Car Cybersecurity: What Do Automakers Really Think?


Upload: security-innovation

Post on 24-Jan-2017


Category: Automotive



TRANSCRIPT

Page 1: Car Cybersecurity: What do Automakers Really Think?

Gene Carter, Director of Product Management, Security Innovation

Peter Samson, Vice President and General Manager, Security Innovation

Larry Ponemon, Chairman, Ponemon Institute

Walter Capitani, Product Manager, Rogue Wave Software

Car cybersecurity: What do the automakers really think?

Page 2

First, a few things…

• The webcast recording link and the slides will be sent to all registrants tomorrow

• Please type all questions in the Questions dialogue box to the right

• The Ponemon white paper can be downloaded here: http://web.securityinnovation.com/car-security-what-automakers-think

Page 3

The Current State of Automotive Cyber Security

Peter Samson, Vice President and General Manager, Security Innovation

Page 4

Connected Car Market

Source: IHS Automotive

Page 5

Economic Value

$152 billion by 2020

$141 billion by 2020

$132 billion by 2020

$128 billion by 2020

$98 billion by 2018

Page 6

The Complexity Challenge

1.7 Million Lines of Code

6.5 Million Lines of Code

100 Million Lines of Code

100 ECUs, 5 Networks

2 miles of cable, 10+ Operating Systems

50% of total cost

Page 7

What’s the Risk?

Extortion

Theft

Terrorism

Revenge

Mischief

Insurance fraud

Corporate espionage

Stalking and spying

Feature activation

Identity theft

Counterfeiting

Page 8

Where’s the Risk? External and Internal

Bluetooth

Internet

V2X

Key fob

LiDAR

TPMS

Wi-Fi

Tail light

Diagnostics

OBDII

USB

SD card

Aux input

DVD

CAN Bus

Touchscreen

Ethernet

Mobile phone

Page 9

Security Updates

Segmentation and Isolation

Evidence Capture

Third Party Collaboration

Secure By Design

Early Pressure

Page 10

Collaborations

Page 11

Government Shows Interest – February 2015

Page 12

Government Asks Questions – May 2015

Page 13

Government Asks Questions – May 2015

1. Who in your organization is responsible for evaluating, testing, and monitoring potential cyber vulnerabilities?

2. How does your organization incorporate cybersecurity best practices into your products?

3. What policies, procedures, and practices do you employ to evaluate potential cyber vulnerabilities?

4. Who in your organization is responsible for addressing potential vulnerabilities in the products of your suppliers?

5. How do you work with suppliers to minimize potential vulnerabilities?

6. How do you track or evaluate potential vulnerabilities once a product is in the field?

7. How do you, or how do you intend to, remediate vulnerabilities after a vehicle has entered the market?

8. Do you intend to use over-the-air (OTA) updates to upgrade vehicle systems or technology?

9. To what extent do existing vehicle systems and technologies utilize public key infrastructure?

10. What steps have you taken to evaluate how connected elements interact with vehicle safety systems?

11. Because vehicles interact with technologies outside the vehicle, what steps are you taking to evaluate potential vulnerabilities?

12. How do you interact with the security research community to identify potential threats and/or vulnerabilities?

13. What are the greatest challenges to cybersecurity in the industry?

14. How is the automobile industry working with the government to address the challenge of cybersecurity?

Page 14

Government Plans Action – July 2015

Cybersecurity standards: Hacking protection, Data security, Hacking mitigation

Privacy standards: Transparency, Consumer choice, Marketing prohibition

Cyber dashboard: A window sticker showing how well the car protects the security and privacy of the owner.

Page 15

Government Piles It On – October 2015

Anti-hacking provision

Unauthorized access to ECU or critical system illegal, $100,000 fine per instance. No exceptions.

Formation of Cyber Security Advisory Panel

Standardized and controlled security best practices. Up to $15M fines for non-compliance

Page 16

Hardly New News

2003: ESCAR Founded

2008: First CAN Bus Exploits

2010: Univ of WA and UCSD – Seminal demonstrations; First known “hack for real” – Texas Auto Center

2013: DARPA funds research on vulnerabilities; List of 20 most hackable cars

2015: Enters public consciousness – “60 Minutes”; Dongle hacks (Progressive, Zubie, Metromile …); BMW hack; OnStar hack and weaponization; Jeep Cherokee stunt ...

Page 17

Application Security Maturity Model

[Figure: two axes, Tools and Technology (Low to High) against People and Processes (Low to High); regions labelled Panic and Scramble, Pit of Despair, and Security as a Core Business Practice, with a Typical Progression Curve drawn across them]

https://securityinnovation.com/services/application-security-maturity.html

Page 18

So Let’s Ask the Automakers

What do you know? How much do you care? What have you learned from the past? Are you optimistic? Are you ready?

Page 19

The Survey Results

Larry Ponemon, Chairman, Ponemon Institute

Page 20

Methods

Survey response                Number      %
Total sampling frame            8,891   100%
Total returns                     595    6.7%
Rejected or screened surveys       71    0.8%
Final sample                      524    5.9%

Page 21

Current role within the organization

Corporate IT: 6%
IT security: 7%
Supervisor of software development: 9%
Manager of software development: 10%
Software designer: 14%
Software programmer: 17%
Software engineer: 18%
Software developer: 20%

Page 22

Company’s role in the automotive industry

Manufacturer (OEM): 45%
Tier One: 31%
Tier Two: 19%
Tier Three: 5%

Page 23

Involvement in application development

High level of involvement: 36%
Moderate level of involvement: 46%
Low level of involvement: 18%

Page 24

Familiarity with company programs for securing software for automobiles

Very familiar: 29%
Familiar: 51%
Somewhat familiar: 20%

Page 25

Current position within the organization

Executive/VP: 4%
Director: 18%
Manager: 17%
Supervisor: 17%
Technician/associate: 38%
Consultant: 5%
Other: 1%

Page 26

Number of Software Developers and Global Headcount

Global headcount (fraction of respondents):

Less than 100: 0.0477099236641221 (about 4.8%)
100 to 500: 0.131679389312977 (about 13.2%)
501 to 1,000: 0.118320610687023 (about 11.8%)
1,001 to 5,000: 0.106870229007634 (about 10.7%)
5,001 to 10,000: 0.103053435114504 (about 10.3%)
10,001 to 25,000: 0.154580152671756 (about 15.5%)
25,001 to 75,000: 0.152671755725191 (about 15.3%)
More than 75,000: 0.185114503816794 (about 18.5%)

Number of software developers:

I am an independent software developer: 10%
Less than 100: 13%
101 to 1,000: 16%
1,001 to 5,000: 25%
5,001 to 10,000: 28%
More than 10,000: 7%

Page 27

Location of employees

[Figure: bar chart; the location labels did not survive extraction. Values shown, in chart order: 100%, 68%, 70%, 58%, 41%, 31%]

Page 28

Hackers are actively targeting automobiles

Strongly agree: 15%
Agree: 29%
Unsure: 31%
Disagree: 18%
Strongly disagree: 7%

Page 29

How difficult is it to secure applications in automobiles?

Very difficult: 36%
Difficult: 33%
Somewhat difficult: 21%
Not difficult: 9%
Easy: 2%

Page 30

Is a major overhaul of the automobile’s technology architecture needed to make it more secure?

Yes: 48%
No: 40%
Unsure: 12%

Page 31

Is it possible to build a nearly hack-proof automobile?

Yes: 19%
No: 47%
Unsure: 34%

Page 32

Why isn’t it possible to build an automobile that is nearly hack proof?

Other: 3%
Lack of expertise: 10%
Additional costs to secure software: 19%
Not considered important: 22%
Takes too much time: 22%
Pressure to complete development: 24%

Page 33

Is security being integrated into the entire software development lifecycle or is it an add-on?

Totally integrated: 14%
Partially integrated: 29%
Added on: 51%
Unsure: 7%

Page 34

Should white hat hackers be subject to the Digital Millennium Copyright Act (DMCA)?

Yes: 43%
No: 42%
Unsure: 15%

Page 35

Should white hat hackers be encouraged to test the security of automotive software?

Yes: 22%
No: 54%
Unsure: 24%

Page 36

My company’s automotive software development process includes activities for security requirements

Strongly agree: 15%
Agree: 27%
Unsure: 29%
Disagree: 21%
Strongly disagree: 8%

Page 37

What the results mean in the real world of automotive

Walter Capitani, Product Manager, Rogue Wave Software

Page 38

The top 3 key findings

1. Enabling technologies are not being provided to developers so they can build security into their processes

2. Developers want – but do not have – the skills necessary to combat software security threats, and they do not feel they are properly trained

3. Automakers are not as knowledgeable about secure software development as other industries

Page 39

Did you know?

60-70% of vehicle recalls are due to software glitches

Electronic components make up over 50% of the total manufacturing cost of a car

Page 40

1. Enabling technologies are not being provided to developers so they can build security into their processes

Security must be built-in!

22% believe “security takes too much time”

22% say “security is not considered important”

More than 50% say responsibility for security comes after the fact

Page 41

Why build security into the development process?

More and more software running inside your car

Multiple sources of software being integrated

Software running your car could remain that way for many years

This requires a very significant security and functional verification process

– Millions of lines of code, dozens of processors, each with multiple cores

– Multiple systems interconnected

– Some designed years ago with little or no security in mind

– New code, COTS, suppliers, legacy, open source

– Different platforms, people, and processes

– Vulnerabilities and bugs will last for years

– Not an easy update/upgrade path

– Automation will be critical

– Certification is inevitable

Page 42

Build-only analysis in dev process

Page 43

Cost of defects

[Figure: cost of defects across the development lifecycle; annotations: “50% of defects introduced here” and “Build analysis / test”]

Find security defects when they are introduced

Page 44

2. Developers want – but do not have – the skills necessary to combat software security threats, and they do not feel they are properly trained

Developers need your help!

Over 50% indicate that their development processes do not include any activity supporting security requirements

Only 41% agree that secure software is a priority for their company

69% believe that securing applications is difficult

Page 45

How do hackers get in?

Data breaches are the result of one flawed assumption: incoming data is well-formed

Most breaches result from input trust issues: unvalidated input, SQL injection, cross-site scripting, Heartbleed (buffer overrun)

OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today

CWE is a community-driven identification of weaknesses; CWE-20: Improper Input Validation
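Added example, not from the webcast or any of its speakers, putting the CWE-20 point above into code: a parser for a constructed length-prefixed frame that refuses to copy more bytes than were actually received or than its buffer can hold, instead of assuming the incoming data is well-formed. The frame layout, function names and sample frames are assumptions made for this illustration.

```c
/* Added example (not from the webcast): validating parser for a constructed
 * frame layout [id:1][declared_len:1][payload:declared_len].
 * The flawed assumption the slide names, "incoming data is well-formed", is
 * trusting declared_len as-is. Copying that many bytes without comparing it
 * to what arrived is the Heartbleed over-read pattern (CWE-20 leading to a
 * buffer overrun); the two checks below are what close it. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 16

enum parse_status { PARSE_OK = 0, PARSE_TOO_SHORT, PARSE_OVERSIZE, PARSE_TRUNCATED };

struct msg { uint8_t id; uint8_t len; uint8_t payload[MAX_PAYLOAD]; };

/* Fills *out only when every byte the header promises was actually received
 * and fits the fixed-size payload buffer; otherwise reports why it was rejected. */
enum parse_status parse_msg(const uint8_t *buf, size_t buf_len, struct msg *out)
{
    if (buf_len < 2)
        return PARSE_TOO_SHORT;            /* header itself is incomplete */
    uint8_t declared = buf[1];
    if (declared > MAX_PAYLOAD)
        return PARSE_OVERSIZE;             /* would overflow out->payload */
    if ((size_t)declared > buf_len - 2)
        return PARSE_TRUNCATED;            /* header promises more than arrived */
    out->id = buf[0];
    out->len = declared;
    memcpy(out->payload, buf + 2, declared); /* bounded by both checks above */
    return PARSE_OK;
}

/* Constructed sample frames: one honest, one lying about its length, one too big. */
static const uint8_t good_frame[]  = { 0x7E, 0x03, 0xAA, 0xBB, 0xCC };
static const uint8_t short_frame[] = { 0x7E, 0x08, 0xAA };   /* claims 8 bytes, carries 1 */
static const uint8_t big_frame[]   = { 0x7E, 0x40, 0xAA };   /* claims 64 > MAX_PAYLOAD */

int check_good(void)  { struct msg m; return parse_msg(good_frame,  sizeof good_frame,  &m) == PARSE_OK && m.len == 3 && m.payload[2] == 0xCC; }
int check_short(void) { struct msg m; return parse_msg(short_frame, sizeof short_frame, &m) == PARSE_TRUNCATED; }
int check_big(void)   { struct msg m; return parse_msg(big_frame,   sizeof big_frame,   &m) == PARSE_OVERSIZE; }

int main(void)
{
    printf("good=%d short=%d big=%d\n", check_good(), check_short(), check_big());
    return 0;
}
```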

Page 46

Developers don’t know security (80% failed security knowledge survey)

Development teams need:

Visibility into applications

Reports and audits of the code

Threat modeling

Penetration testing

Mitigate security vulnerabilities

Page 47

3. Automakers are not as knowledgeable about secure software development as other industries

Only 28% of automakers believe that they are as knowledgeable as other industries with respect to security

47% don’t believe that making an automobile “nearly hack proof” is even possible

Only 18% indicated that their biggest concern was non-compliance with industry standards

The time is now!

Page 48

Security domain knowledge is lacking

• IT organizations have been dealing with cybersecurity for a long time

• Many failures, but they learned from them

• Tools, policies, and processes have already been developed

• Automakers need to catch up – fast!

Page 49

Move fast: Adopt and adapt

Many existing cybersecurity practices can be put to use in automotive applications

Adopt existing tools

Find weaknesses and prove compliance

Mitigate security risks up front

Adapt them to the automotive environment

Page 50

MISRA: Maybe I should reuse another…

Page 51

Conclusion

1. Enabling technologies are not being provided to developers so they can build security into their processes

2. Developers want – but do not have – the skills necessary to combat software security threats, and they do not feel they are properly trained

3. Automakers are not as knowledgeable about secure software development as other industries

Page 52

Q & A

Peter Samson

Larry Ponemon

Walter Capitani