You’ve probably heard this phrase more than a few times by now: Every company today is a software company. On the surface, it’s easy to connect a few dots and understand why this phrase rings true. The digital transformation is, quite literally, changing every aspect of our world so that it is in some way digitally connected. For instance, instead of going to a bank to cash a check, your bank now has an app on your phone to accomplish this.
Regardless of industry, every organization today truly must be a software company. On the customer-facing front, this usually means an easy-to-use, high-quality, accessible application. But what does it mean for organizations themselves? The automotive industry is offering some surprising and helpful lessons on the depths to which every sector and company are embracing software as part of everyday business, and why cybersecurity is directly linked to this.
The Automotive Industry’s Software Evolution
Like every other industry, the automotive industry has been evolving and embracing new technology. In the past few decades, building a car has gone from being almost entirely hardware focused to adding a full fleet of software capabilities. Most modern cars today have features that weren’t even around 20 years ago, including:
● Information and entertainment systems with voice assistants, connectivity for navigation, and streaming services
● Sensors to assist with safe driving or, in some cases, full self-driving capabilities
To accomplish this, car manufacturers that have been around for decades had to adapt, investing in adding an entire division dedicated to software development. For example, Volkswagen created Cariad, its in-house software company, which employs 5,000 software engineers and makes Volkswagen one of the largest software companies in Germany.
The quick pivot many manufacturers have made to modern “smart” cars is impressive. But it also has come with added risk and responsibility. Traditionally, the automotive industry’s security regulations and standards have been focused on functional safety, like ISO 26262, which addresses compliance for safety-related systems that include electrical or electronic components. But with software added to the mix of what makes up today’s vehicles, industry standards have needed to evolve.
Automotive Cybersecurity Standards Are Increasing
Wherever software exists, so too does the risk of a cybersecurity-related incident. When we evolved the concept of a car from four wheels and an engine to include entertainment, connectivity, and so on, we accepted increased risk. And like with the software used in every other type of business, cybersecurity vulnerabilities, risks, and hacks are all on the rise. In December, a Sirius XM radio connected vehicle service exposed several car brands to remote hackers attacks due to a vulnerability. The connected service is currently used by more than 12 million cars in North America, including Acura, BMW, Honda, Hyundai, and Toyota.
The International Organization of Standardization is addressing the makeup of modern cars with ISO/SAE21434:2021. The standard includes engineering requirements for cybersecurity risk management, from concept to development, production, operation, and maintenance. Only software that complies with this ISO standard is allowed to be built into cars today.
At first, automotive developers might feel apprehensive that these added cybersecurity requirements could be a pain point that would slow the production and shipping of their software. After all, it’s another bullet point of responsibility added to their job description, and one for which they likely didn’t sign up.
Luckily, modern cybersecurity tools are allowing security testing to fit into the software development life cycle (SDLC). A variety of approaches to security scanning, including static application security testing (SAST), dynamic application security testing (DAST), and feedback-based application security testing can be used together to effectively test applications for vulnerabilities and bugs while an application is still in development.
What automotive developers have learned through this process is that contrary to their initial fears of development being slowed by added cybersecurity requirements, once security scanning is up and running within their continuous integration/continuous delivery (CI/CD) development process, the pipeline is faster and more efficient than before. As bugs and flaws are discovered earlier and earlier in development, they’re fixed before they get to production. This saves on the costs and time traditionally associated with going back later to fix these issues. The further a bug or flaw moves through the software development life cycle, the more it costs to fix, and of course, if it makes its way to production, the more vulnerable the software is to a potential cybersecurity attack.
Cybersecurity: A Competitive Advantage
The automotive industry is just one of many sectors that are seeing added ISO standards focused on cybersecurity. Healthcare, aviation, energy, finance, and many more are keeping pace or following closely behind with new cybersecurity standards of their own, as software becomes an increasingly critical component in every part of our world. All organizations need to be prepared to prioritize and implement cybersecurity capabilities (if they haven’t already). They also need to have developers with the experience and expertise required to understand that when correctly implemented, security testing can improve the speed of development and the overall quality and security of software.