2. Today’s Speakers
Gene Carter
Director of Product Management
Security Innovation
Peter Samson
Vice President and General Manager
Security Innovation
Larry Ponemon
Chairman
Ponemon Institute
Greg Rudy
Director of Business Development
INTEGRITY Security Services
A Green Hills Company
3. A Few Things…
• A link to the webcast recording and a copy of the slides will be sent to all registrants.
• Submit your questions at any time. They will be addressed at the end of the webcast.
• The Automotive Cyber Security White Paper can be found at
https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists
4. The State of Automotive Cyber Security
Peter Samson
Vice President and General Manager
Security Innovation
5. Software Complexity
F22 Raptor: 2 Million LoC
787 Dreamliner: 7 Million LoC
2016 Ford F150: 130 Million LoC
Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
"Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away." Antoine de Saint-Exupéry
7. What Could Go Wrong?
Theft
Terrorism
Revenge
Mischief
Extortion - Ransomware
Insurance fraud
Espionage
Stalking
Feature (de)activation
Identity theft
Counterfeiting
8. Entry Points for Hackers
Internal
Diagnostic Port
CD/DVD
USB/SD card
Aux input
CAN Bus
Other networks
Mobile phone
External
Bluetooth
Internet
Wi-Fi
Key fob
LIDAR
Digital broadcasts
Tire Pressure Monitors
Tail light
DSRC
9. The Hacker Threat - 2015
A Sky News investigation finds that almost
half the 89,000 vehicles broken into in London
last year were hacked electronically.
12. Government Takes Action
The Security and Privacy in Your Car (SPY) Act
Cybersecurity Standards
  Hacking protection
  Data security
  Hacking mitigation
Privacy standards
  Transparency
  Consumer choice
  Marketing prohibition
Cyber dashboard
  A window sticker showing how well the car protects the security and privacy of the owner.
15. Information Sharing and Access Centers
Automotive Security Best Practices
Security by design
Risk assessment and management
Threat detection and protection
Incident response
Collaboration with third parties
Governance
Awareness and training
16. Automotive Cybersecurity: The Gap Still Exists
Sponsored by Security Innovation and Integrity Security Services
Larry Ponemon
Chairman
Ponemon Institute
17. Introduction
During August 2016 the Ponemon Institute conducted a cybersecurity survey of more than 500 automotive developers, programmers, engineers, and executives, from automakers (OEMs) and their electronics suppliers.
18. Summary Findings
• A growing concern that hackers are actively targeting automobiles.
• OEMs are more concerned than their suppliers about automobiles being hacked.
• The lack of skilled personnel and requirements, and pressure to meet release dates, are the main impediments to secure software development.
• Insufficient use of cryptography.
• Legacy technology is hindering the ability to make vehicles more secure.
• Automakers believe they are not as knowledgeable about secure software development as other industries.
• There is little clarity or consensus regarding a single point of responsibility.
• On the positive side, there is a small but statistically significant trend toward a more mature approach to securing vehicles.
19. Survey Size
Sample response               Number       %
Sampling frame                 8,680  100.0%
Total returns                    590    6.8%
Rejected or screened surveys      63    0.7%
Final sample                     527    6.1%
25. Perceptions about automotive security
[Chart: percentage agreeing, FY 2016 vs FY 2015]
Statements:
  My company makes automotive security a priority
  Automotive development teams have the skills necessary to combat cybersecurity threats
  My organization recruits and retains expert personnel to minimize security risks in automobiles
  Hackers are actively targeting automobiles
Values as extracted (two series of four): 42%, 43%, 45%, 44%; 47%, 47%, 51%, 52%
26. Organizational Alignment?
Is security a priority for your company?
  Workers:    Agree 45%, Disagree 55%
  Management: Agree 61%, Disagree 39%
Are hackers targeting cars?
  Agree 52%, Unsure 28%, Disagree 20%
27. Who is responsible for Security?
[Chart: share of respondents naming each role]
Roles: CIO; CISO; Partner; QA; Developer; No One!
Values as extracted: 23%, 17%, 18%, 11%, 12%, 19%
28. Perceptions about security practices
[Chart: percentage agreeing, FY 2016 vs FY 2015]
Statements:
  My company has the enabling technologies to ensure automotive development is secure
  Automakers are not as knowledgeable about secure platform development as other industries are
  It will be the norm for my company to participate in open disclosure of bugs and bug bounty programs
  My company’s automotive development process includes activities for security requirements, design, implementation and testing
  Engineers and developers are adequately trained in secure architecture and coding practices
Values as extracted (two series of five): 26%, 44%, 45%, 43%, 44%; 24%, 39%, 43%, 47%, 49%
29. Challenges to securing automobile software
[Chart: percentage of respondents, FY 2016 vs FY 2015]
Challenges: Other; Too expensive; Adds too much time to the software development process; Lack of formal security requirements; Lack of defined corporate application security policies; Insufficient resources; Lack of skilled personnel; Pressure to release
Values as extracted: 12%, 16%, 38%, 48%, 64%, 67%, 54%; 6%, 11%, 18%, 34%, 43%, 58%, 65%, 65%
30. What methods does your team use to ensure code is secure without vulnerabilities?
[Chart: percentage of respondents, 2016 vs 2015]
Methods: Automated code scanning tools during development; Automated code scanning tools after release; Manual penetration testing; None of the above; Automated scanning tools used in production; Threat modelling/risk assessment during development; Adherence to secure coding standards; Other
Values as extracted (two series of eight): 65%, 48%, 41%, 27%, 25%, 24%, 23%, 3%; 63%, 50%, 36%, 0%, 27%, 24%, 25%, 10%
32. How difficult is it to secure automobiles?
[Chart: distribution of ratings on a scale from 1 (easy) to 10 (hard), FY 2016 vs FY 2015]
Rating bands: 1 to 2; 3 to 4; 5 to 6; 7 to 8; 9 to 10
Values as extracted (two series of five): 1%, 7%, 18%, 39%, 35%; 2%, 9%, 21%, 33%, 36%
33. Is it possible to build a near hack-proof car?
[Chart: Yes / No / Unsure, FY 2016 vs FY 2015]
Values as extracted (two series of three, in the order Yes, No, Unsure): 17%, 55%, 28%; 19%, 47%, 34%
34. Challenges to Securing Automobiles
[Chart: percentage of respondents, 2016 vs 2015; respondents were asked to “Pick Top 3 challenges”]
Challenges: Too expensive; Adds too much time; Lack of requirements; Lack of company policy; Pressure to release; Lack of skilled people
Values as extracted: 11%, 16%, 38%, 48%, 54%, 67%; 18%, 34%, 43%, 65%, 65%
35. Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals who are involved in the automotive application development process. We also acknowledge that the results may be biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.