By Taylor Armerding, Software Integrity Group
Your modern car is a computer on wheels—potentially hundreds of computers on a set of wheels. Heck, even the wheels are infested with computers—what do you think prompts that little light on your dashboard to come on if your tire pressure is low? And computers don’t just run your infotainment system, backup camera, dashboard warning lights, and the voice that tells you to buckle your seatbelt. They direct the fundamental vehicle functions too—acceleration, braking, steering, and transmission.
The Synopsys Automotive Group has coined a term for how vehicles are changing: the “SmartPhonezation of Your Car™.” Which means the transformation of the worldwide vehicle fleet is about much more than a bunch of new features and creature comforts. It means your car is part of the vast internet of things (IoT). This has enabled convenience, luxury, efficiency, safety, and the march toward autonomous driving, but it also makes it part of the equally vast IoT attack surface.
As speakers at security conferences have warned for years, if hackers get control of a connected car, they could take over the acceleration, steering and brakes, demand a ransom from an owner simply to start the car, disable the locks and steal it, and more.
That makes security just as important as safety in a car. If it’s not secure, it’s not safe.
Fortunately, that reality has prompted an increasing focus on vehicle cybersecurity. There are now multiple frameworks and standards aimed at improving it. One of the most recent is the National Highway Traffic Safety Administration’s (NHTSA’s) draft of “Cybersecurity Best Practices for the Safety of Modern Vehicles.” And while the timing of the draft (it was released in mid-December) was a bit earlier than Chris Clark expected, it did not come as a surprise. Clark, senior manager, automotive software and security, with the Synopsys Automotive Group, declared in a blog post he coauthored earlier this year that he expected 2021 to be “the year of automotive standards.”
Not that standards are new. ISO 26262, from the International Organization for Standardization (ISO), addresses safety-related systems that include one or more electrical and/or electronic (E/E) systems. It has been around for a decade and was updated in 2018.
As a Synopsys blog post puts it, the focus of that standard is on “ensuring that automotive components do what they’re supposed to do, precisely when they’re supposed to do it.”
More recently, ISO/SAE 21434, created by ISO and the Society of Automotive Engineers, calls for “OEMs and all participants in the supply chain (to) have structured processes in place that support a ‘Security by Design’ process” covering the development and entire lifecycle of a vehicle. Those include requirements engineering, design, specification, implementation, test, and operations. A first draft of ISO/SAE 21434 was released a year ago, with the final standard expected by the middle of this year.
But those two are private-sector, industry initiatives. ISO is “an independent, non-governmental international organization with a membership of 165 national standards bodies.” That, as Clark puts it, illustrates that “the automotive industry has historically been very strong proponents of self-regulation.”
And while in the past that self-regulation had more to do with physical functionality and safety, more recently the industry has also been proactive in looking at how it can address cybersecurity. But the NHTSA best-practices document means government is going to play a more direct role. “It’s a good starting point for automotive organizations to say this is a real thing,” Clark said. “NHTSA isn’t just saying, ‘Do something about cybersecurity.’ It’s outlining explicit items that have to be addressed.”
And he thinks NHTSA’s best practices along with ISO/SAE “are going to provide the automotive industry a good sounding board to look at how we address cybersecurity from a risk-based perspective. I think everybody could agree that the biggest concern is the risk of autonomous driving.” The goal isn’t perfection. “We’re not building a space shuttle, we’re building a car,” Clark said. “If we wanted to have every single security feature to ensure that a vehicle never failed, we couldn’t afford it.”
But that doesn’t mean vehicle cybersecurity can’t improve—a lot.
NHTSA recommends that the automotive industry follow the National Institute of Standards and Technology’s (NIST’s) documented Cybersecurity Framework, which is “structured around the five principal functions, ‘Identify, Protect, Detect, Respond, and Recover,’ to build a comprehensive and systematic approach to developing layered cybersecurity protections for vehicles.” That layered approach, it says, “assumes some vehicle systems could be compromised, reduces the probability of an attack’s success and mitigates the ramifications of unauthorized vehicle system access.”
If that sounds more general than specific, that is by design. The goal, which Synopsys supports, is for standards to mandate what results an industry must achieve, not prescribe how to achieve them. “Not all standards are prescriptive,” Clark said. “Standards organizations are trying to minimize the impact on innovation and eliminate a check-box mentality.”
Indeed, the reality of human nature is that if government set out a list of rules or specific requirements, “then everybody in the industry would do those things and nothing more,” he said. “But if we say organizations must design a security program that focuses on the cybersecurity of hardware and software to meet the needs of both the customer and the organization, then everybody’s going to be a little bit different, and some are going to be better than others. It starts to create the competitive landscape that we are really interested in.”
The key overall objectives of the Synopsys Automotive Group are what it calls the four pillars of automotive cybersecurity:
Those goals aren’t prescriptive either, but how to achieve them will become much more specific in the next few months. Over the next several months, this blog will feature a series of posts that cover the major elements of automotive cybersecurity addressed in the NHTSA and other best-practices standards. Planned topics include:
The goal is to share insights that will help organizations evaluate and improve their security practices. “Many organizations feel that they have addressed cybersecurity—they know it’s important, but they never take the steps to figure out if the actions they are taking are effective,” Clark said. “Are they just meeting a requirement pushed down from an OEM, or are they changing how they do business to ensure that security is a core component and that any standards requirements that come down are easily met?”
Another overall goal of the Automotive Group is to help organizations achieve NHTSA’s call for leadership making cybersecurity a priority. That, according to NHTSA, includes:
The Synopsys role in enabling that, Clark said, will be to give automotive clients the range of tools and services they need in one place. “No matter what the need is, all the way from SoC to a functional security problem or developing a new brake control system, we’ll provide the hardware technology that will address that and then go through your security testing and evaluation and software development. It’s an under-one-roof solution,” he said.