The Ponemon Institute survey reveals the struggles of the automotive industry to deal with cybersecurity risks.
The report “Securing the Modern Vehicle: A Study of Automotive Industry Cybersecurity Practices” was released by Synopsys, Inc. and SAE International, a global association of engineers and related technical experts in the aerospace, automotive and commercial-vehicle industries.
“SAE, in partnership with Synopsys, is pleased to present the findings of this study, as it provides real-world data to validate the concerns of cybersecurity professionals across the industry and highlights a path forward,” said Jack Pokrzywa, SAE International director of Ground Vehicle Standards. “SAE members have sought to address cybersecurity challenges in the automotive systems development lifecycle for the last decade and worked together to publish SAE J3061™, the world’s first automotive cybersecurity standard. Armed with the findings of the study, SAE stands ready to convene the industry and lead development of targeted security controls, technical training, standards, and best practices to improve the security, and thus the safety, of modern vehicles.”
Synopsys and SAE commissioned the Ponemon Institute to examine current cybersecurity practices in the automotive industry and its capability to address the software security risks inherent in connected, software-enabled vehicles. Ponemon surveyed 593 professionals from global automotive manufacturers, suppliers and service providers. The report focuses on critical cybersecurity challenges and deficiencies affecting many organizations in the automotive industry.
According to the study:
84 % of automotive professionals are concerned about their organizations’ cybersecurity practices and feel these are not keeping up with the growing cyber risks. They also feel more could be done to keep cybersecurity best practices in line with the evolving technologies. Some of the key findings are:
- 30 % of organizations do not have an established cybersecurity program or team.
- 63 % test less than half of the automotive technology they develop for security vulnerabilities.
- More than 50 % of respondents say their organization doesn’t allocate enough budget and human capital to cybersecurity.
- 62 % say they don’t possess the necessary cybersecurity skills in product development.
- Less than 50% of organizations test their products for security vulnerabilities.
- 71 % believe that pressure to meet product deadlines is the primary factor leading to security vulnerabilities.
- 33 % of respondents reported that their organizations educate developers on secure coding methods.
- 60 % say a lack of understanding or training on secure coding practices is a primary factor that leads to vulnerabilities.
- 73 % of respondents expressed concern about the cybersecurity of automotive technologies supplied by third parties.
- 44 % say their organization imposes cybersecurity requirements for products provided by upstream suppliers.
Based on the key findings, the report states:
- There is a marked lack of cybersecurity skills and resources.
- For most organizations, proactive cybersecurity testing is not a priority.
- By and large, cybersecurity training for developers is lacking.
- Overall, cybersecurity risk exists throughout the supply chain.
“This study underscores the need for a fundamental shift—one that addresses cybersecurity holistically across the systems development lifecycle and throughout the automotive supply chain. Fortunately, the technology and best practices required to address these challenges already exist, and Synopsys is poised to help the industry embrace them.”
Andreas Kuehlmann, co-general manager of the Synopsys Software Integrity Group,