1
Gene Carter
Director of Product Management
Security Innovation
Peter Samson
Vice President and General Manager
Security Innovation
Larry Ponemon
Chairman
Ponemon Institute
Walter Capitani
Product Manager
Rogue Wave Software
Car cybersecurity:
What do the automakers really think?
2
First, a few things…
• The webcast recording link and the slides will be sent to all
registrants tomorrow
• Please type all questions in the Questions dialogue box to
the right
• The Ponemon white paper can be downloaded here:
http://web.securityinnovation.com/car-security-what-automakers-think
3
The Current State of
Automotive Cyber Security
Peter Samson
Vice President and General Manager
Security Innovation
4
Source: IHS Automotive
Connected Car Market
5
$152 billion by 2020
$141 billion by 2020
$132 billion by 2020
$128 billion by 2020
$98 billion by 2018
Economic Value
6
1.7 Million
Lines of Code
6.5 Million
Lines of Code
100 Million
Lines of Code
100 ECUs
5 Networks
2 miles of cable
10+ Operating Systems
50% of total cost
The Complexity Challenge
7
What’s the Risk?
Extortion
Theft
Terrorism
Revenge
Mischief
Insurance fraud
Corporate espionage
Stalking and spying
Feature activation
Identity theft
Counterfeiting
8
Where’s the Risk?
External
Internal
Bluetooth
Internet
V2X
Key fob
LiDAR
TPMS
Wi-Fi
Tail light
Diagnostics
OBDII
USB
SD card
Aux input
DVD
CAN Bus
Touchscreen
Ethernet
Mobile phone
9
Security
Updates
Segmentation
and Isolation
Evidence
Capture
Third Party
Collaboration
Secure By
Design
Early Pressure
10
Collaborations
11
Government Shows Interest – February 2015
12
Government Asks Questions – May 2015
13
Government Asks Questions – May 2015
1. Who in your organization is responsible for evaluating, testing, and monitoring potential cyber vulnerabilities?
2. How does your organization incorporate cybersecurity best practices into your products?
3. What policies, procedures, and practices do you employ to evaluate potential cyber vulnerabilities?
4. Who in your organization is responsible for addressing potential vulnerabilities in the products of your suppliers?
5. How do you work with suppliers to minimize potential vulnerabilities?
6. How do you track or evaluate potential vulnerabilities once a product is in the field?
7. How do you, or how do you intend to, remediate vulnerabilities after a vehicle has entered the market?
8. Do you intend to use over-the-air (OTA) updates to upgrade vehicle systems or technology?
9. To what extent do existing vehicle systems and technologies utilize public key infrastructure?
10. What steps have you taken to evaluate how connected elements interact with vehicle safety systems?
11. Because vehicles interact with technologies outside the vehicle, what steps are you taking to evaluate potential vulnerabilities?
12. How do you interact with the security research community to identify potential threats and/or vulnerabilities?
13. What are the greatest challenges to cybersecurity in the industry?
14. How is the automobile industry working with the government to address the challenge of cybersecurity?
14
Cybersecurity Standards
Hacking protection
Data security
Hacking mitigation
Privacy standards
Transparency
Consumer choice
Marketing prohibition
Cyber dashboard
A window sticker showing how well the car
protects the security and privacy of the
owner.
Government Plans Action – July 2015
15
Government Piles It On – October 2015
Anti hacking provision
Unauthorized access to ECU or critical system illegal,
$100,000 fine per instance. No exceptions.
Formation of Cyber Security Advisory Panel
Standardized and controlled security best practices.
Up to $15M fines for
non-compliance
16
Hardly New News
2003 ESCAR Founded
2008 First CAN Bus Exploits
2010 Univ of WA and UCSD – Seminal demonstrations
First known “hack for real” – Texas Auto Center
2013 DARPA funds research on vulnerabilities
List of 20 most hackable cars
2015 Enters public consciousness “60 Minutes”
Dongle hacks (Progressive, Zubie, Metromile …)
BMW hack
OnStar hack and weaponization
Jeep Cherokee stunt ...
17
Application Security Maturity Model
Tools and Technology
People and Processes
Low
Low
High
High
Panic and
Scramble
Pit of Despair
Security as a Core
Business Practice
Typical
Progression
Curve
https://securityinnovation.com/services/application-security-maturity.html
18
So Let’s Ask the Automakers
• What do you know?
• How much do you care?
• What have you learned from the past?
• Are you optimistic?
• Are you ready?
19
The Survey Results
Larry Ponemon
Chairman
Ponemon Institute
20
Methods
Survey response Number %
Total sampling frame 8,891 100%
Total returns 595 6.7%
Rejected or screened surveys 71 0.8%
Final sample 524 5.9%
21
Current role within the organization
CORPORATE IT: 6%
IT SECURITY: 7%
SUPERVISOR OF SOFTWARE DEVELOPMENT: 9%
MANAGER OF SOFTWARE DEVELOPMENT: 10%
SOFTWARE DESIGNER: 14%
SOFTWARE PROGRAMMER: 17%
SOFTWARE ENGINEER: 18%
SOFTWARE DEVELOPER: 20%
22
Company’s role in the automotive industry
45% 31% 19%
5%
Manufacturer OEM Tier One Tier Two Tier Three
23
Involvement in application development
HIGH LEVEL OF INVOLVEMENT: 36%
MODERATE LEVEL OF INVOLVEMENT: 46%
LOW LEVEL OF INVOLVEMENT: 18%
24
Familiarity with company programs for securing
software for automobiles
VERY FAMILIAR: 29%
FAMILIAR: 51%
SOMEWHAT FAMILIAR: 20%
25
Current position within the organization
Executive/VP: 4%
Director: 18%
Manager: 17%
Supervisor: 17%
Technician/associate: 38%
Consultant: 5%
Other: 1%
26
# of software developers and global headcount
Global Headcount
Less than 100, 5%
100 to 500, 13%
501 to 1,000, 12%
1,001 to 5,000, 11%
5,001 to 10,000, 10%
10,001 to 25,000, 15%
25,001 to 75,000, 15%
More than 75,000, 19%
Number of Software Developers
I am an independent software developer, 10%
Less than 100, 13%
101 to 1,000, 16%
1,001 to 5,000, 25%
5,001 to 10,000, 28%
More than 10,000, 7%
27
Location of employees
UNITED STATES: 100%
CANADA: 68%
EUROPE: 70%
ASIA-PACIFIC: 58%
MIDDLE EAST & AFRICA: 41%
LATIN AMERICA (INCLUDING MEXICO): 31%
28
Hackers are actively targeting automobiles
STRONGLY AGREE: 15%
AGREE: 29%
UNSURE: 31%
DISAGREE: 18%
STRONGLY DISAGREE: 7%
29
How difficult is it to secure applications in automobiles?
VERY DIFFICULT: 36%
DIFFICULT: 33%
SOMEWHAT DIFFICULT: 21%
NOT DIFFICULT: 9%
EASY: 2%
30
Is a major overhaul of the automobile’s technology
architecture needed to make it more secure?
Yes
48%
No
40%
Unsure
12%
31
Is it possible to build a nearly hack proof automobile?
YES: 19%
NO: 47%
UNSURE: 34%
32
Why isn’t it possible to build an automobile that is
nearly hack proof?
OTHER: 3%
LACK OF EXPERTISE: 10%
ADDITIONAL COSTS TO SECURE SOFTWARE: 19%
NOT CONSIDERED IMPORTANT: 22%
TAKES TOO MUCH TIME: 22%
PRESSURE TO COMPLETE DEVELOPMENT: 24%
33
Is security being integrated into the entire software
development lifecycle or is it an add-on?
TOTALLY INTEGRATED: 14%
PARTIALLY INTEGRATED: 29%
ADDED ON: 51%
UNSURE: 7%
34
Yes, 43%
No, 42%
Unsure, 15%
Should white hat hackers be subject to the Digital
Millennium Copyright Act (DMCA)?
35
Should white hat hackers be encouraged to test the
security of automotive software?
Yes, 22%
No, 54%
Unsure, 24%
36
My company’s automotive software development
process includes activities for security requirements
STRONGLY AGREE: 15%
AGREE: 27%
UNSURE: 29%
DISAGREE: 21%
STRONGLY DISAGREE: 8%
37
What the results mean in the real
world of automotive
Walter Capitani
Product Manager
Rogue Wave Software
38
The top 3 key findings
1. Enabling technologies are not being provided to developers so they can build security into their processes
2. Developers want – but do not have – the skills necessary to combat software security threats and they do not feel they are properly trained
3. Automakers are not as knowledgeable about secure software development as other industries
39
Did you know?
60-70% of vehicle recalls are due to software glitches
Electronic components make up over 50% of the total manufacturing cost of a car
40
Security must be built-in!
1. Enabling technologies are not being provided to developers so they can build security into their processes
22% believe “security takes too much time”
22% say “security is not considered important”
More than 50% say responsibility for security responsibility– after the fact
22% report “security is not important”
41
Why build security into the development process?
– Millions of lines of code, dozens of processors, each with multiple cores
– Multiple systems interconnected
– Some designed years ago with little or no security in mind
– New code, COTS, suppliers, legacy, open source
– Different platforms, people, and processes
– Vulnerabilities and bugs will last for years
– Not an easy update/upgrade path
– Automation will be critical
– Certification is inevitable
More and more software running inside your car
Multiple sources of software being integrated
Software running your car could remain that way for many years
This requires a very significant security and functional verification process
42
Build-only analysis in dev process
43
50% of defects
introduced here
Build analysis / test
Find security defects when they are introduced
Cost of defects
44
2. Developers want – but do not have – the skills necessary to combat software security threats and they do not feel they are properly trained
Developers need your help!
Over 50% indicate that their development processes do not include any activity supporting security requirements
Only 41% agree that secure software is a priority for their company
69% believe that securing applications is difficult
45
How do hackers get in?
Data breaches are the result of one flawed assumption
Incoming data is well-formed
Most breaches result from input trust issues
Cross-site scripting
SQL injection
Unvalidated input
Heartbleed: buffer overrun
OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today
CWE is a community-driven identification of weaknesses
CWE-20: Improper Input Validation
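The "incoming data is well-formed" assumption behind the Heartbleed-style buffer overrun named on this slide, shown as an added example that is not part of the original slides: an echo handler that trusts a length field, beside one that checks it against what actually arrived. The wire format, function names and sample bytes are constructed assumptions; the record and its neighbouring data share one array so the over-read is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption for this example):
 *   [type:1][claimed_len:2, big-endian][payload: claimed_len bytes] */
#define HDR_LEN  3u
#define MSG_ECHO 0x01u

/* Naive handler: believes the length field and never consults rec_len. */
static long echo_naive(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    (void)rec_len;                        /* the bug: received size is ignored */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > out_cap)
        return -1;
    memcpy(out, rec + HDR_LEN, claimed);  /* may read past the received record */
    return (long)claimed;
}

/* Hardened handler: each field is validated against the bytes received. */
static long echo_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL || rec_len < HDR_LEN)
        return -1;                        /* too short to hold a header */
    if (rec[0] != MSG_ECHO)
        return -1;                        /* unknown message type */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR_LEN)
        return -1;                        /* claims more than was sent */
    if (claimed > out_cap)
        return -1;                        /* would overflow the reply buffer */
    memcpy(out, rec + HDR_LEN, claimed);
    return (long)claimed;
}

/* Builds a constructed record carrying the 4-byte payload "ping" whose header
 * claims claimed_len bytes, places unrelated data directly after it, and runs
 * one handler. Returns the number of bytes echoed beyond the real payload,
 * or -1 if the handler rejected the record. */
static int leaked_neighbour_bytes(int use_checked, uint16_t claimed_len)
{
    static const char payload[]   = "ping";
    static const char neighbour[] = "SESSION-KEY-PLACEHOLDER"; /* constructed */
    uint8_t arena[128] = {0};             /* simulated adjacent memory */
    uint8_t out[64];
    size_t received = HDR_LEN + 4;        /* bytes that really arrived */

    arena[0] = MSG_ECHO;
    arena[1] = (uint8_t)(claimed_len >> 8);
    arena[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(arena + HDR_LEN, payload, 4);
    memcpy(arena + received, neighbour, sizeof neighbour - 1);

    long n = use_checked ? echo_checked(arena, received, out, sizeof out)
                         : echo_naive(arena, received, out, sizeof out);
    if (n < 0)
        return -1;
    return n > 4 ? (int)(n - 4) : 0;
}

int main(void)
{
    printf("naive,   claims 27: %d extra bytes echoed\n",
           leaked_neighbour_bytes(0, 27));
    printf("checked, claims 27: %d (rejected)\n",
           leaked_neighbour_bytes(1, 27));
    printf("checked, claims 4:  %d extra bytes echoed\n",
           leaked_neighbour_bytes(1, 4));
    return 0;
}
```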
46
Mitigate security vulnerabilities
Developers don’t know security (80% failed security knowledge survey)
Development teams need:
Visibility into applications
Reports and audits of the code
Threat modeling
Penetration testing
47
3. Automakers are not as knowledgeable about secure software development as other industries
Only 28% of automakers believe that they are as knowledgeable as other industries with respect to security
47% don’t believe that making an automobile “nearly hack proof” is even possible
Only 18% indicated that their biggest concern was non-compliance with industry standards
The time is now!
48
• IT organizations have been dealing with
cybersecurity for a long time
• Many failures, but they learned from them
• Tools, policies, and processes have already
been developed
• Automakers need to catch up – fast!
Security domain knowledge is lacking
49
Move fast: Adopt and adapt
Many existing cybersecurity practices can be put to use in
automotive applications
Adopt existing tools
Find weaknesses and prove compliance
Mitigate security risks up front
Adapt them to the automotive environment
50
MISRA: Maybe I should reuse another…
51
Conclusion
1. Enabling technologies are not being provided to developers so they can build security into their processes
2. Developers want – but do not have – the skills necessary to combat software security threats and they do not feel they are properly trained
3. Automakers are not as knowledgeable about secure software development as other industries
52
Q & A
Peter Samson
Larry Ponemon
Walter Capitani

Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Car cybersecurity: What do automakers really think?

  • 1. 1 Gene Carter Director of Product Management Security Innovation Peter Samson Vice President and General Manager Security Innovation Larry Ponemon Chairman Ponemon Institute Walter Capitani Product Manager Rogue Wave Software Car cybersecurity: What do the automakers really think?
  • 2. 2 First, a few things… • The webcast recording link and the slides will be sent to all registrants tomorrow • Please type all questions in the Questions dialogue box to the right • The Ponemon white paper can be downloaded here: http://web.securityinnovation.com/car-security-what-automakers-think
  • 3. 3 The Current State of Automotive Cyber Security Peter Samson Vice President and General Manager Security Innovation
  • 5. 5 $152 billion by 2020 $141 billion by 2020 $132 billion by 2020 $128 billion by 2020 $98 billion by 2018 Economic Value
  • 6. 6 1.7 Million Lines of Code 6.5M Million Lines of Code 100 Million Lines of Code 100 ECUs 5 Networks 2 miles of cable 10+ Operating Systems 50% of total cost The Complexity Challenge
  • 7. 7 What’s the Risk? Extortion Theft Terrorism Revenge Mischief Insurance fraud Corporate espionage Stalking and spying Feature activation Identity theft Counterfeiting
  • 8. 8 Where’s the Risk? External Internal Bluetooth Internet V2X Key fob LiDAR TPMS Wi-Fi Tail light Diagnostics OBDII USB SD card Aux input DVD CAN Bus Touchscreen Ethernet Mobile phone
  • 11. 11 Government Shows Interest – February 2015
  • 13. 13 Government Asks Questions – May 2015
      1. Who in your organization is responsible for evaluating, testing, and monitoring potential cyber vulnerabilities?
      2. How does your organization incorporate cybersecurity best practices into your products?
      3. What policies, procedures, and practices do you employ to evaluate potential cyber vulnerabilities?
      4. Who in your organization is responsible for addressing potential vulnerabilities in the products of your suppliers?
      5. How do you work with suppliers to minimize potential vulnerabilities?
      6. How do you track or evaluate potential vulnerabilities once a product is in the field?
      7. How do you, or how do you intend to, remediate vulnerabilities after a vehicle has entered the market?
      8. Do you intend to use over-the-air (OTA) updates to upgrade vehicle systems or technology?
      9. To what extent do existing vehicle systems and technologies utilize public key infrastructure?
      10. What steps have you taken to evaluate how connected elements interact with vehicle safety systems?
      11. Because vehicles interact with technologies outside the vehicle, what steps are you taking to evaluate potential vulnerabilities?
      12. How do you interact with the security research community to identify potential threats and/or vulnerabilities?
      13. What are the greatest challenges to cybersecurity in the industry?
      14. How is the automobile industry working with the government to address the challenge of cybersecurity?
  • 14. 14 Cybersecurity Standards Hacking protection Data security Hacking mitigation Privacy standards Transparency Consumer choice Marketing prohibition Cyber dashboard A window sticker showing how well the car protects the security and privacy of the owner. Government Plans Action – July 2015
  • 15. 15 Government Piles It On – October 2015 Anti hacking provision Unauthorized access to ECU or critical system illegal, $100,000 fine per instance. No exceptions. Formation of Cyber Security Advisory Panel Standardized and controlled security best practices. Up to $15M fines for non-compliance
  • 16. 16 Hardly New News 2003 ESCAR Founded 2008 First CAN Bus Exploits 2010 Univ of WA and UCSD – Seminal demonstrations First known “hack for real” – Texas Auto Center 2013 DARPA funds research on vulnerabilities List of 20 most hackable cars 2015 Enters public consciousness “60 Minutes” Dongle hacks (Progressive, Zubie, Metromile …) BMW hack OnStar hack and weaponization Jeep Cherokee stunt ...
  • 17. 17 Application Security Maturity Model Tools and Technology People and Processes Low Low High High Panic and Scramble Pit of Despair Security as a Core Business Practice Typical Progression Curve https://securityinnovation.com/services/application-security-maturity.html
  • 18. 18 So Let’s Ask the Automakers: What do you know? How much do you care? What have you learned from the past? Are you optimistic? Are you ready?
  • 19. 19 The Survey Results Larry Ponemon Chairman Ponemon Institute
  • 20. 20 Methods
      Survey response | Number | %
      Total sampling frame | 8,891 | 100%
      Total returns | 595 | 6.7%
      Rejected or screened surveys | 71 | 0.8%
      Final sample | 524 | 5.9%
  • 21. 21 Current role within the organization: Corporate IT 6%; IT security 7%; Supervisor of software development 9%; Manager of software development 10%; Software designer 14%; Software programmer 17%; Software engineer 18%; Software developer 20%
  • 22. 22 Company’s role in the automotive industry 45% 31% 19% 5% Manufacturer OEM Tier One Tier Two Tier Three
  • 23. 23 Involvement in application development: High level of involvement 36%; Moderate level of involvement 46%; Low level of involvement 18%
  • 24. 24 Familiarity with company programs for securing software for automobiles: Very familiar 29%; Familiar 51%; Somewhat familiar 20%
  • 25. 25 Current position within the organization 4% 18% 17% 17% 38% 5% 1% Executive/VP Director Manager Supervisor Technician/associate Consultant Other
  • 26. 26 Less than 100, 5% 100 to 500, 13% 501 to 1,000, 12% 1,001 to 5,000, 11% 5,001 to 10,000, 10% 10,001 to 25,000, 15% 25,001 to 75,000, 15% More than 75,000, 19% # of software developers and global headcount I am an independent software developer, 10% Less than 100, 13% 101 to 1,000, 16% 1,001 to 5,000, 25% 5,001 to 10,000, 28% More than 10,000, 7% Number of Software Developers Global Headcount
  • 27. 27 Location of employees: United States 100%; Canada 68%; Europe 70%; Asia-Pacific 58%; Middle East & Africa 41%; Latin America (including Mexico) 31%
  • 28. 28 Hackers are actively targeting automobiles: Strongly agree 15%; Agree 29%; Unsure 31%; Disagree 18%; Strongly disagree 7%
  • 29. 29 How difficult is it to secure applications in automobiles? Very difficult 36%; Difficult 33%; Somewhat difficult 21%; Not difficult 9%; Easy 2%
  • 30. 30 Is a major overhaul of the automobile’s technology architecture needed to make it more secure? Yes 48% No 40% Unsure 12%
  • 31. 31 Is it possible to build a nearly hack proof automobile? Yes 19%; No 47%; Unsure 34%
  • 32. 32 Why isn’t it possible to build an automobile that is nearly hack proof? Other 3%; Lack of expertise 10%; Additional costs to secure software 19%; Not considered important 22%; Takes too much time 22%; Pressure to complete development 24%
  • 33. 33 Is security being integrated into the entire software development lifecycle or is it an add-on? Totally integrated 14%; Partially integrated 29%; Added on 51%; Unsure 7%
  • 34. 34 Yes, 43% No, 42% Unsure, 15% Should white hat hackers be subject to the Digital Millennium Copyright Act (DMCA)?
  • 35. 35 Should white hat hackers be encouraged to test the security of automotive software? Yes, 22% No, 54% Unsure, 24%
  • 36. 36 My company’s automotive software development process includes activities for security requirements: Strongly agree 15%; Agree 27%; Unsure 29%; Disagree 21%; Strongly disagree 8%
  • 37. 37 What the results mean in the real world of automotive Walter Capitani Product Manager Rogue Wave Software
  • 38. 38 Enabling technologies are not being provided to developers so they can build security into their processes Developers want – but do not have—the skills necessary to combat software security threats and they do not feel they are properly trained Automakers are not as knowledgeable about secure software development as other industries 1 2 3 The top 3 key findings
  • 39. 39 Did you know? 60-70 % of vehicle recalls are due to software glitches Electronic components make up over 50% of the total manufacturing cost of a car
  • 40. 40 Security must be built-in! Enabling technologies are not being provided to developers so they can build security into their processes1 22% believe “security takes too much time” 22% say “security is not considered important” More than 50% say responsibility for security responsibility– after the fact 22% report “security is not important”
  • 41. 41 – Millions of lines of code, dozens of processors, each with multiple cores – Multiple systems interconnected – Some designed years ago with little or no security in mind – New code, COTS, suppliers, legacy, open source – Different platforms, people, and processes – Vulnerabilities and bugs will last for years – Not an easy update/upgrade path – Automation will be critical – Certification is inevitable More and more software running inside your car More and more software running inside your car Multiple sources of software being integrated Software running your car could remain that way for many years This requires a very significant security and functional verification process Why build security into the development process?
  • 43. 43 50% of defects introduced here Build analysis / test Find security defects when they are introduced Cost of defects
  • 44. 44 Developers want – but do not have – the skills necessary to combat software security threats and they do not feel they are properly trained 2 Developers need your help! Over 50% indicate that their development processes do not include any activity supporting security requirements Only 41% agree that secure software is a priority for their company 69% believe that securing applications is difficult
  • 45. 45 How do hackers get in? Incoming data is well-formed Data breaches are the result of one flawed assumption Cross-site scripting Most breaches result from input trust issues OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today SQL injection Unvalidated input Heartbleed: buffer overrun CWE is a community-driven identification of weaknesses CWE-20: Improper Input Validation
  • 46. 46 Developers don’t know security (80% failed security knowledge survey) Visibility into applications Development teams need: Reports and audits of the code Threat modeling Penetration testing Mitigate security vulnerabilities
  • 47. 47 Automakers are not as knowledgeable about secure software development as other industries 3 Only 28% of automakers believe that they are as knowledgeable as other industries with respect to security 47% don’t believe that making an automobile “nearly hack proof” is even possible Only 18% indicated that their biggest concern was non-compliance with industry standards The time is now!
  • 48. 48 • IT organizations have been dealing with cybersecurity for a long time • Many failures, but they learned from them • Tools, policies, and processes have already been developed • Automakers need to catch up – fast! Security domain knowledge is lacking
  • 49. 49 Move fast: Adopt and adapt Many existing cybersecurity practices can be put to use in automotive applications Adopt existing tools Find weaknesses and prove compliance Mitigate security risks up front Adapt them to the automotive environment
  • 50. 50 MISRA: Maybe I should reuse another…
  • 51. 51 Enabling technologies are not being provided to developers so they can build security into their processes Developers want – but do not have—the skills necessary to combat software security threats and they do not feel they are properly trained Automakers are not as knowledgeable about secure software development as other industries 1 2 3 Conclusion
  • 52. 52 Q & A Peter Samson Larry Ponemon Walter Capitani