What Can Defense Teach the Auto Industry about Security?
Think back to the early days of personal computers. We used them for computation, played simple games, and never worried about computer viruses or cyber attacks. Why not? Because our computers weren’t connected to anything. Our security risks only increased when we plugged in to the internet.
Today, it’s not just computers that are connected. Current estimates suggest that 25 billion devices will be connected to the internet by 2020—including 80% of all cars. By 2025 over 30% of the automobiles in developed countries will receive direct software downloads.
Unfortunately, the automotive industry is not positioned to handle the security risks that this will bring. If they are wise, they will leverage processes and solutions, along with policies and controls developed by other industries. They should look specifically to industries that have adopted a higher level of assurance when it comes to protecting against cyber threats. So, what can the Aerospace and Defense industry teach the auto industry about security risks?
Recognize the cyber security risks
The Aerospace and Defense (A&D) industry puts a lot of effort and attention into defending against cyber threats. Surprisingly, the automotive industry does not seem to be as concerned about cybersecurity risks. Despite increasing investments in internet connectivity, car makers’ investments in cybersecurity, cyber safety, and cyber risk are not keeping pace. In a recent survey of 1000 CIOs, a well-known analyst firm ranked the automotive industry near the bottom regarding investments in cybersecurity.
This may be a result of misunderstanding the goals and capabilities of cyber attackers. After all, this wasn’t a concern before digital connectivity became a possibility. But the risks are real, and the consequences could be serious.
Consider this scenario: Malicious code is passed into a vehicle’s system via a gap in a supplier’s security. The code executes on a specific schedule trigger. Then the code deploys, causing hundreds of thousands of vehicles to stop functioning. If manufacturers can’t resolve the issue remotely, stopped vehicles would cause hazardous situations, jammed roadways, and a massive challenge to remove vehicles for service.
Clearly, a mass coordinated cyber attack like this would be a disaster. But a better understanding of critical control points of entry can help reduce overall risk.
For example, the aviation industry has separated the network connecting vital systems from the one connecting passenger entertainment systems. Segmenting these two systems reduces entry points of concern. This is a standard across the aviation industry because of a shared understanding of the risks involved.
To help the auto industry understand similar security risks, the Automotive Information Sharing and Analysis Center (Auto-ISAC) formed in August 2015 to bring together industry knowledge on this topic. According to their website, Auto-ISAC “gathers and disseminates information about cybersecurity risks facing connected vehicles around the world.”
This is a good first step, but there’s a long way to go to ensure that automobiles are not susceptible to dangerous security risks.
Protect the supply chain
Like Aerospace and Defense (A&D), the automotive industry relies on an ecosystem of suppliers to put together the finished product. No longer are automotive companies Original Equipment Manufacturers (OEMs) assembling physical parts. They are high-tech development shops, digitally interconnecting all components of a vehicle. Now, they must manage a supply chain network of partners, a model the A&D industry has been managing for decades.
The more suppliers you have exchanging data and plans, the more vulnerable you are to cyber attack. For example, a hacker could potentially infiltrate the less-secure network of a small supplier and gain access to sensitive information about your vehicles' inner workings, creating a potential Stuxnet situation.
Each connected device introduces another level of cyber risk into the supply chain. It is important to include these risks in the supply chain risk management plan. Major A&D organizations rely on Exostar Supply Chain solutions to manage these risks.
Establish best practices
It’s not enough to just recognize the danger. A&D providers have established best practices that car makers should start to embrace immediately.
- Separate systems. On an airplane, the Wi-Fi in the cabin is not able to access any critical systems. Similarly, car makers should keep entertainment systems separate from car operations to reduce risks if someone were to gain access.
- Authentication. The industry needs to establish identity assurance requirements and authentication procedures.
- Secure IoT communications. Machine-to-machine communication is efficient and effective, but it increases risk—just like plugging your 1980s Apple II into the internet. So the industry must create security processes to reduce loss of sensitive data, fraud, and service disruption.
- Identity of Device (IoD) Strategy. Car makers should adopt an IoD strategy to reduce the risk as more and more devices are connected to vital components of the automobile.
Exostar has been supporting the A&D community for years as they focus on cybersecurity threats. The automotive industry must make those same investments to reduce security risks. If they can learn from the Aerospace and Defense industry and leverage the same solutions, we will all be safer on the road.