Cutting-edge, interconnecting technology is being embedded into products at a rate never before seen. From coffee pots to cars, the IoT revolution is bringing great advances and conveniences to every day products. That said, it’s unfortunately also bringing a dramatic increase to the attack surface and potential vulnerabilities of those products.
When a coffee pot goes rouge, the risk is minimal, but when smart self-driving cars become a target, the potential damage is much greater. The dangers presented have required a paradigm shift in the way we assess security risks, especially in the world of manufacturing, where systems and factory controls were previously isolated from attacks but are now embedded and online out of necessity. More lines of code are being embedded, which means best practices like SecDevOps that were previously the concern of enterprise IT are now just as much a part of software development, for any product with an embedded microprocessor.
With any security program, it’s an accepted reality that nothing can be completely secure. It’s simply too cost prohibitive, and perhaps not even possible. So the challenge becomes adopting security defenses that would require large amounts of resources and time to overcome, so much so that it discourages adversaries from attacking in the first place. And with each additional layer of security or control we add to a particular product there are costs in development time, hardware, power consumption or even the usability of the product. It’s a constant cost/benefit evaluation using the formula Risk = Threat x Vulnerability x Consequence. When security is neglected, people take notice. Trust and credibility are affected. When it comes to the automotive industry, the time to mitigate these risks was yesterday.
A Bit of History on Auto Security
Before we get to where we go from here, a bit of history is beneficial. The automotive industry is still feeling the repercussions of widely publicized hacks by duo Charlie Miller and Chris Valasek in which they demonstrated major exploitable problems with Ford, Toyota, Chevy, and Jeep cars.
As they stated in their paper “As cars move into the future, they are being more connected with features normally found in desktop computers like apps and even web browsers. We believe this new technology opens up many attack vectors that did not exist before, such as web browser exploits, malicious apps, and internet service exploitation. Not only is the added attack surface being added in droves, but the underlying research and exploitation methodologies are widely understood by attackers. Complex code is being added to vehicles and there is no reason to believe corresponding anti-exploitation technologies are being added with them.” (A Survey of Remote Automotive Attack Surfaces)
A grass roots driven initiative by security testers across the globe was pushed by a group called I Am The Cavalry, which focuses “on issues where computer security intersect public safety and human life.” They released their Five Star Automotive Cyber Safety Program letter in February of 2015, urging car makers to attest to five foundational capabilities to improve the visibility of their Cyber Safety programs:
• Safety by Design
• 3rd Party Collaboration
• Evidence Capture
• Security Updates
• Segmentation and Isolation
All good stuff, but fast forward a few years to today. How have things improved? How well is the automotive industry adopting best practices, like SecDevOps, from the more traditional software development community? Not well enough. And unfortunately, according to the Upstream Security Automotive Cybersecurity Report 2019, there has been a 6X increase in automotive cyberattacks between 2010 and 2018 – a very rapid growth of incidents in the connected car industry.
As is so often the case when designers build to requirements without considering security, vulnerabilities will inevitably be discovered and exploited. The modern connected car contains a Telematics Control Unit (think OnStar), always-on GPS, always-on cellular connectivity, interfaces for Bluetooth and smartphones, and complex software to tie it altogether communicating over a Controller Area Network (CAN bus). All this makes for an extremely large attack surface. It only took 400,000 lines of code to orbit earth in the space shuttle. But today, Microsoft Windows has 39 million lines of code. A typical new car now has over a 100 million lines of code. These numbers are staggering, and when one considers that one million lines of code is equivalent to 18,000 pages of printed text, it’s obvious that securing this code is no easy task and perhaps just not possible.
A TechBeacon article I wrote, titled “How to boost your breach defense: A three-part plan” focused on helping CSOs and SecOps teams categorize security challenges into the three distinct areas of Security In-Depth, SecDevOps, and Security Validation, which apply to automotive and manufacturing as well. Manufacturers need a comprehensive security strategy that incorporates security from the earliest stage of development all the way to the end of that product’s functional life. Manufacturers also need to have protections across the attack life-cycle, with the understanding that certain defenses may fail where others overlap. Some threats come from external entities hoping to steal intellectual property, while other “insider threats” can accidentally or maliciously introduce vulnerabilities into your enterprise.
