In the automotive industry, security is safety. And auto software security testing, like all security testing, needs to shift left to be effective.
This is Part 3 of a three-part interview about automotive industry cyber security practices. Part 1 introduced automotive cyber security challenges. Part 2 is about connected car security resources and priorities.
Synopsys and SAE International commissioned an independent survey of current cyber security practices in the automotive industry. The Ponemon Institute, which conducted the survey, questioned 593 professionals responsible for contributing to or assessing the security of automotive components.
Chris Clark, principal security engineer, strategic initiatives, at Synopsys, and Tim Weisenberger, project manager, technical programs, at SAE International, spoke with Taylor Armerding, senior security strategist at Synopsys, about some of the highlights of the final report, Securing the Modern Vehicle: A Study of Automotive Industry Cyber Security Practices, released this month.
The report found that firewalls and gateways are the most common security controls in vehicle software. Why is that a problem?
Chris: Automotive manufacturers looked at what the IT industry did. One of its first steps was to put some level of firewall or intrusion protection at the entry points for the vehicle. Most of today’s modern vehicles have a gateway that is the egress and ingress point that is heavily protected and monitored.
But attackers are going to find a way around that method of protection. So it is a good starting point, but it’s not as effective as we would hope or like it to be. As technology progresses and there is more autonomy within the vehicle, we are going to have to look at technologies like self-healing and more advanced monitoring that would allow OEMs to manage the cyber security of a fleet of vehicles much more effectively.
Tim: Putting up a wall is not the cure for everything. As Chris mentioned earlier, defense-in-depth is the right approach. Things like firewalls and gateways are just one security control. But once you’re inside the network, communications are occurring among everything, literally touching innocuous things, like the infotainment system, plus safety-critical systems, like braking and acceleration. We have to look at how we protect the network on the inside. And that gets into message authentication, key management, and making sure that your communications security is robust.
What is the problem with security testing late in the product release process?
Tim: It’s better than doing nothing. But you’re not using your security resources efficiently. It’s much more expensive to do it later, because now you’re running around checking and testing for vulnerabilities in something that’s been designed and built already.
Chris: We hear regularly that adding security testing is expensive. There is a cost to it, but from a programmatic standpoint it’s the classic hockey stick. When you start doing this, it’s very expensive and it adds time because everybody’s getting up to speed on proper testing methods and where testing should be done. But if we start to shift left—moving that testing earlier and earlier—we start to see a reduction in the cost. Eventually it gets to where cyber security is just one of the standard processes, just like safety testing for a vehicle. The time and expense will pay off later.
What is the highest-priority change the industry could make to get the most improvement in its cyber security?
Tim: I say it is simply to make some low-hanging fruit changes that don’t take a ton of developing a process or spending a lot of key resources. Funding is scarce; personnel are scarce. If you don’t feel the resources you have in-house have the right skill set, get them some training. There are very simple training modules to develop key skills like secure coding practices.
Chris: First take a step back and evaluate what you have. You have to understand where you are, what your knowledge level is, what your capabilities are, what you can deliver. Once you have that, you can address key areas based on risk. That’s where the BSIMM [Building Security In Maturity Model] is useful. It shows you what people in your industry are doing in their software security initiatives—what’s working and what’s not. Because it’s not something where you walk in one day and say, “We’re going to address security,” and you finish it at the end of the week. It’s continuous growth and evolution.
Tim: If I were to advise the head of a cyber security team at a company, I would say take this report, read it, figure out where your issues lie, where the rest of the industry says their issues lie, and then start figuring out where you should prioritize. It may be different for different companies.
Chris: One of the most important points to take out of this is that security is an evolving process. Organizations shouldn’t look at the survey and be upset. They should realize that people in the industry really are interested, want to make changes, and look for the right partners to address those changes. They should look at this as a growth opportunity versus a threat to their industry.
Tim: We at SAE feel we are the best convener of the industry in the mobility space. We were happy to be approached by Synopsys to commission this survey, because this research has never been done in the automotive space. We now have empirical data to validate our hunches. From here, the next steps, once the industry absorbs this a bit, are to look for solutions we can drive throughout the industry. How do we make ourselves more secure, which equates to safer?
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.