Vol. 28, No. 1 u hansenreport.com u February 2015 Auto Industry Looking Carmakers Pushing for Full Car for Defenses against OTA Software Updates by 2020 Cybersecurity Attacks Anyone who uses a computer or a smart- park assist view with reverse camera guides, phone is familiar with over-the-air software among other modifications. updates. I’ve gotten used to updates, which When an update is available, Model S The auto industry is very aware that to- come unbidden. My computer and my owners are notified on the central display day’s vehicles are not well defended against smartphone are better today than when I with an option to install immediately or cyberattacks. Tomorrow’s vehicles, with bought them. schedule the installation at a later time. multiple wireless connections to the cloud Years ahead of every other carmaker, They are further advised to connect the and the world outside the vehicle, will be Tesla, the Silicon Valley maker of electric vehicle to their home’s Wi-Fi network, for even more vulnerable. But carmakers are cars, has made OTA updates routine. Since the fastest update speed, and put the vehi- unsure what to do about the cybersecurity the first Model S was delivered in Septem- cle into park. The average software update threat and concerned about how much ber 2012, Tesla has made 28 software takes 45 minutes. their mitigation efforts will cost. The indus- changes, according to teslasmotorclub.com, try is scrambling to understand the threat and conducted at least 18 OTA software The World’s Carmakers Follow Tesla and find solutions. Any solutions involving updates, according to telarati.com. Major The case for over-the-air software up- onboard electronics will take decades to releases, which bring fundamental improve- dates is solid. For starters, carmakers can’t work their way into the total ments and changes to how the vehicle oper- defend against cyberattacks without the vehicle fleet. ates, happen about once a year, and minor ability to frequently update their vehicles Every day another major corporation releases about every 60 days. with the latest cybersecurity software. falls prey to a cyberattack. Yesterday it was The latest Model S software release, ver- Plus, the economic benefits are substan- Sony; today it is the U.S. health insurance sion 6.1, expands the driver assistance fea- tial. Take away the recalls involving Takata company, Anthem, where a customer data- tures with traffic-aware cruise control, airbags and GM ignition switches and base containing 80 million personal re- forward collision warning and an enhanced most recalls involve software. According to cords was breached. A cyberattack on a Red Bend Software executive vice presi- dent, Oren Bezaleli, half of all recalls are major carmaker or multiple vehicles made What’s Driving Over-the-Air Updates: by a major OEM is not altogether unlikely. because of bugs in the software, and tomor- u In the face of numerous reports of Software defines the car and software row’s cars will be even more reliant on soft- white-hat hackers gaining access to vehicle content is increasing ware. Red Bend, a specialist in mobile u networks and controls, no one in the in- More frequent map updates software management and over-the-air up- u dustry is suggesting that cars are well de- The need to fix problems with infotainment dates, was recently acquired by Harman. systems and update them with new fea- fended from cyberattacks. The industry has (See the company profile of Harman on tures accepted that vehicles are vulnerable and page 4.) u The need to tweak vehicle control sys- Ford spent more than $150 million in the potential for mayhem is real. The prob- tems, especially for highly automated warranty costs over a seven-year period just lem is what to do about it. driving to reflash powertrain controls. Depending According to cybersecurity expert Karl u OTA updates are significantly less expen- Heimer, founding partner at Autoimmune sive than updates done at the dealer on where in the U.S. they are performed, Inc., speaking at the panel discussion I u Software fixes account for more than half software updates at dealers cost OEMs be- moderated at the 2015 Consumer Elec- of all warranty costs tween $75 and $100 per hour. OTA up- tronics Show in January, “Carmakers un- u More frequent updates can solve even dates, especially those done via Wi-Fi, derstand the issue. There is a hiring frenzy minor problems before they lead to a re- would cost a small fraction of that. If done going on across the automotive manufac- call over a cellular network, data charges would turing community and probably also in the u Tesla has shown the world that OTA up- be higher. Additionally, a company han- tier-one supplier community. They are post- dates even to vehicle control systems can dling the update, such as Red Bend Soft- ing many, many jobs for