As software becomes more important than ever, how can engaging the security industry make the road ahead less winding?
Here at CES, the car manufacturers race to launch the latest gadgets in their new models before the competition. And that’s hard to do without breaking down the software silos. That would mean using widely developed, open-source toolsets with rich histories, not developing similar functionality that’s already available, but in your own black box. Auto manufacturers have resisted this for years.
For example, why aren’t car makers standardizing around Automotive Grade Linux (AGL)? While some are warming to the idea, it’s taken years to make even modest progress. An open-source initiative aimed squarely at providing the underpinnings for a new generation of automotive innovation – it’s been a long time coming.
Why? Historically, the car manufacturers have been busy perfecting their technology silos, complete with specialized developers, piles of legacy code (that will last forever) with technology they (mostly) understand. Still, it’s not a smooth way forward.
No? Ask operating system manufacturers who built the whole stack themselves. Later, they understood the differentiator in the market was in the magic they built on the foundation perfected by others. It worked. Using a foundation of open source yields a product with better features, sooner, which consumers are happy to buy. Not so much in the car market. Yet.
Still, with the advocacy of The Linux Foundation and seemingly glacial pace of buy-in – first from the tier one providers in a sort of begrudging forward motion of the automotive manufacturers themselves – we’re finally seeing progress.
I spoke with one proponent of AGL who said he’d come from a tier one provider where he’d been advocating for using a standardized development environment for graphics for its automotive systems – they said ‘no’. Viewed with suspicion, standardized build environments were verboten. Years later, they’re starting to see the light.
RELATED ARTICLE: CES – Singularity and securing the car
Now AGL seems to be moving down the stack from the infotainment systems to the instrument cluster. It makes sense. Linux has been doing network duties almost since there was a Linux. Now, with the increasing support from their employers, developers in the automotive industry can rapidly accelerate the development process itself, standardize testing, engage a host of experts and, basically, make cars a lot better, very quickly.
It won’t be any too soon, as security pundits have been warning for years. But progress is progress, and at CES it’s as refreshing as a cool desert breeze to see them all huddled in an area facing the same direction – forward.
For example, there were several companies at CES offering what seem like standard security techniques for cars, things like network monitors, intrusion detection, whitelisting and the like. But they’re sort of bolt-on patches, because car communication protocols themselves lag far behind current network technology. Most cars on the road today have little, if any, authentication on the systems that control the car itself.
It’s most welcome that for the past couple of years there has been significant energy toward upgrading the control communication to be robust enough to have more meaningful authentication, which is a start.
In the future, hopefully, we can get to the business of bringing robust toolsets to bear, and the companies that already have the experience using them, and on to the business of baking in security.
And since your next car will have more networks and electronics than your last one – probably much more – this can result in lower prices, fuller feature sets and more confidence that the industry is moving in the direction the experts have already paved. If you engage the security industry in this manner, the road ahead just might be a bit smoother.
written by Cameron Camp, ESET We Live Security