Some say that the automotive and transport industries trailed far behind the technology sector, until the arrival of ‘innovative’ start-ups and technology companies. However, one man disagrees.
Chris Clark, Principal Security Engineer at cybersecurity specialist Synopsys, believes that this isn’t the greatest assessment, stating that new technology is, in fact, building on the infrastructure introduced by the automotive industry itself.
“The arrival of innovative start-ups has accelerated work that was already in progress in an industry that constantly innovates,” he says. “The issue is that vehicles have not needed to address security. The drive for connectivity is a push by innovators bringing new interactions to the industry.”
Security is a key point, as vehicles up to this point have not had to prioritize the safety of their customers’ data. Now that these vehicles are becoming connected, it is vital that automakers and technology companies protect their products and customers.
A Lack of “Cyber Hygiene”
However, making this change by bringing in technology specialists from outside of the industry is not going to be as straightforward as people may think. In fact, it could be a hindrance to the automotive sector.
“To address these challenges, the automotive industry has flocked to existing technologies that have their roots in traditional IT,” adds Clark. “Be cautious, these technologies seem to address the challenges of vehicles coming out in the next few years but are not likely to scale or address the real issues of distributed development and lack of cyber hygiene.”
Even today, many technology companies are struggling with cyber attacks, which have become a game of cat-and-mouse between the two sides of the law. And, if these organisations are struggling, just think about the problems this would cause within the automotive industry.
“Manufacturers need to look at their supply chain and provide strong requirements for development to ensure the vehicle is far more resilient than they are today and the foreseeable future,” continues Clark.
Despite this, it seems that the tech start-ups entering the automotive and transport sectors are approaching the automotive industry in the same way, which, although it increases the speed of development, also rushes the rollout of software. That could be detrimental not just to the business, but also to the consumer. Electric vehicles, which can weigh up to four tonnes, are a lot more problematic than a mobile phone that can fit in your pocket.
According to Clark, the issue isn’t necessarily down to the influx of software, but the influx of poorly written software.
“The automotive space is highly regulated already but like other industries, the regulation does not look at the fundamentals of system design or security.”
He explains that standards such as ISO/SAE 21434 and work from the UNECE aim to address this but, ultimately, it is up to OEMs to do a better job of requiring more secure software solutions.
“Consumers are far more knowledgeable than ever before, but the reality is that features sell vehicles and, until the market begins to consolidate and develop better, more secure software, we will continue to experience cyber events.”
OTA Software Updates “Critical”
In a sector that requires each player to be a step ahead of not just the competition, but also cybercriminals, it is critical that over-the-air (OTA) software updates are introduced.
Clark believes that these OTA updates will play a critical role in addressing new vulnerabilities but warns me that they are not a silver bullet. In fact, he says that the process in itself will open the door to remote attack paths, which can cause even more problems if not approached correctly. Fundamentally, building a weak backend gives hackers more to exploit.
“OEMs will have to think hard and carefully about how OTA updates will be managed and what that infrastructure will look like,” he says.
Luckily, we are in the relatively early stages of the connected car, which means that we can prepare for the challenging years ahead.
“The next few years will be very interesting,” continues Clark. “We are already seeing partnerships to address technology innovation that a decade ago would never have been considered. These changes will bring a wide range of security technologies designed to protect what we might call the traditional vehicle. The real interesting piece will be the consolidation of computing capabilities in advanced vehicle designs. The amount of computing power and the proliferation of interconnections will force manufacturers to take a much closer look at the amount and type of testing that must be performed.”