The pace of innovation within the automotive industry has been breath-taking. Only ten years ago, the very concept of self-driving cars and heavy goods vehicles was still regarded as far-fetched science fiction. Today, they are already a common sight on many roads around the world.
Many of these innovations have the potential to be revolutionary: smarter cars promise to be more efficient in terms of both fuel economy and at reducing congestion and accidents. But in the competitive rush to bring more connected cars to market, it is important that manufacturers don’t skip the basics of cybersecurity and compromise the safety of their vehicles.
Until now legislators and manufacturers have, of course, prioritised the physical safety of connected car technology. Now is the time that cyber security is given the same focus.
The two threat areas – physical and cyber
From the point of view of a security practitioner, an automobile is just another complex system that is becoming ever more connected for the purposes of efficiency and customer convenience. The problem this inevitably creates is more connectivity means more attack vectors to protect against, and more opportunities for hackers.
There are two areas of concern that should be addressed by the industry. The first is the risk of physical safety: if vehicle control systems can receive remote connections, there’s always the chance that they are open to being compromised, which means an immediate and unacceptable danger to drivers, passengers and other road users. For example, three years ago US vehicle manufacturer Chrysler issued a formal recall of 1.4 million vehicles in response to a software vulnerability that allowed researchers to take complete control of a car over the air. Surprisingly the incident hasn’t seemed to dampen either consumers’ desire for more automation and internet-enabled services in their vehicles, or the speed with which car makers want to produce them.
The second area of risk that requires increased attention is personal data privacy. Cars have become increasingly valuable generators of personal data. GPS navigation systems log journeys to reduce the time spent in traffic, dealerships are alerted when service intervals are reached, and insurance companies are able to despatch help at the first indications of a serious accident. Manufacturers are also collecting data about vehicle use to improve future designs.
The challenge facing car manufacturers is that many of these systems were not designed with security in mind, because they were never intended to be connected to external communications. Yet in today’s vehicles we find GSMA, Bluetooth, WiFi and other wireless technology – not to mention USB ports – are ubiquitous and can provide gateways to critical control systems. The universal CAN Bus, which has ruled the way in-car components communicate for two decades, has proved especially difficult to secure and isolate. Indeed, it was inadvertent exposure of the CAN Bus that rendered the Chrysler vehicles open to attack. Researchers were not only able to gain access to the CAN Bus via the multimedia head unit, which was in theory segregated from the CAN Bus, but also to install a customized firmware without authorization.
Enhancing cybersecurity measures
As a result, manufacturers are a lot more sensitive to security issues today than they were three years ago, and in October 2017 the 15 members of the European Automobile Manufacturers Association (ACEA) endorsed a set of six principles for cybersecurity. These commitments are highly encouraging and include the adoption of a cybersecurity lifecycle approach for vehicle development, as well as information sharing among industry actors in order to tackle new threats as they arise.
ACEA’s guidelines are to be welcomed as an introduction to “secure by design” concepts for the automotive world. But not all manufacturer’s associations – or indeed manufacturers – are the same, meaning the six principles are not always being treated with the seriousness required industry-wide.
That is perhaps why, in January 2018, researchers were still able to show that the Electronic Control Unit (ECU) in a number of recently built cars from different manufacturers was susceptible to remote takeover via wireless networks even with the engine off. Best practice takes time to propagate in any industry, but it is clear that security is still playing catch up to innovation in the automotive world.
There are lessons that the industry can learn from other sectors. Techniques that are routinely deployed on corporate networks to identify and quarantine anomalous behaviors – identifying attacks early, in other words – must be developed for the specific interplays of an in-vehicle network. It is also vital that manufacturers develop a culture of constant testing and hardening of their defenses before and after product release.
When it comes to integrating connected systems with vehicle controls, a better understanding is required of how to segment network functions and protect legacy systems, while at the same time gaining access to the data that will drive innovation.
As for the risks around personal data collection in modern vehicles, there’s a strong case that manufacturers need to invest more in consumer education around their products. Today, drivers may not even be aware that trip data is being collected and stored by “smart” components in their vehicles, as user agreements and terms and conditions are often buried at the back of manuals. In the event of a major data breach, a lack of perceived transparency will increase the reputational damage manufacturers incur.
If manufacturers are to carry on innovating at the pace of recent years, it’s imperative that the gap between capability and security doesn’t grow any bigger, and indeed that it starts to narrow. It’s a huge task, the full breadth of which may not yet be fully understood. It will certainly require more partnerships with external security experts, who can help with design, testing and lifecycle management of complex and interwoven digital systems.
If manufacturers don’t find the security holes they’re leaving behind on the road to innovation, someone else certainly will.