We recently completed the third meeting of the Secure-CAV Advisory Panel, with a group of experts from a leading automotive OEM, semiconductor IP vendors, industry consultants (business and insurance sectors) along with members of the Secure-CAV consortium itself.
An issue that’s been flagged a few times during these meetings is the concern of the automotive OEMs’ cybersecurity readiness and adaptability to a different way of working to tackle the associated threats.
In the previous blog from our first panel, I highlighted the responsibility falling on the shoulders of the automotive OEMs, making it clear that the entire industry ecosystem would need to get behind automotive OEMs to tackle the challenges that lie ahead.
This latest Panel meeting started off discussing how and where security and safety overlap or where approaches differ, and the challenges that presents to automotive OEMs. Although it’s clear there are many parallels, security cannot be fully addressed by simply looking at reliability. A significant challenge is the move from a finite list of safety challenges, to the potentially unlimited cybersecurity challenges and ‘actors’. As highlighted by our panel: tackling intentional security attacks is very different to dealing with unintentional safety issues with a vehicle.
Industry standards and regulations provide a common language and a frame of reference but the only a baseline, a minimal response: ‘you can get a seal of approval on something that is frankly shocking’. The auto industry knows it therefore needs to take the lead, but it also admits a response [..to the looming threat landscape] is lacking, late or inadequate.
In the words of an automotive OEM, ‘We cannot change the mindset overnight, but we believe we have to change as fast as possible’. We have to involve the supply chain and the full design/IP ecosystem in tackling the changes…to identify biggest risks and develop mitigation strategies.’
The fact that timelines for development and updates for software and hardware are very different and seem not to be aligned creates key security issues or ‘holes’. With recent hardware-based attacks exploiting attacks in the microarchitecture there is a need for supporting hardware updates.
To improve the response time to potential threats, there needs to be a process and a risk mitigation communication infrastructure within the automotive supply chain. Many issues remain unaddressed while security issues are “pressing”
The target for automotive OEMs should be in line with that commonly seen in consumer electronics, where security patches are rolled out quickly. The automotive industry is “reacting” with a supply chain infrastructure that takes months where other industry sectors only need hours. Over-the-air (OTA) software updates could need time-consuming industry or regulatory approval. The need for reliable comms infrastructure and stable connectivity is also essential – and when there is ‘zero trust’ in the communications it’s clear there is much to be addressed.
Secure-CAV has been set up by the industry and academic consortium to identify the issues and provide both generic approaches and a specific defense-in-depth cybersecurity solution that is both proactive and responsive to an evolving threat landscape.