At this point, car hacking is practically a sport.
A quick YouTube search pulls an endless stream of videos depicting grinning researchers and pranksters hacking into their cars' steering and operation systems with old school Nintendo controllers or custom iPhone apps. There are even some virus-encrypted audio CDs floating about that can hijack a car's total software system to gain remote access and control of everything from dashboard readings to anti-lock brakes.
And these are just a few of the techniques being explored on some already outdated car models. As the industry moves more toward the next generation of self-driving cars and vehicle-to-vehicle communication, carmakers are starting to worry about the risks that are accompanying all of the perks of the technologies driving it: the Internet of Things (IoT).
And they're not the only ones.
"By 2020, we expect to see 20 billion smart objects connected to the Internet," says Rob Soderbery, senior vice president and general manager, Enterprise Networking Group, at Cisco (IW 500/30).
Of those billions, he says, the connections with the most to gain are in manufacturing and industrial automation. And that puts the whole industry at risk.
Just as hackers are drawn to the unprotected architectures of automobile software, other nefarious agents are attracted to unprotected connected control systems, smart tools and online architectures of massive online manufacturing enterprise systems. But security breaches in the manufacturing space can have much greater consequences.
On the financial side, studies indicate that even mild attacks cost the industry $40 to $80 billion each year, escalating as the threats target operations.
And beyond that, "there are lives at stake," Soderbery says. "There are societal issues; there are compliance and regulatory issues. The threat diversity is fundamentally different in this field."
Changing the Security Game
Even with this risk, however, Michael Assante, advisor and director, National Board of Information Security Examiners (NBISE), argues that manufacturers must continue to embrace the technology.
"For organizations to thrive in this connected market, they need to be connected," he says. "That transcends even the security concerns. You need to be connected to do the job you need to do."
So it's not a question of isolation anymore, he says. It's a matter of facing these new security challenges head on. And doing so requires a whole new cybersecurity plan.
"We're going to have to share cybersecurity responsibility across a much wider spectrum than ever before," Assante explains.
"Security is going to be part of an engineer's job. It's getting more into design and planning, even to operations. Soon, it's going to be part of everyone's business."
Evolving cybersecurity to a more safety-inspired model, he says is essential to take on an evolving threat source.
"We're seeing adversaries that are actually picking your organization out of the crowd," he explains. "We're seeing targeted attacks, more structured. And they're investing."
While security firms are pumping millions into new antivirus and firewall programs, he says, the cyber underground has pumped as much as $3 billion into attack capability. Worse, almost all of the compromised organizations he has worked with had up-to-date antivirus solutions in place and used industry security practices.
"That tells us that our traditional security approaches are not working in this environment," Assante says.
"Working together, we can lock these systems down," he argues. "Our goal is not to turn an engineer into a cybersecurity professional. The goal is to inform them in a better way so they can make better engineering decisions.
To do that, he says, "We've got to work as integrated teams."