Less than half of automotive firms test their products for security flaws

News by Jay Jay

Two-thirds of automotive professionals said that their companies do not test a majority of the in-car technology they develop for security vulnerabilities.

A surprising number of in-car systems are not cyber-security tested (Pic: Busakorn Pongparnit/Getty Images)

Despite a huge potential for growth in the near future for connected cars, the automotive industry is presently lagging behind in terms of introducing cyber-security in automotive technologies at the design stage or testing upcoming technologies or products for security vulnerabilities.

A couple of years ago, a study conducted by Business Insider's research arm BI Intelligence estimated that the number of connected cars, or cars that feature Internet-connected technologies, to be shipped in 2021 would rise to 94 million from just 21 million in 2016, representing a compound annual growth rate of 35 percent in the five-year period.

More significantly, the firm also estimated that 82 percent of all cars shipped in 2021 would feature IoT technologies, that there would be 381 million connected cars on the road by 2020 and that such vehicles would generate $8.1 trillion (£6.28 trillion) in revenue between 2015 and 2020.

Despite such a huge potential for growth, even though the automotive industry is taking major strides in the introduction of customer-friendly technologies, it is severely lagging behind when it comes to ensuring that Internet-connected technologies are secured from existing and emerging cyber-threats.

A report published by SAE International, a global association of engineers and technical experts in the aerospace, automotive and commercial-vehicle industries, and Synopsys has highlighted existing deficiencies in the automotive industry in terms of preparing for challenges in cyberspace.

According to the report, while 30 percent of organisations do not have an established cyber-security programme or teams, 63 percent of automotive professionals do not test a majority of the automotive technology they develop for security vulnerabilities. A typical automotive organisation has only nine full-time employees devoted to cyber-security.

What this suggests is that a large number of infotainment systems, telematics, steering systems, cameras, SoC-based components, driverless and autonomous vehicles and Wi-Fi and Bluetooth devices that have been incorporated in connected cars so far may not be secure from hacking and could leak data to hackers.

"The proliferation of software, connectivity and other emerging technologies in the automotive industry has introduced a critical vector of risk that didn’t exist before: cyber-security. This study underscores the need for a fundamental shift – one that addresses cyber-security holistically across the systems development lifecycle and throughout the automotive supply chain," said Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group.

Out of 593 automotive professionals who participated in the survey, more than half said that their organisation did not allocate sufficient human capital or budget to cyber-security, 62 percent said they didn't possess the necessary cyber-security skills in product development and alarmingly, 71 percent said the pressure to meet product deadlines did not allow them enough time to test their products' cyber-resilience. This has led to less than half of organisations testing their products for security vulnerabilities.

A majority of professionals also stated that their organisation did not provide training on secure coding practices or educate developers on secure coding methods, revealing a lack of emphasis on one of the major factors that lead to security flaws in connected products.

Yet another major drawback of the automotive industry is the lack of concern about the cyber-security of automotive technologies supplied by third parties. While 56 percent of professionals said their organisation did not impose cyber-security requirements for products provided by upstream suppliers, 73 percent said they were concerned about the security of products and technologies supplied by third-parties.

The visible lack of emphasis on cyber-security in the automotive industry is not because of any lack of awareness about cyber-threats. While 84 percent of professionals said their organisations' cyber-security practices did not keep pace with evolving technologies, 62 percent said they feared the possibility of a malicious or proof-of-concept attack against automotive technologies in the next twelve months.

Commenting on these findings, Ernest Aduwa, a solicitor at criminal defence firm Stokoe Partnership Solicitors, told SC Magazine UK that while the automotive industry is aware of the cyber-security problems faced by modern vehicles, the same cannot be said about the consumer, those who will be buying these modern vehicles. This means, the industry is likely to profit from consumer ignorance while it is in its "trial and error" stages of rolling out these modern vehicles to the mass public.

"The industry is actively trying to resolve issues identified, but more needs to be done to raise consumer awareness in order to determine whether a roll out of modern vehicles is premature," he added.

According to Martin Jartelius, CSO at Outpost24, what is surprising about the report is that a third of professionals in the automotive industry do not expect a proof of concept or malicious attack within the next 12 months.

"Research has been maturing fast, and cars are increasingly complex to secure due to the increased reliance on more components, software and communications. I will be surprised if we do NOT see new, novel attacks," he said.

He added: "An average of a nine-man cyber-security team can be seen in two ways. If this is due to each part of an organisation practicing good security and having those responsibilities as part of other roles, then a small central team to coordinate and oversee this work may suffice. This is an industry known to push effectiveness and automation – it would be great to see that spill over also into their security work." 

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews