Today’s cars are as much defined by the power of their software as the power of their engines. Almost any car feature you can name is now digitized to provide drivers with easier operation and better information. Technological innovation is accelerating, enabling automobiles to monitor and adjust their position on the highway, alerting drivers if they’re drifting out of their lane, even automatically slowing down when they get too close to another car.
More and more vehicles are “connected,” equipped with Internet access, often combined with a wireless local area network to share that access with other devices inside as well as outside the vehicle. And whether we’re ready or not, we’ll soon be sharing the roads with autonomous vehicles.
Built on a Core of Open Source
Driving the technology revolution in the automotive industry is software, and that software is built on a core of open source. Open source use is pervasive across every industry vertical, including the automotive industry. When it comes to software, every auto manufacturer wants to spend less time on what are becoming commodities — such as the core operating system and components connecting the various pieces together — and focus on features that will differentiate their brand. The open source model supports that objective by expediting every aspect of agile product development.
But just as lean manufacturing and ISO-9000 practices brought greater agility and quality to the automotive industry, visibility and control over open source will be essential to maintaining the security of automotive software applications.
Innovation May Be Outpacing Security in Cars
When you put new technology into cars, you ran run into security challenges. For example:
- When security researchers demonstrated that they could hack a Jeep over the Internet to hijack its brakes and transmission, it posed a security risk serious enough that Chrysler recalled 1.4 million vehicles to fix the bug that enabled the attack.
- For nearly half a decade, millions of GM cars and trucks were vulnerable to a remote exploit that was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.
- The Tesla Model S’s infotainment system contained a four-year-old vulnerability that could potentially let an attacker conduct a fully remote hack to start the car or cut the motor.
Vehicle manufacturers need to adopt a cybersecurity approach that addresses not only obvious exposures in their car’s software, but also the hidden vulnerabilities that could be introduced by open source components in that software.
Best Practices for Managing Open Source Risk Across the Automotive Supply Chain
As auto OEMs work with software providers, a growing set of open source components is making its way into automobile systems. Open source code is being channeled through countless supply chains in almost every part of the automotive ecosystem.
When a supplier or auto OEM is not aware all the open source in use in its product’s software, it can’t defend against attacks targeting vulnerabilities in those open source components. Any organization leveraging connected car technology will need to examine the software eco-system it is using to deliver those features, and account for open source identification and management in its security program.
To make progress in defending against open source security threats and compliance risks, both auto OEMS and their suppliers must adopt open source management practices that:
FULLY INVENTORY OPEN SOURCE SOFTWARE: Organizations cannot defend against threats that they do not know exist. A full and accurate inventory (bill of materials) of the open source used in their applications is essential.
MAP OPEN SOURCE TO KNOWN SECURITY VULNERABILITIES: Public sources, such as the National Vulnerability Database provide information on publicly disclosed vulnerabilities in open source software. Organizations need to reference these sources to identify which of the open source components they use are vulnerable.
IDENTIFY LICENSE AND QUALITY RISKS: Failure to comply with open source licenses can put organizations at significant risk of litigation and compromise of IP. Likewise, use of out-of-date or poor quality components degrades the quality of applications that use them. These risks also need to be tracked and managed.
ENFORCE OPEN SOURCE RISK POLICIES: Many organizations lack even basic documentation and enforcement of open source policies that would help them mitigate risks. Manual policy reviews are a minimum requirement, but as software development becomes more automated so too must management of open source policies.
ALERT ON NEW SECURITY THREATS: With more than 3,500 new open source vulnerabilities discovered every year, the job of tracking and monitoring vulnerabilities does not end when applications leave development. Organizations need to continuously monitor for new threats as long as their applications remain in service.
As open source use continues to increase in the auto industry, effective management of open source security and license compliance risk is becoming increasingly important. By integrating risk management processes and automated solutions into their software supply chain, automakers, suppliers, and technology companies servicing the automotive industry can maximize the benefits of open source while effectively managing their risks.