2015 SAE Battelle CyberAuto Challenge

July 13-17, 2015

Troy, Michigan, USA

Delphi Innovation Center

Frequently Asked Questions (FAQs)

Why was the CyberAuto Challenge established?
The CyberAuto Challenge, since its inception in 2012, has sought to be a resource to the automotive industry by providing a confidential environment to explore cyber issues as a community of industry, government, academics, researchers and students. It has ignited interest in the automotive industry among "cyber-centered" college and high school students and provided a neutral forum at which engineers from different manufacturers can discuss common issues and help resolve common challenges. It has also served to facilitate collaboration among engineers from different organizations to form the germ of a topical community of interest. The Challenge has served as an exemplar that the automotive community:
  • takes cybersecurity seriously
  • is engaged on an ongoing basis to understand the risks
  • is keeping the core auto engineer well connected to the cyber community
  • is developing an auto cyber community of interest
  • is developing an auto cyber workforce pipeline

What is the CyberAuto Challenge and what goes on during the week?
The Challenge is a week-long (5 day) practicum-based workshop - a series of classroom lessons and discussions alternating with hands-on work that exposes high school and college students to real cars, real equipment, real communications protocols, and real industry experts.

The curriculum starts with an introduction, a legal briefing, and an ethics briefing. Technical courses follow on Tuesday and Wednesday and include topics such as CANBUS, electrical vehicle architectures, principles of reverse engineering, automotive data forensics, telematics, and analysis of attack surfaces. Tuesday afternoon is usually dedicated to a "field trip" to a relevant local location, followed by a "mixer event" and a keynote speech. On Thursday afternoon, we initiate an "all night Hackathon" in which teams conduct assessment activities on provided automotive learning platforms (cars). On Friday morning, the teams present their results in a confidential briefing to Challenge team members only. A reminder course on ethics and legal matters and some wrap-up procedural activities follow, and the week concludes with lunch on Friday.

What is the value to the auto industry?
The Challenge creates an environment in which engineers from different backgrounds, industries, and organizations can jointly consider both immediately practical and theoretical problems as well as participate in sessions moderated by leading cybersecurity experts. As a result, the Challenge provides opportunities to explore and discuss issues with peers and experts that are simply not possible within the traditional automobile company. When the engineers from different organizations jointly work on projects, and jointly engage in mentoring college and HS students, it forms a very rich basis for meaningful dialogue and the avenue for new ways of looking at problems (because the HS and college students will have lots of ideas, will challenge long-held notions, and literally require that everyone look at things with fresh eyes). As the engineers across the automotive industry's cybersecurity domain of concern work together and build relationships among themselves, the strength of the industry and its body of knowledge flourishes. Moreover, the engineers have the opportunity to work with great students and identify possible intern or full-time workers for the future.

Who participates in the Challenge?
The SAE Battelle CyberAuto Challenge seeks to compose teams which have an equal ratio of working professionals to students, and embody many different points of view - from automotive manufacturers to the Department of Transportation, Department of Homeland Security, and Department of Defense, to different research organizations, and students at different levels and with slightly different technical backgrounds. Teaching is not lecture-based and this is not going to be the kind of environment in which everyone has the same background and training. Carefully chosen, highly competent participants interface openly with everyone else on their team. Everyone can learn something from everyone else, and the nature of the coursework and practicum will stress intra-team interactions.

Team composition is made up of high school and college students, OEM and supplier engineers, government representatives (e.g. DOT, DOD, DHS), STEM educators, and security researchers ("white hat" hackers). The typical team composition is:
  • 2-3 Auto Company (OEM) engineer(s)
  • 1-2 Supplier engineer(s)
  • 1 STEM educator
  • 1 Government engineer
  • 1 Academic researcher (or white-hat hacker)
  • 4 College students
  • 4 High-school (HS) students
  • 1 Facilitator

Visitors are invited to attend lectures and keynotes of general interest. They are usually senior managers and government officials. Their visit helps to promote the benefits of the Challenge and to obtain their organizations' support of future Challenges. Visitors are approved by SAE.

Media do not participate in the Challenge. Members of the media are carefully selected by the Challenge Officers (Patti Kreh and Karl Heimer) and invited to attend lectures or keynotes of general interest. Media are always escorted by Challenge staff and not allowed in the vehicle area.

