‘Security by design' is wishful thinking

The automotive cybersecurity industry is in the midst of a hugely positive upswing that is promising for the future of connected, autonomous, shared and electric — or CASE — vehicles. With connected vehicle architecture being more complex and computerized than ever before, there are exciting conversations happening across the automotive supply chain that promise to make cybersecurity a higher priority for the protection of passengers, drivers and automakers alike. As a result of this progress, buzzwords and phrases are emerging that describe this industry shift. Among them is "security by design."

No doubt an intriguing concept, security by design has been described in other industries as the process of creating a "proactive, pragmatic and strategic approach that considers risk and security from the onset of any new initiative and nurtures trust at every stage." Viewing the concept through this lens explains why the term has taken hold in the automotive industry. Under this definition, security by design is hugely beneficial: trust, visibility and a considered approach to risk assessment produce a desirable automotive cybersecurity outcome.

However, when contextualized within the automotive industry's supply chain and product development cycle, security by design may be wishful thinking. With the current realities of vehicle design, planning and production, the concept could be interpreted as an excessively idealistic one that is difficult to enforce in just the preproduction phase, let alone throughout the entire vehicle life cycle.

As the industry is just beginning to approach automotive cybersecurity holistically, it's important that the other phases of the life cycle are not forgotten once the vehicle is on the road. For example, risk assessment, and the monitoring and management of the vehicle security posture, should be an ongoing task. With this in mind, it's important to explore what the industry really means in using the phrase "security by design," how it conflicts with reality and why it is not currently feasible for the automotive industry.

Compared with other industries, automotive cybersecurity demands are exceptionally complex. A holistic approach to cybersecurity life cycle management requires input from multiple parties at every step of the value chain. Coordination among those suppliers is essential to implementing comprehensive cybersecurity measures and should fall on automakers.

However, many automakers are just beginning to come to grips with the complexity of different vehicle cybersecurity systems and are approaching the problem differently, preventing the entire supply chain from adopting a single approach applicable across the industry.

In other industries, security by design is more achievable because there is one manufacturer acting as its own supplier and creating a product end to end. Apple does this with the iPhone; because it owns the entire supply chain, it is able to implement security by design down to the chip level. For the automotive industry, security by design in its intended definition is not transferable.

Which leaves the question: Who must own the process? As outlined in a McKinsey report, "OEMs must develop secure vehicles from step one of the production process by adopting state-of-the-art practices in hardware and software engineering, [ensuring] that vehicle types [and adjacent ecosystem components that might impact vehicle safety and security] are designed, built and tested for security issues and any cyber risks are mitigated properly."

This is what the industry should aim for with "security by design": Ensuring that security is assessed and addressed in the first stage of the vehicle life cycle, and ensuring ongoing accountability. All participants in the value chain must contribute to cybersecurity goals throughout the vehicle life cycle by equipping automakers with the tools to execute effective cybersecurity supply chain management. At present, the true definition of security by design does not recognize these additional stages or offer guidance during the ongoing management of the cybersecurity life cycle. Now, automakers must define enforceable measures for the new security by design and hold all industry players accountable for their freshly defined roles.

Yes, security by design can be idealistic, but that doesn't mean we can't be inspired by it. To create a culture in engineering teams that embraces the concept, automakers must overhaul their software engineering and quality-assurance practices that may not follow the same rigorous processes that other industries have perfected.

This dovetails with ongoing industry efforts to approach cybersecurity as a safety issue, which sees cyber engineers working closely with their functional safety counterparts to define cybersecurity and safety goals and requirements to meet those ends. Now is the opportune moment to build a new approach to software engineering for the automotive industry, one that puts safety and security first and accounts for it throughout the vehicle life cycle.

The popularity of the phrase "security by design" is a positive sign that the automotive industry is beginning to understand the importance of cybersecurity in its products and processes. It is a useful aspiration, but it will not be truly achieved. Realistically, the closest the automotive industry can come to achieving security by design is through assertive automakers taking responsibility for the entire life cycle, as many currently do.

As an industry, and as members of the supply chain, we can support these efforts by empowering automakers with the tools they need to give them visibility over the life cycle, which will allow them to take action to protect it. With support from the industry, this new dynamic will allow automakers to remediate identified weaknesses and apply additional levels of security inside their vehicles.