicles. Part of partly why I’m so interested is that conversation sparked something inside of me. So go ahead.

Jennifer Tisdale: Now, please finish your thought. I just, I.

Matthew Carpenter: I keep trying to bring it back to the actual question, so I apologize, but, We have yet to discover where we’re weak in autonomous vehicles. That’s the end of the. That’s the end of the that’s conversation.

Jennifer Tisdale: I think I’d like to add a couple of two things. Not from a hacker perspective, but from, an economics, perspective. And government perspective. And I want us to be very careful to not conflate the two different worlds that we’re talking about, one being commercial automotive and the other potentially being autonomous systems for a military platform or application.

So I am a volunteer with the National Defense Industrial Association. I am the Cyber, director for the Michigan chapter and lead their initiatives for embedded systems cybersecurity. One of the biggest differentiators between what we see overseas and a global perspective for defense or national security is that other countries are finding more robustly, offensive research, practices, tools and tactics.

We’re doing it here also, but it is not applicable to our commercial market. In the same way that it may be applied in other countries, industries and commercial markets. And so I think we have to be cognizant that we are not comparing apples to apples. When we talk about commercial autonomy versus military autonomous systems. There is there is a barrier of difference there.

And the economic drivers behind that, are percolating every day with what that could mean from a national security perspective. I would point out briefly, in the 2023 cyber strategy that was published by DoD, it did not include embedded systems. It did include critical infrastructure. And I think that is indicative of what we see, from global events, geopolitical, global events, whether it be Russia, Ukraine, whether it’s Gaza and Israel, whether it’s China, right.

I think because of that, we’re paying more closely, more attention to, the CIA, to the critical infrastructure. But my professional opinion would be that that also has to include autonomous systems and vehicles, because if we are able to get capabilities of Matt and team or others around the globe, who are doing this research, come across something, in which it can be enabled to be what’s the right word, Matt?

Weaponize. Maybe, weaponize. It could be looking at commercial vehicles, being used for purposes that were never intended for them to be used for. I will put this on the table for our automotive friends or especially our domestic automotive friends. Right. I know that they tend to shudder at the, at the notion of the Hollywood-esque concepts, and I deeply appreciate that.

Because I we can get lost in the sauce. Right? We can get lost in the coolness of that. What that means and what that could be. It’s a rabbit hole that’s never ending. But I think that we. Awesome.

Matthew Carpenter: Furious eight. Yeah.

Jennifer Tisdale: Yeah. The new one that’s on Netflix, too. And somebody just mentioned to that to me yesterday, with Julia Roberts, I can’t remember what it’s called. But we’re getting a lot of glorified hacker cinema. And I don’t think that we’re keeping up with what’s reality and what is dramatic. And where will those two worlds potentially collide.

And that’s something I think that we need to be mindful of. If we’re talking about national security, is that others are looking at that more robustly than we are. And I’ll pause there for now.

Mark Pickett: So I will click on that for just a second, if you don’t mind, Matt. So, okay, when we see a, you know, geopolitical event, okay, gets our attention and maybe gets a response out of our government. What needs to be done organically here, Jen, do you think, in terms of trying to create awareness about the problem, about the vulnerabilities, and then how do we get that funded?

What do you think it’s going to take organically?

Jennifer Tisdale: I think we have a lot of people. It’s not militarily. It’s not unlike commercially in the sense that we have a lot of people rowing in the same direction, but they’re not harmonized. They’re not syncing up with each other. I think we have a guise of information sharing that’s out there. But we’re not doing it. And I say it, I say it apprehensively because I know there are business rationales behind it.

We don’t want to give our competitors an edge because we’re over sharing our vulnerabilities, with our particular products commercially. And we don’t want to publish too much, too much in the various actor in another country could read or see or understand. Right. So, so we want to info share, but we have to do so cautiously. I think we need to do that in a real way.

We really need to be focused on community building and cybersecurity. And if I’m talking too fast, please give me a nonverbal cue. I tend to do that when I get excited.

Mark Pickett: If I’m if I’m keeping up with you, you’re doing fine. Okay.

Jennifer Tisdale: But I am a, an advocate for cyber community building, and we need more of it. And we need to get to a place where industry and government can let down their guard. That sounds a little, rose-colored glasses, I know. But we need to be able to have those conversations in a way that helps.