How is SAE International involved?
In December 2014, SAE announced its engagement with the Battelle CyberAuto Challenge. Battelle established the CyberAuto Challenge in 2012 and nurtured the event for three years. Now Battelle is transitioning the leadership to SAE. SAE is leading the event for 2015 and future Challenges. The name of the event has changed to the "SAE Battelle CyberAuto Challenge" in acknowledgment of SAE's leadership.

SAE sees great value in the Challenge's ability to bring together students and engineers from different backgrounds, industries, and organizations to collaboratively consider both immediately practical and theoretical problems relating to automotive cybersecurity. This is a new and growing field for the automotive industry. The industry has relied on SAE for over 100 years to support the development of its future workforce. This intersection of students and engineers is perfectly aligned with SAE's objectives in STEM education and life-long learning for automotive professionals. We see that SAE can help to improve the value of the Challenge by leveraging our close and longstanding partnerships with the automotive community.

How is Battelle involved for 2015?
Battelle established the CyberAuto Challenge in 2012 and nurtured the event for three years. Now Battelle is transitioning the leadership to SAE. Battelle is committed to continuing its support by providing planning experience and security subject matter experts.

How is Delphi involved?
Delphi is hosting the Challenge at their facility in Troy, MI. The Challenge will be held in their garage and Innovation Center Monday, July 13 through Friday, July 17, 2015.

How is Michigan Economic Development Corporation (MEDC) involved?
As part of the State of Michigan's automotive and defense cyber strategy, MEDC is engaging many Michigan institutions, businesses and organizations to assist in the planning and support of the Challenge. MEDC is working to increase the number of Michigan students and businesses involved with the Challenge with the goal of establishing Michigan as the center for cyber-auto and cyber-defense talent.

How is SquareOne Network involved?
SquareOne is responsible for Michigan student and teacher/educator recruitment. SquareOne Network has deep experience in providing K-12 students opportunities to pursue technology oriented careers through authentic, hands-on science, mathematics and engineering opportunities. SquareOne's extensive Michigan connections are helping to support MI Governor Snyder's desire to increase the number of Michigan students in the 2015 Challenge.

How many people participate in the Challenge?
In 2014, about 110 people attended the Challenge. We expect about the same number in 2015.

About 64 people participated for the entire Challenge week as members of vehicle teams, and about 40 visitors attended over the span of 5 days. Visitors are invited to attend lectures and keynotes of general interest. They are usually senior managers and government officials. Their visit helps to promote the benefits of the Challenge and to obtain their organizations' support of future Challenges. Visitors are approved by SAE, badged for easy identification, and escorted by Challenge staff for the duration of their visit. Visitors are not allowed in close proximity to vehicles or allowed to work on vehicles. Visits can be arranged for 1-2 hour blocks of time on Monday, Tuesday, Wednesday and Friday lunch. Visitors will not be accommodated on Thursday or Friday morning. Contact SAE to arrange all visitors.

Who are on the vehicle teams and how many individuals are on a team?
Team composition is made up of high school and college students, OEM and supplier engineers, government representatives (e.g. DOT, DOD, DHS), STEM educators, and security researchers ("white hat" hackers). The typical team composition is:

  • 2-3 Auto Company (OEM) engineer(s)
  • 1-2 Supplier engineer(s)
  • 1 STEM educator
  • 1 Government engineer
  • 1 Academic researcher (or white-hat hacker)
  • 4 College students
  • 4 High-school (HS) students
  • 1 Facilitator
A total of about 16 people make up a team. Each team works together for the entire week on the same vehicle. The number of team members is intentionally low to maximize interactions and relationship building between team members. One of the many benefits of the Challenge for students is experiencing real professional teamwork at play. Professionals benefit from the unencumbered thinking of students. Both benefit from mentor-protégé relationships.

