Safety, Security And Open Source In The Automotive Industry

Today’s cars are as much defined by the power of their software as the power of their engines. Almost any car feature you can name is now digitized to provide drivers with easier operation and better information. Technological innovation is accelerating, enabling automobiles to monitor and adjust their position on the highway, alerting drivers if they’re drifting out of their lane, even automatically slowing down when they get too close to another car.

More and more vehicles are “connected,” equipped with Internet access, often combined with a wireless local area network to share that access with other devices inside as well as outside the vehicle. And whether we’re ready or not, we’ll soon be sharing the roads with autonomous vehicles.

Built on a core of open source
Driving the technology revolution in the automotive industry is software, and that software is built on a core of open source. Open source use is pervasive across every industry vertical, including the automotive industry. When it comes to software, every auto manufacturer wants to spend less time on what are becoming commodities — such as the core operating system and components connecting the various pieces together — and focus on features that will differentiate their brand. The open source model supports that objective by expediting every aspect of agile product development.

But just as lean manufacturing and ISO-9000 practices brought greater agility and quality to the automotive industry, visibility and control over open source will be essential to maintaining the security of automotive software applications.

Innovation may be outpacing security in cars
When you put new technology into cars, you run into security challenges. For example:

• When security researchers demonstrated that they could hack a Jeep over the Internet to hijack its brakes and transmission, it posed a security risk serious enough that Chrysler recalled 1.4 million vehicles to fix the bug that enabled the attack.
• For nearly half a decade, millions of GM cars and trucks were vulnerable to a remote exploit that was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.
• The Tesla Model S’s infotainment system contained a four-year-old vulnerability that could potentially let an attacker conduct a fully remote hack to start the car or cut the motor.

Vehicle manufacturers need to adopt a cybersecurity approach that addresses not only obvious exposures in their car’s software, but also the hidden vulnerabilities that could be introduced by open source components in that software.

When safety is a function of software, security becomes paramount
When a supplier or auto OEM is not aware of all the open source in use in its product’s software, it can’t defend against attacks targeting vulnerabilities in those open source components. Any organization leveraging connected car technology will need to examine the software ecosystem it is using to deliver those features, and account for open source identification and management in its security program.

Auto OEMS and their suppliers should adopt management practices that inventory open source software; that maps software against known vulnerabilities as well as alerting to new security threats; that identifies potential licensing and code quality risks; and that can maximize the benefits of open source while effectively managing risks.

For a more in-depth look, read the Black Duck (Synopsys) complimentary report, Managing and Securing Open Source Software in the Automotive Industry, which examines the rewards and challenges of open source use in the automotive industry.