15 May 2015
Today’s connected automobile contains hundreds of electronic components, modules and systems from numerous suppliers, all of which are running code likely to have been developed (at least in part) by yet more of the external providers that make up the increasingly long and complex automotive software value chain. And it’s this multi-organisational complexity that poses a threat to the cyber security of the modern vehicle, every bit as troubling as any teenage hacker with a grudge.
A typical ECU controlling, say electric power steering, will have thousands of lines of code, and the chances are that only a minority of it will have been written from scratch. Numerous software engineers, probably on more than one continent, will have contributed to the project. There will likely be some legacy code. There will be code re-purposed from other applications. Some specialist parts will be outsourced. And the developers may well have used open source software to solve some of their challenges. With so many sources and so much collaboration involved, ensuring the software integrity of a simple ECU quickly becomes a major headache. Now extrapolate that across an entire vehicle.
For OEMs whose traditional expertise lies in manufacturing largely mechanical products within a closed ecosystem, transitioning to become highly secure IT enterprises is a daunting challenge. But it’s a challenge they and their T1 consolidators need to come to grips with, and fast. If they are going to keep their customers, their reputations and their intellectual property safe, car manufacturers will need to take a leaf out of the books of other sectors like financial services and critical infrastructure, and learn to embed IT security into every layer of their product creation, manufacturing and service operations. This would be tough to do at the best of times. It’s tougher still in an era when most OEMs and infotainment suppliers are already working flat out to add ever more enticing features and functionality to their vehicles in a bid to out-do the competition.
Historically, cyber security has not been a major part of the day-to-day workflow in automotive product development. In many cases, developers may not actually be aware of what they should be doing as individuals to ensure the code they’re writing does not present security issues. Managers throughout the value chain have a lot to do in terms of educating their own personnel about the critical importance of security, and setting clear expectations of the role played by each individual towards releasing products that are watertight.
Thankfully, a host of powerful new tools are emerging, along with many new expert consultancies which promise to help software developers to code and exchange information across enterprises with robust security policies and procedures baked in.
Ultimately though, the buck stops with the automakers themselves. They have the most to lose if their products fall victim to successful cyber attack. And however expensive and sophisticated their vehicles become, they are only ever as secure as their weakest supplier’s code.
Author: Ian Dickie