Lower those barriers, to, to take away the fear for industry that it’s going to be somehow turned into a regulatory conversation. And hence help us all do what we need to do, which is, you know, create technologies that are used for the protection of our citizens and for the protection of our warfighters. And until we can get on the same page.

You know, I think we’re going to really be struggling with that. And some of it is happening in good faith. They get budget, right. You get budget, flow down from the mothership, if you will. Right. It goes to DOE or it goes to the FTC or the FCC or DOT or FAA, and they get their budget to do a certain goal and they move forward.

But they’re not talking to each other.

Mark Pickett: I think.

Jennifer Tisdale: An industry to.

Mark Pickett: Like. Yeah. Thank you. I appreciate that perspective. And I think, you highlighted something and that the environment, creating an environment, a neutral convening environment, where people can come and collaborate and communicate. And I think I might even know a company that does that. A shameless plug for SAE. But anyway, Matt, I think you wanted to comment further, I interrupted you, I apologize.

Matthew Carpenter: So many comments. So many comments. Oh, by the way, Jen, you missed XYZ and F. I think in those in those three letter acronyms you threw, I, I actually want to piggyback onto her other comments and say that, in addition to creating the environment where we can collaborate, we can make better security, we also want to be focused on workforce development and creating, spaces and environments that entice and encourage the curiosity of younger or just, you know, maybe younger to the field people.

Because we desperately need we need it to be okay. We need it to be normalized. We need we need people like myself and my colleagues to be viewed as potential helpers and not the adversary.

Jennifer Tisdale: I think that’s been, a long conversation that we’ve had at GRIMM and I’m sure within other pockets of the community as well, is how do we how do we take the stigma away from being a hacker? Right. It’s always used with, with such a negative connotation, but it really takes all of us to come together, to inform these discussions and to inform how we should design with cybersecurity in mind for product.

And we find ourselves, I think, in a better place today. I just, I just want myself and with you, Matt. So apologies, but I think we find ourselves in a better place today than we were just a few short years ago. And that’s incredible, considering, this niche area of the industry is still pretty young.

Mark Pickett: I tell you how when I, when I first met you, Jenny and somebody said she works for GRIMM. I’m like, oh, what does GRIMM do? Oh. They’re hackers. I was like, why are they not in prison?

Jennifer Tisdale: Well, there you go, Jenny.

Matthew Carpenter: Happy. But, but I’ll say it anyway. I would not be me where I am today if it weren’t for you being around. So I appreciate you can lump yourself in with me anytime.

Jennifer Tisdale: All right. Here I am.

Matthew Carpenter: So, yeah, I have so many, so many things I want to jump off on there. The, remember fate of the series, the fast eight. Fast. Fast and the furious eight movie where they had the raining cars scene, massive super hacker leveraged thousands of zero days, which is kind of amusing and something I won’t go into right now, but, to take over hundreds of vehicles in, I forget what city.

It doesn’t matter. Including a bunch of vehicles in parking garages and as a as a foreign dignitary comes around the corner in the south, you know, hundreds of cars come piling out of the, the parking garage, the multilevel parking garage, and just demolish the area around him. All autonomously. So when talking about autonomous vehicles, they represent different and unique and novel attack vectors, which I’ll talk about again in a second.

But one of the things to keep in mind is it’s not necessarily the attack vector that changes as much as the effects. So for that, for anybody who doesn’t understand, or have any experience when you’re attacking a computer system, you’re finding a weakness. You have to have some way to influence the computer system, most often a network connection over the internet or over wireless or something.

And then once you exploit that weakness, you may have some extra control or ability, but you’ve got to do something with it. And so what happens after you throw the exploit is called post exploitation. And that’s the, I took over a machine and put a, put a, put malware on it, but put, ransomware or, you know, some sort of a command and control thing back to so that I can control the, the computer system that I took over.

What autonomous vehicles offer that traditional vehicles don’t is a whole bunch of logic that actually is intended to drive the car. So imagine with me, I exploit your 2020. What are you driving, Jen, a 2022 Jeep? What is it?

Jennifer Tisdale: Bronco?

Matthew Carpenter: Oh, a Bronco. Okay. You.

