Automotive Cybersecurity:
A Gap Still Exists
Ponemon Institute Survey
Automotive Cybersecurity: The Gap
Still Exists
Today’s Speakers
Gene Carter, Director of Product Management, Security Innovation
Peter Samson, Vice President and General Manager, Security Innovation
Larry Ponemon, Chairman, Ponemon Institute
Greg Rudy, Director of Business Development, INTEGRITY Security Services, A Green Hills Company
A Few Things…
• A link to the webcast recording and a copy of the slides will be sent to
all registrants.
• Submit your questions at any time. They will be addressed at the end
of the webcast.
• The Automotive Cyber Security White Paper can be found at
https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists
The State of Automotive
Cyber Security
Peter Samson
Vice President and General Manager
Security Innovation
Software Complexity
• F22 Raptor: 2 Million LoC
• 787 Dreamliner: 7 Million LoC
• 2016 Ford F150: 130 Million LoC
Source: http://www.informationisbeautiful.net/visualizations/million-lines-of-code/
"Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away."
Antoine de Saint-Exupéry
Connected Vehicle Market Growth
[Charts: Number of Connected Cars; Five-year Economic Value. Data labels: $152 billion, $141 billion, $132 billion, $128 billion, $98 billion]
What Could Go Wrong?
Theft
Terrorism
Revenge
Mischief
Extortion - Ransomware
Insurance fraud
Espionage
Stalking
Feature (de)activation
Identity theft
Counterfeiting
Entry Points for Hackers
Internal
Diagnostic Port
CD/DVD
USB/SD card
Aux input
CAN Bus
Other networks
Mobile phone
External
Bluetooth
Internet
Wi-Fi
Key fob
LIDAR
Digital broadcasts
Tire Pressure Monitors
Tail light
DSRC
The Hacker Threat - 2015
A Sky News investigation finds that almost half the 89,000 vehicles broken into in London
last year were hacked electronically.
The Hacker Threat - 2016
Cybersecurity Standards
Hacking protection
Data security
Hacking mitigation
Privacy standards
Transparency
Consumer choice
Marketing prohibition
Cyber dashboard
A window sticker showing how well the car
protects the security and privacy of the owner.
Government Takes Action
The Security and Privacy in Your Car (SPY) Act
And Warns the Public
Digital Millennium Copyright Act
11/2/2016 05:50 PM
Information Sharing and Access Centers
Automotive Security Best Practices
✓ Security by design
✓ Risk assessment and management
✓ Threat detection and protection
✓ Incident response
✓ Collaboration with third parties
✓ Governance
✓ Awareness and training
Sponsored by Security Innovation and
Integrity Security Services
Automotive Cybersecurity:
The Gap Still Exists
Larry Ponemon
Chairman
Ponemon Institute
Introduction
During August 2016 the Ponemon Institute
conducted a cybersecurity survey of more than
500 automotive developers, programmers,
engineers, and executives, from automakers
(OEMs) and their electronics suppliers.
Summary Findings
• A growing concern that hackers are actively targeting automobiles.
• OEMs are more concerned than their suppliers about automobiles being hacked.
• The lack of skilled personnel and requirements, and pressure to meet release
dates are the main impediments to secure software development.
• Insufficient use of cryptography.
• Legacy technology is hindering the ability to make vehicles more secure.
• Automakers believe they are not as knowledgeable about secure software
development as other industries.
• There is little clarity or consensus regarding a single point of responsibility.
• On the positive side, there is a small but statistically significant trend toward a
more mature approach to securing vehicles.
Methods
Survey Size
Sample response                 Number    %
Sampling frame                  8,680     100.0%
Total returns                   590       6.8%
Rejected or screened surveys    63        0.7%
Final sample                    527       6.1%
Demographics
[Chart: Headcount of Companies Surveyed]
Demographics
[Charts: Job Roles; Reporting Lines]
Demographics
[Charts: Number of Software Developers; Development Responsibilities]
Responses
Perceptions about automotive security
[Bar chart, FY 2016 vs. FY 2015. Statements rated:]
• MY COMPANY MAKES AUTOMOTIVE SECURITY A PRIORITY
• AUTOMOTIVE DEVELOPMENT TEAMS HAVE THE SKILLS NECESSARY TO COMBAT CYBERSECURITY THREATS
• MY ORGANIZATION RECRUITS AND RETAINS EXPERT PERSONNEL TO MINIMIZE SECURITY RISKS IN AUTOMOBILES
• HACKERS ARE ACTIVELY TARGETING AUTOMOBILES
Data labels: 42%, 43%, 45%, 44%, 47%, 47%, 51%, 52%
IS SECURITY A PRIORITY FOR YOUR COMPANY?
• Workers: Agree 45%, Disagree 55%
• Management: Agree 61%, Disagree 39%
ARE HACKERS TARGETING CARS?
• Agree 52%, Unsure 28%, Disagree 20%
Organizational Alignment?
Who is responsible for Security?
• CIO: 23%
• CISO: 17%
• Partner: 18%
• QA: 11%
• Developer: 12%
• No One!: 19%
Perceptions about security practices
[Bar chart, FY 2016 vs. FY 2015. Statements rated:]
• MY COMPANY HAS THE ENABLING TECHNOLOGIES TO ENSURE AUTOMOTIVE DEVELOPMENT IS SECURE
• AUTOMAKERS ARE NOT AS KNOWLEDGEABLE ABOUT SECURE PLATFORM DEVELOPMENT AS OTHER INDUSTRIES ARE
• IT WILL BE THE NORM FOR MY COMPANY TO PARTICIPATE IN OPEN DISCLOSURE OF BUGS AND BUG BOUNTY PROGRAMS
• MY COMPANY’S AUTOMOTIVE DEVELOPMENT PROCESS INCLUDES ACTIVITIES FOR SECURITY REQUIREMENTS, DESIGN, IMPLEMENTATION AND TESTING
• ENGINEERS AND DEVELOPERS ARE ADEQUATELY TRAINED IN SECURE ARCHITECTURE AND CODING PRACTICES
Data labels: 26%, 44%, 45%, 43%, 44%, 24%, 39%, 43%, 47%, 49%
Challenges to securing automobile software
[Bar chart, FY 2016 vs. FY 2015. Categories:]
• OTHER
• TOO EXPENSIVE
• ADDS TOO MUCH TIME TO THE SOFTWARE DEVELOPMENT PROCESS
• LACK OF FORMAL SECURITY REQUIREMENTS
• LACK OF DEFINED CORPORATE APPLICATION SECURITY POLICIES
• INSUFFICIENT RESOURCES
• LACK OF SKILLED PERSONNEL
• PRESSURE TO RELEASE
Data labels: 12%, 16%, 38%, 48%, 64%, 67%, 54%, 6%, 11%, 18%, 34%, 43%, 58%, 65%, 65%
What methods does your team use to ensure code
is secure without vulnerabilities?
[Bar chart, 2016 vs. 2015. Categories:]
• AUTOMATED CODE SCANNING TOOLS DURING DEVELOPMENT
• AUTOMATED CODE SCANNING TOOLS AFTER RELEASE
• MANUAL PENETRATION TESTING
• NONE OF THE ABOVE
• AUTOMATED SCANNING TOOLS USED IN PRODUCTION
• THREAT MODELLING/RISK ASSESSMENT DURING DEVELOPMENT
• ADHERENCE TO SECURE CODING STANDARDS
• OTHER
Data labels: 65%, 48%, 41%, 27%, 25%, 24%, 23%, 3%, 63%, 50%, 36%, 0%, 27%, 24%, 25%, 10%
How difficult is it to secure automobiles?
• Very difficult: 35%
• Difficult: 39%
• Somewhat difficult: 18%
• Not difficult: 7%
• Easy: 1%
How difficult is it to secure automobiles? (scale from Easy to Hard)
Rating     FY 2016   FY 2015
1 to 2     1%        2%
3 to 4     7%        9%
5 to 6     18%       21%
7 to 8     39%       33%
9 to 10    35%       36%
Is it possible to build a near hack proof car?
Answer    FY 2016   FY 2015
Yes       17%       19%
No        55%       47%
Unsure    28%       34%
Challenges to Securing Automobiles
“Pick Top 3 challenges”
[Bar chart, 2016 vs. 2015. Categories:]
• TOO EXPENSIVE
• ADDS TOO MUCH TIME
• LACK OF REQUIREMENTS
• LACK OF COMPANY POLICY
• PRESSURE TO RELEASE
• LACK OF SKILLED PEOPLE
Data labels: 11%, 16%, 38%, 48%, 54%, 67%, 18%, 34%, 43%, 65%, 65%
Caveats
There are inherent limitations to survey research that need to be carefully considered before drawing
inferences from findings. The following items are specific limitations that are germane to most web-based
surveys.
Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative
sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is
always possible that individuals who did not participate are substantially different in terms of underlying beliefs from
those who completed the instrument.
Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative
of individuals who are involved in the automotive application development process. We also acknowledge that the results may be
biased by external events such as media coverage. Finally, because we used a Web-based collection method, it is
possible that non-Web responses by mailed survey or telephone call would result in a different pattern of findings.
Self-reported results: The quality of survey research is based on the integrity of confidential responses received from
subjects. While certain checks and balances can be incorporated into the survey process, there is always the
possibility that a subject did not provide a truthful response.
© 2016 INTEGRITY Security Services - Confidential Slide 36
experts in end-to-end embedded security
Car Cybersecurity: The Gap Still Exists
Gregory Rudy
Director of Business Development
Driving Forward
Threat Actors
• Who are these hackers?
  ▪ Individuals (significant time, varied expertise, limited $ & capability)
  ▪ Corporate (moderate time, high expertise, moderate $ & capability)
  ▪ Universities (moderate time & $, high expertise, high capability)
  ▪ Terrorists (moderate time, varied expertise, moderate $ & capability)
  ▪ Nation states (significant time, high expertise, high $ & capability)
• Hacking Goals
  ▪ Fame and notoriety
  ▪ Economic gain – e.g., unlock hidden functionality; access IP/content
  ▪ Terrorism - e.g., disrupt a city at rush hour; remove fleet from service
• Hacking consequences
  ▪ Brand damage – loss of customer confidence in products/systems
  ▪ Liability
  ▪ Economic loss
Standards: ISO 26262 Safety
Using ISO 26262 ≠ Security in your design
• If you design to ISO 26262 for safety, other considerations must be taken to achieve levels of system security
  ▪ Secure Boot
  ▪ Device Authentication
  ▪ Software Authentication
  ▪ FIPS 140-2 Cryptography
  ▪ Use of products that adhere to and are certified to high Evaluation Assurance Levels (EAL) by BSI and/or Common Criteria
  ▪ And more….
ECU Security Architecture Design
• Many are looking in the rear view mirror to “solve” current and future vehicle security problems
  ▪ Focus on IT enterprise-style solution of perimeter security
    • “All we need is a firewall and IDS”
    • Network segmentation
    • SSL to the cloud
      ◦ Improper/outdated crypto
      ◦ Poor authentication
• “The concept of perimeter control is in total crisis” – Dan Geer, CISO of In-Q-Tel
Does your company integrate security architecture design into the development process?
• Totally integrated: 15%
• Partially integrated: 34%
• Added on: 47%
• Unsure: 4%
ECU Security Architecture Design
• Embedded space is fundamentally different
  ▪ Constrained environments
  ▪ Well defined functionality on most ECUs
    • Infotainment is the outlier due to Android/iOS support & passenger device/application interface.
  ▪ We can do much better by designing for this environment!
  ▪ Defense in depth is still required and attainable!
Retrofitting Security is Hard to Do
First Steps - Understand the Task
• Identify critical assets that require protection and their lifetimes
  ▪ Intellectual property, gold firmware images/bitstreams, software/feature updates, secrets (keys), identities
  ▪ ECUs fielded for 20 – 30 years
• Understand the attack surfaces that can be exploited to recover/modify the critical assets
  ▪ Application & implementation dependent
  ▪ All remote and local connectivity points
    • Wireless (BT, WiFi, Cellular, GPS, etc.) & wired (USB, Ethernet, CAN, DVD, OBD-II, etc.)
  ▪ Physical analysis of ECU internals
First Steps
• Understand the difficulty of exploiting the attack surfaces
  ▪ Can an attacker analyze one ECU to recover an asset that can compromise a large number of vehicles?
  ▪ Can over-the-air messages be sent to arbitrary vehicles?
  ▪ Can the service network be used to inject specific data?
• Examine the likelihood of exploitation
  ▪ A local physical attack that compromises a single vehicle is far less interesting than one that compromises many
  ▪ Remote attacks are the holy grail
  ▪ A nation-state can be very patient and persistent
• Don’t assume proprietary implementations will protect you!
  ▪ Arrogance and ignorance can each destroy your ECU
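The first question on this slide (can one analyzed ECU yield an asset that compromises many vehicles?) can be tested against a key-provisioning design. The sketch below is an added example, not part of the original slides or of any vendor's product; the key values, ECU serials and the `ecu-auth-v1` label are constructed, and HMAC-SHA256 stands in for whatever message authentication the ECU actually uses.

```python
import hashlib
import hmac

# Constructed sample values; in production the master key never leaves an HSM.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
FLEET_SHARED_KEY = bytes.fromhex("a5" * 32)
ECU_IDS = ["ECU-0001", "ECU-0002", "ECU-0003", "ECU-0004"]  # constructed serials


def derive_ecu_key(master_key: bytes, ecu_id: str) -> bytes:
    """Per-ECU key: HMAC-SHA256(master, label || ECU serial)."""
    return hmac.new(master_key, b"ecu-auth-v1|" + ecu_id.encode(), hashlib.sha256).digest()


def tag(key: bytes, message: bytes) -> bytes:
    """Authentication tag over a message."""
    return hmac.new(key, message, hashlib.sha256).digest()


def ecu_accepts(ecu_key: bytes, message: bytes, mac: bytes) -> bool:
    """Receiver-side check, using a constant-time comparison."""
    return hmac.compare_digest(tag(ecu_key, message), mac)


def exposure(provisioned: dict, analyzed_ecu: str, message: bytes) -> list:
    """ECUs that would accept a message tagged with the key held by one analyzed unit."""
    mac = tag(provisioned[analyzed_ecu], message)
    return sorted(e for e, k in provisioned.items() if ecu_accepts(k, message, mac))


def compare_designs(message: bytes = b"feature-update:heated-seats") -> dict:
    """Exposure of a fleet-wide shared key versus per-ECU derived keys."""
    shared = {e: FLEET_SHARED_KEY for e in ECU_IDS}
    diversified = {e: derive_ecu_key(MASTER_KEY, e) for e in ECU_IDS}
    return {
        "shared": exposure(shared, "ECU-0001", message),
        "diversified": exposure(diversified, "ECU-0001", message),
    }


if __name__ == "__main__":
    for design, ecus in compare_designs().items():
        print(f"{design:12s} key from ECU-0001 is valid on: {ecus}")
```

With per-ECU derivation the backend can recompute any unit's key from the master key and the serial, so manufacturing sites only ever handle one device's key at a time.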
Holistic View Across All Domains is Required
Product Security Domain
- Hardware
- Firmware
- OS
- Applications
Manufacturing Security Domain
- Contract Manufacturing
- Chip Providers
- Board Providers
- Test Houses
- ISVs
Operations Security Domain
- Updates
- Feature Control
- Content Mgmt
- Users
- Administrators
- Hackers
Security Must Exist in All Domains
Does your company integrate the security architecture, including the entire supply chain and partner network?
• Totally integrated: 11%
• Partially integrated: 29%
• Added on: 55%
• Unsure: 5%
ECU Cryptographic Boundary
• FIPS 140-2 requires all hardware, software and firmware implementing cryptographic functions including algorithms and key generation be contained within a defined cryptographic boundary
• Reliable and separate from untrusted software
• Begins with a hardware root of trust
  ▪ Secure Boot Support
  ▪ Random Number Generation
  ▪ Secure Key Storage
  ▪ Cryptographic Acceleration
  ▪ Anti-Tamper protection
[Bar chart: Which of the following system security features does your company currently use? Select all that apply. Categories: Secure boot, Encrypted communication, Endpoint authentication, Encrypted data in storage]
Defense in Depth
Hardware Root of Trust
Software Crypto
Secure Boot
Security Protocols
Separation Design
Remote Updates
Establish a Trusted Platform
Secure communication
Minimize software defect risk
Today’s Complex Supply Chains
Headquarters
Manufacturing Sites
3rd Parties
Strategic Partners
Infrastructure Requirement
Security Infrastructures Must
• Sign software images
• Generate Keys and Certificates
• Inject sensitive material
• Root key protection
• Device Authentication
• Remote Management
• Software Updates
Critical Considerations:
  ▪ Distributed Supply Chains
  ▪ Multiple Products
  ▪ Partner Access
  ▪ High-Availability
  ▪ Changing Algorithms
Enterprise Security Infrastructure
Zero exposure distribution of trust assets across global supply chains
Don’t be Afraid to Ask…
• This presentation only covers a few of the architecture design issues for ECUs
  ▪ “Cryptographic protocols and their implementations …they’re very hard to get right.” – Steven Bellovin, professor, Columbia University
• Honestly assess your team’s expertise in these areas
  ▪ Secure design & implementation, supply chain security, post sale security
• Diebold got it ALL wrong in their voting machines
• Reach out to an expert group such as INTEGRITY Security Services to help you so your ECU security is correct from the start
  ▪ Save design time – more eyes on the problem, the better!
  ▪ Secure your supply chain
  ▪ Prevent recalls
  ▪ Protect revenue & brand
Q&A
Thank you!
Learn more about our automotive services:
https://www.securityinnovation.com/solutions/auto-industry-security
Download the whitepaper:
https://web.securityinnovation.com/automotive-cybersecurity-gap-still-exists