Originally published on Forbes, January 15th, 2021
We sure have come a long way since the days of Henry Ford’s Model-T automobile. Today’s cars go faster, go for longer distances and come in more colors than Henry ever could have imagined. Perhaps most importantly, the development of car safety features, like seatbelts and airbags, alongside antilock brakes (ABS) and accident avoidance systems, has made today’s models safer than ever before.
The Connected Car
The latest tech advances use software to oversee the car’s operation and manage the entire driving experience. Connectivity enables new capabilities in the realms of safety, navigation and autonomous driving, to name just a few. Yet these new capabilities are a double-edged sword. While amazing to behold, the extensive use of software in connected cars also increases the risk that they will be exploited for malicious purposes. Hackers exploiting the software that runs the vehicle’s components may be looking for personal data stored there, steal the vehicle and even take control over the vehicle altogether.
These issues are driving automotive cybersecurity to the forefront of the safety discussion while creating challenges that manufacturers and suppliers have never had to contend with before.
The Supply Chain Challenge
Supply chain manufacturing has governed automotive production since its earliest days. The suppliers of car components manufacture almost every part of the vehicle, including the software behind each component. Automotive vendors then connect these manufactured parts and integrate their software into the vehicle’s consumer drive.
Each supplier develops its own code on specific OSs and different hardware architecture, in many cases leveraging third-party and open-source software to speed up time to market. Unfortunately, the widespread use of open-source software and third-party commercial code compounds the problem by introducing new vulnerabilities resulting from insecure software packages. These vulnerabilities are the result of a lack of secure coding know-how, accidental errors and inadequate testing procedures.
In addition, most supplier software components are delivered in binary form only, which is kind of a black box. Without access to the source code, components cannot be tested for vulnerabilities using standard tools.
As the use of such connected components accelerates, so does the number of common vulnerabilities found every month. And not surprisingly, cyberattacks focused on exploiting these vulnerabilities are on the rise.
Vulnerability Management
Vulnerability management offers one solution for dealing with the ever-increasing amounts of security risks in today’s connected vehicles. This comprehensive, proactive approach to cybersecurity focuses on reducing the chance that a flaw or weakness in the code can be used by hackers to penetrate any of the car’s components and eventually put the entire car and its users in risk. This is achieved by continuously identifying, analyzing and mitigating software flaws to make sure each component, and the car itself, is protected.
Automation Supports Speed And Scale
Unfortunately, manual assessment of the security posture of the underlying software is simply not feasible when working a scope of connectivity that requires such a large number of ECUs and code lines. There are just too many software components, versions and configurations that vary between models in today’s connected cars. Automated, ongoing risk assessment is the only way of lowering risk levels while delivering reasonable unit economics.
Automatic Investigation: The Next Generation Of Vulnerability Management
But to be effective, vulnerability management solutions need to stay at least two steps ahead of the hackers. Innovative vulnerability management solutions prioritize security without slowing down development and production, while enabling ongoing protection even after the vehicle has hit the road.
These smart solutions deploy a bespoke approach to security that adapts itself to the specific technical characteristics of a given model. They then look at the car’s operating systems and architectures and the way the different components interact with each other, clearly exposing vulnerabilities that can impact a vehicle and the entire attack chain. That way, car manufacturers have a clear understanding of the vulnerabilities relevant to a given model and how each one impacts security.
The technology operates by running an automated analysis that looks at a product’s binary code to expose cybersecurity risks in the software. This analysis maps out product characteristics like hardware architecture, operating systems, software bill of materials (SBoM), licenses, configurations, control flows, APIs and more.
The findings are then fused with public and private databases to detect all the known and unknown vulnerabilities for that product’s specific setup. Smart filtering technology removes those vulnerabilities that do not affect the specific configuration of the product. For example, a known vulnerability that targets Linux 4.0 isn’t relevant to vehicles using Linux 4.1.
But this smart filtering approach goes beyond just removing vulnerabilities that don’t affect a specific software version. It takes a deeper look at how the vulnerability affects all of the different aspects of the software in place. Take the CPU in place as an example. If a vulnerability only affects a specific CPU architecture, such as an Intel CPU, then it wouldn’t be effective when ARM CPU is being used.
Another filtering approach might focus on the operating system (OS). A vulnerability that targets navigation systems using Windows OS isn’t relevant when that same navigation system is deployed on Linux.
All this translates to weeks or even months saved in the time needed to handle the non-relevant vulnerabilities reported by standard vulnerability management approaches.
Where To Start?
Vulnerability management is already considered the best practice, but doing it manually won’t work. Given the number of code lines in our connected devices, it is clear that security measures must be implemented. However, since the compute power is expected to grow in the near future, and with it, the number of potential vulnerabilities, I would suggest adopting an automation mindset.
Strive to automate scanning, investigation and ongoing monitoring. Aim to combine cybersecurity tools into one cohesive solution and integrate with your other organizational tech solutions to avoid slowdowns and manual work. Prepare to scale your product security operation within and across products and look at the emerging technologies introduced into the market to help you keep up with the pace.