Jennifer Tisdale: They asked to drive my car. Often I’m very apprehensive, but.

Matthew Carpenter: So I exploit that over your telematics uplink to the internet, which is? It’s a cellular connection, has some sort of ties to the internet and then ends up back at, at Ford, in this case, in their back end. And Ford can issue all sorts of commands but not go in there right now. I hack your, your Bronco.

Somehow I am then forced to manually drive that thing. I have to write the code to drive that thing, to do something with it. Now, oftentimes, I mean, I think worst cases actually just let you drive and wait until you’re doing 70 down a highway and then steer you hard left into oncoming traffic. So I mean, that’s something.

But imagine then.

Jennifer Tisdale: You thought about that too much.

Matthew Carpenter: You want.

So now imagine an autonomous vehicle where I can say, all right, just drive the Frick to this location and do this thing. You know, it becomes hacking for DoorDash, you know, go pick me up these drugs and then bring the car back, dump off the drugs at this location and go home like the owner may never know it was gone.

And I don’t have to write a lot of code to make that happen. It becomes a very empowering technology when it comes to hacking. So that’s what I wanted to throw out there. AV makes the post exploitation tasks far more powerful. Nice and all right. Thinking now, as far as attack vectors, the ways to influence and hack an autonomous vehicle, there are a number of different new systems on autonomous vehicles or systems that are used in new ways, like, for example, forward and rear facing cameras, cameras on the sides, radar, lidar, and.

There’s probably audio stuff in there somewhere. Now imagine each of these as a relatively new addition to a car, because they kind of are. You know, we’ve been having we’ve been having the assisted driving for a while. They’re using some of these technologies to warn you, hey, you’re about to run into something and flick that little light on or vibrate your steering wheel or other.

That vibrating steering wheel may cause me to run into somebody one of these days. So there’s a lot of research that’s been done. This is novel research. It’s not like take over the car research, but it’s definitely, influence the car in strange ways, where lidar, for example, is spoofed. You can make a car think that somebody is standing in its way and nobody’s there.

There are radar tricks, and, there’s camera tricks, and you can do things with lasers and you can render these systems. Inoperable or somehow degraded.

And then you’re down to what the logic is internal to the vehicle. For what? What to do when I actually am in driving blind if I, if I. Yeah. But imagine lidar, radar and hitting the cameras and making them all basically disagree about what’s going on. What’s the car do. Now I have been I grew up in Flint, Michigan.

I, I’ve been around the automotive industry for my entire life, and I’ve had the opportunity to, to tour a number of facilities. And I one of the things that I got to, I got to see was how they basically rained down hellfire and brimstone on their vehicular systems before they let them out into the air, into the field, literally causing lightning bolts to see how the things behave and trying to make sure that, and I think that was it was GM I got to see that from and so it’s, it’s a form of robustness testing that happens on the physical side of the vehicle.

We have something we have an idea of something like that for software, but it’s not nearly as robust. It’s not been around very long. And I’m not sure that everybody really has it. So one of the things that we, that we need to be doing with autonomous vehicles is running more than just simulations, but simulations as well.

But a combination of simulations on the autonomous driving software for okay, radar gets knocked out. Radar does weird things like lidar, you know, and hitting all of the major new core systems that autonomous brings to the table and making sure that the that the software keeps working, that we’re still driving or better yet, not driving, if that’s if we’re driving blind.

Mark Pickett: Yeah. Let’s jump on that for a second. So when you think in terms of cyber security in the community, it takes a village, right? There’s a whole supply chain. You’ve got, OEMs, you’ve got people involved in the in the supply chain, you’ve got government policy shaping. What is that? Maybe just a question for you, Jen.

I’m not sure, but what is that community looks like and is it well organized or is it fragmented?

Matthew Carpenter: I’ll let you answer first.

Jennifer Tisdale: Thanks a lot. I think I think the quick answer is everyone is there. Whether or not they’re siloed is another question. I think that we are still having some degrees of silo from industry to industry, meaning, maybe somebody who’s developing the communications aspect or not part of the R&D team within an OEM or the tier one supplier or what have you.