But even the most well-architected defensive strategies will have gaps and should be validated by external auditors, penetration testers and security researchers. If you can’t defend against a simulated attack, how can you defend against the real thing?
That’s why I think security pros would benefit from utilizing Security information and event management (SIEM) tools to use real-time data correlation from multiple sources to identify deviations from the norm and take appropriate action against cyber threats. Bringing best of class SIEM technologies into automotive and manufacturing can do the following:
- Provide visibility across the enterprise by collecting machine generated logs and data from critical systems. When systems are interconnected, event logs and monitoring should follow!
- Apply advanced correlation and logic to the event stream to identify events of interest (EOI), alerting system owners or analysts of possible malicious activity. Whether on-board sensors or those protecting aggregated data in the data center, rules and thresholds should be set with alerting that occurs when things occur outside of normal baselines.
- Monitor privileged accounts and user behaviors for anomalies and misuse. Whether the account is a system level account, or tied to an actual user, behaviors should be monitored.
- Identify attempts to exfiltrate sensitive data. Regulations and the consequences of failing to protect data are increasing. It’s imperative that companies assess all of the points where sensitive data exists, whether in storage or in transit, and ensure it is adequately protected. When the cost of redesigning systems is too great, companies should look at newer technologies like Format Preserving Encryption (FPE) as a stopgap. They should also consider modernizing their data warehouse or moving analytical workloads to purpose-built analytical databases with built-in machine learning at scale.
A report entitled “Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk” detailed major gaps in how auto companies are securing connected features in cars against hackers. In this report, only 2 of the 16 car companies had developed any capability to detect and respond to a hacking attack in real time. Collecting log and event data is a critical first step on which all other defense follows. Often an industry needs external motivation to get thing moving in the right direction, and such is the driver (pun intended) for the Security and Privacy in Your Car Study Act of 2017 (SPY Car Study Act, for short), a bipartisan bill with major focus on automotive cybersecurity. Certainly new governmental standards are to follow and companies need to get ahead of these changes, not just to gain immediate security benefits, but also to avoid a last minute scramble to become compliant.
GDPR, for example, was just the beginning. Dave Kemp, business strategist at Micro Focus explains: “On the launch of the 1995 GDPR Directive, Viviane Reding, the EU Data Commissioner, stated that only 17% of Europe at the time had a computer – and only 8% were on the internet.
Today, if we consider the Internet of Things (IoT) and widespread use of mobile devices, these percentages have changed dramatically. A seminal difference between the 1995 Directive and the 2016 regulation is the exponential growth around the ease of communication, coupled with the sheer volume of data being generated.” It’s imperative that the manufacturing industry, especially the automotive segment, keep up with the accelerated change of pace.
Helping you along this journey, it’s critical to have partners that are well versed in the digital transformation occurring across every industry, especially partners that understand exponential growth in data volume and the increasing demand on IT teams to deliver more with fewer resources.
Questions to ask your security vendors:
- How comprehensive are the data types your product can support and use for security analytics?
- Is there a well-defined process to onboard new and custom data streams and data types?
- Does your product provide real-time correlation with out of the box rule sets and the ability to easily create custom rules and use-cases?
- Does your product offer the machine learning functions required to deliver accurate and actionable predictive analytics?
- Is your data being centrally collected? How secure and protected is that data?
Micro Focus Universe – Register Today!
Don’t miss your chance to speak with our InfoSec experts, and hear their insights on how to help protect the automotive and manufacturing industries at Micro Focus Universe, our premier customer and partner event, happening 26-28 March in Vienna, Austria. Register today, and follow the action on Twitter with the hashtag #MicroFocusUniverse.