Security rivals safety as primary concern in automotive software development
By onMarket Trends | Technology
Perforce Software and Automotive IQ’s annual “State of Automotive Software Development” survey of automotive development professionals found that “security is now a major concern and is as important as safety,” even more so with the growing scale of connected, electric, and semi-autonomous vehicles on the market.
Six hundred professionals, mostly software developers or engineers, were surveyed. Of the respondents, 24% have more than 10 years of professional experience with amounts of the rest ranging from less than one year to 10. The majority of respondents, 51%, are based in Europe, the Middle East, or Africa while 32% are in North America, 14% in the Asia-Pacific region, and 3% in Latin America. The largest group of respondents (30%) are Tier 1 suppliers followed by Tier 2 suppliers (28%), OEMs (19%), “other” (14%), and Tier 3 suppliers (9%). Thirty-three percent of them work for companies that have 101-999 employees.
Perforce Software Director of Compliance Jill Britton told Repairer Driven News security concerns have been “bubbling” in the automotive industry for years.
“Because of the way that the development of automotive components is changing… we’re getting a lot more software components in the vehicle replacing some of the hardware components,” she said. “These components are speaking to each other on their networks and also to the outside world and that’s where we’re getting these security concerns because anything that goes outside of its own space is going to be a security risk.”
There was a 5% increase in security concerns by respondents compared to last year’s survey and safety concerns saw a decrease of 9% below last year.
“One of the most significant highlights was that ‘tool qualification for compliance takes too long’ saw a steep decrease of 11% to 0%,” Britton wrote in the survey report. “A possible explanation for this staggering decline is that those surveyed are using pre-qualified tools so they no longer need to qualify the tools themselves. …the ‘[expectation of customers for organizations] to comply with safety coding standards’ increased by 5% for a total of 45%. Although compliance with a safety coding standard is not mandatory for functional safety, it is an essential aspect of automotive software, which can also make it one of the most challenging.”
The third top concern of respondents is quality, which 4% more respondents listed as a top concern. One of the most notable changes was that “our code is too complex” increased by 9% for a total of 34%, according to the report.
“This jump could be attributed to the increasing number of software components being added to vehicles and the consequential complexity in the interfaces. Meanwhile, ‘our testing efforts are not exhaustive, and we do not have time to test more’ saw a decrease of 5% for a total of 25%. This is great news as testing should always be given priority.”
The earlier coding standards, as part of the required functional safety and security standards, are applied the easier it is for issues to be resolved, and doing so is what Perforce is seeing now in the automotive industry, Britton told RDN. For example, developers are starting to look at the quality of their piece of code and checking it against the coding standards before putting it into the system to be built with lots of other pieces of software followed by testing, she said. And 86% of those surveyed are using at least one coding standard.
Quality of the components within the vehicle is vastly improved so that you don’t have to have the component switched out or you don’t have to have an update applied to them as often,” Britton said. “You can’t get rid of every single vulnerability; every single defect, but you can get a huge reduction in the number of defects within that component.”
Another finding that stood out in this year’s survey but “wasn’t really a surprise” to Britton is an increase in the number of respondents that are working on electric vehicles (EVs). [[numbers]]
As for expectations by customers to comply with functional coding standards, the highest expectations are put on lidar, dealer management, manufacturing, and supply chain, the survey found. “At the same time, the struggle to ensure safety across the supply chain in
no other area of automotive development focus is higher than with Hybrid Electric Control Systems (HEV/EV).”
Concerns about unauthorized access to onboard and off-board systems are the highest for instrument clusters/HVAC/lighting, access control, and comfort systems.
Seven percent of those surveyed cited security testing as their top concern in automotive software development, which was nearly unchanged from 2021. Forty-nine percent of respondents found it a struggle to test efficiently and called it as well as software validation time-consuming.
Britton found that to be worrisome because security should be “baked in” so that the whole development team is aware of what constitutes a security problem and cyber attacks on components in the field, she said.
“It’s really important that the developers are trained so they understand what this is all about,” Britton said. “There’s two ways to look at that – one, to look at security testing and make it more streamlined or possibly, two, your dates may have to move. You can’t let insecure software out into the big, wide world.”
Comparatively, 27% said they’ve not tested early enough and found bugs too late.
Recalls and “vulnerabilities”
The most recent data available, from 2019, shows there were 964 automotive recalls for 53.1 million vehicles worldwide with an estimated cost of roughly $26.5 million, according to the report.
“Aside from the financial impact, a recall can affect a company’s reputation and impact market performance.
“It’s always better to find things earlier. It makes it cheaper to resolve and also makes it less likely that something will get out in the field and harm somebody,” Britton said. “With any sort of recall or any sort of action like that. It could be a crash or security vulnerabilities being found. It not only damages the profit margin but it damages the reputation.”
Thirty-eight percent of organizations that develop automotive software and components have been impacted by recalls and vulnerabilities, which Britton noted in her report is “higher than it should be, as it should be close to 0% as possible.”
Connected, electric, semi-autonomous, and autonomous vehicles
By 2030, nearly every vehicle will feature built-in connectivity, according to Britton’s report. However, only 28% are extensively working on connected vehicles, a decrease of 8% from last year. Fifty-five percent of respondents are working on connectivity components, up 6% over last year.
“This seems to indicate that as built-in connectivity is becoming more common, it has become more of an expected feature of the automotive development process, rather than it being something novel that requires additional attention,” Britton wrote.
“We really are moving into a whole new world,” she told RDN. “We were really surprised that 81% of our respondents were actually working in either artificial intelligence or machine learning. Components that use those processes could be an electric vehicle. In theory, they could be in an internal combustion engine type vehicle but it’s amazing that that is moving on so quickly. People that you talk to still are very dubious that we will get to the autonomous everywhere in the near future but semi-autonomous is definitely moving on.”
And with semi-autonomous, she added, comes a whole new area for software development because it usually requires new languages. Perforce plans to research in the future how AI issues will be dealt with by repairers, Britton said.
The 2021 survey found that EVs were becoming the norm when 47% of respondents said they were working on some EV components and 39% stated it was driving their design and development efforts.
“This year, we have seen an even greater increase in the development of electric vehicles. 45% of respondents indicated that they are working extensively on electric vehicles, which is a 6% increase from a year ago. The response for electric vehicles, somewhat impacting design and development efforts, went down 5% to 42%, and the response for ‘not at all’ remained the same.”
Automotive IQ Divisional Director Alishba Jan said vehicles, whether internal combustion engine (ICE), electric or autonomous, “are more connected now than ever before.” He also echoed what Britton said, that more hardware has been replaced by software.
“This has only heightened the number of safety and security concerns among automotive companies,” Jan said. “The majority of companies are currently relying on coding standards and static code analysis tool[s] to aid in compliance and ensure safety and security. OEMs want to prevent costly attacks, unauthorized access, and/or manipulation to automotive systems, and ensuring their code is secure is the first step to some of these incidents.”
The full results of the survey are for download here. Last year’s report is also available for download here. A survey wasn’t conducted in 2020 due to the COVID-19 pandemic but 2019’s is available here.
IMAGES
Featured image credit: gorodenkoff/iStock
All graph images were taken with permission from the “2022 State of Automotive Software Development Survey Report.”