Study reveals laxness among automakers in terms of cybersecurity
An independent study conducted by Ponemon Institute found that 30% of the automotive companies do not have their own cybersecurity programme or a team. It also found that these companies do not even hire external organisations to secure the software used in their products.
Moreover, the survey shows that around 63% of all automotive firms are heedless when it comes to testing vulnerabilities. Less than half of software, hardware, and other technologies they develop remain untested.
Commissioned by Synopsys and SAE International, the study used a sampling frame of 15,900 IT security practitioners and engineers in the automotive sector, in which the final sample comprised of 593 surveys. In order to make sure that the responses provided are relevant, the Ponemon Institute chose only those respondents who were either involved in assessing or contributing to the security of automotive components in their organisation.
The report says: “The security professionals surveyed for our report indicated that the typical automotive organisation has only nine full-time employees in its product cybersecurity management program.” According to the report, 60% of all responders lack understanding and training on secure coding practices, which is the key reason behind all vulnerabilities in the automotive software, components and technology. Among the respondents, 50% said that the lack of quality assurance and testing procedures, 55% mentioned accidental coding errors, and 40% highlighted the use of insecure/outdated open source software components as the most common factors that lead to vulnerabilities in their technologies.
“Seventy-three percent of respondents surveyed in our report say they are very concerned about the cybersecurity posture of automotive technologies supplied by third parties. However, only 44% of respondents say their organisations impose cybersecurity requirements for products provided by upstream suppliers.”
Security vulnerabilities have been found most of the times as software has been added to vehicles. For instance: In April 2018, a Dutch cyber-security firm found that in-vehicle infotainment (IVI) systems used by some car models from the Volkswagen Group were vulnerable to remote hacking. And in October 2017, an electronics designer discovered a fault in the key fob system of several Subaru models. This security issue was refused by Subaru to patch when contacted and that could potentially be abused to hijack its customers’ cars.
See also: https://iot-eurasia.com/news-2/