Recently I attended the SAE World Congress in Detroit. Being a very technical event, there were a number of interesting talks and tracks to participate in. Coming from a more traditional cloud and IT security background, it was a welcome change in perspective in some areas. However, in other areas it was also eye opening as to the disparity in maturity and readiness of the industry to tackle cybersecurity concerns of the growing connected vehicle trend.
As most readers have surely seen now and is basically the flagship of automotive security stories, the Miller/Valisek exploit of 2015 has done well to raise awareness of the risks bringing connectedness to vehicles. However, that awareness appears to have so far only diffused into pockets of the auto industry.
While not tremendously surprising, it is seriously concerning, as safely building systems for connected vehicles requires a much broader skill set than the prior generations of automobiles required. In this sense I'm broaching the topic of security by design.
Expanding Security by Design Beyond the Product Design Stage
When people speak of security by design, they often refer to a broad spectrum of activities and approaches used to build stronger security postures in solutions. I definitely feel that spectrum is an accurate term for this concept, as it really does span across lifecycle activities and functional domains.
Likely when people first think about security by design, we'd cover the design thinking required at the outset to model risks and threats of the solution early in the design stage, so that mitigation mechanisms can be built earlier and more effectively into the product. However, there is another dimension of this security by design approach that seemed to be missing from a number of the conversations I had at the show – security needs to be considered at every stage and by every person.
In this context, I mean that security isn't a separate isolated function of the process, or of the application development skills. Rather, security is an organizational competency across all individuals involved with designing the product. It's not a separate checkbox or stage gate that can be implemented to cover the range of needs. Although those stage gates are still useful for ensuring things go through proper reviews, on their own they are not sufficient for maximum efficiency of a proper security by design principle.
Impacting the Bottom Line
As more vehicles become connected, the urgency to build security into your product delivery capabilities will also grow in step. The goal is not only the noble pursuit of safety and saving lives, but also avoiding the costly bottom line impacts of brand damage and warranty recalls. We've seen from the NHTSA recall data, that software related recalls have risen from 5% in 2011 to 15%in 2015, with no indication that they'll turn around.
Moving Towards a Better Approach
While technologies are constantly evolving and the specific security design choices will be broad, organizations do have the opportunity now to recognize the need of building teams with the right mind-set and skillset for security. In addition to building internal teams, it's critical to build the right partnerships to help incorporate best practices and proven technology solutions.
Some of the key areas we see the auto industry working on right now include strongly identifying components in the vehicle and building appropriate mechanisms to manage the vehicle systems through its lifecycle.
At GlobalSign, we're ready and working with organizations to address key concerns of connected vehicles. We're hopeful that leaders in this space will set the tone for strong connected vehicle security posture and we're eager to help them achieve this aim through security by design thinking.
If you would like to talk to GlobalSign about security solutions for connected cars then contact us today, or find out more about Identity Management for the Internet of Things on our website.
