There is a growing realization of the need to address the cybersecurity and information privacy challenges. New functionality, like connected cars, has highlighted the stark reality that most automobiles were not built to be a secure environment. With over 100 million lines of code spread among 100 or more processors, the threat surface and the number of potential vulnerabilities is huge.
The Need For Innovation and Adaption
The industry is faced with a real challenge, and no easy answers. Much of the technology embedded in cars over the past 10 years is now potentially susceptible to malicious exploits that were inconceivable when the cars were designed. Connected vehicle technology now exposes these insecure systems to real threats. The electronic control units (ECUs), transmission control units (TCUs), and other critical on-board functionality are more and more vulnerable to rogue data and instructions that could affect safety.
Understanding Risks
Although automakers understand the concept, the vast majority of consumers do not appreciate the risks inherent in a hacker gaining control of the car from inside—or even the outside—of the vehicle.
- Security has to be an inherent design objective and be treated by development teams as seriously as functionality, performance, and reliability
- The earlier in the software life cycle that security is built into a system or network of systems, the more cost effective and hacker-proof it becomes
- However, reality and human nature being what they are, we spend as much time helping secure and remediate older systems as we do helping prevent vulnerabilities being engineered into the system
Common Vulnerabilities
Internal Vulnerabilities |
External Vulnerabilities |
V2V Vehicles |
|
|
|
Tough Questions
How do you address vulnerabilities in the connected vehicles already on the road?
How can these threats be mitigated?
How is software updated?
How should the industry address zero-day vulnerabilities?
These are all-important questions, and, once again, there are no simple answers. We know there is no single solution; no magic bullet. An in-depth defensive approach is needed that will require the application of traditional IT mitigation techniques such as network segmentation, cryptography, virtualization, blocklisting and allowlisting, intrusion detection, trusted platform and trusted execution, and many more buzzwords. In short, the solution must be holistic.
...Unfortunately, a reality of the security world is that the manufacturers need to be right 100% of the time—the bad guys only need to be right once.
Attacks are inevitable. If it can be done, it will be done. A truism in our business is that there are only two types of companies: those that know they have been hacked and those that don't. Unfortunately, this is the world we live in, and all we can do is help the industry to be as prepared as possible for the security threats posed by greed, fraud, pride, or malice.
...Not trying to scare anyone here... but this blog wouldn’t have even been written if the threats were just a figment of our imagination.
___
Content from this blog was created from a recent interview done by Frost & Sullivan:
Movers & Shakers Interview with Pete Samson - General Manager of Security Innovation
To read the entire interview, click here.