Today’s car has become a computer on wheels.
According to The Globe and Mail, the average car today can have 25-50 central processing units, controlling phones, navigation systems, computerized alerts and more.
While this connectivity provides convenience to the consumer, it also poses cybersecurity risks.
Security Risks for Connected Vehicles
Although hacking in any device can have a severe impact, a hacked automobile that affects someone driving down the freeway is much more serious than a simple computer reboot. Primary risks for connected vehicles include:
Technology continues to evolve rapidly, as does the security landscape. Unfortunately, cybersecurity practices are not keeping up, according to a Ponemon Institute study. The majority (84%) of professionals surveyed expressed concern that current methods are not keeping up with evolving technology. Some high-profile hacks have already occurred, and more are likely within the next year as the automotive industry continues to grapple with tightening cybersecurity measures.
More than half of the participants in the Ponemon Institute study named coding errors as a primary factor that leads to vulnerability. Most (55%) engineers and security practitioners in the industry say they are making errors.
Most professionals (63%) reported testing fewer than half of the hardware, software and other technologies they produce for vulnerabilities, according to the Ponemon Institute study. And, in many cases, the testing comes too late in the process, with only 47% of participants reporting they assess vulnerabilities in the initial phases of requirement and design or development and testing. For 18% of organizations, assessment is done post-production release.
Connected vehicles offer a plethora of entry points for hackers, many of them created by a third-party. Not only does the vehicle itself offer various vulnerabilities across its control systems, multiple communications applications, processors and sensors, but the car is also connected to other cars, roads and mapping systems.
Unique Security Issues
Deploying critical security updates for vehicles can also prove challenging. About half of participants in the Ponemon Institute study reported their updates are delivered by communications that are connected to personal electronic or computing devices, with just 37% saying they currently deliver them over the air (OTA). In addition, connected vehicles have unique access points for hackers, including cellular networks, Wi-Fi and Bluetooth, telematics and autonomous (self-driving) systems.
Supply Chain Risk
A disparate supply chain powering the automotive industry represents a key issue in security quality issues. It is common to integrate third-party components, software, communication protocols or applications into the process, and difficult for Organizational Equipment Manufacturers (OEM) to manage.
Lack of Management Support
While the professionals closest to the technology and security practices in their industry expressed concern for cybersecurity risks, a mere 31% said they felt empowered to raise those concerns to their leadership, according to the Ponemon Institute study. And, for those who may feel empowered, few organizations have established teams to offer support. Just 10% of professionals reported their organization had an established and centralized product cybersecurity team.
Security Practices for Connected Vehicles
While the problem is clear – the automotive industry needs to revamp its cybersecurity practices – several practices must be implemented for connective vehicles to improve security.
Design for Security
Instead of patching together a fix for a security problem, products should be designed with security in mind at the outset to create a sound framework. This doesn’t negate the need for ongoing cybersecurity practices, but it does ensure the product is designed with minimal gaps and easy methods for patching systems when events occur, according to a McKinsey report.
Assess Vulnerability Earlier
This practice goes hand-in-hand with overall design. Vulnerability assessment should be integrated into the product development cycle, not tacked on just before release.
Cultivate Upper Management Buy-In
Professionals close to the development process must be empowered to express concerns to leadership – and leadership must be able to provide organizational support. Educating business stakeholders on the critical nature of cybersecurity can help to ensure not only an environment that welcomes feedback, but also make it more likely the organization will prioritize building a team of experts prepared to support when needed.
Create and Enforce Guidelines
The automotive industry’s cybersecurity practices are largely unregulated, according to a McKinsey report. Rather than leave the space open for ill-informed rules to be imposed, OEMs and suppliers should help guide regulators through risks and appropriate countermeasures.
Adopt Over-the-Aid (OTA) Updates
Currently, OTA updates are only available for some software parts; however, despite the current limitations, McKinsey recommends this as the clear best approach for immediate updates when faced with vulnerabilities.
Ensure Consumers and OEMs Understand Risks
OEMs cannot adequately advocate for proper regulation, design and update capabilities without a robust understanding of what poses cyber risks. And consumer understanding is equally important to ensure drivers don’t unintentionally introduce new vulnerabilities. OEMs can support awareness by designing inhibitors and offering in-car education. At a broader level, OEMs can advocate for new cybersecurity questions in driver’s license exams to institutionalize awareness.
Rapid Response to Cybersecurity Incidents
The first step to timely response is immediate detection protocols. In addition, a road map for intervention, from the structural architecture to the specific methods and metrics, to measure must be outlined in advance to streamline response time.
Provide Secure Coding Training
In the Ponemon Institute Study, 60% of respondents conceded that vulnerabilities in automotive software often stem from a general lack of understanding and training on secure coding practices. By establishing training that educates coders on cybersecurity and offers industry-specific coding trading that adheres to cybersecurity best practices, OEMs can cut down on self-induced vulnerabilities.
Cultivate Cybersecurity Cultures
Groups like the government-supported Auto-ISAC (Information Sharing and Analysis Centers) strive to root cybersecurity practices into the culture of auto industry organizations. Through greater understanding within the industry, and more integrated cybersecurity practices in individual businesses’ development, cybersecurity can become a part of the overall vehicle development and testing processes, and remain a focal point for the industry overall.
Continued technological advancement will continue to increase convivence for drivers, and access points for hackers. To get ahead of the curve, the auto industry needs to examine cybersecurity risks and champion cybersecurity practices to ensure drivers, and the roadways, remain secure.