I recently attended the IQPC Automotive Cyber Security Summit at the Renaissance Center in Detroit, Michigan, to observe trends in the market and network with prospects, customers, and industry experts. The conference was well attended, with over 250 delegates from many different aspects of the automotive industry. There were Tier 1 suppliers, OEMs, independent cybersecurity experts, and vendors.
The day was structured into talks punctuated by networking sessions. The most obvious theme of all the talks was that consumers should be terrified of the connected car. Each presentation from vendors, OEMs, or researchers used the same formula: scare everyone with university studies or headlines about connected car hacks, then pitch a product or process to solve the problem. I found it all pretty funny, actually. The last presenter, from Freescale Semiconductor, echoed my thoughts by saying, “We all clearly created these presentations in a vacuum because we’re all using the same material.” One of the vendors even attempted to give the audience a break, saying, “Are we tired of being beat over the head about cybersecurity?” and then proceeded to continue bludgeoning the message home with most of the same material for 5-6 slides. To give the expert a break, he mentioned several times that his marketing department was responsible for the slide deck, not him.
One of the questions that kept coming up during the conference was “What is security going to cost?” Since most of the presentations were from vendors, no one was able to clearly articulate what adding security to your SDLC costs. They sidestepped the conversation by saying that it’s hard to quantify the cost. While it’s hard to put a number on adding more process to your SDLC, no one mentioned that you don’t necessarily have to “throw the baby out with the bath water.” There are things Tier 1s are already doing that work quite well and could be tweaked to include security checking without massive investments.
Tier 1 suppliers aren’t going to do anything unless OEMs start requiring evidence of security checking. In anticipation of this, one of the North American Big Three manufacturers that attended the conference is starting to ask suppliers for evidence of compliance with the CERT security standard. Several tools that Tier 1s already use for other types of testing (including Klocwork static code analysis) can also check for security vulnerabilities out of the box. As you might already know, we have many customers in the military and aerospace industry who are already advanced in securing their source code.
While security is a big, scary topic for consumers, I believe that the automotive industry has the mechanisms in place to bring in advice from other industries quickly to answer these demands. OEMs already have good relationships with Tier 1s and can ask them for stricter acceptance criteria. Also, Tier 1s are very good at learning and adapting to new approaches. They find ways to automate processes to minimize the increasing cost of security in their SDLC. I have faith that the automotive industry will get security right. They just need sound advice from other verticals and clear requirements from OEMs.