When an industry without experience in Internet security starts connecting things to the Internet, it typically makes a number of mistakes both in how it implements secure systems, and how it interacts with the security community. With connected automobiles, the stakes for getting security right have never been higher. “What’s the worst that could happen?” is a lot more serious when you’re talking about a computer that can travel 100+ MPH.
3. Vehicles are becoming computers on wheels
and now have more in common with your
laptop than they do the Model T.
4. Just as smartphones have supplanted non-
Internet-connected phones, connected cars
will supplant non-Internet-connected cars.
5. Auto manufacturers need to become
software companies if they want to
survive into the 21st century.
6. The auto industry must now consider cybersecurity
as an integral part to how cars are built, just as
physical safety became a critical part of how cars
were built in the late 20th century.
7. When an industry without experience from the
front lines of Internet security begins connecting
its products, one of two outcomes often occurs.
8. When an industry without experience from the
front lines of Internet security begins connecting
its products, one of two outcomes often occurs.
If there are clear security
best practices, then most
companies will (hopefully)
implement those best
practices.
9. When an industry without experience from the
front lines of Internet security begins connecting
its products, one of two outcomes often occurs.
If there are no clear best
practices, companies will likely
make a lot of security mistakes,
resulting in major cybersecurity
problems down the road.
10. How do we make cars
resilient in the face of
cyberattacks?
11. How do we make cars
resilient in the face of
cyberattacks?
In our research, we have found that if the auto industry is to
build vehicles that are resistant to cyberattack, they must
implement three important measures.
12. An over-the-air update process: Ideally without the owner having
to subscribe to a separate service.
Isolation of vehicle and infotainment systems: With this in place, it’s
important that any gateway systems receive an extreme amount of
security scrutiny.
Hardening each individual component: A resilient automotive
cybersecurity architecture should assume that attackers will
compromise some component (e.g. the web browser). That single
component compromise should not affect the functionality of the
system as a whole.
1
13. An over-the-air update process: Ideally without the owner having to
subscribe to a separate service.
Isolation of vehicle and infotainment systems: With this in place,
it’s important that any gateway systems receive an extreme
amount of security scrutiny.
Hardening each individual component: A resilient automotive
cybersecurity architecture should assume that attackers will
compromise some component (e.g. the web browser). That single
component compromise should not affect the functionality of the
system as a whole.
2
14. An over-the-air update process: Ideally without the owner having to
subscribe to a separate service.
Isolation of vehicle and infotainment systems: With this in place, it’s
important that any gateway systems receive an extreme amount of
security scrutiny.
Hardening each individual component: A resilient automotive
cybersecurity architecture should assume that attackers will
compromise some component (e.g. the web browser). That single
component compromise should not affect the functionality of the
system as a whole.
3
15. Read Hacking a Tesla Model S: What we found and what we learned