What is different for 2015?
The name of the event has changed to the "SAE Battelle CyberAuto Challenge" in acknowledgment of SAE's leadership. Important changes for 2015 include:
  • Codification of information sharing protocols to ensure a safe, trusted and confidential environment for all participants.
  • Auto OEMs wishing to participate for the week are required to contribute a vehicle, and OEM engineers will only work on their own vehicle.
  • SAE, a not-for-profit, is seeking funding to offset costs (which may be tax deductible) through sponsorships from OEs, suppliers, and other contributors.
Other changes include:
  • In support of Michigan's workforce development efforts, we are seeking to increase Michigan student participation, targeting 50% MI school representation (16 out of 32).
  • To broaden interest in future years, we are seeking to increase aerospace, commercial vehicle, defense and gov't sector awareness by inviting guests to observe the Challenge during the instructional and social activities time periods.
  • SAE will grant a "certificate" of merit/completion for students to include on their resumes
  • Potential Information Sharing pilot using Challenge results; table top exercise by members of the proposed auto-ISAC. Proposed pilot process:
    • As discoveries are made during the week, the OEM analyst applies an information sharing filter/criteria and then passes them to representatives acting as information sharing analyst(s)
    • Information sharing analyst(s) generate appropriate alerts/notices, etc. during the week
    • Extends professional participation to Friday afternoon (most students leave after lunch); invite potential ISAC members to pilot debrief
    • Briefing with potential ISAC members on results of information sharing pilot

What is the same?
The founding mission of the Challenge remains the same - helping to forge a new discipline of Automotive CyberSecurity Engineering by:
  • Creating awareness of cybersecurity issues relevant to the consumer automotive industry
  • Facilitating collaboration among industry, government and academia
  • Attracting high school and engineering college students to choose careers in the automotive industry; specifically cybersecurity
  • Improving the skills and knowledge of the current automotive professional workforce in cybersecurity
The format and flow of the Challenge remain the same - a 5 day practicum for vehicle teams comprised of students, auto engineers, government, academia and security researchers. The technical programming is essentially the same, with Karl Heimer, creator and founder of the Challenge, engaged and responsible for executing the program. Battelle, Michigan Economic Development Corporation, SquareOne Network, and Delphi are active Partners in providing support in a variety of ways - by providing subject matter experts, facilities and other resources. Students will be required to complete pre-course work, and then a selection process is conducted by a group of STEM educators to invite the brightest minds from high schools and colleges to participate. As in past years, a selected number of guests will be invited to observe the instructional portions and social activities of the Challenge, enabling SAE to broaden the support and expand the program in the future.

Cybersecurity is a sensitive topic for the automotive industry. What confidentiality protocols are in place?
SAE is dedicated to the creation of a safe and trusted environment. We are keenly aware that recent comments made at a conference could call the confidential environment of the Challenge into question. SAE is dedicated to providing a safe and confidential environment for all participants - before, during and after the Challenge. To that end, SAE has developed a set of protocols for participants to follow. The protocols clarify the past practices and expand the expectations for all Challenge participants for 2015 and going forward. Contact SAE for the Challenge Information Sharing Protocols.

What if something is discovered on a vehicle during the Challenge, how is it handled?
OEMs provide the "Learning Platform" (the vehicle) which teams use during training and exercises. Any team findings are debriefed (verbally) by Challenge officers (Patti Kreh and Karl Heimer) and by SAE legal. The team OEM engineer or representative is present during these debriefings and will help guide the discussion. No visitors or media are present during these briefings. Individual and organizational non-disclosure agreements (NDAs) will then be reviewed and restated. In the event that an OEM would like to highlight the result, they can request that SAE waive the particular NDA provisions for a specific and narrowly stated disclosure, but ONLY the OEM can make such a request to relax the Challenge's non-disclosure policies.

What happens to vehicle data capture and data logs at the conclusion of the week?
OEMs provide the "Learning Platform" (the vehicle) which teams use during training and exercises. The OEM providing the Learning Platform is the sole owner of all results and logs associated with their platform, and also receives all written notes regarding the platform. SAE erases data from all computers (we provide the computers used during the Challenge) and then low-level formats all the hard drives to ensure residual data deletion.

Are the results of the Challenge published?
No, the results of the Challenge are not published. The OEM providing the Learning Platform is the sole owner of all results and logs associated with their platform, and also receives all written notes regarding the platform. SAE erases data from all computers (we provide the computers used during the Challenge) and then low-level formats all the hard drives to ensure residual data deletion. Any team findings are debriefed (verbally) by Challenge officers (Patti Kreh and Karl Heimer) and by SAE legal. The team OEM engineer or representative is present during these debriefings and will help guide the discussion. No visitors or media are present during these briefings.

While specific results will not be published, SAE will create and publish materials, per these information sharing protocols, articulating the value and benefits of the Challenge for promotional purposes.

