Car Cybersecurity: What do Automakers Really Think?
Post on 24-Jan-2017
391 Views
Preview:
Transcript
1
Gene CarterDirector of Product ManagementSecurity Innovation
Peter SamsonVice President and General ManagerSecurity Innovation
Larry PonemonChairmanPonemon Institute
Walter CapitaniProduct ManagerRogue Wave Software
Car cybersecurity:What do the automakers really think?
2
First, a few things…
• The webcast recording link and the slides will be sent to all registrants tomorrow
• Please type all questions in the Questions dialogue box to the right
• The Ponemon white paper can be downloaded here:http://web.securityinnovation.com/car-security-what-automakers-think
3
The Current State of Automotive Cyber Security
Peter SamsonVice President and General ManagerSecurity Innovation
4
Source: IHS Automotive
Connected Car Market
5
$152 billion by 2020
$141 billion by 2020
$132 billion by 2020
$128 billion by 2020
$98 billion by 2018
Economic Value
6
1.7 MillionLines of Code
6.5M MillionLines of Code
100 MillionLines of Code
100 ECUs5 Networks
2 miles of cable10+ Operating Systems
50% of total cost
The Complexity Challenge
7
What’s the Risk?
Extortion
Theft
Terrorism
Revenge
Mischief
Insurance fraudCorporate espionage
Stalking and spying
Feature activation
Identity theft Counterfeiting
8
Where’s the Risk?Ex
tern
alInternal
Bluetooth
Internet
V2X
Key fob
LiDAR
TPMS
Wi-Fi
Tail light
Diagnostics
OBDII
USB
SD card
Aux input
DVD
CAN Bus
Touchscreen
Ethernet
Mobile phone
9
SecurityUpdates
Segmentation and Isolation
Evidence Capture
Third PartyCollaboration
Secure ByDesign
Early Pressure
10
Collaborations
11
Government Shows Interest – February 2015
12
Government Asks Questions – May 2015
13
Government Asks Questions – May 20151. Who in your organization is
responsible for evaluating, testing, and monitoring potential cyber vulnerabilities?
2. How does your organization incorporate cybersecurity best practices into your products?
3. What policies, procedures, and practices do you employ to evaluate potential cyber vulnerabilities?
4. Who in your organization is responsible for addressing potential vulnerabilities in the products of your suppliers
5. How do you work with suppliers to minimize potential vulnerabilities?
6. How do you track or evaluate potential vulnerabilities once a product is in the field?
7. How do you, or how do you intend to, remediate vulnerabilities after a vehicle has entered the market?
8. Do you intend to use over -the -air (OTA) updates to upgrade vehicle systems or technology?
9. To what extent do existing vehicle systems and technologies utilize public key infrastructure
10. What steps have you taken to evaluate how connected elements interact with vehicle safety systems?
11. Because vehicles interact with technologies outside the vehicle, what steps are you taking to evaluate potential vulnerabilities?
12. How do you interact with the security research community to identify potential threats and/or vulnerabilities?
13. What are the greatest challenges to cybersecurity in the industry?
14. How is the automobile industry working with the government to address the challenge of cybersecurity
14
Cybersecurity StandardsHacking protectionData securityHacking mitigation
Privacy standardsTransparencyConsumer choiceMarketing prohibition
Cyber dashboardA window sticker showing how well the car protects the security and privacy of the owner.
Government Plans Action – July 2015
15
Government Piles It On – October 2015
Anti hacking provision
Unauthorized access to ECU or critical system illegal, $100,000 fine per instance. No exceptions.
Formation of Cyber Security Advisory Panel
Standardized and controlled security best practices. Up to $15M fines fornon-compliance
16
Hardly New News
2003 ESCAR Founded2008 First CAN Bus Exploits2010 Univ of WA and UCSD – Seminal demonstrations
First known “hack for real” – Texas Auto Center2013 DARPA funds research on vulnerabilities
List of 20 most hackable cars2015 Enters public consciousness “60 Minutes”
Dongle hacks (Progressive, Zubie, Metromile …)BMW hackOnStar hack and weaponizationJeep Cherokee stunt ...
17
Application Security Maturity Model
Tool
s and
Tech
nolo
gy
People and ProcessesLow
Low
High
High
Panic andScramble Pit of Despair Security as a Core
Business Practice
TypicalProgression
Curve
https://securityinnovation.com/services/application-security-maturity.html
18
So Let’s Ask the Automakers
What do you know? How much do you care? What have you learned from the past? Are you optimistic? Are you ready?
19
The Survey Results
Larry PonemonChairmanPonemon Institute
20
MethodsSurvey response Number %
Total sampling frame 8,891 100%
Total returns 595 6.7%
Rejected or screened surveys 71 0.8%
Final sample 524 5.9%
21
Current role within the organization
Corporate IT
IT security
Supervisor of software development
Manager of software development
Software designer
Software programmer
Software engineer
Software developer
0% 2% 4% 6% 8% 10% 12% 14% 16% 18% 20%
6%
7%
9%
10%
14%
17%
18%
20%
22
Company’s role in the automotive industry
Manufacturer OEM Tier One Tier Two Tier Three
45% 31% 19%
5%
23
Involvement in application development
High level of involvement
Moderate level of involvement
Low level of involvement
0% 5% 10% 15% 20% 25% 30% 35% 40% 45% 50%
36%
46%
18%
24
Familiarity with company programs for securing software for automobiles
Very familiar Familiar Somewhat familiar0%
10%
20%
30%
40%
50%
60%
29%51%
20%
25
Current position within the organization
4%18%
17%
17%
38%
5% 1%Executive/VPDirectorManagerSupervisorTechnician/associateConsultantOther
26
Less than 100, 0.0477099236641221
100 to 500, 0.131679389312
977
501 to 1,000, 0.118320610687
023
1,001 to 5,000, 0.106870229007
634
5,001 to 10,000, 0.103053435114504
10,001 to 25,000,
0.154580152671756
25,001 to 75,000,
0.152671755725191
More than 75,000,
0.185114503816794
# of software developers and global headcountI am an independent software
developer ; 10%
Less than 100; 13%
101 to 1,000; 16%1,001 to 5,000; 25%
5,001 to 10,000; 28%
More than 10,000; 7%
Number of Software Developers Global Headcount
27
Location of employees
0%
10%
20%
30%
40%
50%
60%
70%
80%
90%
100%
100% 68% 70% 58% 41% 31%
28
Hackers are actively targeting automobiles
Strongly agree Agree Unsure Disagree Strongly disagree0%
5%
10%
15%
20%
25%
30%
35%
15% 29% 31% 18% 7%
29
How difficult is it to secure applications in automobiles?
