Tech

Automakers need to make security 'part of the conversation'

In a Q&A with ZDNet, Managing Consultant at Capgemini Magnus Gerisch explains why automakers need to speed up in security efforts.

Written by Charlie Osborne, Contributing Writer July 7, 2015 at 4:00 a.m. PT

Automakers need to embrace security as part of the core architecture of their services, according to a Capgemini executive who believes cybersecurity must become part of the conversation when it comes to our vehicles.

As our devices become smarter and everything from home security to our vehicles become part of a network, access points create potential security threats -- which today's automakers are yet to fully realize.

It was not so long ago that our cars simply shifted us from A to B, but now, you can find satellite navigation, Bluetooth compatibility and infotainment dashboards with their own custom operating systems -- such as Apple's CarPlay and Google's Android Auto running everything from navigation to system checks and communication channels.

While integrating such technology can be convenient and make us safer -- such as the inclusion of rear-view camera installations, vehicle internal monitoring and automatic cruise control systems -- once a device is connected to a network, tunnels are forged which if insecure, can be exploited.

Today's automakers need to go beyond fuel regulation, maximum speed and chassis design to avoid cybersecurity disasters in the future. Companies which manufacture vehicles now need to consider security in the same way as software developers -- and make sure skilled professionals are available to weed out security flaws and vulnerabilities, a concept Magnus Gerisch, Managing Consultant at technology consulting firm Capgemini, agrees with.

In a Q&A session with ZDNet, Gerisch talked about cybersecurity issues affecting the vehicle manufacturing industry today, and what lies ahead for the automotive industry. Excerpts are below:

ZD: What do you believe are the most serious cyberthreats facing automakers today?

"The complex network of control units in current vehicles and the accelerated development lifecycle of vehicle software increase the probability to have (undetected) vulnerabilities in the software. Efficient mechanisms for detecting vulnerabilities and updating software are not yet commonplace."

ZD: How does Capgemini approach cybersecurity in the automotive industry?

"Capgemini provides advice to improve security in software development from our broad range of expertise supporting this sector from architecture through design and development to security testing."

ZD: In your opinion, is too much emphasis placed on keeping up with competitors to provide technological capabilities -- while forgetting about security in the process?

"In some cases, yes -- chances of technological capabilities are overrated and the risks are underrated. I recently attended the TU Automotive conference in Detroit (formerly Telematics Detroit) and the resounding message from keynoter Roger Lanctot of Strategy Analytics to automakers was to focus on four areas: security, security, security and then functionality and security. Security needs to be part of the conversation at vehicle conception."

ZD: What do today's automakers need to do to secure their automotive systems?

"Automotive OEMs need to embrace security as part of the very architecture of their services and products and adopt best practices."

ZD: What are the biggest challenges today for automakers looking to secure vehicle computer systems?

"There are numerous challenges automakers face including the diversity of suppliers, lack of standards, piecemeal security requirements and limitations with IT architectures across current vehicle lineups."

ZD: Is there a disconnect with how automakers approach security based on today's cyberthreat landscape?

Featured

"Almost all OEMs have a history of developing closed in-vehicle systems that would only interact through wires within their environment. This physical access restriction may have justified proprietary and security measures that are inefficient for protecting vehicles in this rapidly evolving cybersecurity landscape. Attackers will search for vulnerabilities in the complex vehicle ecosystem -- not just the vehicle itself."

ZD: In the past, computer system security was not an area automakers needed to explore. Now they have been thrust into the world of cybersecurity, do you think enough progress is being made?

"Automakers have made significant progress, but more needs to be done."

ZD: Should automakers invest in cybersecurity in-house, or in your opinion, are third-party services the direction to take in order to protect existing fleets and new models from hacking?

"Automakers need to find the right balance and combination. Security requirements must be understood in-house. Regarding specific security services, the whole range from in-house to third-party services are valid options. Automakers need to evaluate whether they have the in-house capabilities to build it out fast enough. Some services might prove more easily attainable from third-party providers, if you think of DDoS protection, for example."

ZD: Tesla recently introduced a bug bounty program for researchers who report security problems in the firm's products. Do you think this is a trend which is likely to continue in the automotive world? Do you believe it is necessary?