As a pioneer in automotive cybersecurity, Thomas Wollinger has brought ESCRYPT from its beginnings in 2004 to a position as one of the world’s leading providers of system solutions for vehicle data security. Today, ESCRYPT has some 400 associates at 19 locations worldwide and is part of the Bosch Group. ESCRYPT solutions are an integral part of large-scale automotive production in many places and are used in millions of vehicles all over the world.
Thomas Wollinger’s special focus lies on the strategic development and integration of ESCRYPT's product and solution portfolio. At FuzzCon - Automotive Edition, he took a managerial perspective to talk about some uncomfortable truths in automotive cybersecurity.
At ESCRYPT, we basically design, enable and manage IT security. As security consultants, we are specialized in security strategy, training and a variety of other fields within the automotive software domain. We consider ourselves experts in all kinds of testing methods, including functional testing, vulnerability scans, penetration testing, everything from automated testing to manual testing, and of course fuzzing.
In our testing efforts, we like to take a holistic approach, which means that we test electronic control units individually, but also the entire vehicle platform. Our goal is basically to secure the whole ecosystem of a connected car.
“In a connected world, cybersecurity is as important for your safety as the brakes” – Ralf Speth, CEO Jaguar/Land Rover
When I started with automotive security, we were securing all electronic control units (ECUs) individually. Since then, the complexity and connectivity of vehicles have increased dramatically, creating more opportunities for potential attackers to infiltrate those systems. This change requires a completely different approach and a new set of security skills. To sum up the key developments I have witnessed during my career, I have summarized 5 uncomfortable truths about automotive cybersecurity:
In 2023, there will be 775,000,000 connected cars worldwide. The Titanic syndrome states that those who put themselves in danger will perish. In the development of increasingly software-driven connected vehicles, this means that car manufacturers (OEMs) that don’t have a security strategy will not survive, as security can be seen as an indispensable foundation of interconnectivity.
However, the main challenge is that security vulnerabilities only become visible to the public when it's already too late. Customers usually don't notice when security is cut for profits (until their car fails them). And this is why there are still so many managers who see security primarily as a cost driver.
Cyberattacks on vehicles have increased by a factor of seven over the last four years. Even if only a small number of those attacks are successful, the consequences can be devastating, especially as they are a potential threat to an entire fleet of vehicles.
There are 100 million lines of code (LoC) in the new Golf 8. For comparison, in a Boeing 787 there are only 14 million LoC! Even if your team has an excellent bug detection rate, you will still, almost certainly, miss some bugs or vulnerabilities. The challenge here is balancing the risk and the investment, meaning that you will have to decide how much risk you are willing to take.
According to the German Federal Office for Information Security (BSI), each day there are 322,000 new malware threats. If you don't find those vulnerabilities first, someone else will exploit them. The complexity of our systems is increasing dramatically. Since vehicles have quite a long lifecycle, the software complexity will increase even further while the car is on the road. This means that you will need to put in some extra effort to keep your car secure in the long run.
It's important to comply with new regulations such as the new UNECE regulations and the upcoming ISO 21434. Even if these norms aren't mandatory yet, OEMs who do not follow the rules will soon be disqualified. As if automotive software wasn’t complicated enough, these norms and regulations increase the complexity even further, which is why many developers perceive them as additional requirements.
Don’t get this wrong, regulations are very important to facilitate the use of effective security measures, but in some cases, they can lead to over-regulation. This means that complying with norms and standards becomes more important than the actual task at hand. Regulations certainly create pressure within the industry, but they can also be an opportunity, for example to convince the upper management to reassess their priorities. Security must come first!
“Security is not a product, but a process” – Bruce Schneier, Cryptographer & Security Expert
I'm glad to see that testing methods such as feedback-based fuzzing are emerging as a new standard in the automotive sector. Nevertheless, we need to think about automotive security in a much broader way. The security perspective has to be kept in mind during the entire software development lifecycle (SDLC). This includes the management of processes, security strategy and company culture.
Dr. Thomas Wollinger has been the managing director of ESCRYPT since 2007. As a pioneer in automotive cyber security, he has brought the company from its beginnings in 2004 to a position as one of the world’s leading providers of system solutions for vehicle data security. Today, his special focus is on the strategic development and integration of ESCRYPT's product and solution portfolio for automotive security and beyond.