Who would have thought a few years ago that even with a proper firewall a hacker could force entry by triggering a buffer overflow bug in a JPEG library?
My previous company spent a lot of engineering time and effort at least a decade ago detecting and then prevent buffer overflows in its pretty wildly used products. I suspect they still do.
Tesla needs to understand the potential risks first. One obvious thing is protecting Model S from using firmware not provided by Tesla. A public-private signing/encryption key pair is probably a good secure choice there (sign with private key, verify with public), but that can't be the end. Tesla also wants to protect its firmware from being reverse engineered and then used to figure out either other potential hacks on Model S or the theft of trade secrets on how the car works. That means that "public" decryption keys really can't be public. As we saw with the DVD (CSS) and Blu-Ray (AACS) exploits, that's harder to accomplish.
It's interesting that what happened with DVDs and Blu-Rays was not that any algorithm was hacked, it was that the decryption keys were stolen. On a PC, it's literally impossible to completely protect decrypted decryption keys from being stolen (see
http://en.wikipedia.org/wiki/Security_of_Advanced_Access_Content_System for instance). Those are easier to protect in closed systems like a car. And, even if the keys do get stolen, since Model S is a relatively small closed system, Tesla could always issue a recall to load new keys and load firmware to disregard firmware encrypted with the old keys - that's something that was impractical for DVD players.
Like I said, a security risk analysis needs to be performed. For instance, rather than hacking the firmware, I would expect that the first attempts will be made on any mobile phone software Tesla ships that lets people control their cars remotely. That's almost certainly an easier platform on which to monitor what's being transmitted and what is being used to encode/decode and authenticate those transmissions than getting a hold of a Model S and tapping into its hardware.
That all said, I'd be surprised if Tesla wasn't on top of all this.
BTW, as real security experts can probably tell, I'm not an expert on cyber security.