Most automotive professionals, 84 percent, have concerns that their organisations’ cybersecurity practices are not keeping pace with evolving technologies. That’s according to a survey of global automotive manufacturers and suppliers by Ponemon Institute, for SAE International, an association of engineers in the aerospace, automotive and commercial-vehicle industries. The study also found that 30 percent of organisations do not have an established cybersecurity programme or team, and 63 percent test less than half of the automotive technology they develop for security vulnerabilities.
Jack Pokrzywa, SAE International director of Ground Vehicle Standards, said: “SAE, in partnership with Synopsys, is pleased to present the findings of this study, as it provides real-world data to validate the concerns of cybersecurity professionals across the industry and highlights a path forward. SAE members have sought to address cybersecurity challenges in the automotive systems development lifecycle for the last decade and worked together to publish SAE J3061, the world’s first automotive cybersecurity standard. Armed with the findings of the study, SAE stands ready to convene the industry and lead development of targeted security controls, technical training, standards, and best practices to improve the security, and thus the safety, of modern vehicles.”
Synopsys and SAE commissioned Ponemon, the US-based IT security research body, to examine cybersecurity practices in the automotive industry and its capability to address software security risks inherent in connected, software-enabled vehicles. Ponemon surveyed 593 people from global automotive manufacturers, suppliers and service providers. To ensure knowledgeable responses, all respondents are involved in assessing or contributing to the security of automotive technologies, including infotainment systems, telematics, steering systems, cameras, SoC-based components, driverless and autonomous vehicles, and RF technologies such as Wi-Fi and Bluetooth, among others.
Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group, said: “The proliferation of software, connectivity, and other emerging technologies in the automotive industry has introduced a critical vector of risk that didn’t exist before: cybersecurity. This study underscores the need for a fundamental shift—one that addresses cybersecurity holistically across the systems development lifecycle and throughout the automotive supply chain. Fortunately, the technology and best practices required to address these challenges already exist, and Synopsys is poised to help the industry embrace them.”
More than half of respondents say their organisation doesn’t allocate enough budget and human capital to cybersecurity, while 62 percent say they don’t possess the necessary cybersecurity skills in product development.
Less than half of organisations test their products for security vulnerabilities. Meanwhile, 71 percent believe that pressure to meet product deadlines is the primary factor leading to security vulnerabilities. On cybersecurity training, only a third (33 percent) of respondents reported that their organisations educate developers on secure coding methods. And 60 percent say a lack of understanding or training on secure coding practices is a primary factor that leads to vulnerabilities.
As for the supply chain, most respondents, 73 percent, expressed concern about the cybersecurity of automotive technologies supplied by third parties. Meanwhile, only 44 percent say their organisation imposes cybersecurity requirements for products provided by upstream suppliers.