By John Blyler, Editorial Director, IoT Embedded Systems
Back at the turn of this millennium, the corporate security community was aghast that hackers could penetrate their WLANs. To combat this challenge, I suggested a controversial course of action, namely, that IT departments should, “step out of the bright light of respectability and into the shadowy world of the hacker.” This suggestion was met with anger from several enterprise IT managers but nods of approval from readers of 2600 and the like.
That is why it was gratifying to see that the idea of fighting fire with fire has not gone away. At a recent NXP event during the Frankfurt Motor show, Andy Greenberg, Wired Senior Editor, said that companies needed to hire an army of hackers to confront automotive security issues. He went on to say the security hacking problem was not like fixing a seat belt or a bug in your power steering. Instead, hackers represented a dynamic problem with adversaries. Unlike the effects of a car collision that can be mitigated with a better seat belt, a hacker can actively outsmart your solution. “So you need to play this cat and mouse game with a whole team of security people who every time that there is new attack they respondent and then the adversary responses and you respond to the (new) response.”
This constant game of cat-and-mouse suggests a corresponding continuous update of security software to the car under attack, which was confirmed by a follow-on speaker at the event.
Dr. Thomas Wollinger, Managing Director, Encrypt GmbH, talked about the importance of automotive secure software updates. In addition to updating various automotive functions and anything that might go wrong, he explained that you’ll be able to “security update your security.”
The trend toward frequent embedded automotive security patches made me think of similar patches in the established PC market. Microsoft has long been the dominant operating system in the PC world and traditionally the king of software patches. Interestingly, the software giant recently contributed open source code to a major Internet-of-Things (IoT) initiative, of which automotive systems will eventually play a part.
Open source isn’t the first idea that springs to mind when one hears “Microsoft,”noted Christopher R. O’Dea, Contributing Business Editor to IoT Embedded Systems. “A more ready association might be “patches,” reflecting the experience of Microsoft’s long march to dominance when the guiding principle for Windows seemed to be ‘release now, code later.’
Expertise in patches, essentially fixing gaps in critical software on the fly, might be very applicate to the kind of automotive security mentioned by Dr. Wollinger. In the case of Microsoft, though, the patching expertise is for the IOT space in general. The company contributed code for a “device system bridge,” or DSB, to the AllSeen Alliance, a cross-industry collaborative project of The Linux Foundation that counts more than 170 companies as members. It’s a key part of the project’s open source IoT software standard, AllJoyn that connects AllJoyn devices in local networks to external networks, enabling remote access, device management and security control.
Does a similar alliance exist for the automotive security space? LarsReger, CTO of NXP Automotive, NXP CTO suggested that, “the auto industry does not need to reinvent the wheel. We can use technology that we have readily available in the banking, e-Health and government sector. The only pressure that we have to act now to get this established in the automotive industry.”
Reger was taking about technology and standards for autonomous and connected cars. Still, I think the same argument works for security standards. Do you agree?