The Internet of Things (IoT) is a concept that comes up frequently in the latest information technology trends. It is all over the headlines and has many cyber security experts concerned as well. Last year GM announced the rollout of a partnership between Synchronoss Technologies and GM’s OnStar system, which they claim has put them at the forefront of IoT technology in the automotive industry. And it may very well have done just that.
But as we have seen in cyber security, the forefront is usually where you bear the brunt of security problems. New and previously untested systems can be a serious challenge. As stated in their press release, the partnership “is an extension of the company’s mission to enable a seamless connected experience regardless of channel, device, or operating platform.” I wholeheartedly support this goal and other initiatives that companies develop in order to further their business objectives. I only ask that companies put as much effort into security as they do into the new initiative.
Which Comes First?
So this raises the question: which is going to come first, the attack or the security controls? If history is any indication, it will be shoot first and ask questions later. There is a gold rush of sorts going on in the automotive space with respect to the Internet of Things; all you have to do is look at the headlines.
But in their zeal to be the first to claim a connected fleet of cars, will manufacturers pay as much careful attention to security? There have been opportunities for “malicious HTTP requests,” a form of hack that has allowed attackers to infiltrate these systems. Once an attacker is in, the possibilities are huge, including opening doors and controlling a vehicle. A study done last year by Senator Ed Markey’s office said that “IOT security among car manufacturers while being addressed is haphazard and inconsistent.”
Prevention Vs Reaction
So I ask you, the reader, as this new frontier of technology rolls out: is this going to be another case of reacting to security challenges, or are we going to handle this possible security risk in a more preventative fashion? When asked, only two manufacturers were even able to diagnose and respond to an attack in real time. The rest had nothing. There is a series of specifications for the automotive industry called ISO 26262, which governs automotive software development, but it says little about cyber security.
On a promising note, GM has a bug bounty program to locate vulnerabilities. Under this program, if a bug or vulnerability is found, GM will pay the finder a fee in the hope of preventing an attack. It is an initiative that can help. On another promising front, Argus, an Israeli company that builds automotive security systems, and Check Point, a very large player in the security appliance business, have teamed up to build an intrusion prevention system for connected vehicles. These types of visionary initiatives are crucial.
But they are no replacement for a concerted preventive security posture: one that promises to be diligent about looking for security vulnerabilities and weaknesses before the attack occurs, built on initiatives that are preventive in nature as opposed to reactive. This is particularly true in the Internet of Things.
This posture should be built into policies and goals that work hand in hand with development to ensure security is built into these designs. The opportunities for profit are huge, and the opportunity for a catastrophic security failure is even larger. Business has too long a track record of letting the excitement of a new technology opportunity get in the way of understanding. We also need a good security focus.