Cybersecurity is a word we have heard a lot this year. From the stories of car hacks on BMW and GM, to the Progressive Insurance dongle hack, to new government legislation (the SPY Car Act and the exemptions to the Digital Millennium Copyright Act), it is a fast-moving landscape that automakers, OEMs, and developers will need to stay on top of as we move into 2016.
Last month, I joined Pete Samson, senior VP from Security Innovation, and Larry Ponemon, chairman of the Ponemon Institute, on a webinar to discuss the challenges facing the automakers on the journey toward automotive application security and the results of the 2015 Ponemon cybersecurity survey. And just a few weeks ago I attended the Connected Cars Expo where cybersecurity was top of mind with a panel of experts discussing what they see as the most crucial cybersecurity issues impacting the industry.
With everything we have seen and heard this year, it made me stop and think about the three key things I have learned about automotive cybersecurity in 2015.
Security must be built-in
Securing software in automobiles is not a small task. With electronic components making up over 50 percent of the total manufacturing cost of a car, developers are looking at over 100 million lines of code from multiple sources in a single vehicle. It is no wonder that 90 percent of the developers asked in our automaker survey think there is some degree of difficulty in securing their applications (25:48 in the webinar).
Traditionally, testing has happened after the system integration build, but that is too late to really secure the software. Over 50 percent of the Ponemon survey respondents still think of security as an add-on, and 22 percent said it takes too much time. Security needs to be built into the development process, and early (32:14 in the webinar). Time to test shrinks when security is built in, because individual developers can find security defects at the point where they are introduced, address the concerns, and mitigate the problems before the code is compiled into the system build and time runs out.
Security cannot be an ad hoc process. It needs to be automated, and developers need to be given the enabling technologies so they can build security into their own workflow.
Developers need help
Developers want, but do not have, the skills necessary to combat software security threats, and they do not feel they are properly trained. They are trained in tools for software development, and they know best practices for performance, memory, CPU utilization, and so on, but not for security. At Connected Cars, Karl Heimer made the point that the graduating class at West Point had the same number of cybersecurity engineers as its first graduating class 200 years ago: zero!
If you are not trained, securing software will be difficult (69 percent of survey respondents agree; 36:05 in the webinar). Without that training, developers will not know how to protect their code against attackers.
Organizations need to provide development teams with:
• Visibility into applications
• Reports and audits of the code
• Threat modeling tools
• Penetration testing capabilities
The time to act is now (or, actually, a while ago)
Automakers are not on the same page as industries such as IT, web, and e-commerce, where organizations have had security policies in place for a long time. From the Ponemon research, 47 percent of respondents do not believe they can make a hack-proof car (26:45 in the webinar).
Automakers need to catch up and move fast toward a strategy to adopt and adapt. Many existing cybersecurity practices from other industries can be put to use directly, since the same protocols are in use. Resources such as CWE, NIST, the Defense Information Systems Agency (DISA), and CERT could all help the automakers close the gap.
Adopting these existing tools would help find weaknesses, prove compliance, and mitigate security risks up front. As time passes, automakers can weed out the tools that are not useful, give feedback to the ones that are, and ask their sources for automotive-specific requirements.
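To make the two points above concrete (finding a defect at the developer's desk rather than at system integration, and using a CWE category and a CERT C rule to name it), here is an added example. It is not code from the post, the webinar, or any automaker. It shows a constructed CAN receive path in which the on-bus data length code (DLC) is copied without a bounds check, beside the checked version that CERT C's ARR30-C (no out-of-bounds array access) and CWE-120 (classic buffer overflow) would flag. The frame layout, the 64-byte driver buffer, the CAN ID, and all function names are hypothetical.

```c
/* Added example (not from the original post, webinar or survey): a
 * CWE-120-style unchecked copy in a constructed CAN receive path, beside
 * the bounds-checked version that a CERT C rule such as ARR30-C requires.
 * All names, the frame layout and the sample frames are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define CAN_MAX_DLC 8u   /* classic CAN: at most 8 data bytes per frame */

/* Hypothetical raw frame as a driver might hand it up. The DLC field
 * comes straight off the bus and must be treated as untrusted input. */
typedef struct {
    uint32_t id;
    uint8_t  dlc;
    uint8_t  data[64];   /* hypothetical driver buffer sized for CAN FD */
} can_frame_t;

/* Application-level message with a fixed classic-CAN payload buffer. */
typedef struct {
    uint8_t payload[CAN_MAX_DLC];
    uint8_t len;
} app_msg_t;

/* Constructed test input: a frame with the given ID, DLC and fill byte. */
can_frame_t make_frame(uint32_t id, uint8_t dlc, uint8_t fill) {
    can_frame_t f;
    memset(&f, 0, sizeof f);
    f.id = id;
    f.dlc = dlc;
    memset(f.data, fill, sizeof f.data);
    return f;
}

/* BEFORE: trusts the on-bus DLC. With dlc > 8 the memcpy writes past the
 * end of out->payload (CWE-120). Kept only to show the defect; it is never
 * called with an oversized frame here because that is undefined behaviour. */
int copy_payload_unchecked(const can_frame_t *f, app_msg_t *out) {
    memcpy(out->payload, f->data, f->dlc);
    out->len = f->dlc;
    return 0;
}

/* AFTER: validates the length against the destination before copying.
 * Returns 0 on success, -1 on a NULL argument, -2 on an oversized DLC.
 * The frame is rejected rather than truncated: a silently shortened
 * message is a different bug waiting to happen in the consumer. */
int copy_payload_checked(const can_frame_t *f, app_msg_t *out) {
    if (f == NULL || out == NULL) {
        return -1;
    }
    if (f->dlc > CAN_MAX_DLC) {
        return -2;
    }
    memcpy(out->payload, f->data, f->dlc);
    out->len = f->dlc;
    return 0;
}

/* The kind of check a developer runs when the code is written, not at
 * system integration. Returns the number of failed expectations (0 = pass). */
int self_check(void) {
    int failures = 0;
    app_msg_t m;
    can_frame_t ok  = make_frame(0x7E0u, 8u, 0xAAu);   /* well-formed frame */
    can_frame_t bad = make_frame(0x7E0u, 64u, 0x41u);  /* DLC far past 8 bytes */

    memset(&m, 0, sizeof m);
    if (copy_payload_checked(&ok, &m) != 0 || m.len != 8u || m.payload[7] != 0xAAu) failures++;
    if (copy_payload_checked(&bad, &m) != -2) failures++;
    if (copy_payload_checked(NULL, &m) != -1) failures++;
    /* The unchecked version accepts the same well-formed frame ... */
    if (copy_payload_unchecked(&ok, &m) != 0 || m.len != 8u) failures++;
    /* ... and would have written 56 bytes past m.payload for `bad`. */
    return failures;
}

int main(void) {
    int failures = self_check();
    printf("self_check: %d failure(s)\n", failures);
    return failures == 0 ? 0 : 1;
}
```

The point of the example is the shape of the workflow, not the one-line fix: the developer writing the receive path owns the check, names the weakness class from CWE and the rule from CERT C, and runs `self_check()` on the oversized frame before the code ever reaches a system build.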
Cybersecurity is a word we have heard a lot this year, and it is one that will continue to be top of mind as we drive into 2016. It will be an interesting evolution to watch as the automotive industry shifts toward improved processes, training, and adoption of standards.
• Read the white paper, watch the webinar, and follow the road to application security, which discusses the results of the 2015 Ponemon survey of automakers and suppliers.
• Watch this 3 part series on automotive cybersecurity.
• Follow along as we count down the top 10 security vulnerabilities of 2015.