In February 2019, a new study entitled “Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices” was published, highlighting critical cybersecurity risks in the automotive industry.
Synopsys and SAE International commissioned the Ponemon Institute, an IT security research organization, to conduct the study by researching the current cybersecurity practices in the automotive industry.
The study also looked into the auto industry’s capability to address software security risks inherent in connected, software-enabled vehicles.
As auto manufacturers gear up to produce more connected and autonomous vehicles, we asked Dr Dennis Kengo Oka, Senior Solution Architect, Software Integrity Group, Synopsys, for his perspectives on some of the findings from the study:
What is the current state of cybersecurity in the automotive industry?
Oka: One very impactful finding from the study that sheds light on the current state of cybersecurity in the automotive industry is that 30% of surveyed organizations do not have a cybersecurity team or program.
This means that there is not a team or program formally establishing cybersecurity processes and policies within the organization.
This is a key first step in terms of security; with effective processes and policies in place, an organization can establish a baseline for cybersecurity, including employing activities such as utilizing the appropriate tools and applying corresponding security controls.
What organizational and technical challenges do auto manufacturers and their suppliers face in terms of cybersecurity?
Oka: In terms of organizational challenges, 62% of the survey respondents believe that an attack against their system or component in the next 12 months is likely or very likely.
However, 69% reported that they are not empowered to raise their concerns. In other words, there are security professionals at these organizations who know that the products they develop are susceptible to attacks, and yet they are not able to do anything about it to improve their security stance.
To further illustrate the reality of this point, more than half of the organizations surveyed reported that they do not allocate enough resources to cybersecurity.
In terms of specific technical challenges, the three areas that pose the greatest security risk are self-driving (or driver assistance) technologies, telematics, and RF technologies (e.g., Wi-Fi, Bluetooth).
The famous Jeep hack presented at Black Hat and DEF CON in 2015 by security researchers Charlie Miller and Chris Valasek was executed by targeting these three specific areas. Using Wi-Fi, they were able to remotely connect to a vehicle within 10-20 meters. Next, by connecting to a vehicle’s telematics unit over cellular communication, it was possible to connect to a vehicle hundreds of kilometers away. Finally, to take control of the steering functionality of the vehicle, they abused the park assist functionality – typically only invoked when a driver wants help parking.
The result is that the car begins initiating the park functionality, and thus, turns the steering wheel. You can imagine the resulting disaster if this attack were to have been carried out on multiple vehicles traveling 100 km/h on the freeway.
Another technical challenge is that there will always be vulnerabilities in software. Knowing this, it is imperative to have a method to perform software updates when critical vulnerabilities are identified. However, only 37% of survey respondents say that they have an OTA (over-the-air) update solution. This means that a majority of organizations have no efficient way to patch vulnerable vehicles.
What additional challenges exist in product development?
Oka: A major challenge is that security is often considered an afterthought. Rather than building in security by design, security mechanisms are often added at the end of the software development process, which is costlier and more inflexible.
A shocking number from the study is that only 47% of surveyed organizations assess security in the early phases of development (i.e., requirements, design, development, and testing).
Assessing security only during the latter phases of the development process, through activities like penetration testing on a finished product, may lead to the identification of vulnerabilities. However, bolting security on at the end of the process means that resolving these vulnerabilities can delay the time to market and be cost-prohibitive to resolve. The majority of vulnerabilities should have already been identified and resolved earlier in the development lifecycle.
There are three major factors leading to vulnerabilities:
- Coding. Accidental errors and a lack of secure coding guidelines
- Testing. Lack of appropriate testing procedures
- Open-source software. Using vulnerable or outdated open-source software
Pressure to meet strict deadlines in the automotive industry is also often an underlying factor.
What are the necessary next steps for the automotive industry to take to enable the introduction of safe and secure smart cars in smart cities?
Oka: Regarding organizational challenges, it is imperative that organizations consider cybersecurity in upper management (e.g., CISO, VP of Cybersecurity) to create a culture of cybersecurity and empower developers and security engineers to raise their voice if they have any concerns.
All organizations should also establish a cybersecurity program and team, and increase the resources needed for cybersecurity. This program and team should define cybersecurity processes and policies, which will drive all other cybersecurity activities.
In terms of technical challenges, the focus should be on securing the external interfaces such as telematics and RF technologies, in addition to safety-critical functions such as self-driving and driver assistance technologies.
Securing the external interfaces is the first step to prevent attackers from gaining entry to vehicles. Secondly, considering a defense-in-depth approach, if an attacker were somehow able to gain entry to the in-vehicle network, employing an additional set of security controls to protect safety-critical functions in the vehicle is crucial.
Moreover, since there will always be new vulnerabilities, it is essential for all car manufacturers to have an OTA solution to apply security patches.
When considering product development challenges, it is necessary to shift security as far left in the development process as possible and to assess security earlier in the software development lifecycle.
Using automated tools to find and fix vulnerabilities as early as possible reduces cost and time. To address the three main factors leading to vulnerabilities, automated tools can be used.
Using static application security testing (SAST) tools supports developers in preventing coding errors and following secure coding guidelines from the very beginning of development.
Using software composition analysis (SCA) tools helps organizations identify vulnerable and outdated open-source software components included in their products as the development process moves along.
Fuzz testing tools allow organizations to test the robustness of their products and identify unknown vulnerabilities in them. By employing these types of automated tooling solutions throughout the software development lifecycle, teams can improve efficiency, allowing the overall organization to better meet strict deadlines.
Applying security does not equate to slowing development velocity. There are solutions that go hand-in-hand, supporting teams throughout the software development lifecycle.