Symantec: Building Comprehensive Security Into Cars
Recently, threats to cars have escalated from the realm of possibility to harrowing reality. Symantec is working with automakers, chipmakers, and other forward-thinking companies to block hackers’ many inroads into vehicles and keep cars—and people—safe.
Over the past few years, automotive security threats have gone from theory to reality. Tech-savvy thieves have stolen cars throughout Europe and North America. Online videos show hackers remotely hitting the brakes on cars in ways that can endanger drivers and passengers. Hackers can exploit some of these vulnerabilities from an adjacent lane without forewarning to the driver. Other vulnerabilities are open to attack over the cellular network—from halfway around the world—and for large numbers of cars simultaneously.
Even though technology exists to solve many of these security problems, the challenges of deploying such technology in cars loom far larger than similar challenges do in traditional information technology (IT) systems. In traditional IT systems, most problems can be solved with a quick install, update, or configuration change—or at worst, restoring from a backup, executing a failover to a disaster recovery site, or calling in a breach response team to tackle the most sophisticated threats.
However, cars don’t work like that. Multi-year safety certification processes to meet Federal Motor Vehicle Safety Standards (FMVSS) requirements don’t engender the weekly, daily, and real-time security updates that IT teams enjoy. Nobody can call in a breach response team to investigate the millions of cars you’ve built, now happily garaged in millions of homes. A car can’t safely fail over to another car. Companies often use redundancies at critical IT layers to keep high-volume web services running reliably, but few, if any, carmakers can afford the NASA-like investment of doing this for every vehicle.
Protecting cars against such threats has to be done in a context that works both within the car, and at scale for carmakers. The responsibility doesn’t stop at the assembly line: It extends all the way from the carmakers to the full breadth, depth, and complexity of auto supplier relationships. Security is a concern at each tier of the value chain, and attackers seek the weakest links.