So I think there’s still some fragmentation. I’m hoping we get some comments. I’d love to hear from anyone in the audience who can share what’s going on in there. But I think organizationally, even how they’re structured, there’s been some corporation, within one company. Right. We’re talking about industry right now. So I think that, we’ve seen some progress in how those I’m going to call them teams or departments within a company are starting to work together.

Or maybe they’re being restructured under a CSO or a CIO. Within their organization. I think we’re seeing contractual flow downs. This is true both within the government, within the DIB, defense industrial base and commercial automotive. Right. We’re flowing down cybersecurity requirements for our products through our supply chain. The challenge with that becomes the smaller the supplier, the less likely they are to be able to have the cyber resources, budget or expertise, or know how, to, to run those cybersecurity, testing if it’s testing, right, or gapping down or whatever the case may be.

And so I think we have some more education to go. We’ve certainly made a lot of progress in a short period of time, but the short of it is there’s a ways to go.

Mark Pickett: Gotcha.

Matthew Carpenter: So my response is a little harsher. It’s hostile. We’ve got, 50 to 100 years of OEMs and suppliers beating each other down for pennies, trying to push prices as low as possible. And it’s been a very difficult, arena for a long time. So typically and traditionally in the past, we’ve had from a, from a electronics perspective, a smart components perspective, we’ve had OEMs that are the main integrators, the designers, and they farm out most of the actual vehicle creation to tier one, tier two suppliers.

They give very specific specifications, saying sorry for the redundancy there. But saying we need this thing to be like this and we need the software to interface with the vehicle like this. And so then they, they basically they have most of the software being developed by a bunch of different suppliers, oftentimes re duplicating efforts for, operating systems.

You know, we’ve got six different suppliers. Each one has to maintain their own operating system version or software security stack for, for the different ECUs that they supply. What we’re seeing right now is OEMs starting to get smart to the fact that that’s a really high cost to pay. They can actually do it cheaper to bring it back in-house and maintain the technology.

Understanding in-house. And so we’re seeing the, the introduction of a software defined vehicle. Which is really cool because this is, this is signs of the automotive industry growing, because I remember a number of years ago, Tesla was the pariah. They were the non Detroit, US company doing automotive. And they weren’t they weren’t given any respect.

They were they were kind of treated as the enemy. And this is an example where Tesla has done something. I’m not going to say how. Well because you know, that’s a religious debate, but they’ve done something that makes a lot of sense. And all the other OEMs are starting to take notice and wrap in some of the lessons learned into their own process.

That is, having one massive computer system, that runs the vehicle and creating, in many cases, creating virtual ECUs in that, you can think of them as virtual machines in your laptop, which it’s actually not that far off. Instead of having your brake controller have its own computer, its own operating system, or developed, firmware image, all that stuff, bringing that more central.

It makes it easier to manage. It makes it easier to hack, maybe a little bit. But there’s a lot of economies there that, that are driving the OS to, to bring it all back and out. So that will change the discussion over the next 5 or 10 years.

Jennifer Tisdale: But I think that if I could just, because I feel like I’m very protective now, Matt, you’ve made me protective of the OEMs. They have a big job in front of them, right? Like they’re balancing ICE vehicles and the emergence of EVs, and they’re trying to redefine and redesign who and what they are. Some of them are trying to pitch as tech companies versus automotive companies, in particular within the supply chain.

So there is a lot there is a robust change that’s happening, and it’s a lot to balance. They have challenges with that. I think they know it. I think we know it too. Maybe more so. But what I, what I would present is that it is all still relatively new, from 100 year old industry plus to something that’s only 10 to 15 years old.

It’s going to ebb and flow. We’re seeing pivot. When I came to GRIMM six and a half years ago, six and a half years ago, I think it was still the Wild West, right, with automotive cybersecurity. And they didn’t know what they didn’t know. Here we are six years later, six plus years later. And we’re starting to see with, you know, the work of SAE and other bodies, under the UN, etc., with, with those standards that have been implemented.

Some of the worry that I’ve heard you expressed, Matt and others at GRIMM and others, from some of our, our frenemies that are out there, is the fear that compliance to standards is the opposite of cyber security, that it creates the antithesis of the practice that we would like to see happen as security professionals, right where it’s ongoing and innovative and you’re looking at what’s next and what the next technology introduced into the system of systems might bring to the fore.

