As the modern vehicle becomes smarter and more connected, everything from safety systems — such as steering, acceleration and brakes — to infotainment systems is controlled by some sort of computer. The car of today — and especially tomorrow — relies on countless lines of software code to get those wheels moving, a reality that has placed increasing importance on automotive cybersecurity. When you think about it, the auto industry is blurring the lines between transportation and software.
A recent survey of auto manufacturers from Synopsys and SAE International found that 62 percent of respondents think it is likely or very likely that malicious attacks on their software or components will occur within the next 12 months. The study also revealed that software security is not keeping pace with technology in the automotive industry and, as a result, connected vehicles have a range of unique security issues.
Even more concerning, 30 percent of survey respondents said they do not have an established product cybersecurity program or team. What steps should auto manufacturers take to avert the potential damage cyberthreats could cause to the industry?
The Transportation Industry in Transformation
To answer these questions, I figured it was best to go straight to the source. Chris Clark, principal security engineer for strategic initiatives at Synopsys, co-authored the aforementioned study and possesses in-depth knowledge of the auto industry from a high level down to the technical weeds.
The reality for the industry, according to Clark, is that car manufacturers have always been software companies because for many years they’ve had microcontrollers that perform some level of action. Depending on the type of car you drive, you may have capabilities such as Apple CarPlay, Android Auto or even a digital storefront from which you can add apps and capabilities to your infotainment system.
“We’re going to continue to see that progress,” said Clark. “And the only way you can do that is to be a software house. That’s where the industry is.”
Before we dive in, just to be clear, the purpose of the study — and, for that matter, this article — is not to scare you. Instead, it should be viewed as more of a learning tool.
“I think a lot of people had the same initial response that you had [about the study],” Clark told me. “But one of the takeaways I want to get out of this is that [the study] is really more of a helping document. I hope the technical person, middle management, etc. can reach up to the higher-level offices and say, ‘Here are the challenges we really face and how can we reevaluate the direction we’re going from a security perspective.’”
Assessing Realistic Threats to Automotive Cybersecurity
Reading the report, it’s evident that the industry is facing some severe cybersecurity challenges. The ramifications, however, are not as dire as they seem — at least in the short term. While the vulnerabilities that exist for auto manufacturers need to be addressed ASAP, the risk is more localized.
“When we talk about safety in the automotive industry, yes, there is a potential for hackers to take control of the vehicle and cause some malicious activity,” Clark said. “But right now, we’re so early in this security model … most of the discussions taking place revolving around automotive security aren’t realistically that applicable yet.”
For instance, say an attacker discovered a vulnerability in the infotainment system of a connected vehicle and went on to perform some level of control with the vehicle. According to Clark, it’s not very likely that the threat actor would be able to exploit that in the entire fleet of cars.
In the short term, there is a concern about malicious actors gaining access to personally identifiable information (PII) and/or injecting malware to deny access to a vehicle. In the malware scenario, there’s a parallel to be drawn to ransomware, where you’d need to call an 800 number and turn over thousands of dollars just to turn your car back on.
Interconnectivity Takes the Wheel
Make no mistake: The threat potential is significant, especially as we move toward a future of autonomous vehicles, where discussions around artificial intelligence and machine language will come into play. According to Clark, to do this effectively, vehicles will need to harness abundant local computing power to provide the amenities that the consumer is looking for.
We also must remember that the automobile is just one part of a growing tech-enabled transportation ecosystem. It’s not only car manufacturers that need to address cybersecurity concerns; because our vehicles are communicating with other vehicles, traffic signals and more, security plays a role well beyond the individual automobile.
The city of Los Angeles, for example, has been making progressive investments in public transportation, bicycle lanes and alternative transportation. Soon, it will launch a new data sharing platform. Ted Ross, general manager and chief information officer for the city’s Information Technology Agency, understands that there are tremendous benefits to networking a service — in this case, transportation — and making it digital. Equally important, however, is the investment required to secure these services.
“If not properly secured, [the automobile] becomes an entry point for malicious actors,” Ross said. “Automated cars, traffic signals and urban infrastructure become a tremendous liability if hacked and compromised by criminals.”
The concern for Ross — and any other smart city like Los Angeles — is that an insecure ecosystem could allow criminals to gain access to user payment accounts, personal data and possibly even the digital systems — e.g., automated braking, acceleration and autonomous vehicle guidance systems — used to ensure the safety of riders and pedestrians.
“Cybersecurity is paramount in a rapidly digitizing society,” Ross noted.
It’s safe to assume the most pressing issue for the automotive industry is the collective security practices of all manufacturers involved in the supply chain. The frequent integration of third-party components, software, communications protocols and applications can introduce threat vectors that original equipment manufacturers (OEMs) must address.
A Considerable Amount of Work Still to Be Done
To improve automotive cybersecurity, the industry can implement several strategies. Most importantly, according to Clark, companies in the industry need to ask the same important questions that apply to any industry. Have we hired the right people? Have they been trained properly? Do they have the education they need from a cybersecurity standpoint?
Industry leaders looking to make use of best practices can also turn to helpful resources such as:
SAE International’s “Cybersecurity Guidebook For Cyber-Physical Vehicle Systems,” which describes a cybersecurity process framework from which an organization can develop an internal cybersecurity process to design and build security into vehicle systems;
The National Institute of Standards and Technology (NIST)’s valuable and free resources for security knowledge and best practices — e.g., the special publication 800 series;
The Building Security In Maturity Model (BSIMM) and Synopsys’ automotive security resource page, which can help organizations develop a security initiative and meet security, safety, reliability and compliance requirements for automotive software; and
The Automotive Information Sharing and Analysis Center (Auto-ISAC), a valuable forum for security professionals to share and analyze intelligence about emerging cybersecurity risks to connected vehicles and collectively enhance automotive cybersecurity.
Despite the startling statistics and an industry fraught with challenges, there’s one nugget of information from my conversation with Clark that stood out from the rest. When you look at the automotive space, cybersecurity is a relatively new consideration.
“Ten years ago, we wouldn’t even be having this discussion about computing platforms and vehicles,” Clark said. “We look at cybersecurity in the automotive space; we’re like toddlers. Security in the space is only two, three years old, and maybe some [companies] are a little more ahead, a little bit more mature, but this is the early days.”
It’s a positive sign that research demonstrates how automotive industry leaders are jumping on the bandwagon to address the challenges they’re hearing about. To make real progress, Clark says there still have to be discussions within and between organizations on how to address potential vulnerabilities and challenges to integration related to security.
“Those discussions are happening, but they’re not happening enough,” said Clark.
There’s still a considerable amount of work to be done. While the Synopsys report isn’t meant to sensationalize the threat, perhaps it’s the wake-up call the industry needs.