Very difficult Difficult Somewhat difficult Not difficult Easy0%
5%
10%
15%
20%
25%
30%
35%
40%
36% 33%21%
9%2%
30
Is a major overhaul of the automobile’s technology architecture needed to make it more secure?
Yes48%
No40%
Unsure12%
31
Is it possible to build nearly hack proof automobile?
Yes No Unsure0%
5%
10%
15%
20%
25%
30%
35%
40%
45%
50%
19%47% 34%
32
Why isn’t it possible to build an automobile that is nearly hack proof?
Other
Lack of expertise
Additional costs to secure software
Not considered important
Takes too much time
Pressure to complete development
0% 5% 10% 15% 20% 25%
3%
10%
19%
22%
22%
24%
33
Is security being integrated into the entire software development lifecycle or is it an add-on?
Totally integrated Partially integrated Added on Unsure0%
10%
20%
30%
40%
50%
60%
14% 29%51%
7%
34
Yes, 43%
No, 42%
Unsure, 15%
Should white hat hackers be subject to the Digital Millennium Copyright Act (DMCA)?
35
Should white hat hackers be encouraged to test the security of automotive software?
Yes, 22%
No, 54%
Unsure, 24%
36
My company’s automotive software development process includes activities for security requirements
Strongly agree Agree Unsure Disagree Strongly disagree0%
5%
10%
15%
20%
25%
30%
15%27% 29%
21%
8%
37
What the results mean in the real world of automotive
Walter CapitaniProduct ManagerRogue Wave Software
38
Enabling technologies are not being provided to developers so they can build security into their processes
Developers want – but do not have—the skills necessary to combat software security threats and they do not feel they are properly trained
Automakers are not as knowledgeable about secure software development as other industries
1
2
3
The top 3 key findings
39
Did you know?
60-70 % of vehicle recalls are due to software glitches
Electronic components make
up over 50% of the total manufacturing cost of a car
40
Security must be built-in!Enabling technologies are not being provided to developers so they can build security into their processes1
22% believe “security takes too much time”
22% say “security is not
considered important”
More than 50% say responsibility for security responsibility– after the
fact
22% report “security is not
important”
41
– Millions of lines of code, dozens of processors, each with multiple cores
– Multiple systems interconnected
– Some designed years ago with little or no security in mind
– New code, COTS, suppliers, legacy, open source
– Different platforms, people, and processes
– Vulnerabilities and bugs will last for years
– Not an easy update/upgrade path
– Automation will be critical
– Certification is inevitable
More and more software running inside your car
More and more software running inside your car
Multiple sources of software being integrated
Software running your car could remain that way for many years
This requires a very significant security and functional verification process
Why build security into the development process?
42
Build-only analysis in dev process
43
50% of defects introduced here
Build analysis / test
Find security defects when they are introducedCost of defects
44
Developers want – but do not have—the skills necessary to combat software security threats and they do not feel they are properly trained2
Developers need your help!
Over 50% indicate that their
development processes do not
include any activity supporting security
requirements
Only 41% agree that secure
software is a priority for their
company
69% believe that securing applications is
difficult
45
How do hackers get in?
Incoming data is well-formed
Data breaches are the result of one flawed assumption
Cross-site scripting
Most breaches result from input trust issues
OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today
SQL injectionUnvalidated
input Heartbleed:
buffer overrun
CWE is a community-driven identification of weaknessesCWE-20: Improper Input Validation
46
Developers don’t know security(80% failed security knowledge survey)
Visibility into applications
Development teams need:
Reports and audits of the
code
Threat modeling
Penetration testing
Mitigate security vulnerabilities
47
Automakers are not as knowledgeable about secure software development as other industries3
Only 28% of automakers believe
that they are as knowledgeable as
other industries with respect to security
47% don’t believe that making an
automobile “nearly hack proof” is even
possible
Only 18% indicated that their biggest concern was non-compliance with
industry standards
The time is now!
48
• IT organizations have been dealing with cybersecurity for a long time
• Many failures, but they learned from them
• Tools, policies, and processes have already been developed
• Automakers need to catch up – fast!
Security domain knowledge is lacking
49
Move fast: Adopt and adaptMany existing cybersecurity practices can be put to use in automotive applications
Adopt existing tools
Find weaknesses and prove compliance
Mitigate security risks up front
Adapt them to the automotive environment
50
MISRA: Maybe I should reuse another…
51
Enabling technologies are not being provided to developers so they can build security into their processes
Developers want – but do not have—the skills necessary to combat software security threats and they do not feel they are properly trained
Automakers are not as knowledgeable about secure software development as other industries
1
2
3
Conclusion
52
Q & A
Peter Samson
Larry Ponemon
Walter Capitani
top related