Lessons from a 40-year-long automotive OEM leader
Paul Cha is a cyber and product security leader, serving as the VP of Cybersecurity at LG Electronics Vehicle component Solutions. Paul held critical positions at Synopsis, Ford Motor Company, and Samsung before joining LG. He found his way to cybersecurity while working on his Ph.D. in risk management.
Paul started his career in cyber security work as a senior security solution development engineer, where he focused on smart appliances such as smart TVs and smartphones. He performed security assessments of several software and cloud services, where he developed security solutions to provide protection mechanisms for connected products.
He is responsible for product security software solutions in LG, one of the biggest Tier-1 manufacturers in the automotive industry. He spent the last few years collaborating with OEMs (original equipment manufacturers) and car manufacturers worldwide.
Paul let the Left to Our Own Devices podcast pick his brain about being a world leader tier-one certified OEM in the automotive industry. Strap in.
The main challenges faced by the product security industry
The product security industry becomes more difficult as the world becomes more interconnected. According to Paul, there are 3 main challenges product security faces. The first challenge is following the best practice standards in every software and hardware component under the growing number of regulations. It’s difficult to follow these standards because the maturity level of cybersecurity researchers and each company’s activities vary from one another.
“Supplier and supply chain management in product security is one of the topics which are hard to fulfill because most companies do not have workforce and budget resources to handle best practice cybersecurity activities.” Said Paul.
Another challenge Paul points out is the different security requirements of manufacturers. For example, some manufacturers strictly follow Automotive Spice (Software Process Improvement and Capability Determination), while others don’t. “Even though LG decided to fix vulnerabilities with CBS 7.0 or above, some manufacturers choose to resolve all bugs regardless of CBS (Cross Border Security) abilities.”
Finally, Paul points out the lack of customized systems and platforms that satisfy manufacturer security requirements. For example, manufacturers don’t provide risk findings, mitigations, or SBOMs so instant responsive codes could be archived. Still, there is no feasible system to handle this problem.
How struggling tier-one manufacturers can embed better security across their entire lifecycle
As most manufacturers have complicated supply chain requirements and are moving toward software and cloud solutions, it becomes harder to handle complicated security issues. LG was recently awarded all the top product security certificates in the world, including CSMS. An accomplishment that Paul Cha can clearly take some credit for. When asked how manufacturers can embed better security in their products, Paul provided two answers.
Manufacturers need to understand that security requirements should be declared during product development through threat analysis and risk assessment activities. Like a hierarchical chain, Tier-1 suppliers should align their security needs based on the Tier-1 threat analysis and risk assessment such as R156. While these activities are highly reliable, the practice is still poorly defined for manufacturers.
Security issues are connected across companies as many hardware and software components are sourced from one company to another. But in reality, companies only focus on their own security issues. Tier-1 manufacturers want their security policies and requirements to be strictly followed regardless of where their products will be embedded. With this kind of process, it’s hard to reach mature levels of cybersecurity in real-world situations.
Preparing for upcoming automotive cybersecurity regulations
LG continues to lead future vehicle vehicular software development by acquiring both functional safety and cybersecurity certifications. In fact, LG is the world’s first auto component supplier to meet global standards for functional safety and cybersecurity. During the interview, they Left to Our Own Devices hosts asked Paul to share practical tips and tricks for product security teams.
“I carefully observe the maturity of the software process and the organization’s structure and culture. All companies have different maturity of the development process and different organizational structures. The organization’s culture is crucial when it comes to embedding strong product security measures.” Said Paul Cha.
The second tip Paul shares is the importance of constantly prioritizing security activities. When considering company limitations like budget and resources, Paul suggests sticking to the important issues first. Paul stresses that product security and threat modeling is never going to be a one-off activity. He calls for security leaders to understand that product activities require continuous effort to improve security activities. Dynamic changes in hardware and software components from sub-tier manufacturers are unavoidable. As such, product security teams must continuously run TARA activities to enhance the quality of the product’s security.
One way to achieve this level of trust in product security is by enforcing better software testing. Robust tools are crucial for effective and productive product security development. These tools can scan all software and hardware in real-time, assessing, managing, and fixing newly found vulnerabilities in connected products.
According to Paul, the most exciting part of his career is receiving the certifications. Yet he acknowledges the hard work and the responsibility of being a global Tier-1 OEM. “Tier-1s have the responsibility to do whatever it takes to really guarantee all of the software and the hardware materials should have no vulnerability in bulk… In every piece of software and hardware that goes into the product.”