Holding the Hot Potato of Cybersecurity
Wards Auto – Steve Tengler
Nobody wants to be THAT company. The one holding the hot potato. The one responsible or liable for the first death tied to a cybersecurity attack on the automotive industry. A KPMG study suggests 80% of customers wouldn't buy a vehicle from a compromised automotive OEM.

#1: How Much Is Enough?

The industry answer is … wait for it … undefined. Standards committees won't specify testing procedures because that's a blueprint for hackers. Government regulators won't impose specific rules because they cannot keep up with the speed of the Dark Web or nefarious organizations. And automotive companies don't know the answer because most of them do not presently know how many industry attacks have truly happened, nor do they know the size of future threat(s).

So how much is enough? I would suggest each OEM must look at the value pricing of connected cars (supposedly near $220 billion, according to MarketsandMarkets™), define a target margin that investors would require (e.g., 40%), and then put aside the available Cost of Goods Sold money as required spending.

#2: How Much Do I Do In-House?

I think the best way for the OEM to answer that is to look at each portion of the process separately:

System Architecture: This cannot be outsourced because it is fundamental and confidential. Answer: In-House
Threat Modeling: This could go either way. It depends upon available resources, but if you outsource it, make sure you use a different source for penetration testing. Answer: Either
Module Design: Let the suppliers design their own modules and include requirements for various elements of cybersecurity. Answer: Outsource
Tool Creation: Creating your own testing or analyzing tools is never a good idea. Answer: Outsource
Penetration Testing: This one could go either way. Answer: Outsource
Operational Oversight: This might need to be a mixed bag. Certainly, the OEM wants the brick and mortar of the Security Operation Center and to staff it for collecting data, reflashing vehicles and understanding the fleet dynamics. But doing the detective work on information sent from the IDPS (intrusion detection and prevention system) might require assistance. That said, the OEM can learn this over time and DATA IS MONEY. Answer: In-House

#3: Who's Liable?

So, who's liable? In a way, it doesn't matter: the OEM absolutely must protect the brand, or it's game over. They might as well realize the buck stops there and truly own the liability, or they'll pay a premium price for indemnification and still end up defunct if their global fleet is bricked by a super-virus.
Link: https://www.wardsauto.com/industry-voices/holding-hot-potato-cybersecurity