The auto industry now has at least a couple of “best practices” guides for cybersecurity.
One, from the Automotive Information Sharing and Analysis Center (Auto ISAC), was released about a month ago and generated a flurry of stories that highlighted the group’s exhortations to automakers to start building security into their software from the ground up – from design through production.
Another is from Intel Security, which released a white paper earlier this month titled "Automotive Security Best Practices," a set of “recommendations for building security into the design, fabrication and operation phases of the automotive production process,” according to McAfee blogger Lorie Wigle (McAfee was acquired by Intel in 2011).
“More than just a set of recommendations, this paper is a call to action for the industry to integrate best practices into their processes now to achieve automotive security,” she wrote.
And, a cynic might add, a long-delayed call to action. While welcome in the security community, the call for best practices also raises the question of why it has taken so long to put a serious focus on automotive cybersecurity.
“Cars and drones can be hardened in a way that will make the risk of cyber hacking tamed to levels that are close to zero.”
David Barzilai, cofounder, Karamba Security
Vehicles have been increasingly “connected” for decades – and the attack surface is now, according to more than one study, varied and porous.
GPS became available in production cars in the mid-1990s, Bluetooth started becoming common by 2007 and Wi-Fi connectivity arrived several years later, along with video chat and streaming content. That connectivity has also made vehicles “smarter” – they can call 911 if there is a crash, and many have accident-avoidance features built into them.
All of which has improved physical safety and made vehicles into entertainment centers. But it has also made them much more vulnerable. Anything that is connected is hackable.
In a white paper titled "Commonalities in Vehicle Vulnerabilities," released earlier this month, the cybersecurity firm IOActive noted the breadth of the attack surface – data can enter vehicles through cellular radio, Bluetooth, Wi-Fi, V2V radio, infotainment media, companion apps and Zigbee radio.
The company said it had spent 16,000 hours researching vehicle cybersecurity since 2013 and, using a formula combining how serious a vulnerability is and how likely it is to be exploited, ranked 22 percent of more than 150 vulnerabilities it found as critical. “These are the high-priority ‘hair on fire’ vulnerabilities that are easily discovered and exploited and can cause major impacts to the system or component,” wrote Corey Thune, senior security consultant and the report’s author.