Automotive companies are well versed in physical bills of material (BOMs) – the list of components required to build a vehicle. They now have to master intangible BOMs in the form of software, some of which can be over a decade old.
Companies selling vehicles into the United States market could find themselves required to provide software bills of materials under Executive Order 14028, “Improving the Nation’s Cybersecurity”, signed by President Joe Biden in May 2021. Among its provisions is a requirement that software sold to the US federal government be accompanied by a Software Bill of Materials (SBOM). The SBOM is meant to give full transparency of the software supply chain: the components used, their licenses, and information on their authors.
Automotive Industries (AI) asked Adam Boulton, CTO of BlackBerry Technology Solutions, what the impact of the SBOM executive order is on the automotive industry.
Boulton: The immediate short-term impact is minimal. Over the longer term the regulations could become more widespread. The automotive industry is affected by the dramatic shift to the use of software in the vehicle. For many automotive OEM engineers, the software just sort of appeared. They were great at bending metal and creating gorgeous cars that are reliable. Now there’s a race to catch up on the software.
What is more relevant is the UNECE WP.29 cyber security regulations. In the European Union, the new regulation on cyber security will be mandatory for all new vehicle types from July 2022 and will become mandatory for all new vehicles produced from July 2024. OEMs are not going to be able to meet the requirements of either without having a software bill of materials, which provides a foundation for being able to then meet all the other requirements.
AI: How important is it to have an in-depth software composition and security posture analysis?
Boulton: It’s going to lay the foundation for meeting regulatory requirements and whatever the executive order morphs into. It’s not a luxury. It’s not a competitive advantage. Ultimately it determines your future as an organization.
AI: Will 10- to 20-year-old code ever have a reasonable SBOM?
Boulton: The age of the code does not really matter. BlackBerry® Jarvis® 2.0 is a software composition analysis and security testing solution that lets you detect and list open-source software and software licenses within your embedded systems, as well as their cybersecurity vulnerabilities and exposures. The power of Jarvis is that you’re looking at the real world. So, producing a software bill of materials for legacy code, code that is 10 years old, is not really an issue. We’ve solved those challenges.
AI: How do automakers manage the increasing cybersecurity risks?
Boulton: The short answer is they don’t. This is because the software and techniques are entirely new to them. It is only over the past five years that OEMs have become involved in advanced software. So, they’re playing catch up. Making it more complex is that they typically don’t have access to source code. Transparency was not an issue previously. Contracts with suppliers focused on functional reliability and safety, not access to source code.
AI: What are the advantages of analyzing binary images and files over the source code?
Boulton: Source code is a representation of the system, a bit like a recipe. A food critic does not critique the recipe, but the end product. And this analogy is exactly what we do, with often surprising results.
For example, there are vehicles on the road today that have Microsoft Word documents, PDFs and spreadsheets in the infotainment system. You can’t determine that through source code analysis. You are dealing with complexity and almost chaos, where things just got bundled together. A vehicle domain controller may have over 120,000 files and different technologies. That’s just one ECU. There are around 100 on many vehicles. Binary analysis provides assurances on the product that you are shipping. I don’t want assurances on the recipe; I need assurances that the end product does not include ingredients to which I am allergic.
AI: How can you reduce the time to securely assess code?
Boulton: Because of the way the software supply chain is structured, it is difficult to scale up. We can’t do that with individuals doing analysis on their respective laptops. Depending on the scale, we may want to use cloud platforms.
There is a further challenge with automotive companies because they really do like their proprietary file formats. There are no common standards. One major OEM took a file format used for maps and bundled other software into it. There is no artificial intelligence solution here.
The big question when I’m writing software security strategies for an OEM is: “What is our inventory? What do we have? If we don’t know what we have, what are we securing? I can’t tell you where we are today. I can’t tell you the investment. I can’t tell you the risks, and there is constantly the complexity.” Not knowing what you have presents residual risk.
So we put all the software together that the company has used over the last 10 years. Mostly we can categorize about 90% of it and produce an inventory. Often the other 10% is a whole other can of worms which can dwarf the 90%. It really begs the question of how companies go about securing their platforms and investing in the necessary technologies and the skill sets if they don’t know what they have.
So, you can see now the importance of the executive order and the relevance of it. Sooner or later OEMs will have to be able to meet the requirements of WP.29 and Executive Order 14028. They cannot give assurances against something they do not know exists. It really is common sense when you sit down and break it all down. The main challenge is how to do it practically. That is the problem we have been tackling over the past decade.
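The two points Boulton makes above, that composition has to be read off the shipped bytes rather than the source tree (a PDF or Word file bundled into an infotainment image is invisible to source analysis), and that whatever the tooling cannot categorise must be surfaced as residual risk rather than dropped, can be shown in a small script. This is an example added by the editor; it is not code from the interview, from BlackBerry or from Jarvis, whose internals are not described on this page. It assumes a handful of well-known file signatures (a real tool carries thousands plus per-format parsers) and uses a constructed in-memory stand-in for an extracted ECU filesystem, including a made-up proprietary “maps.bundle” blob that deliberately matches nothing.

```python
"""Content-based inventory of a shipped image: every file is classified from its
bytes, never from a source tree or a file extension, and whatever no signature
matches is reported as unidentified residual rather than silently dropped."""
import io
import json
import zipfile
from collections import Counter

# Assumption: a small subset of real file signatures. A production composition
# analysis tool carries thousands of these plus format-specific parsers.
MAGIC = [
    (b"\x7fELF", "elf-binary"),
    (b"%PDF-", "pdf-document"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-document"),   # legacy .doc/.xls
    (b"SQLite format 3\x00", "sqlite-database"),
    (b"\x89PNG\r\n\x1a\n", "png-image"),
    (b"#!", "script"),
]


def classify(data: bytes) -> str:
    """Return a coarse type for a file body, or 'unknown' if nothing matches."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    if data.startswith(b"PK\x03\x04"):
        return _classify_zip(data)
    return "unknown"


def _classify_zip(data: bytes) -> str:
    """ZIP is a container: look inside to tell Office documents from plain archives."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip-corrupt"
    if "[Content_Types].xml" in names:          # OOXML marker (.docx/.xlsx/.pptx)
        if "word/document.xml" in names:
            return "ooxml-word-document"
        if "xl/workbook.xml" in names:
            return "ooxml-excel-workbook"
        return "ooxml-document"
    if "META-INF/MANIFEST.MF" in names:
        return "java-archive"
    return "zip-archive"


def inventory(files: dict) -> dict:
    """Build an SBOM-style listing plus the share of files that could be identified."""
    entries = [{"path": path, "size": len(body), "type": classify(body)}
               for path, body in sorted(files.items())]
    by_type = Counter(entry["type"] for entry in entries)
    identified = sum(1 for entry in entries if entry["type"] != "unknown")
    return {
        "entries": entries,
        "by_type": dict(by_type),
        "coverage": identified / len(entries) if entries else 0.0,
        # The residual list is the part that needs manual work or new parsers.
        "residual": [entry["path"] for entry in entries if entry["type"] == "unknown"],
    }


def _make_ooxml(main_part: str) -> bytes:
    """Constructed minimal OOXML container (just enough structure to be recognised)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr(main_part, "<x/>")
    return buf.getvalue()


def sample_image() -> dict:
    """Constructed stand-in for an extracted ECU filesystem; not a real vehicle image."""
    return {
        "bin/telematicsd": b"\x7fELF\x02\x01\x01" + bytes(61),
        "etc/init.sh": b"#!/bin/sh\nexec /bin/telematicsd\n",
        "usr/share/manual.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
        "usr/share/notes.docx": _make_ooxml("word/document.xml"),
        "usr/share/calib.xlsx": _make_ooxml("xl/workbook.xml"),
        "var/db/contacts.db": b"SQLite format 3\x00" + bytes(32),
        "nav/maps.bundle": bytes(range(0x40, 0x80)),   # hypothetical vendor format, no signature
    }


if __name__ == "__main__":
    print(json.dumps(inventory(sample_image()), indent=2))
```

Run it and the two Office documents and the PDF show up by content even though nothing in a source repository would mention them, while the vendor bundle lands in `residual` with coverage at 6/7. That residual list is the “other 10%” Boulton refers to; in practice it is where the proprietary container formats live, and the only way to shrink it is to write a parser for each one and then re-run the inventory over the files it unpacks.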
AI: What’s next for BlackBerry?
Boulton: There is a real-time certified operating system called IVY, which is the next-generation operating system for building connected vehicles. Then it’s the cybersecurity and safety around that as well.
With BlackBerry Jarvis we are now up to 120 patents filed over the last two or three years. That gives you an idea of the greenfield nature of this industry and where the investments are going. There is a huge investment in security, not just in Jarvis, but in things like an intrusion detection system, or an intrusion protection system, or even anti-virus on vehicles.
The challenge is to determine how we are going to develop and apply technologies that do not even exist today. BlackBerry has determined that the future is clearly connected vehicles. Everybody acknowledges that we need a real-time operating system to make that happen.
And then the challenge is to provide really detailed technical assurances around the technology. That’s where the professional services for security and safety come in. That’s when Jarvis comes in.
Then there are other products in our portfolio, things like AtHoc®, which helps government agencies prepare for, respond to and recover from critical events and emergencies, as well as communication platforms. OEMs need to be able to capture and communicate risk and manage liabilities.