According to consulting firm Frost and Sullivan, we can expect the number of hackers to grow to more than 150,000 globally by 2018. Over the same period, the number of connected vehicles on the road will increase to more than 220 million. Together, these trends raise the threat of a significant automotive cybersecurity breach.
In a recent Automotive Cybersecurity Study conducted by the Ponemon Institute, only 54 percent of automotive OEMs and suppliers surveyed agreed that security is a priority for their company. This leaves nearly half of the industry struggling for a solution. Although there is no foolproof tool for cybersecurity, having a comprehensive plan will deliver the best defense. The following are three strategies that should be considered today as OEMs and suppliers design and develop automobiles.
Lifecycle Security Methodology – Creating and implementing security early in the design phase of a vehicle is an important step in developing a "hard-to-hack" car. As the industry continues to struggle with exactly who is responsible for cybersecurity – an alarming 19 percent of suppliers and OEMs surveyed in the Ponemon study indicated nobody is responsible within their company – it is clear that secure development is not widely utilized across the industry.
To be effective, the industry must invest the resources in training, talent and process to elevate cybersecurity as a priority in product and vehicle development. This starts with having security processes integrated into product design all the way through development. The final step in secure development is implementing a robust testing methodology to ensure the security measures are effective.
In-depth Defense – Another layer of security comes from detecting an intrusion if one occurs. If the industry can quickly identify if and how a vehicle is hacked, it has a better chance of responding and limiting the possibility of a large-scale attack. An intrusion detection system (IDS) integrated with an intrusion prevention system (IPS) provides the first line of notification and defense. But this "perimeter" defense alone is not sufficient. By using other proven processes and tools such as cryptography, separation of networks, least privilege and hardware root of trust within each vehicle, the industry will not only be alert, but also better able to prevent hacking attempts.
Recovery – Currently across the industry there is not an effective way to update or fix a vehicle remotely. If a vehicle is hacked, the automotive industry must be able to move quickly and widely distribute a fix to prevent the attack from spreading. Secure over-the-air (OTA) updates to connected vehicles are one solution that shows a great deal of promise. This technology, which is currently not widely used, could deliver updates and fixes and help mitigate hacking, especially as hackers become more sophisticated. However, it's important to note that while OTA is a useful tool for this application, it could also open the door to new hacking threats, as it serves as another entry point into the vehicle. The industry must focus on further developing and testing secure over-the-air updates as a tool against cybersecurity threats.
To learn more about what carmakers and their suppliers think about cyber security, download our second annual survey: Car Cybersecurity: the Gap Still Exists.
Originally published on October 31, 2016 at blog.securityinnovation.com