And so I think that we can anticipate additional change within the industry collective five years from now. I don’t think it’ll look anything like it does today. And five years ago, it didn’t look like today. Now. Right. So we’re going to continue to see that that evolution of practices happen. And it’s incumbent on us as GRIMM.

Others like us in our whole community of automotive cybersecurity to talk to each other and keep pace and to go to what’s coming next and let ours deal. What’s here today?

Matthew Carpenter: I don’t think I was beating up on OEMs. I really had like I was trying to paint a really generic picture there where I’m not favoring any OEM and I’m just.

Jennifer Tisdale: Protective that, you know.

Mark Pickett: I’m starting to see some questions come in. That’s fantastic. And reminder to the audience, if you have questions, we’re running toward the end of time. Please. Andrew, those in the comment section, I just I probably one of the last question or so here. What are we? You know, we have wait. Go ahead. Matt.

Matthew Carpenter: I wanted to clarify, the I think the story. I’m trying to make sure he gets a lot of thoughts around Grimm is that standards are a good start. They’re not necessarily the end to the antithesis, but by standardizing Mark, I hope I don’t upset you here by standardizing. The goal is to reduce or remove or limit the amount of thinking required.

I don’t think that’s the actual goal, but it’s kind of the goal. Having been on several standards bodies or standards committees, generating things, it’s trying to remove much of the unknown and make it so that you don’t, so that you’ve got an easy button wherever you can have an easy button. The, the thing that we’re pushing for within Grimm and in other some, some of our, our competitors, it’s, is that we that we have a good starting point of standards because they’re vital.

If we don’t have standards, we can’t we can’t standardize on what things to what things to test, what things to poke at. Now, we also have to always have the creative part, too. We always. So standards get you to a base minimum. But that’s not actually security. That’s a good start. Kind of like CIP for energy grid that nobody would nobody would ever tell you.

NERC CIP was enforcing security. But it was a heck of a good start for a lot of companies who weren’t even close. So it’s a foundation. In talking about your smaller suppliers and energy grid since I got myself started on there. A lot of that same thinking happened, back in 2007, 2006, I think, you remember with the IRA grants and, Obama and the IRA grants pushing a lot of money into cyber, cybersecurity for the power grid, among many other things.

In that time, you had huge mega electricity. Suppliers, and then you had the you had the mom and pop shops, you had the municipals, and you got the co-ops. And the idea was these smaller companies can’t afford to do security. Right. And so a lot of the, a lot of the energy companies that were bigger pulled together and said, we have to do it right for them because they affect us.

And so they’ve they tried to make it so that it was really easy. And they would give easy buttons to the smaller folks.

Mark Pickett: Right, right. Okay. I want to get to questions before we run out of time here. Thank you for that, Matt. One of the questions here, what would you say is the difference between the vehicle hackers and the aftermarket gray market industry that supports the racing tuning community? I’m not sure I understand that question.

Matthew Carpenter: Intent. There’s a so the goals or the goals are mildly different. Some of the there’s definitely significant technology overlap and skill set overlap. In fact, I was I met, met a guy from, a big tuning company, within the last year or so, who we had really fun conversations because our worlds collide left and right.

Now, his goals that he can talk about had more to do with, you know, enabling getting more torque and horsepower out of an engine and changing the power curves and stuff that, that people care about for, for going fans of which I’m one. But, but that’s a different discussion. But our goals is our goals center around, controlling the vehicle.

Remote code execution is the term that that I’m always pushing for. You know, we can we can spoof things on the CAN bus. But I want to own the ECUs. I want to be able to shut off functionality that I don’t like, for, you know, I don’t I don’t want there to be a message that tells me how fast I’m or tells the other ECUs how fast we’re going.

So I’ll just write that code right out of that ECU and then take over everything. That. Does that make sense? Maybe it’s good. Maybe it’s been, the but the intention, the intentional use is different. So maybe I’m a good guy and I want to I want to help make vehicles safer. Or maybe I’m a bad guy and I want to crash and cause chaos or reduce the efficiency of some foreign conglomerate trucking industry, for example.

You know, the. Yeah, I used the word intentionality, and now I just paint myself into a corner. But, the desired effects, whether they be good or bad.

