Recently, the US Government Accountability Office publicly released GAO-16-350 VEHICLE CYBERSECURITY: DOT and Industry Have Efforts Under Way, but DOT Needs to Define Its Role in Responding to a Real-world Attack.
For this 61 page report, the GAO interviewed 32 selected industry stakeholders, including 8 automakers, 8 automotive parts suppliers, 3 automotive cybersecurity firms offering vehicle cybersecurity products, and 13 subject matter experts, including 7 leading researchers. Security Innovation’s Chief Scientist, William Whyte, was one of the subject matter experts interviewed.
GAO was asked to review cybersecurity in vehicles specifically in regard to possible safety issues. The report looks at what is being done to remediate cybersecurity vulnerabilities in modern vehicles, the key practices and technologies to reduce these threats, the views of the selected stakeholders on the cybersecurity challenges they are facing, and finally, the DOT efforts to address vehicle cybersecurity.
One of the key practices mentioned most frequently (see Table 1 for the GAO list) had to do with offering over-the-air (OTA) updates of vehicle software and firmware. Some stakeholders called OTA updates an essential part of cars’ cybersecurity capabilities, as they allow carmakers to quickly and effectively respond to cybersecurity incidents. Unfortunately, only a few automakers have OTA update capabilities, and only Tesla can update all safety-critical systems on their entire fleet remotely. One carmaker explained they don't yet offer OTA updates because they want to first ensure these OTA updates do not become a new attack vector on their cars.
This represents a difficult dilemma for carmakers and their suppliers. Software vendors in every industry rely on regular updates to address bugs, add new features, and fix security issues. But for car manufacturers, they rely on service visits to dealerships or the inadvisable practice of sending USB sticks to their customers in order to install necessary software updates. OTA updates would be a great way to get the updates to the vehicles, but OTA updates can do more harm than good if hackers can use the updates to install malware on the vehicles. You can read more about OTA challenges in this post.
According to the interviewed stakeholders, there is a limited pool of employees with the specific mix of knowledge and skills needed to design, build and test secure vehicles. One automaker said “that due to the shortage of automotive cybersecurity professionals, the company often has to decide whether to hire hardware and software professionals and teach them cybersecurity or cybersecurity professionals and teach them hardware and software.”
This is where Security Innovation can help. In addition to providing automotive security services such as penetration testing and secure code reviews, we offer computer based training with over 120 courses teaching everything from cybersecurity fundamentals to programming language specific topics. The latest addition to our course catalog, Creating Secure OTA Automotive System Updates, is a 90-minute course that teaches students how to identify the benefits and risks of OTA automotive system updates, understand the importance of public key cryptography to the security of these updates, and identify secure design considerations for OTA development, delivery, and installation. Our portfolio of training courses will help carmakers teach cybersecurity to their hardware and software professionals and hopefully build safer cars for everyone.