Automotive Cybersecurity: A Gap Still Exists

2016 Survey of Automakers and Suppliers Conducted by Ponemon Institute

Sponsored by: Security Innovation and INTEGRITY Security Services, a Green Hills Software Company


Security Innovation and INTEGRITY Security Services, 2016 Ponemon Institute Cybersecurity Survey

Most new vehicles are being connected to the Internet, other cars and mobile devices, raising many new questions about cybersecurity. With many vehicles containing more than 100 million lines of code, automakers and suppliers must change their processes to meet the complexity associated with secure software development.

To better understand this evolving challenge, Ponemon Institute, the leading independent security research organization, conducted research on the automotive industry and their attitudes about cybersecurity. The goal of this survey was to gather information on the state of the industry’s security practices and to identify any systemic changes from the equivalent 2015 Ponemon survey.

The current feedback was received from 500 respondents, all of whom are directly involved with the development of automotive software; 44% came from OEMs and the balance from Tier 1, 2, and 3 suppliers. It was clear from last year’s study that the industry was not yet sufficiently focused on cybersecurity. Although there is some positive movement in 2016, automakers and suppliers still haven’t made cybersecurity enough of a priority during vehicle development. We believe the automotive industry must undergo a significant cultural shift to address this deficiency.

Only 52% of survey respondents believe that hackers are actively targeting automobiles, compared to 44% of respondents in the previous year’s survey. Automotive OEMs appear to be more aware of the security and safety vulnerabilities in cars than their suppliers, by a gap of nearly 10%, with the suppliers lagging behind. An unsettling finding is that developers are significantly less confident that security is a priority than are their managers, suggesting that the message has yet to permeate all levels of an organization.

During August 2016, the Ponemon Institute conducted a cybersecurity survey of more than 500 automotive developers, programmers, engineers, and executives from automakers (OEMs) and their electronics suppliers. Sponsored by Security Innovation and INTEGRITY Security Services, a Green Hills Software company, the survey’s key findings include:

A growing concern that hackers are actively targeting automobiles.

OEMs are more concerned about automobiles being hacked than are their suppliers.

The lack of skilled personnel and requirements, and pressure to meet release dates, are the main impediments to secure software development.

Insufficient use of cryptography.

Legacy technology is hindering the ability to make vehicles more secure.

Automakers believe they are not as knowledgeable about secure software development as other industries.

There is little clarity or consensus regarding a single point of responsibility for a secure development process.

On the positive side, there is a small but statistically significant trend toward a more mature approach to securing vehicles.

Executive Summary: Protecting today’s increasingly connected vehicle

Concern about hacking has grown, but industry response remains weak

ARE HACKERS TARGETING CARS? (chart): Agree 52%, Disagree 20%, Unsure 28%

IS SECURITY A PRIORITY FOR YOUR COMPANY? (chart): Management: Agree 61%, Disagree 39%. Workers: Agree 45%, Disagree 55%.


Despite over half of the industry believing that hackers are actively targeting automobiles, only 54% of respondents agree that security is a priority for their company. This puts the automotive industry near the bottom of the industries that treat security as a priority, with financial at the top (73%), followed by healthcare (67%), technology and software (63%) and education and research (62%). Moreover, less than half (42%) of the respondents agreed that their company’s development processes include rigorous security requirements, design, implementation and testing. So although the industry has begun to accept the fact that automobile hacking is a real threat, there has been little change in the behavior of automakers and suppliers to address the growing concern.

When asked to rank the main challenges to securing automobile software, respondents reported lack of skilled personnel and pressure to release (65% each), followed by insufficient resources (58%), lack of defined corporate application security policies (43%), lack of formal security requirements (34%), adding too much time to the software development process (18%) and lastly, being too expensive (11%). This is similar to the 2015 responses, with pressure to release being the only factor that significantly increased, from 54% to 65%.

CHALLENGES TO SECURING AUTOMOBILE SOFTWARE (chart, 2016 versus 2015 responses, 0% to 100% scale): Insufficient Resources; Lack of skilled personnel; Pressure to release; Lack of defined corporate policies; Lack of formal security requirements; Adds too much time to the software development process; Too Expensive*. *Response wasn't available in 2015.

The survey respondents increasingly feel it is very hard to build a secure vehicle, with an average of 55% indicating it is not possible to make a “nearly hack-proof automobile.” This is an 8% increase in perceived difficulty since the last survey. The automotive suppliers are even more pessimistic than the OEMs, with 61% (versus 47%) believing it is not possible to build a hack-proof automobile. This suggests that the industry better understands the challenge it faces and reinforces the need for companies to accelerate secure development training, build sound security processes and create awareness across their organization.

The study uncovered a number of barriers that, unfortunately, indicate the automotive industry is not focused on secure product development.

These barriers could be addressed by both OEMs and suppliers; however, it will take significant investment in resources to improve these three areas, which are critical to secure vehicle development.

Another barrier to cybersecurity, and one where the industry has less control, is the prevalence of legacy technology. A significant number (55%) find this is a major obstacle to improving cybersecurity. Current CAN and OBD-II functionality are hindering progress toward making vehicles more secure. Interestingly, OEMs see legacy technology as a greater setback (61%) compared to suppliers (50%), which can be considered a positive sign that OEM requirements may soon change.

