The car that you drive today is a far cry from those of just a decade ago and in many ways is now an internet-connected computer on wheels. This push towards connectivity and smart motoring has seen the automotive manufacturing industry shift towards becoming as much a software business as a transportation one. And that means it faces much the same security challenges as the software industry, but with the distinct disadvantage of being way behind the game. Newly published Ponemon Institute research suggests that automotive software security is simply not keeping up with the pace of technology, and that supply chain postures in particular present a major risk not only to the cars of today but also to the self-driving vehicles of tomorrow.
Securing the Modern Vehicle, commissioned by Synopsys and SAE International, examined cybersecurity practices in the automotive industry and asked how capable it is of addressing the software security risks inherent in connected, software-enabled vehicles. The results of questioning some 593 professionals involved in assessing or contributing to the security of automotive technologies do not make for happy reading. Take, for example, the 52% who said they were aware of “potential harm to drivers of vehicles because of insecure automotive technologies” or the fact that 69% didn’t feel empowered enough to raise those concerns. Given this level of critical cybersecurity disconnect within the industry, maybe it comes as no surprise that 84% felt cybersecurity practices are simply not keeping pace with evolving technologies, and that 63% test less than half of their hardware, software and other technologies for vulnerabilities.
This is particularly concerning given that David Barzilai, chairman and co-founder of automobile security specialist Karamba Security, warns that “there is an increasing trend of white hat hacking attempts against automotive technologies and we expect more attacks to happen in 2019.” This position is backed up by David Uze, founder and CEO at Trillium Secure, an autonomous vehicle security outfit, who says that “hackers have penetrated North American, European and Japanese automakers’ systems and their approaches have potential to cause great harm to vehicle safety, data privacy and the development of connected and autonomous vehicle technologies.”
So, what technologies were thought to pose the greatest cybersecurity risks within the automotive manufacturing industry? Radio frequency (RF) technologies such as Wi-Fi and Bluetooth topped the list (63%), closely followed by telematics (60%) and self-driving vehicles (58%). When it came to the primary factors leading to vulnerabilities in technologies either developed or used by the manufacturer, it was pressure to meet product deadlines (71%) that led a pack including a lack of understanding or training regarding secure coding practices (60%), accidental coding errors (53%) and a lack of quality assurance and testing procedures (50%). “More car electronic control units (ECUs) are becoming externally connected and that represents an attack surface for the hackers,” David Barzilai says, continuing, “some of those ECUs are safety certified, so once hacked the attacker can change vehicle speed and direction.”
The numbers don’t get any more confidence-inspiring for drivers of modern vehicles the deeper into the report you delve. Given that most manufacturers now rely upon hundreds of independent vendors to supply hardware and software components, it is worrying that 73% of respondents were very concerned about the cybersecurity posture of the automotive supply chain. Not quite as worrying, though, as the fact that only 44% said their organizations insist on cybersecurity requirements for the products provided by these suppliers. Oh, and did I mention that the typical automotive organization has only nine employees devoted full-time to cybersecurity, and that 30% don’t have an established product cybersecurity program team at all?
Chris Clark, a principal security engineer at Synopsys, told me that the results of the report should be “a starting point for an organization to look internally at their practices and see where improvements can be made.” Clark suggests that automotive manufacturers need to shift left, telling me “the predominant amount of security testing happens when different systems are first connected, which means that issues identified later in the development life cycle will be more expensive to resolve.” It’s not all bad news, though: according to Clark, the automotive industry is getting some things right. “The first step is acknowledging the problem and I think it is clear that the industry has done so,” he said. Considering the number of cybersecurity-related acquisitions taking place in the automotive space, Clark reckons it’s easy to see that cybersecurity is at the forefront of automotive industry conversations. Which is just as well, because, as he concludes, “as we move closer to mainstream autonomous vehicles, the potential margin for cyber-attack will shrink drastically and the need for rapid response will increase…”