Car cybersecurity: What do automakers really think?
1. 1
Gene Carter
Director of Product Management
Security Innovation
Peter Samson
Vice President and General Manager
Security Innovation
Larry Ponemon
Chairman
Ponemon Institute
Walter Capitani
Product Manager
Rogue Wave Software
Car cybersecurity:
What do the automakers really think?
2. 2
First, a few things…
• The webcast recording link and the slides will be sent to all
registrants tomorrow
• Please type all questions in the Questions dialogue box to
the right
• The Ponemon white paper can be downloaded here:
http://web.securityinnovation.com/car-security-what-automakers-think
3. 3
The Current State of
Automotive Cyber Security
Peter Samson
Vice President and General Manager
Security Innovation
5. 5
$152 billion by 2020
$141 billion by 2020
$132 billion by 2020
$128 billion by 2020
$98 billion by 2018
Economic Value
6. 6
1.7 Million
Lines of Code
6.5M Million
Lines of Code
100 Million
Lines of Code
100 ECUs
5 Networks
2 miles of cable
10+ Operating Systems
50% of total cost
The Complexity Challenge
13. 13
Government Asks Questions – May 2015
1. Who in your organization is
responsible for evaluating,
testing, and monitoring
potential cyber
vulnerabilities?
2. How does your organization
incorporate cybersecurity
best practices into your
products?
3. What policies, procedures,
and practices do you employ
to evaluate potential cyber
vulnerabilities?
4. Who in your organization is
responsible for addressing
potential vulnerabilities in the
products of your suppliers
5. How do you work with
suppliers to minimize
potential vulnerabilities?
6. How do you track or evaluate
potential vulnerabilities once
a product is in the field?
7. How do you, or how do you
intend to, remediate
vulnerabilities after a vehicle
has entered the market?
8. Do you intend to use over -
the -air (OTA) updates to
upgrade vehicle systems or
technology?
9. To what extent do existing
vehicle systems and
technologies utilize public key
infrastructure
10. What steps have you taken to
evaluate how connected
elements interact with vehicle
safety systems?
11. Because vehicles interact
with technologies outside the
vehicle, what steps are you
taking to evaluate potential
vulnerabilities?
12. How do you interact with the
security research community
to identify potential threats
and/or vulnerabilities?
13. What are the greatest
challenges to cybersecurity in
the industry?
14. How is the automobile
industry working with the
government to address the
challenge of cybersecurity
14. 14
Cybersecurity Standards
Hacking protection
Data security
Hacking mitigation
Privacy standards
Transparency
Consumer choice
Marketing prohibition
Cyber dashboard
A window sticker showing how well the car
protects the security and privacy of the
owner.
Government Plans Action – July 2015
15. 15
Government Piles It On – October 2015
Anti hacking provision
Unauthorized access to ECU or critical system illegal,
$100,000 fine per instance. No exceptions.
Formation of Cyber Security Advisory Panel
Standardized and controlled security best practices.
Up to $15M fines for
non-compliance
16. 16
Hardly New News
2003 ESCAR Founded
2008 First CAN Bus Exploits
2010 Univ of WA and UCSD – Seminal demonstrations
First known “hack for real” – Texas Auto Center
2013 DARPA funds research on vulnerabilities
List of 20 most hackable cars
2015 Enters public consciousness “60 Minutes”
Dongle hacks (Progressive, Zubie, Metromile …)
BMW hack
OnStar hack and weaponization
Jeep Cherokee stunt ...
17. 17
Application Security Maturity Model
ToolsandTechnology
People and Processes
Low
Low
High
High
Panic and
Scramble
Pit of Despair
Security as a Core
Business Practice
Typical
Progression
Curve
https://securityinnovation.com/services/application-security-maturity.html
18. 18
So Let’s Ask the Automakers
What do you know?
How much do you care?
What have you learned from the past?
Are you optimistic?
Are you ready?
20. 20
Methods
Survey response Number %
Total sampling frame 8,891 100%
Total returns 595 6.7%
Rejected or screened surveys 71 0.8%
Final sample 524 5.9%
21. 21
Current role within the organization
0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20%
CORPORATE IT
IT SECURITY
SUPERVISOR OF SOFTWARE DEVELOPMENT
MANAGER OF SOFTWARE DEVELOPMENT
SOFTWARE DESIGNER
SOFTWARE PROGRAMMER
SOFTWARE ENGINEER
SOFTWARE DEVELOPER
6%
7%
9%
10%
14%
17%
18%
20%
22. 22
Company’s role in the automotive industry
45% 31% 19%
5%
Manufacturer OEM Tier One Tier Two Tier Three
23. 23
Involvement in application development
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
HIGH LEVEL OF INVOLVEMENT
MODERATE LEVEL OF INVOLVEMENT
LOW LEVEL OF INVOLVEMENT
36%
46%
18%
24. 24
Familiarity with company programs for securing
software for automobiles
0%
10%
20%
30%
40%
50%
60%
VERY FAMILIAR FAMILIAR SOMEWHAT FAMILIAR
29% 51% 20%
25. 25
Current position within the organization
4%
18%
17%
17%
38%
5% 1%
Executive/VP
Director
Manager
Supervisor
Technician/associate
Consultant
Other
26. 26
Less than 100,
5%
100 to 500, 13%
501 to 1,000,
12%
1,001 to 5,000,
11%
5,001 to 10,000,
10%
10,001 to
25,000, 15%
25,001 to
75,000, 15%
More than
75,000, 19%
# of software developers and global headcount
I am an independent software
developer , 10%
Less than 100,
13%
101 to 1,000,
16%1,001 to 5,000,
25%
5,001 to 10,000,
28%
More than
10,000, 7%
Number of Software Developers Global Headcount
29. 29
How difficult is it to secure applications in automobiles?