cybersecurity ana- work ware, Arynga or Movimento, might charge lysts and people with cybersecurity u The promise of happier customers who a fee for each vehicle it updates. They expertise.” The CES panel on security experience new features and upgrades would also charge a price for any of their issues for connected cars was organized by after sale software embedded in the vehicle that u Genivi and the SAE. Software updates are an essential ingredi- manages the update. Turn to Cybersecurity, page 2 ent of cybersecurity Turn to OTA Updates, page 3 The Hansen Report on Automotive Electronics, www.hansenreport.com Page 1, February 2015 Cybersecurity… Continued from page 1 NHTSA’s Role the finance ISAC, are very successful be- more than one million modules. Mr. Presi- Mr. Heimer went on to introduce an cause the companies that participate are dio made a compelling case for Movi- idea that has been circulating. He suggested very cooperative and open to sharing. Oth- mento’s security gateway module. that the government needs to work with ers, such as the defense industry ISAC, “Anomaly detection is getting a lot of OEMs and tier ones to establish a base lev- haven’t been very effective, because the par- attention, but in my opinion that is a bit of el of cybersecurity hygiene for cars and im- ticipants tend to be secretive. He worries a red herring. They want to look at all the pel carmakers to adhere to it. David that given the importance to carmakers of CAN traffic, of which there is an enormous Strickland, former administrator of creating strong brand distinctions, carmak- amount. That requires an enormous NHTSA and now a partner at the legal ers will find it difficult to share critical in- amount of data handling, manipulation firm Venable LLC, also on the security formation, at least initially. and number crunching. Instead, we think panel at CES, spoke positively about the you should be worried about not letting concept. “NHTSA has been working very SAE anybody open the door to any of the hard to figure out what that baseline level The SAE Vehicle Electrical System Secu- ECUs, that is, put them into programming of hygiene is, and from there adapt their rity Committee has been officially active mode, which is when an ECU will accept defect authority to push carmakers to stay since May 2011, meeting monthly for a commands. As we do when we are reflash- above that level. Making that baseline flexi- couple of hours, primarily for information ing, we are only looking for somebody to ble and adaptable, but sufficiently hard- sharing. Balloting for its first publication, put the key in the door. That is a simple ened, will be really hard to do. Everything J3061, “Cybersecurity Guidebook for Cy- thing to detect and doesn’t require much with regard to automobile safety is based ber-Physical Automotive Systems,” will start overhead to monitor the bus traffic. When on a notion of unreasonable risk. What some weeks from now and take a few someone puts the key in the door it takes might be unreasonable risk in the eyes of months to be completed. The full commit- us about 10 milliseconds to respond, which the agency or in the eyes of a cyber-expert tee has 104 participants, 22 of whom are is faster than any of the ECUs could go or in the eyes of the consumer might be voting members. into programming mode.” wildly different. That will be another great Anyone thinking there are quick fixes to challenge.” Onboard Solutions automotive cybersecurity should listen to Given its limited resources, NHTSA will Carmakers worldwide are considering Karl Heimer: “Intrusion detection systems be hard pressed to meet the challenges it is how automotive hardware and software that are coming out will raise the bar. They facing. There are only about six or seven must change to harden connected vehicles are all very helpful, but cybersecurity is illu- electrical engineers at NHTSA who have against cyberattacks. “The solution starts sory. You never get secure, it is just not pos- been thinking about cybersecurity and with the software and hardware you sible. What you do is stay ahead of the u none has deep expertise in the subject. choose,” said Mark Zeinstra, a director at attackers in a perpetual arms race.” Visteon Electronics, one of my security Auto-ISAC panelists at CES. “You need to choose an The Association of Global Automakers SoC [system on chip] with the right securi- and the Alliance of Automobile Manufac- ty. You need a secure operating system and turers, which together represent the 28 ma- secure applications.” © 2015 Paul Hansen Associates, 150 jor carmakers operating in the United There will be no cybersecurity without Pinehurst Road, Portsmouth, NH 03801 States, hired the Booz Allen and Hamilton the ability to provide over-the-air software USA.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages8 Page
-
File Size-