Connected car security is a priority of the automotive industry, according to a recent report. But the shortage of resources and skills is a challenge.
This is Part 2 of a three-part interview about cyber security practices in the automotive industry. Part 1 introduced automotive cyber security challenges. Part 3 discusses how to improve auto software security testing.
Synopsys and SAE International commissioned an independent survey of current cyber security practices in the automotive industry. The Ponemon Institute, which conducted the survey, questioned 593 professionals responsible for contributing to or assessing the security of automotive components.
Chris Clark, principal security engineer, strategic initiatives, at Synopsys, and Tim Weisenberger, project manager, technical programs, at SAE International, spoke with Taylor Armerding, senior security strategist at Synopsys, about some of the highlights of the final report, Securing the Modern Vehicle: A Study of Automotive Industry Cyber Security Practices, released last week.
Is software security a priority for senior management in the automotive industry? Why or why not?
Chris: It’s very difficult to say that all senior management throughout the industry takes cyber security seriously. But it is reasonable to say they are looking at it but may not understand what needs to be done.
Simply throwing money at an issue isn’t always the right answer. It’s clear from the survey that some engineers believe they don’t have the necessary voice to raise cyber security concerns. Or they may not have the information needed or the teams or resources properly staffed to address cyber security. It’s a challenge to get a clear understanding of what should be done. But some of the key players in the industry are rising to meet the challenge of ensuring that there are proper standards and proper activities that can be effective.
Tim: If you ask any senior executive in the automotive industry if cyber security is a priority, I don’t think any of them would say no. But business owners are worried about revenue. Cyber security is seen more as a cost center, and it’s logical to want to invest in something where you get a return.
What we really need to do gets back to the point of plowing cyber into the product development life cycle. If security funding, skill set needs, and head counts become the regular elements of developing your product lines, it’s not a separate cost center. That shift can allow senior executives to put their money where their mouth is.
Chris: This isn’t a new paradigm in the automotive industry. Consider the changes related to passenger safety, Back in the ’70s, it was a new frontier. And look how far they’ve progressed. I fully expect to see the same thing in cyber security.
Do automotive companies have the resources and skills they need to address their software security challenges? Why or why not?
Tim: The survey validated the hunches that most of the industry has: While at most companies there are appropriate skill sets and resources, they can always have more. But by using best practices, you can optimize those resources. As Chris noted, when the testing is done much later in the product development life cycle, that’s much less efficient than if you design security in. Hackers can literally download simple scripts from the internet that allow them to hack more efficiently. You always have to keep building your skill set. You can never be secure. You’re always securing.
Chris: The industry is ever-evolving, and one of the fallacies is that once a manager has delivered security training, that’s it—they can check the box. Security is one of those areas where you cannot have a checkbox mentality. You have to continue to educate, train, evaluate solutions, and look at the evolving threat landscape. It’s a cyclical process.
Tim: The Department of Homeland Security engaged a couple of economists from the University of Maryland regarding cyber security investment. They found that the vast majority of investment in cyber security happened post-breach. And that is in sectors like retail and finance. So you think you’re safe and secure until you aren’t. And then you tend to back up the truck and fix the problem: fire the CIO, bring on security consultants, that kind of thing. So it is good to see that the auto industry knows it needs to plow security into the product development life cycle. That is really where automotive engineers grew up—they’re extending the systems engineering approach to security. That really impresses me.
The report found that most of the industry doesn’t have a system in place to provide updates and patches when vulnerabilities are discovered. What do companies need to do to make that possible?
Chris: In an IT environment, when a component is considered insecure and there’s no update for it, you retire it and simply replace it. But in a vehicle, you don’t own or have complete control of that asset. Once it’s out on the market, if there is a vulnerability that could lead to harm, you have to be able to manage and monitor that for an extended period of time. That could result in field replacement, service update, or in worst-case scenarios, a recall. Right now, there is no single solution to address this scenario.
That’s OK. We are literally taking our first step in addressing this problem. As long as the industry realizes the need for flexibility and use of well-established design and security practices, the appropriate technologies and solutions will present themselves.
This goes back to maturity. In the immature phase, everyone will have their own process. And it’s going to be different for every vehicle, even from the same manufacturer. Eventually it will get to the point where it is consistent across manufacturers.
Tim: The auto industry is unique for several reasons. The vehicles are out and about; they are owned by private citizens for the most part. You sell the car, the owner has it. And most owners don’t think of a car as a bundle of IT systems stitched together with mobile communications and the like.
That’s a unique challenge, because companies can download patches to their computers at night, or to your server at work, and then when everybody logs in the next morning, it’s done. It’s not as easy when your workstations are driving around at 60 miles an hour, connected wirelessly. That has to be addressed through various means—over-the-air updates, plugging electric vehicles into the grid, or through a software maintenance regime.
Maybe we need to come up with a best practice on how you patch software in cars. The ultimate would be to develop a secure approach to drop patches into the vehicle network over the air in the middle of the night, when it is not being driven.
Taylor Armerding is an award-winning journalist who left the declining field of mainstream newspapers in 2011 to write in the explosively expanding field of information security. He has previously written for CSO Online and the Sophos blog Naked Security. When he’s not writing he hikes, bikes, golfs, and plays bluegrass music.