New standards will require the industry’s largest organisations to reshape how they address cyber security moving forward, writes Freddie Holmes
Modern vehicles are often described as computers on wheels owing to their various electronic control units and software-based features. While the importance of vehicle cyber security has grown in recent years, it remains a relatively new and complex challenge for automakers.
A number of best practice dockets and advice sheets have been released over the years, encouraging developers to adopt certain tools or measures during the development process. These have been useful guides, but automotive cyber security is now being formally regulated. Alongside various technology requirements, upcoming standards also mean that automakers and suppliers must make cyber security a top priority.
Expected in the second half of 2021, the upcoming ISO/SAE 21434 standard aims to ensure that vehicles are secure throughout their lifecycle, with a particular focus on risk management. It also makes specific reference to the need for a strong cyber security culture at an organisational level. The standard is expected to spur a number of organisational changes for automakers, suppliers and product developers in the sector.
Dr Dennis Kengo Oka, Principal Automotive Security Strategist at global software company Synopsys, says the introduction of ISO/SAE 21434 will impact not only how businesses operate, but also the way employees think about cyber security on a day-to-day basis. “Organisations will have to change in order to meet these new requirements,” he affirms.
Change your culture
A ‘cultural shift’ is somewhat vague but can be characterised by certain initiatives and in-house policies. At a base level, employees across the organisation will need a better awareness of cyber security in general, and what they can do in terms of risk mitigation.
This will require more than just a company memo: dedicated training sessions will take place for developers and other employees directly involved in the design of a vehicle. Nominated ‘cyber security champions’ will also be required to coordinate efforts within different company divisions. Whenever a new functionality is being developed, secure design and testing must be front of mind. New budgets must also be set aside. In effect, cyber security must become a key consideration from C-suite executives through to entry level positions.
“Security has to be part of the thought process, but this is going to be quite a difficult transition for many organisations as it is a fairly new topic for the auto industry,” observes Oka. “This will require a cultural change to promote cyber security from the top down.”
The challenge in using open-source software is managing it
Cyber security enables innovation
In tandem with this cultural transition, automakers must continue to adopt solutions that can prevent a vehicle or its data from being hacked.
Synopsys, which is headquartered in California, provides a number of different tools and services that can help OEMs and suppliers to develop high quality, secure code—and fast. Its static analysis tool Coverity can scan source code and identify weakness or vulnerabilities in the code; this could be anything from buffer overflows to various memory corruption issues.
Static analysis helps to speed up what is otherwise a laborious process: manual code reviews are extremely time consuming, whereas a computer programme can perform scanning at greater speed and scale than any team of humans could. This means any errors are flagged—and fixed—at the earliest opportunity.
Another important issue is the use of open-source software, which has dramatically reduced the time and effort required to develop many of the new functions on offer in modern vehicles. However, there are concerns that errors can begin to creep in when code is reused, perhaps creating gaps in cyber security. “Large automotive organisations cannot develop everything on their own, and in many cases those open-source software components are very beneficial,” says Oka. “The challenge in using open-source software is managing it; you need to know which components and versions are being used in your products and systems, and if there are there any vulnerabilities associated with those versions.”
In 2017, Synopsys acquired Black Duck Software and now offers a product under the same name to address these challenges. Black Duck specialises in automating the management of open-source software, flagging any known security vulnerabilities or license compliance issues. Solutions such as these should not be seen as an expense or a burden, but as enablers, Oka explains. He refers to a common industry analogy: “Engineers don’t design better brakes to help cars slow down; they design better brakes to help cars go faster.” In the same way, says Oka, cyber security measures do not hold back innovation. Instead, they allow automakers to continue offering more advanced automated and connected technologies to their customers.
The journey continues
To some degree, the automotive industry has already begun to foster a culture around cyber security. In 2014, General Motors appointed its first ever cyber security chief, who would lead its strategy to protect vehicles from hackers. At the time, the automaker described this as providing a ‘competitive advantage’. “Some organisations have started their cyber security journey earlier than others,” observes Oka, “and we have seen other triggers in the past besides new regulatory standards.”
Various OEMs have proactively engaged with researchers to scout possible vulnerabilities in their vehicles; ‘bug bounties’ have offered cash rewards to each issue found, with the value increasing in relation to the potential severity of the problem. Strategic partnerships—and in some cases full acquisitions—between cyber security companies and automakers and Tier 1s have also helped to bolster the automotive industry’s capability and understanding of cyber security. Conferences such as Black Hat and Def Con have also catalysed efforts, with various ground-breaking hacks presented in detail to the public. “These kinds of forums have certainly raised awareness about automotive cyber security,” concludes Oka, “but many OEMs don’t understand that it could be their vulnerabilities that are presented next time round.”
With new standards incoming, building a culture around cyber security is no longer voluntary, and organisations must consider what will be required of them moving forward. As the automotive industry’s household names continue to arm themselves against cyber attacks, the expertise of companies already embedded in this space will prove invaluable.