0%
5%
10%
15%
20%
25%
30%
35%
40%
VERY DIFFICULT DIFFICULT SOMEWHAT
DIFFICULT
NOT DIFFICULT EASY
36% 33% 21% 9% 2%
30. 30
Is a major overhaul of the automobile’s technology
architecture needed to make it more secure?
Yes
48%
No
40%
Unsure
12%
31. 31
Is it possible to build nearly hack proof automobile?
0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
50%
YES NO UNSURE
19% 47% 34%
32. 32
Why isn’t it possible to build an automobile that is
nearly hack proof?
0% 5% 10% 15% 20% 25%
OTHER
LACK OF EXPERTISE
ADDITIONAL COSTS TO SECURE SOFTWARE
NOT CONSIDERED IMPORTANT
TAKES TOO MUCH TIME
PRESSURE TO COMPLETE DEVELOPMENT
3%
10%
19%
22%
22%
24%
33. 33
Is security being integrated into the entire software
development lifecycle or is it an add-on?
0%
10%
20%
30%
40%
50%
60%
TOTALLY INTEGRATED PARTIALLY INTEGRATED ADDED ON UNSURE
14% 29% 51%
7%
34. 34
Yes, 43%
No, 42%
Unsure, 15%
Should white hat hackers be subject to the Digital
Millennium Copyright Act (DMCA)?
35. 35
Should white hat hackers be encouraged to test the
security of automotive software?
Yes, 22%
No, 54%
Unsure,
24%
36. 36
My company’s automotive software development
process includes activities for security requirements
0%
5%
10%
15%
20%
25%
30%
STRONGLY AGREE AGREE UNSURE DISAGREE STRONGLY
DISAGREE
15% 27% 29% 21%
8%
37. 37
What the results mean in the real
world of automotive
Walter Capitani
Product Manager
Rogue Wave Software
38. 38
Enabling technologies are not being provided to developers so they can build security
into their processes
Developers want – but do not have—the skills necessary to combat software security
threats and they do not feel they are properly trained
Automakers are not as knowledgeable about secure software development as other
industries
1
2
3
The top 3 key findings
39. 39
Did you know?
60-70 % of vehicle
recalls are due to
software glitches
Electronic components make
up over 50% of the total
manufacturing cost of a car
40. 40
Security must be built-in!
Enabling technologies are not being provided to developers so they can build security
into their processes1
22% believe
“security takes
too much time”
22% say
“security is not
considered
important”
More than 50% say
responsibility for security
responsibility– after the
fact
22% report
“security is not
important”
41. 41
– Millions of lines of code, dozens of
processors, each with multiple cores
– Multiple systems interconnected
– Some designed years ago with little or no
security in mind
– New code, COTS, suppliers, legacy, open
source
– Different platforms, people, and processes
– Vulnerabilities and bugs will last for years
– Not an easy update/upgrade path
– Automation will be critical
– Certification is inevitable
More and more software running inside
your car
More and more software running inside your
car
Multiple sources of software being
integrated
Software running your car could remain
that way for many years
This requires a very significant security and
functional verification process
Why build security into the development process?
43. 43
50% of defects
introduced here
Build analysis / test
Find security defects when they are introduced
Cost of defects
44. 44
Developers want – but do not have—the skills necessary to combat software security
threats and they do not feel they are properly trained2
Developers need your help!
Over 50%
indicate that their
development
processes do not
include any activity
supporting security
requirements
Only 41% agree
that secure
software is a
priority for their
company
69% believe
that securing
applications is
difficult
45. 45
How do hackers get in?
Incoming data
is well-
formed
Data breaches are the result of one flawed assumption
Cross-site
scripting
Most breaches result from input trust issues
OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today
SQL injection
Unvalidated
input
Heartbleed:
buffer overrun
CWE is a community-driven identification of weaknesses
CWE-20: Improper Input Validation
46. 46
Developers don’t know security
(80% failed security knowledge survey)
Visibility into
applications
Development teams need:
Reports and
audits of the
code
Threat
modeling
Penetration
testing
Mitigate security vulnerabilities
47. 47
Automakers are not as knowledgeable about secure software development as other
industries3
Only 28% of
automakers believe
that they are as
knowledgeable as
other industries with
respect to security
47% don’t believe
that making an
automobile “nearly
hack proof” is even
possible
Only 18% indicated
that their biggest
concern was non-
compliance with
industry standards
The time is now!
48. 48
• IT organizations have been dealing with
cybersecurity for a long time
• Many failures, but they learned from them
• Tools, policies, and processes have already
been developed
• Automakers need to catch up – fast!
Security domain knowledge is lacking
49. 49
Move fast: Adopt and adapt
Many existing cybersecurity practices can be put to use in
automotive applications
Adopt existing tools
Find weaknesses and prove compliance
Mitigate security risks up front
Adapt them to the automotive environment
51. 51
Enabling technologies are not being provided to developers so they can
build security into their processes
Developers want – but do not have—the skills necessary to combat
software security threats and they do not feel they are properly trained
Automakers are not as knowledgeable about secure software development
as other industries
1
2
3
Conclusion