Our second annual Ponemon Institute Survey tells us there's a growing concern that hackers will target automobiles, and the lack of skilled personnel impedes secure software development.
3. A Few Things…
• A link to the webcast recording and a copy of the slides will be sent to all registrants.
• Submit your questions at any time. They will be addressed at the end of the webcast.
• The Automotive Cyber Security White Paper can be found at https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists
4. The State of Automotive Cyber Security
Peter Samson
Vice President and General Manager
Security Innovation
7. What Could Go Wrong?
Theft
Terrorism
Revenge
Mischief
Extortion - Ransomware
Insurance fraud
Espionage
Stalking
Feature (de)activation
Identity theft
Counterfeiting
8. Entry Points for Hackers
Internal
Diagnostic Port
CD/DVD
USB/SD card
Aux input
CAN Bus
Other networks
Mobile phone
External
Bluetooth
Internet
Wi-Fi
Key fob
LIDAR
Digital broadcasts
Tire Pressure Monitors
Tail light
DSRC
9. The Hacker Threat - 2015
A Sky News investigation finds that almost half the 89,000 vehicles broken into in London last year were hacked electronically.
12. Cybersecurity Standards
Hacking protection
Data security
Hacking mitigation
Privacy standards
Transparency
Consumer choice
Marketing prohibition
Cyber dashboard: a window sticker showing how well the car protects the security and privacy of the owner.
Government Takes Action
The Security and Privacy in Your Car (SPY) Act
15. Information Sharing and Access Centers
Automotive Security Best Practices
✓ Security by design
✓ Risk assessment and management
✓ Threat detection and protection
✓ Incident response
✓ Collaboration with third parties
✓ Governance
✓ Awareness and training
16. Sponsored by Security Innovation and
Integrity Security Services
Automotive Cybersecurity:
The Gap Still Exists
Larry Ponemon
Chairman
Ponemon Institute
17. Introduction
During August 2016 the Ponemon Institute conducted a cybersecurity survey of more than 500 automotive developers, programmers, engineers, and executives, from automakers (OEMs) and their electronics suppliers.
18. Summary Findings
• A growing concern that hackers are actively targeting automobiles.
• OEMs are more concerned than their suppliers about automobiles being hacked.
• The lack of skilled personnel and requirements, and pressure to meet release dates, are the main impediments to secure software development.
• Insufficient use of cryptography.
• Legacy technology is hindering the ability to make vehicles more secure.
• Automakers believe they are not as knowledgeable about secure software development as other industries.
• There is little clarity or consensus regarding a single point of responsibility.
• On the positive side, there is a small but statistically significant trend toward a more mature approach to securing vehicles.
25. Perceptions about automotive security
[Chart: share of respondents agreeing with each statement, FY 2016 vs FY 2015. Values as extracted, not matched to statements: 42%, 43%, 45%, 44%, 47%, 47%, 51%, 52%]
• My company makes automotive security a priority
• Automotive development teams have the skills necessary to combat cybersecurity threats
• My organization recruits and retains expert personnel to minimize security risks in automobiles
• Hackers are actively targeting automobiles
27. Who is responsible for Security?
[Pie chart; values and labels listed in the order extracted]
CIO        23%
CISO       17%
Partner    18%
QA         11%
Developer  12%
No One!    19%
28. Perceptions about security practices
[Chart: share of respondents agreeing with each statement, FY 2016 vs FY 2015. Values as extracted, not matched to statements: 26%, 44%, 45%, 43%, 44%, 24%, 39%, 43%, 47%, 49%]
• My company has the enabling technologies to ensure automotive development is secure
• Automakers are not as knowledgeable about secure platform development as other industries are
• It will be the norm for my company to participate in open disclosure of bugs and bug bounty programs
• My company's automotive development process includes activities for security requirements, design, implementation and testing
• Engineers and developers are adequately trained in secure architecture and coding practices
29. Challenges to securing automobile software
[Chart: share of respondents selecting each challenge, FY 2016 vs FY 2015. Values as extracted, not matched to challenges: 12%, 16%, 38%, 48%, 64%, 67%, 54%, 6%, 11%, 18%, 34%, 43%, 58%, 65%, 65%]
• Other
• Too expensive
• Adds too much time to the software development process
• Lack of formal security requirements
• Lack of defined corporate application security policies
• Insufficient resources
• Lack of skilled personnel
• Pressure to release
30. What methods does your team use to ensure code is secure without vulnerabilities?
[Chart: share of respondents using each method, 2016 vs 2015. Values as extracted, not matched to methods: 65%, 48%, 41%, 27%, 25%, 24%, 23%, 3%, 63%, 50%, 36%, 0%, 27%, 24%, 25%, 10%]
• Automated code scanning tools during development
• Automated code scanning tools after release
• Manual penetration testing
• None of the above
• Automated scanning tools used in production
• Threat modelling/risk assessment during development
• Adherence to secure coding standards
• Other
32. How difficult is it to secure automobiles? (scale of 1 = easy to 10 = hard)
Rating    FY 2016   FY 2015
1 to 2    1%        2%
3 to 4    7%        9%
5 to 6    18%       21%
7 to 8    39%       33%
9 to 10   35%       36%
33. Is it possible to build a near hack-proof car?
Answer    FY 2016   FY 2015
Yes       17%       19%
No        55%       47%
Unsure    28%       34%
34. Challenges to Securing Automobiles ("Pick top 3 challenges")
[Chart: share of respondents selecting each challenge, 2016 vs 2015. Values as extracted, not matched to challenges: 11%, 16%, 38%, 48%, 54%, 67%, 18%, 34%, 43%, 65%, 65%]
• Too expensive
• Adds too much time
• Lack of requirements
• Lack of company policy
• Pressure to release
• Lack of skilled people
35. Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in the automotive application development process. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses by mailed survey or telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.
52. Thank you!
Learn more about our automotive services: https://www.securityinnovation.com/solutions/auto-industry-security
Download the whitepaper: https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists