Posted by Taylor Armerding on February 6, 2019
Automotive cyber security is a high-stakes endeavor, as software vulnerabilities in connected cars can threaten lives. A new report reveals industry concerns.
This is Part 1 of a three-part interview about the report Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices. Part 2 is about connected car security resources and priorities. Part 3 discusses how to improve auto software security testing.
Everything is a computer, from “smart” devices to home security systems to the massive infrastructure that delivers our utilities and provides mass transportation.
Or in the case of vehicles, many computers. Hundreds of them that control everything from infotainment to safety systems like steering, acceleration, and brakes. A modern vehicle is a collection of computers, run by millions of lines of software code, housed in a metal skin with wheels.
That means automotive manufacturers are software companies as much as they are transportation companies.
And vulnerabilities in that software can put the physical safety of vehicle occupants at risk. The damage from a malicious hack or breach of software running a car can be much more serious than credit card or even identity theft. It can hurt or kill people.
But even though “connected cars” are becoming mainstream, with autonomous vehicles well beyond the drawing board and into the testing phase—sometimes on public roads—we’ve lacked the data needed to understand the automotive industry’s cyber security posture and its capability to address software security risks inherent in connected vehicles.
To fill that gap, Synopsys and SAE International commissioned an independent survey of current cyber security practices in the automotive industry.
The Ponemon Institute, which conducted the survey, surveyed 593 professionals responsible for contributing to or assessing the security of automotive components.
Chris Clark, principal security engineer, strategic initiatives, at Synopsys, and Tim Weisenberger, project manager, technical programs at SAE International, spoke with Taylor Armerding, senior security strategist at Synopsys, about some of the highlights of the report on that survey, Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices, released today.
What is the top takeaway from this report?
Chris: I think it’s that the industry has started to make some serious improvements from a security perspective, but there is still a lot of work to be done. This is not necessarily a negative thing. It’s pretty typical of what we see in other industries. It’s in the process of becoming more mature. The automotive industry is expert in supply chain management and developing new vehicles. But when we start talking about the implications of software in a highly connected environment, there is opportunity for change.
Tim: The good news is that the industry really is aware of the cyber security threats they’re facing in the entire ecosystem of vehicles that are so interconnected. I think they’re pointed in the right direction. Their resources may be applied a bit more thinly than they’d like. But they’re very aware of their strengths and shortcomings.
Every industry that relies on technology has its own unique security “attack surface.” What components of vehicles pose the greatest cyber security risks?
Tim: At the high level, a majority of respondents (62%) think it is likely or very likely that malicious attacks on their software or components will occur within the next 12 months.
They identified a couple of components as having the greatest risks—RF technology and telematics. What’s most concerning is that these technologies are extremely common in vehicles. When you look at RF technologies, like Wi-Fi or Bluetooth, those are really communications protocols. So the auto industry is using open mobile communications just like every other industry. They’re not purpose-built for automotive.
Chris: That’s a good point. There’s a lot of commodity components that go into vehicles that may have a bit of customization. And any type of customization of an existing solution could lead to potential security vulnerabilities.
But when it comes to what particular components pose the greatest security risk, I look at it from a gatekeeper perspective. If we can keep the attacker out, we have a much better chance of maintaining a secure state within a vehicle. But as seen in the IT world, the gatekeeper will be compromised at some point.
So we need to look at security-in-depth, and that applies to anything in the vehicle. If we focus on something like an infotainment system, attackers simply move to another area that is not as robust. Overall, we have to look at security more holistically, to address it throughout the entire vehicle ecosystem of supporting technologies.
Automotive manufacturers rely on a supply chain of hundreds of independent vendors for their software components. What risks does that supply chain pose?
Tim: The industry knows it has a really complex supply chain. Some of the benefits of that are that manufacturers build high-quality, safe, and feature-rich vehicles very efficiently. But of course, that complexity can introduce some security risks.
The biggest is whether your various suppliers have built cyber security appropriately into the component, which is easier said than done. When you put together the specifications for a component, you have to make the security requirements generic enough so people can innovate, but specific enough so that whether the component comes to you from supplier A, B, or C, when it’s plugged into your system, your security is consistent. That gets back to how the whole thing needs to be looked at holistically.
Chris: Looking at the overall supply chain is one of the most powerful components or processes that an automotive manufacturer can do. The pressure of getting components ready to go to market is unbelievably compressed. Even though, for the outsider, it may seem like a very long time between vehicle models, it’s actually relatively short.
So when we look at the survey, and 19% of respondents said they don’t do enough security testing during the requirements and design phase, and only 28% said that development and testing is where they do a lot of the testing, it is clear that effective testing is happening far too late. For the majority, testing is post-release, which can lead to a 6x–14x increase in cost.
So if we enable suppliers to improve cyber security testing and vulnerability management early through the supply chain, we get a much better result.
Tim: That’s right. You really need to take a risk-based, process-driven approach to building cyber security throughout your product development life cycle. But the twist is, that life cycle has to include a whole bunch of different-tiered suppliers that bring it together. Right now, you’re seeing too much of a catch-basin approach, where there is holistic testing after it’s all done. It’s good to try to find all these vulnerabilities. But it should be done during the design phase.
Want to know more? Tim, Chris, and Larry Ponemon of the Ponemon Institute will discuss the report’s key findings in our webinar Shifting Gears: Focus on Cybersecurity, Feb. 27 at 1 p.m. EST.
Get the latest AppSec news and trends sent directly to you.