
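Editor's note:
With the state's growing emphasis on cybersecurity and the development of the automotive "four transformations" trend, information security in cars has increasingly become a hot topic in the automotive industry. Because the automotive supply chain is long, development cycles are long, and the electrical architecture built from control units is fairly complex, the problem is difficult from both a management and a technical standpoint. This article comes from the white paper "Cybersecurity in a digital era", recently published by McKinsey. The first draft of the original appeared as an insights article on McKinsey's website at the end of last year. Because its points are all on target, we have compiled and translated it here to share. To start the discussion, the core points are:
1. As intelligent connected vehicles are digitized, their exposed surface keeps growing, their software already exceeds 100 million lines of code, and cars are very easy to attack.
2. Attacks are cheap, defense is expensive, and the resulting losses are severe.
3. The industry lacks a unified information-security standard, and regulators in turn lack unified means of supervising information security.
4. It is recommended to consider information security from the start of development, to carry information-security work through the whole life cycle of automotive product development, and to raise the level of information-security expertise so as to improve vehicle security assurance during product development.
The above serves as the introduction. We have compiled and translated the original text; because the translator's ability is limited, it is presented in both Chinese and English to avoid misunderstandings.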

The car industry’s digital transformation exposes new cybersecurity threats. Learn what OEMs can do to protect their cars and customers from hackers.
In the past, what happened in your car typically stayed in your car. That is no longer the case. The influx of digital innovations, from infotainment connectivity to over-the-air (OTA) software updates, is turning cars into information clearinghouses. While delivering significant customer value, these changes also expose vehicles to the seamier side of the digital revolution. Hackers and other black-hat intruders are attempting to gain access to critical in-vehicle electronic units and data, potentially compromising critical safety functions and customer privacy.
1. Cybersecurity becomes a core product and value-chain issue
Cybersecurity has risen in importance as the automotive industry undergoes a transformation driven by new personal-mobility concepts, autonomous driving, vehicle electrification, and car connectivity. In fact, it has become a core consideration, given the digitization of in-car systems, the propagation of software, and the creation of new, fully digital mobility services.
These services include arrays of car apps, online offerings, vehicle features that customers can buy and unlock online, and charging stations for e-vehicles that “talk” to on-board electronics.
Today’s cars have up to 150 electronic control units; by 2030, many observers expect them to have roughly 300 million lines of software code. By way of comparison, today’s cars have about 100 million lines of code. To put that into perspective, a passenger aircraft has an estimated 15 million lines of code, a modern fighter jet about 25 million, and a mass-market PC operating system close to 40 million. This overabundance of complex software code results from both the legacy of designing electronics systems in specific ways for the past 35 years and the growing requirements and increasing complexity of systems in connected and autonomous cars. It generates ample opportunity for cyberattacks—not only in the car but also along the entire value chain (Exhibit 1).
2. The cybersecurity playing field tilts in favor of attackers
To be sure, the economics of car cybersecurity are inherently unfair: with the right state-of-the-art tools, attacks are relatively affordable, low-effort affairs. Mounting a coherent defense for the complex value chain and its products, on the other hand, requires increasingly higher effort and investment. So far, this reality tilts the playing field in favor of the attackers.
Examples abound across the industry. For example, white-hat hackers took control of the infotainment system in an electric-vehicle model. They exploited a vulnerability in the in-car web browser during a hacking contest, causing the electric-vehicle maker to release a software update to mitigate the problem. In another white-hat hack, a Chinese security company found 14 vulnerabilities in the vehicles of a European premium-car maker in 2018. Another global automaker recalled approximately 1.4 million cars in 2015 in one of the first cases involving automotive cybersecurity risks. The impact of the recall was significant, with a potential cost for the OEM of almost $600 million, based on our calculations.
3. The automotive industry lacks a standard approach for dealing with cybersecurity
For an industry used to breaking down complex challenges and standardizing responses, cybersecurity remains an unstandardized anomaly. Thus far, automotive suppliers have a hard time dealing with the varying requirements of their OEM customers. Consequently, they try to balance the use of common security requirements that go into their core products against those via the software adjustments made for individual OEMs. However, current supplier relationships and contractual arrangements often do not allow OEMs to test the end-to-end cybersecurity of a vehicle platform or technology stack made up of parts sourced from various suppliers.
That can make it difficult for both suppliers and OEMs to work together to achieve effective cybersecurity during automotive software development and testing.
4. Regulatory change in product cybersecurity is imminent
The difficulty is about to change. Regulators are preparing minimum standards for vehicle software and cybersecurity that will affect the entire value chain. Cybersecurity concerns now reach into every modern car in the form of demands made by regulators and type-approval authorities. For example, in April 2018, California’s final regulations on autonomous-vehicle testing and deployment came into effect, requiring autonomous vehicles to meet appropriate industry standards for cybersecurity. While these regulations have an immediate impact on a limited fleet, the World Forum for Harmonization of Vehicle Regulations under the United Nations Economic Commission for Europe (UNECE) is expected in 2020 to finalize its regulation on cybersecurity and software updates. This will make cybersecurity a clear requirement for future vehicle sales; the associated regulations will affect new vehicle-type approvals in more than 60 countries (Exhibit 2). Industry experts see the upcoming UNECE regulation only as the beginning of a new era of technical compliance regulation in the automotive sector addressing the increase and significance of software and connectivity within the industry.
5. Shifting gears to make cybersecurity a core consideration
While still relatively new, the in-car cybersecurity threat will remain an ongoing concern. As such, automakers must now consider cybersecurity an integral part of their core business functions and development efforts.
What is more, the industry can no longer view cybersecurity as purely an IT topic. Instead, automakers need to assign ownership and responsibility for it along core value-chain activities (including among their numerous suppliers) and embrace a security culture among core teams. Likewise, suppliers in the automotive industry need to embrace OEM concerns on cybersecurity, develop capabilities to embed security best practices in their components, and collaborate effectively with OEMs on integration and verification of end-to-end cybersecurity solutions.
This requires the creation of a real, software-centric cybersecurity culture, given the pervasiveness of the cybersecurity threat along the entire value chain. Carmakers themselves have a strong record of establishing a culture of safety—but not yet in cybersecurity. Looking beyond automotive-industry borders, it becomes clear that many digital natives have demonstrated how to build strong security cultures in their engineering departments (not just in IT). At the best digital companies, everyone understands the importance of cybersecure coding practices, and the organizations maintain engineering-outreach and -education programs that train people in cybersecurity, enticing them to look below the surface and raise the cybersecurity bar constantly.
6. Including cybersecurity in design from the start
Carmakers must securely design vehicle platforms and related digital mobility services from the start. That is because the inherent complexity of vehicle platforms, with their long development cycles and complex supply chains, does not allow for late-stage architectural changes. Furthermore, regulators form strict requirements for OEMs to obtain type approvals for new vehicles (Exhibit 3).
Automotive players must consider cybersecurity over the entire product life cycle and not just up to when the car is sold to a customer, because new technical vulnerabilities can emerge at any time. These issues can have a direct impact on customers and cars already on the road, thus effectively requiring OEMs to provide security-related software patches well into the car’s ownership life cycle.
High-tech companies, such as smartphone suppliers, currently deal with this issue by releasing software updates and security fixes for their products after the initial sales (in many cases, new operating-system fixes also support some older-generation products). However, this is typically limited to a period of two to three years, while vehicles have an average service life of a decade or even more. With the advent of OTA software upgrades, automakers could maintain the fleets on the road in a cost-effective way, in contrast with the current practice of costly reprogramming (“reflashing”) of car electronic control units at the dealer.
The automotive industry must therefore develop common cybersecurity standards to keep development and maintenance costs under control. On this issue, OEMs and suppliers must speak one language to ensure manageable, end-to-end secure solutions.
7. Focusing on four core cybersecurity themes
We believe automakers should attack the new cybersecurity and software-update challenges both along the value chain and across the digital life cycle of their cars. To do this, they should focus on four core themes:
1. Establish a clear baseline to execute against. The essence of a good baseline involves understanding requirements from relevant legislation in the OEM markets and leveraging existing international standards around cybersecurity and software engineering. Doing so will enable OEMs to deliver cybersecurity practices as demanded by regulatory authorities and international standards and to develop and maintain secure software. A management system for cybersecurity (CSMS) can help ensure a relentless application of cyber practices across cars and the digital-mobility ecosystem.
2. Create a true digital-security-by-design culture in engineering, quality assurance, and other core value-chain functions and promote car-software architectures with security built-in. This might require OEMs to overhaul their software engineering and software quality-assurance practices that oftentimes do not follow rigorous software-engineering processes as seen in software-native industries. This security-by-design culture should focus on secure development practices, enhanced software-testing processes, and new supplier-audit processes that include cyber issues.
Other helpful elements include state-of-the-art supplier contracts that allow the testing of a component’s cybersecurity, and cyber-awareness training for involved technical personnel and customer-facing staff.
3. Ramp up expertise and capabilities to monitor the cybersecurity of cars on the road. The focus should include fixing issues in a timely manner without costly product recalls and media scrutiny. That likely means fully managing the digital life cycle of cars and having full transparency over a vehicle’s configuration (for example, using digital twins) and, ultimately, setting up a security-operations center for cars that receives data from the vehicles and the broader digital ecosystem—in line with data-privacy laws (for instance, back-end systems). The security-operations center would use correlation and artificial intelligence to detect adverse events and to launch clear incident-response activities, eventually leading to the provision of software updates to cars.
4. Adapt software-engineering practices that embrace function-based development, solid version control, and integration testing. This approach effectively allows an OEM to assess the potential impact of individual software updates to its vehicles and their relevant safety- and type-approval systems. Establishing such systems—version control for vehicle software, configuration management, and software-update management—thus helps to ensure operational safety when updating software in vehicles.
The approach can also help when considering changes to a vehicle’s configuration and assessing the impact on a car.
Sensing an opportunity, hackers have begun to focus more energy on compromising connected cars, posing a new challenge for automakers and suppliers alike. While consumers will largely take cybersecurity for granted until the first consequential breach, regulators will increase pressure on automakers and suppliers to ensure greater protection against attacks. The overall security of modern mobility services will depend on how well the industry addresses cyberrisks in and around connected cars, as well as on the strategic actions key players take today to prepare for future attacks.