Greater Security through Connectivity
The automotive security situation is bad. How bad is it? Only 19% of industry executives surveyed by The Ponemon Institute on behalf of Rogue Wave Software and Security Innovation think that it is even possible to make a car “nearly hack proof.”
Ponemon surveyed more than 500 automotive developers, engineers and executives primarily from OEMs and Tier One suppliers with the following topline conclusions:
- Developers are not familiar enough with their company’s program to secure software for automobiles.
- Developers do not believe their companies are taking security seriously enough, or empowering them to make software more secure.
- Developers want – but do not have – the skills necessary to combat software security threats and they do not feel they are properly trained.
- Automakers are not as knowledgeable about secure software development as other industries.
- Security is not built into the Software Development Lifecycle (SDLC) in the automotive industry.
- Enabling technologies are not being provided to developers so they can build security into their processes.
The study further finds that “despite the understanding that automobiles are hacking targets, only 41% of developers polled agree (and 28% disagree) that secure software is a priority for their company. Worse, a large number of them (69%) believe that securing the applications are difficult/very difficult and nearly half (48%) believe that a major overhaul of the car’s architecture is required to make it more secure.”
Industry analysts talk about the percent of cars that will have over-the-air software updates in one year, five years, 10 years. Some experts talk about the need for LTE connectivity – some day.
It is clear from the rash of hacks and recalls in the past 18 months that all cars need to be connected as soon as possible. These connected cars need to have live connections at all times such that software can be monitored to detect and/or prevent intrusions. Software updates will be necessary to keep defenses up to date.
The Ponemon study starkly illustrates the scope of denial and downright defeatism pervasive in the industry. This defeatism is only magnified by the scope of industry ignorance of the issue. In this context the driving public is growing increasingly sympathetic to government efforts to get involved and lend a helping hand.
The only thing more terrifying than hackers penetrating cars is the government stepping in to help solve the problem.
An even more fundamental barrier to resolving this issue for automakers is the internal conflict between telematics departments, which are being asked to generate revenue from wireless service subscriptions, and teams seeking to add vehicle-to-vehicle connectivity (based on DSRC Wi-Fi technology) operating out of the safety systems department. The safety engineers view DSRC as just another sensor - while the telecom module is simply seen as adding cost to the car's bill of materials. Car makers need to stop looking at telematics as a nexus of revenue generation and recognize its importance to enhancing the safe operation of the vehicle.
Some car makers, most notably BMW, have already recognized this proposition and made the decision to include 10 years of telematics service with their vehicles in multiple geographies around the world. Others are still trying to get an immediate short-term payback from telematics.
The path to secure cars leads through the telecom module. The sooner the industry embraces ubiquitous connectivity the more swiftly we will achieve robust vehicular security. We have Security Innovation and Rogue Wave to thank for highlighting the shortcomings of the industry's grasp of this issue.
Download your complimentary copy of the white paper here: https://web.securityinnovation.com/car-security-what-automakers-think
Risk Technical Program Manager - Cloud Platform Security at Capital One
9 years ago: Roger, with due respect I view the conclusions you express as naive and self-serving (Market research / Strategy Analytics for vehicle connected products). Without improving the architecture, programming, and security (People, Processes, and Technology) of these vehicle systems your statement "It is clear ... that all cars need to be connected as soon as possible" demonstrates your lack of understanding of cybersecurity. This recommendation is completely opposite of what should be done. The safest systems are the ones DISCONNECTED, especially from the Internet (i.e. LTE). The path to secure cars DOES NOT lead through the telecom module! Hackers and vulnerability exploits come through the telecom module! The telecom module paves the path for the world to enter the inner workings of your vehicle. Yes, the vehicle and IoT world have a huge problem to figure out - how to update embedded software. But the view laid out in this article is not the answer, at least not for the near term.
Founder & CEO at AIRMIKA / AUTOCYB
9 years ago: ROGER: This may be old news to you: If not, take a look. Tom https://docs.house.gov/meetings/IF/IF17/20151021/104070/BILLS-114pih-DiscussionDraftonVehicleandRoadwaySafety.pdf
Sales and Business Development Executive
9 years ago: "The only thing more terrifying than hackers penetrating cars is the government stepping in to help solve the problem." Very good point, Roger. The auto manufacturers need to step up as an industry to prove that they can manage these issues as an industry. Especially in light of the problems over the past number of years. Otherwise they will deserve to be regulated, and this could put a halt to many of the exciting advances that are happening.
Autonomous vehicle control, Agritech, Digital Construction, Complex Workflow management, Perception, Threat Detection, Cobotics, Demining.
9 years ago: One aspect is defense within the telematics module. Another is the architecture and defense mechanisms employed throughout the entire embedded controls infrastructure. It is wrong to assume that an up-to-date "Norton-Auto" will keep the vehicle secure. Maybe something will get through, or maybe the vehicle could be attacked via a service bay tester or nomadic device, for example, that bypasses the telematics module entirely. So there need to be multiple lines of defense and firm separations between systems, either through HW or software mechanisms, or both. Maybe there is no such thing as an unhackable vehicle, but there are many ways to make vehicles and distributed embedded control systems much, much harder to compromise.
See your software in a new light
9 years ago: The security question comes with any "Smart, Connected Product", be it a car, an electricity meter, a jet engine or a factory! When manufacturers and software developers design, build and service their products, they need to stop using a DIY approach and use purpose-built tools for the Internet of Things. Among these tools - often called IoT Application Enablement Platforms - the leading ones address the end-to-end security requirements of the manufacturers: https://www.thingworx.com/white-papers/thingworx-security-white-paper-providing-secure-connected-products