Re: Need to apply basic secure design principles.
I worked for a few years developing new drivetrain components, so let me chime in.
Firstly, the address from which a CAN signal is sent can be spoofed. The engine we were using, as is standard, would only accept commands from a limited number of places, including up to a maximum of 2 transmission controllers (with allowable source addresses hard-coded into the engine ECU). Once we knew that, we simply told our component to pretend to be the second transmission. Bingo. Complete control over the engine.
Secondly, the messages that control a drivetrain are completely standardised. Once you understand it (see https://en.wikipedia.org/wiki/SAE_J1939), you can figure out pretty much how to make the engine, gearbox, etc. do anything you want it to. If you have a compromised node in the powertrain CAN system, I don't think there is any way currently to protect against it.
From this point of view, separation of the essential (powertrain) systems from non-essential (infotainment, radios, lights, HEVAC, etc.) systems on separate CANs, with a carefully designed translator between them, strikes me as the only sensible way forward.
Now on heavy vehicles, this is already done, as there are so many components, from different manufacturers, each with their own complete ECUs that a single CAN would be too crowded (there are probably dozens of other attack vectors though, as there are so many programmable ECUs around). But in cars, where the engine, gearbox and other functions are often run from one super-ECU, and so less communication is required between them, there is more room to put other things on that CAN. So it's technically feasible to only have one CAN, and of course it's cheaper.
Once exploits like this become more public, and especially if they are used in the wild, I would expect the security of these systems to increase massively.
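As an added example that is not part of the original post, here is a sketch of the "translator between buses" idea described above: it parses the J1939 29-bit identifier into its fields and only forwards frames from the non-essential bus whose (source address, PGN) pair is on an allow-list, dropping and flagging anything that claims a powertrain source address. The allow-list entry and the gateway policy are constructed for this example; the J1939 field layout and the preferred addresses for engine #1 and transmission #1 follow the linked standard.

```python
from dataclasses import dataclass

# J1939 29-bit identifier layout (see the SAE J1939 article linked above):
#   bits 28-26 priority, bit 25 reserved/EDP, bit 24 data page,
#   bits 23-16 PDU format (PF), bits 15-8 PDU specific (PS), bits 7-0 source address (SA)

@dataclass(frozen=True)
class J1939Frame:
    priority: int
    data_page: int
    pgn: int
    pdu_specific: int   # destination address for PDU1, group extension for PDU2
    source_address: int

def parse_j1939_id(can_id: int) -> J1939Frame:
    """Split a 29-bit extended CAN identifier into its J1939 fields."""
    if not 0 <= can_id < (1 << 29):
        raise ValueError("J1939 identifiers are 29-bit extended IDs")
    priority = (can_id >> 26) & 0x7
    dp = (can_id >> 24) & 0x1
    pf = (can_id >> 16) & 0xFF
    ps = (can_id >> 8) & 0xFF
    sa = can_id & 0xFF
    # PDU1 (PF < 240): PS is a destination address and is not part of the PGN.
    # PDU2 (PF >= 240): PS is a group extension and is part of the PGN.
    pgn = (dp << 16) | (pf << 8) | (ps if pf >= 0xF0 else 0)
    return J1939Frame(priority, dp, pgn, ps, sa)

# Constructed gateway policy: traffic may cross from the non-essential bus into
# the powertrain bus only if its (SA, PGN) pair is explicitly allowed. A frame
# carrying a source address that a powertrain controller uses on the other side
# is never accepted, because once forwarded it would be indistinguishable from
# the real engine or transmission controller.
POWERTRAIN_SOURCE_ADDRESSES = {0x00, 0x03}   # J1939 preferred SAs: engine #1, transmission #1
ALLOWED_FROM_NON_ESSENTIAL = {
    (0x17, 0xFEE6),   # instrument cluster #1 -> Time/Date (constructed allow-list entry)
}

def gateway_decision(can_id: int) -> str:
    """Decide what the gateway does with a frame arriving from the non-essential bus.

    Returns 'forward', 'drop', or 'drop+alert' (the last for a powertrain SA seen
    on the wrong bus, which is worth logging as a spoofing attempt)."""
    frame = parse_j1939_id(can_id)
    if frame.source_address in POWERTRAIN_SOURCE_ADDRESSES:
        return "drop+alert"
    if (frame.source_address, frame.pgn) in ALLOWED_FROM_NON_ESSENTIAL:
        return "forward"
    return "drop"
```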