SAE will publish and confer a "certificate of merit/completion" for students to include on their resumes.

How is the Challenge funded?
For the first three years (2012-2014) Battelle invested in and fully funded the Challenge. As the Challenge has matured, the industry is now supporting the event through sponsorships and contributions. SAE is leading the event for 2015 and future Challenges. We are looking for sponsorships to create an immersive, relevant learning environment in support of the development of the future cyber auto workforce. Sponsorships are new for 2015; they will help offset expenses associated with this event including student accommodations, meals, transportation, learning materials, hardware kits, and other tools necessary to participate in the Challenge.

We are looking for OEMs to provide:
  • a current production vehicle to utilize as a learning platform
  • 2-3 OEM engineers as team members for the entire week
  • a technical expert to teach an on-site course
  • sponsorship support
We are looking for suppliers to provide:
  • 1-2 supplier engineers as team members for the entire week
  • a technical expert to teach an on-site course
  • sponsorship support

We are looking for other organizations to provide:
  • technical experts as team members (e.g. facilitators, researchers) for the entire week
  • a technical expert to teach an on-site course
  • sponsorship support

What types of expenses does the Challenge incur?
About 50% of the expenses are dedicated to developing intensive, immersive and relevant course work, lectures and experiences. Approximately 20% of the expenses are spent on student lodging, transportation and meals. Rental of computers, learning materials, tools, tables and chairs, visitor meals and transportation, registration, insurance and meeting planning make up the remaining 30%.

 
Expenses:
  • 16% - Program and course development
  • 19% - Student lodging, food, transport, certificates
  • 12% - AV, sound system, lighting, computers, tools, chairs, tables, signs, etc.
  • 10% - Non-student attendee food, beverage, transport
  • 6% - Student and sponsor recruitment
  • 5% - Meeting planning, coordination
  • 2% - Security, insurance, medical, registration, legal fees

What are the sponsorship opportunities?
We are looking for the industry to support the Challenge to create an immersive, relevant environment for learning in the development of the future cyberauto workforce. Sponsorships are new for 2015; they will help to offset expenses associated with this event including student accommodations, meals, transportation, learning materials, hardware kits, and other tools necessary to participate in the Challenge. SAE can provide a menu of sponsorship opportunities for OEMs, suppliers and other organizations.

Are contributions and sponsorships tax deductible as a charitable donation?
SAE International is an IRS 501(c)(3) charitable organization. The following represents SAE's understanding of the tax law but is not meant to be tax advice. You should consult your accountants/tax advisor with any questions you may have. By definition, a corporate sponsorship is a payment to a tax-exempt organization by a payor engaged in a trade or business, provided that the payor does not expect any substantial return benefit. The use or acknowledgment of the payor's name, logo, or product line in connection with the activities of the tax-exempt organization is not considered a substantial benefit. With this definition, a payor's treatment of the payment is going to depend upon their intent. If the payment is made with a charitable intent, then a charitable deduction under Section 170 would probably be allowed (again, you will need to consult your tax advisor). If the payment is made as an ordinary and necessary trade or business expense, you should be able to take it as an ordinary deduction (practice development, advertising) under Section 162.

How many teams will participate in 2015?
For 2015, the target is four (4) teams. Due to the high interest in the Challenge, we are prepared to accommodate up to six (6). The number of teams is determined by the number of vehicles donated by automakers.

Is there a limit to the number of teams?
Yes, for 2015 the Challenge is limited to a maximum of six (6) teams. The limiting factors are the number of vehicles provided by automakers as well as the space and resources required at the facility. Since interest is high, expansion is planned for the future.

Who selects members for each team?
OEM engineers will work on the vehicle provided by their organization. The Challenge officers (Patti Kreh and Karl Heimer) will select other members of the team in consultation with the OEM vehicle owner. OEMs are encouraged to recommend suppliers which provide product for their vehicles. Challenge officers will invite and confirm the other team members.

Does the instructional course work change each year?
Somewhat. A few different subjects are included each year based on new areas of concern for the industry. In 2015, we are looking to include topics on information sharing and virtual modeling. However, fundamentals like CANBUS, forensics and reverse engineering are taught each year to serve as a good base of knowledge for the development of the future cyber auto engineer.

