Automotive cybersecurity: Growing technology needs a broader safety net
Think secure, vigilant, resilient
New technologies will connect, automate, and ultimately drive our vehicles. They will become part of an interconnected vehicle ecosystem, vulnerable to the same cyber security risks as other information ecosystems. Security, vigilance, and resilience are the hallmarks of cyber risk management and information security in more familiar information ecosystems. With the safety of human passengers at stake, these three principles should also guide cybersecurity in the evolving mobility ecosystem.
Secure, vigilant, and resilient vehicle ecosystems
Technology is claiming a greater and greater place in our cars, all in the name of improving customer experience, safety, and security. Consumers expect these components, systems, and services to keep us safe. It is critical to making sure any vehicle ecosystem has three mutually reinforcing properties:
Secure: Prevention is worth more than a cure, and effective risk management begins by preventing system breaches or compromises.
Vigilant: Hardware and software can degrade, the nature and intensity of attacks can change, and no level of security is perfect. Security must be complemented by monitoring to determine whether a system is still secure or has been compromised.
Resilient: When a breach occurs, limiting the damage and reestablishing normal operations are much more easily and effectively done when there are processes in place to quickly neutralize threats, prevent further spread, and recover. Remember the definition of “fail-safe”—not safety from failure, but safety during failure.
Read the full supplement "Examining the evolving mobility ecosystem" here.
Securing vehicles of the future
A typical automobile today contains about 70 computational systems running up to 100 million lines of programming code—twice as many lines of code as the Windows Vista operating system. Security must inform design from the outset.
We have seen a broad set of responses to the risks. For example, Senator Markey introduced the Security and Privacy in Your Car Act of 2015, which would begin the process of developing motor vehicle cybersecurity regulations. The National Highway Traffic Safety Administration (NHTSA) meets regularly with the technical leads at OEMs and Tier 1 suppliers regarding their cybersecurity initiatives, processes, risk assessment, and product/process plans to design security into their products. NHTSA also works closely with other federal organizations with interests in automotive cyber security like DARPA, the U.S. Department of Homeland Security (DHS), and the National Institute of Standards and Technology (NIST).
As vehicles continue to expand in complexity, the attack surface of an automobile expands. A single vulnerable device can leave an entire automotive ecosystem open to attack and the potential exposure ranges from inconvenience to massive safety breakdowns. In the face of such challenges, automakers can remain secure, vigilant, and resilient by taking several steps to safeguard their ecosystems and the data they create:
- Expand the regulatory, risk, and cybersecurity dialogue to enhance overall vehicle safety, security, and privacy
- Cultivate the industry’s cybersecurity talent, methodologies, expertise, and awareness
- Build secure product development and software coding regimens —with heavy involvement from security professionals
- Create robust technology and monitoring capabilities and share information across the industry on evolving threats and responses
- Build for resilience: Establish capabilities within the vehicle, its ecosystem, and supply chain for avoiding attacks, repairing vulnerabilities, and responding to attacks
In the IoT, the many data-driven components of a car will form a rolling ecosystem. The car itself will be one component of a larger ecosystem. And the whole thing will be moving at highway speed, with people’s lives and their personal information as the cargo. Cyber threats and cyber security have paced each other in an arms race for many years. But now, those dual forces have a new field of battle.
The prospects for creating and operating within a seamless, secure network—with or without external partners—may seem daunting. Vulnerabilities exist on all sides. Security cannot be an afterthought—it must be integral throughout the design process. Connected product and services that blend a deep understanding of the myriad of use cases with knowledge of multilayered cyber risk management techniques can create customer experiences that are secure, vigilant, and resilient.