Connected cars need better connection to cybersecurity

Perhaps the most encouraging finding is that a majority of respondents are very much aware of the problem. More than two-thirds said the need for better cybersecurity is “urgent,” for obvious reasons: 62% said they think a malicious or proof-of-concept attack against automotive software, technology or components is very likely in the next 12 months.

But other key findings are less encouraging:

• Software security is not keeping pace with technology in the industry.
• Few companies—just 10%—have an established cybersecurity team.
• Less than a third of organizations (31%) educate their developers on secure coding methods.
• Fewer than half (44%) impose cybersecurity requirements on suppliers and other third parties.
• A majority said their organizations don’t have the skills, budgets or resources to make their products secure before they go to market.
• Only 39% said their organization issues timely software updates. And 25% said they don’t deliver security updates at all.
• While 52% of respondents said they were aware of the potential harm to vehicle occupants from software vulnerabilities, only 31% said they felt empowered to raise those concerns with upper management.

The significance of all this should also be obvious. The modern vehicle is a computer—actually dozens to more than 100 computers—containing more than 100 million lines of code that control everything from the infotainment system to safety systems like steering, acceleration and brakes.

That makes automotive manufacturers software companies just as much as they are transportation companies.

And software vulnerabilities could undermine the safety of those systems and features: Anything online is a target for cyber attackers. A hacker can put not just users’ personal information at risk, but their physical safety as well. Software security is easily as important as seat belts, airbags and antilock brakes.

These risks are not just theoretical. Security researchers Charlie Miller and Chris Valasek made international headlines four years ago when they remotely hacked into a Jeep Cherokee driven by a reporter for Wired magazine. They took control of the air conditioning, wipers, accelerator and brakes from 10 miles away. But they could have done the same thing from thousands of miles away.

The message at last year’s RSA Conference in San Francisco was much the same: Sergey Kravchenko, senior business development manager, future technologies, at Kaspersky Lab, said his firm had demonstrated that hackers can get control of vehicle functions like door locks, brakes and the engine. They can track a vehicle’s location through the GPS.

Still, even with multiple anecdotes like those, there has been a lack of the comprehensive data needed to understand the industry’s overall cybersecurity posture and its capability to address software security risks inherent in connected vehicles.

This report, commissioned by Synopsys and SAE International, is meant to address that gap.

Tim Weisenberger, project manager, technical programs, Global Ground Vehicle Standards at SAE, said the results provided “empirical data to validate our hunches,” which included not just problems but good news as well.

“The industry really is aware of the cybersecurity threats it’s facing in the entire ecosystem of interconnected vehicles,” he said. “Their resources may be applied a bit more thinly than they’d like, but they’re very aware of their strengths and shortcomings. I think they’re pointed in the right direction.”

And Chris Clark, principal security engineer, strategic initiatives, at Synopsys, said while the survey showed there is still much to be done, “this is not necessarily a negative thing. It’s pretty typical of what we see in other industries—it’s in the process of becoming more mature.”