How are students recruited?
In addition to Battelle's past educator contacts in Ohio and Maryland, SAE is leveraging its network of faculty members at major US universities. Plus we've engaged SquareOne Network to recruit Michigan high school and college students.
  • High School - we rely on outreach through the school system. We present information about the Challenge to administrators and teachers (and, when possible, through State Departments of Education). Individual instructors subsequently nominate some of their highest aptitude students for the course.
  • College - we work with schools and professors whose programs align with the goals and conduct of the Challenge and recruit both undergraduate and graduate students who are both high-aptitude and who can help be a mentor figure to the high school students.
Students submit a resume or letter about their interests and skills with their teacher's or school administrator's recommendation to cyberautochallenge@sae.org.

How are students selected?
Each student candidate must have a cognizant person (teacher, school administrator, coach, pastor, scout leader, etc.) provide an email or memo attesting to the strong ethical character of the candidate. Each student candidate must enroll in and complete preparatory educational course work and screening sessions on-line (during April - June) that teach and measure progress on topics such as cryptography, automotive communications protocols, and programming basics. The top scoring students are invited to attend the Challenge.

Who develops the student pre-work?
A STEM education organization, figmentofimagination, has coordinated and developed the preparatory course work for students for the past 3 years and will develop materials for the 2015 Challenge. Students will work through these materials in advance (during April - June) to prepare for the intensive on-site program. Their progress in completing this pre-work is used as the final selection criterion for selecting participants from the many applicant students.

What types of subjects are students required to know before Challenge Week?
There is some variation in on-line coursework each year which reflects the changing nature of some of the electives taught on-site during Challenge week. Core courses, however, are always taught and evaluated. These core courses are Linux and CANBUS. Examples of other coursework include cryptography, fundamentals of engine design, secure coding practices, microcontrollers, and embedded development. On-line qualification for students is the final selection criterion used for selecting participants from the many applicants.

Are automotive technical experts involved in teaching any of the courses?
Involvement of automotive professionals and their tacit knowledge is an important component of the Challenge. We are seeking industry professionals to deliver lectures on relevant cybersecurity and connected vehicle topics. Those interested in teaching at the Challenge should contact SAE.

What will students receive at the completion of the Challenge?
SAE will confer a "certificate of merit/completion" for students to include on their resumes.

How much does it cost for a student to participate?
The Challenge is free for the student. We do not want students' economic situation to dictate attendance. Attendance is merit based. Meals, lodging and local transportation are provided. Students are responsible for getting either to Detroit Metropolitan Wayne County Airport (DTW), where a shuttle will pick them up, or to the Delphi Innovation Center in Troy, MI.

Parents are welcome to accompany their student on Sunday, July 12 for registration and orientation and on Friday, July 17 for lunch and closing general interest session.

All other attendees are expected to make their own arrangements for lodging and transportation to/from the Challenge.

How much does it cost for a professional to attend?
The Challenge is free for invited professionals. We expect professionals to make their own arrangements for lodging and transportation. SAE is seeking sponsorships and contributions from participating OEMs and suppliers as well as other interested organizations to support the Challenge.

SAE, in consultation with OEMs providing vehicles, will invite and confirm professional team members. Team composition is made up of high school and college students, OEM and supplier engineers, government representatives (e.g. DOT, DOD, DHS), STEM educators, and security researchers ("white hat" hackers). OEM engineers will work on the vehicle provided by their organization. OEMs are encouraged to recommend suppliers which provide product for their vehicles. The Challenge Officers (Patti Kreh and Karl Heimer) will invite and confirm other members of the team in consultation with the OEM vehicle owner.

Will media (reporters, journalists) be in attendance?
Media do not participate in the Challenge. Members of the media are carefully selected by the Challenge officers and invited to attend lectures or keynotes of general interest. Media are always escorted by Challenge staff and not allowed in the vehicle area.

SAE or one of the automobile trade associations (e.g. Auto Alliance or Global Automakers) may plan a media event in conjunction with the Challenge to make a related industry announcement. Media are not allowed in the Challenge area.

Who are the Challenge officers?
Patti Kreh, SAE ITC, O: 248 273 2474, M: 248 210 5418, kreh@sae.org
Karl Heimer, AutoImmune, M: 410 900 5345, karl.heimer.pro@gmail.com, karl.heimer@autoimmune.io

Who is the SAE contact?
Patti Kreh, kreh@sae.org, O: 248 273 2474, M: 248 210 5418