The Connected Car: Security Is in the Slow Lane


Posted by RSAC Contributor

By Lancen LaChance, Vice President of Product Management, GlobalSign

Wi-Fi hotspots, navigation systems and self-parking technology—these are just some of the cool connected car features available today. Cars are no longer just for driving; they are connected systems embedded in our personal data network, with access to valuable information that is attractive to hackers. Safely building systems for connected cars requires a much broader skill set than prior generations of automobiles required.

Several high-profile automotive security stories have created awareness around just how easy it is to remotely take control of vehicles and the potential risks, but the disparity in maturity and readiness of the industry to tackle the cybersecurity concerns of connected vehicles is still eye-opening. Securing these systems is a must. Our physical safety and the privacy of our personal information will depend on it.

Security at EVERY stage

When people speak of security by design, they often refer to a broad spectrum of activities and approaches used to build stronger security postures in software products. There is another dimension of this security by design approach—security needs to be considered at every stage and by every person. In this context, I mean that security isn't a separate, isolated function of the process or of application development teams. Rather, all individuals involved with designing the product must be thinking about and implementing security best practices. It's not a separate checkbox or stage gate. Although those stage gates are still useful for ensuring things go through proper reviews, on their own they are not sufficient to get the most out of a security by design approach.

Impacting the Bottom Line

With GSMA Research estimating that 100 percent of all new cars will be connected by 2035 and that 75 percent will be autonomous by 2025, the urgency for auto manufacturers to build security into their product delivery capabilities will also grow.

The security vulnerabilities of connected cars can put consumer safety at risk and can significantly drive the cost of warranty replacements up when repairs are needed on potentially more than a million vehicles. Brands do not want to have to deal with expensive reputation repair and the resulting financial losses. For example, Fiat Chrysler has had to do a lot of damage control, including a widespread and costly recall of their vehicles after the Wired story of a hacked Jeep was published last year. Now, if something tragic had resulted from this, the damage could have been irreparable and affected whether the manufacturer would be able to stay in business.

Moving Towards a Better Approach

While technologies are constantly evolving, and the specific design choices will be broad, organizations now have the opportunity to recognize the need to build teams with the right mindset and skill set to ensure security is built into product design. In addition to building internal teams, it's critical to build the right partnerships to help incorporate best practices and proven technology solutions.

Some of the key areas we see the auto industry working on right now include identifying individual components in the vehicle and building appropriate mechanisms to manage the vehicle systems through their lifecycle.

It is encouraging to see that the auto industry is now addressing cybersecurity with the formation of the Alliance of Automobile Manufacturers, an industry-wide effort to identify emerging threats, and that leaders in the security space are setting the tone for a strong connected vehicle security posture through security by design thinking.

Lancen LaChance is vice president of product management for GlobalSign, a provider of security and identity solutions for the Internet of Everything (IoE). Lancen.lachance@globalsign.com

