The automotive industry is experiencing radical change—and software is the catalyst. Progressively more software, increasingly intelligent components, and new methods of interaction are finding their way into automobiles of all sizes and price. Software empowering the latest features has become a critical differentiator in this industry, beyond improving road safety, convenience, and fuel efficiency for drivers. This opens up entirely new possibilities for auto manufacturers, their OEMs, and third parties to develop and deliver innovation—setting themselves apart from their competition while enhancing our mobility experience. However, the increasing number of applications and software-driven components are also associated with an increase in software-related risks. Every new service, component, endpoint, and API represents a new point of attack that criminals can take advantage of to steal critical data, gain access to upstream maintenance and software update systems, take over rental or transportation fleets, manipulate driving behavior, and the list goes on, only limited by imagination. Damage to reputation is an obvious outcome of successful automotive related cyberattacks, however, protecting drivers, passengers, and innocent bystanders must be of utmost importance. As a result of the overarching cybersecurity concerns in modern automobiles, the United Nations Economic Commission for Europe (UNECE) recently developed two new regulations on cybersecurity and software security designed to help manage the risks moving forward for both manufacturers and consumers. The binding regulations are the first ever globally coordinated effort in the area of automobile security. The regulations will apply to passenger cars, vans, trucks and buses and they will enter into force in January 2021. These regulations are primarily being driven by the fact that today’s automobiles can include 150+ electronic control units (ECUs) and roughly 100 million lines of software code, which is estimated to be about 4x more than a modern fighter jet. Assessments expect lines of code to exceed 300M by 2030. There are already a number of documented examples of attacks against automobiles and a comprehensive list of threats, mitigation approaches, and attack methods can be found in the cybersecurity regulation, Annex 5, beginning on page 18. When trying to decipher any regulatory initiative or requirement, they often take countless hours for a lay person to understand. Through further investigation into the topic, this study was conducted by McKinsey & Company, Inc., in conjunction with the Global Semiconductor Alliance (GSA). In the study, which is directly related to the UNECE WP.291 regulations on cybersecurity and software updates, it simplifies the UN initiatives to four key topics:

1. Cybersecurity is becoming a new dimension of quality for automobiles.
2. The automotive industry is rethinking cybersecurity along the entire value chain.
3. Managing cyber risk throughout the vehicle lifecycle will require new working practices.
4. Automotive executives should prepare their cybersecurity strategy.

Within the fourth topic above, pertaining to automotive executives, the McKinsey and GSA study mentions secure hardware, security-minded software development, and improved security-related processes and solutions. Concerning software development, the study also states that the productivity of software developers and testers can be significantly increased with the right tooling, and given the efficiencies to be achieved, organizations would likely be willing to pay for excellent products. There is a variety of tools that can help developers and security specialists, including testing tools, software version management tools, and software tracking tools. For example, in the context of connected automobiles, there are three types of software that will drive innovation in this area:

• In-vehicle services: Software within the vehicle that runs ECUs or domain control units (DCUs)
• OEM back-end services: Cloud services for both the vehicle and user
• Infrastructure and third-party services: Gas/charging, parking, insurance, etc.

While the industry is investing in innovations across these types of software (to enhance the customer experience and increase the quality of modern autos,) manufacturers must also build in cybersecurity from the beginning to avoid creating attack-prone automobiles and ancillary services.

Checkmarx’s Role in Secure Software Development Initiatives

Our primary objective is helping organization develop more-secure software. Built by highly experienced software developers and cybersecurity experts, Checkmarx solutions are used by organizations worldwide who develop software for their own organizational needs, in addition to those who develop software for consumer- and business-based consumption. Checkmarx is the global leader in security solutions for modern software development and have solutions that can help shore up security for all industries. From manufacturers and cloud providers, to organizations who deliver fuel, energy, insurance, and other supplementary services, all organizations can gain benefit from the Checkmarx approach to improved application security. Checkmarx delivers the industry’s most comprehensive Application Security Testing (AST) solutions that unify with Agile and DevOps initiatives and provide static and interactive application security testing, software composition analysis, and developer AppSec awareness and training solutions to reduce and remediate risk from software vulnerabilities. Checkmarx is trusted by more than 40 of the Fortune 100 companies and half of the Fortune 50, including leading organizations such as SAP, Samsung, and Salesforce.com, as well as global auto makers and transportation companies. Automobile manufacturers, OEM back-end services, and infrastructure/third-party suppliers can gain tremendous benefit from the suite of products and services delivered by Checkmarx. Learn more at www.checkmarx.com.