Although improving, it’s clear OEMs and suppliers need to make substantive changes to their processes in order to ensure that security is a priority throughout the design and development life cycle. To be most effective, cybersecurity must become an imperative during the earliest stages of vehicle or component design and not be relegated to an add-on activity. However, the survey showed that only 15% of respondents feel security is totally integrated into the development process, while 47% believe that it is added at the end of development. Not only is security not integrated internally, the research found that more than half (55%) of companies do not integrate security architecture into the entire supply chain and partner network. Until good security practices are carried through every step of development and testing, by both the OEMs and their suppliers, automobiles will remain vulnerable to hacking.

Cybersecurity remains an afterthought

KNOWLEDGE: 39% of those polled believe that automakers are not as knowledgeable as other industries about secure platform development, bringing the lack of basic knowledge to the forefront of barriers.

TECHNOLOGY: Only 40% of supplier respondents (versus 54% for OEMs) stated that they have the enabling technology to ensure automotive development is secure.

TRAINING: Just under half (49%) of those surveyed believe engineers and developers have the proper training in secure architecture and coding practices.


Additionally, the industry has remained consistent year-over-year with the methods used to ensure code is secure, with automated scanning during development rating highest (65% in 2016, 63% in 2015), followed by automated scanning after release (48% in 2016, 50% in 2015), and manual penetration testing by internal teams or a third party (41% in 2016, 36% in 2015).

The research also identified a variety of system security alternatives being deployed, with more than half (53%) indicating they are using secure boot, 44% using encrypted communication, 42% using encrypted data in storage and 39% endpoint authentication.

While it is encouraging to see security tools, secure boot and encryption being used more frequently, the percentage of companies using these tools and technologies is still too low. And only 24% (unchanged from last year) use Threat Modeling or other high-level risk assessment tools, which are a proven way to identify security holes early in the development process, where they are most efficiently (and cheaply) fixed.

Although the year-over-year results of this Ponemon study have shown improvement in some areas of automotive cybersecurity, much work still needs to be done. To successfully protect a fleet of vehicles from a scalable hack, the industry must adopt a top-down culture of cybersecurity, not unlike it has done with safety and quality. By making security a priority throughout all phases of a vehicle lifecycle (design, development, test and service), both OEMs and suppliers have a better chance at delivering a connected vehicle that can withstand hacking attempts.

Connected cars are here and along with them come a host of new safety features and vulnerability to hackers. We can conclude that automakers and suppliers alike are struggling to integrate new methodologies and software into their automotive development process to combat these new threats. Contrary to public statements by the automakers, the Ponemon survey shows that OEMs and their suppliers, although making some progress, continue to be challenged by cybersecurity and have not made it one of their top priorities.

Some steps are being taken

Automotive industry must adopt a culture of security

SYSTEM SECURITY FEATURES IN USE (chart, 0% to 60% scale): Secure Boot; Encrypted Communication; Encrypted Data in Storage; Endpoint Authentication; Other.

The study shows that the perceived responsibility of secure development falls into many laps and, alarmingly, 19% of respondents believe that no one bears the overall responsibility of ensuring security in their automotive development process.

For those who named a role most responsible and accountable for security in the development process, respondents cited the Chief Information Officer (22%), followed by Chief Information Security Officer (17%), Quality Assurance (18%), developers (12%) and partners (11%).

Similarly, when asked who is most responsible and accountable for security of digital trust assets in the manufacturing process, Chief Information Officer ranked first with 36% followed by Chief Information Security Officer (21%), partners (13%), Quality Assurance (5%) and developers (4%). In this category, 18% said no one.

When asked if OEMs should be liable for security vulnerabilities in their suppliers’ designs, 49% of respondents agreed. Not surprisingly, when broken down further, 52% of suppliers agreed with this statement and only 34% of OEMs agreed.

If the responsibility and accountability is being left to lower levels of the organization, being passed on to suppliers or worse yet, left to nobody in particular, then it is clear that security is not a priority.

Even though the study reveals that security is not a priority throughout the industry, many companies are not simply sitting back and ignoring the problem. Nearly half of companies (46%) are using cryptography as part of their secure software development. A third (33%) of those who do not use it state there is no explicit requirement to do so, followed by lack of knowledge (25%) and that cryptography is too expensive (21%).

WHO IS MOST RESPONSIBLE AND ACCOUNTABLE FOR SECURITY (chart): CIO 23%, CISO 17%, Quality Assurance 18%, Partner 11%, Developer 12%, No One 19%

Uncertainty on who is responsible for cybersecurity

19% of respondents believe that no one bears the overall responsibility


Securing Software in the Connected World

Aerolink – Secure V2V Communications: The leading commercial software implementation of the IEEE 1609.2 and ETSI TS 103 097 security protocol.

Secure Transportation Infrastructure Consulting: We have world-renowned expertise and thought leadership for the design of Secure Credential Management (SCMS) for national providers of Intelligent Transportation Systems.

Automotive Centers of Excellence (ACE) offers application security services for the automotive industry, including: Software Assessment, Attack Simulations and Pen Testing and Developer Cyber Security Training.

www.securityinnovation.com

Experts in End-to-End Embedded Security

Automotive Cryptographic Libraries (FIPS 140-2, NIAP).

The first automotive root certificate authority and provider of production V2X and C2X digital certificates.

Security Infrastructures for the Most Complex Supply Chains.

www.ghsiss.com

A Green Hills Software Company

© Security Innovation and INTEGRITY Security Services. All rights reserved.