Mark Pickett: Yeah. And I this contributor went on to say, and I think this is helping me understand the first question. Do you see those aftermarket companies becoming more hacker like as they become more connected? And is there an insider threat at OEM and tiers that is growing to support the aftermarket?

Matthew Carpenter: Ooh, and just really interesting. Do you want to jump in on that? Jen I.

Jennifer Tisdale: Go ahead.

Matthew Carpenter: Okay. So I will say that, well that was three things I want to respond to. If I can remember them. Well what was the first part again.

Mark Pickett: So do you see, but aftermarket companies becoming more hacker like as vehicles become more connected?

Matthew Carpenter: I mean, maybe, maybe I doubt it. Like they have a revenue stream. They’re actually very respectable folks who have a revenue stream. What does becoming more hacker like look like? Is it stealing BMW and whatnot? Because the technology they understand maybe. But then, I mean, that’s a risk. Anybody takes my company or, you know, we would never do that.

But you know, we that’s more that an individual.

Jennifer Tisdale: Would never do that.

Matthew Carpenter: And then we would put it. But it’s going to be a one off where somebody leaves and takes the knowledge, you know, takes their experience and skills to do something nefarious. So that’s actually more important in this. This goes back to a conversation Jen and I had years ago about. Getting to know and trust people before teaching them to hack. You know, we were we had a we had a cybersecurity push for, elementary and high school students.

And I actually was I pushed back going. They haven’t they haven’t shown their character yet. So I don’t want to give them that bazooka. If I don’t know that, they’re not going to point it at somebody. So the next thing, what was the,

Jennifer Tisdale: Keep inside.

Matthew Carpenter: Of the person? Sorry. Insider threat. Yes. It, insider threat. Oh. At the always in suppliers maybe to. And here’s the thing. Yeah, it’s worth aftermarket. So here’s the thing. Talking with several OEMs. I’ve got several very good friends. And each of the, each of the major, major domestic OEMs, and they’re not afraid of aftermarket.

They’re afraid of the they don’t want their intellectual property to be reduced in value. They don’t want terrible things to be done with their vehicles. They don’t want, your safety to be reduced. That’s their goal as far as aftermarket is concerned. I was talking to one OEM who just implemented, signed firmware, on all their vehicles at boot up, like the, like the ECU starts up and make sure that that nothing’s changed and that it’s signed.

And his reaction was the aftermarket is important. Modding is important. They can pop the chip off and just solder another chip down because that’s totally doable and we don’t care. We’re worried about maintaining the safety and security of our fleets. What was the last thing? There’s one more.

Mark Pickett: No. That’s okay, I think I think we’ve exhausted that question. And we have to be brief with this one because we’re running out of time. But I think it’s important. How does artificial intelligence machine learning complicate cybersecurity? Autonomous vehicles? 20-second answer.

Matthew Carpenter: There’s no way to know what AI is like. It’s like a it’s like a human being. I’m not saying that we’re to general intelligence or anything, anything like that. But it’s the Spaniards know how to how to differentiate. There’s two words to know. There’s to know. Like I know that this is blue and then there’s to know, like, I know.

Jennifer Tisdale. Like I don’t know Jennifer Tisdale. She’s a very complex human being that I could never know ever. I barely can know myself to some degree. So there’s this word that says I just don’t know. And the an AI falls into that. I can only know what I, what I kind of know, and I’m not even sure about that.

And that’s the problem.

Mark Pickett: Yeah, it’s going to it’s going to definitely make it more complex. Yeah.

Matthew Carpenter: Like I said, 20 seconds.

Jennifer Tisdale: Are you throw on that to me, I am oh, I am just simply echoing what Matt said. Because if he doesn’t know, I don’t know for sure. But what I do know is that we are having these conversations, at length at an upcoming NDAA Cyber Physical System Security Summit in Troy, Michigan, May 7th, 8th. We’re going to explore all of those topics there, too.

I hope you’ll join us.

Mark Pickett: And that’s a Troy area.

Jennifer Tisdale: Troy Marriott. That’s right.

Mark Pickett: All right. Thank you both. Tremendous I really appreciate you guys coming. Thanks everybody for contributing. Sorry you’re going to get to all the questions in the chat section there. But thanks again Matt and Jen everybody have a wonderful afternoon.
