New research highlights the gap between automotive manufacturers’ security capabilities and their desire to address cybersecurity issues, writes Matan Scharf, senior security solutions manager at Synopsys.
Cybersecurity is an issue of public safety, especially for smart cars and the automotive industry as vehicles become connected, mobile computers, with all the risks inherent to software security.
There is a gap in the research looking at how the automotive industry is addressing those risks: a study conducted by the Ponemon Institute on behalf of Synopsys and SAE International ventured to fill this gap by surveying 593 professionals responsible for contributing to or assessing the security of automotive components.
The findings revealed that automotive manufacturers are struggling to secure the technologies used in their products and are failing to keep up with the ever-evolving cybersecurity landscape. Respondents demonstrated significant awareness of the problem and a strong desire to see things improve.
The roots of the cybersecurity problem in the automotive industry can be traced back to organisational and technical dynamics, product development and security practices, and supply chain.
Organisational dynamics and challenges
Over half of the respondents (52%) said they were aware of potential harm to drivers because of unsecure automotive technologies, produced either by their organisations or by third-party suppliers. Worryingly, however, 31% of them didn’t feel empowered to raise those concerns to upper management, revealing a communication disconnect that hinders progress and prevents security from becoming the priority it should be.
Moreover, 62% of surveyed professionals believed that either a malicious or proof-of-concept attack was likely to occur against automotive software, technology, or components in the next 12 months, but two-thirds (69%) admitted they would not escalate their worries up the chain of command.
Indeed, 30% of the surveyed professionals acknowledged that their organisation’s approach to cybersecurity didn’t currently include a dedicated, central cybersecurity team to guide and support product development teams. Half of the sample also confirmed that the information security skills gap was as real in the automotive industry as it was in any other: 51% stated that they did not think their organisation possessed the necessary workforce or the budget to address cybersecurity risks.
Technical dynamics and challenges
Automotive engineers, product developers, and IT professionals highlighted several major concerns around the technical dynamics of their organisation. Overall, 84% of respondents admitted they were concerned with the ability of cybersecurity practices to keep pace with changing technology. As many as 37% placed their concerns at the high end of the spectrum and stated they were “very concerned” that RF technologies, telematics, and self-driving software were making their way into vehicles without the appropriate risk management in place.
Most respondents (71%) indicated strict time-to-market schedules as one of the causes of software vulnerabilities in modern vehicles, but lack of understanding and training on secure coding practices (60%) and accidental coding errors (55%) also featured among the top three factors. Lack of quality assurance and testing procedures was a close fourth, with 50% of surveyed professionals believing that this oversight was also a reason behind vulnerabilities in automotive technologies developed by their organisation.
Product development and security practices
The established common practice for product security is to adopt a risk-based, process-driven approach to cybersecurity, which should be integrated throughout the entire product development life cycle. However, the survey found that less than half of the companies (47%) assessed vulnerabilities in the requirements and design phase or the development and testing phase.
What once might have been considered overhead is now a consensus among professionals. The advantages of integrating security into the product development life cycle are obvious. Integrated security ensures that issues are discovered and addressed earlier in development and the overall time to market is reduced with fewer compromises on quality. This limits the likelihood of triggering recalls and, in some cases, regulatory fines.
Interestingly, 63% of respondents stated that their organisation tested less than 50% of hardware, software, and other technology for vulnerabilities. Combined with the statements that unsecure automotive technology negatively affects business interests by delaying release dates, these figures suggest that tests on certain components are scrapped for the sake of meeting time-to-market targets.
Supply chain and third-party component challenges
A fourth cause of concern regarding automotive security is the complex and disparate supply chain, which can lead to quality issues and security vulnerabilities. Only 44% of respondents stated that their organisation imposed cybersecurity standards on their upstream suppliers, making it perhaps less surprising that 73% of them described themselves as “very concerned” about the cybersecurity posture of automotive software, technology, and components supplied by third parties.
Finding the right combination of people, processes, and technology is the key to success, and both training new professionals and retraining the existing workforce remain organisations’ best defense against the security threats that the industry faces.
Cybersecurity shouldn’t be viewed as a cost centre and tacked on at the end of production. Instead, it should be thought of as an investment programmed into every step of the system engineering process that guides the entire product development life cycle. The automotive industry can enjoy a wide range of solutions through guidance, best practices, and standards developed in other industries.
It is possible
Achieving rapid time to market while ensuring security, quality, and safety is possible. Although some organisations aren’t there yet, the respondents to this survey acknowledged their limitations and seemed to have a good handle on where their processes could use a boost.
Though some of the figures in the report are discouraging, the trend that emerges is that of a workforce eager to see things change and prepared to make the shift.
The author of this blog is Matan Scharf, senior security solutions manager at Synopsys.