Security & Privacy Are Critical To Connected Cars

Automated vehicle system technology hierarchy

The automotive industry is rapidly evolving to transform the car from a simple mode of transport to a personalized information hub:

There will be an estimated 220 million connected cars on the road globally by 2020. Each of those cars will be equipped with more than 200 sensors, more than double the number of sensors in connected cars on the road today.

New features and capabilities get added every year, improving comfort, convenience, safety and efficiency — but also growing is the amount of data cars generate, process, exchange and store. Connected cars provide benefits such as better traffic flow, improved fuel economy and better infotainment consoles. But at the same time, the number of attack vectors increases, which potentially leaves personal, financial and vehicle information vulnerable, making the connected car attractive to hackers.

Already we’ve seen security researchers demonstrate attacks, and have seen hacks on Chryslers, Jeep Cherokees and Volkswagens. These demonstrations and hacks are leaving consumers and lawmakers, as well as cybersecurity and privacy experts, concerned.

As the market for connected cars is expected to grow at a five-year compound annual growth rate of 45 percent, standardized frameworks are necessary to provide customers assurance that a car’s security attributes can be trusted and that the customer’s security needs are protected.

Discussions have commenced, such as in July when Senators Ed Markey and Richard Blumenthal detailed plans to introduce new legislation called the Security and Privacy in Your Car Act of 2015 (SPY Car Act). The SPY Car Act should ensure that cars sold in the US meet certain standards of protection against digital attacks and restrict what type of data is vehicle collected. These standards should be developed by the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) and the legislation also recommends, auto manufacturers be fined up to $100,000 in civil penalties for each violation of unauthorized access to data in connected cars.

Additionally, technology organizations are joining the fight. Intel, for example, created the Automotive Security Review Board to conduct security audits and tests of its automotive hardware platform and offer design recommendations. Lastly, the Fast Identity Online (FIDO) Alliance has made efforts to improve interoperability among strong authentication devices, which was originally created to help Google resolve enterprise security issues. But over time, there was value realized for the automotive industry. Efforts by the FIDO have anonymised Internet users via their physical possessions and aims to protect their digital identities.

The connected car is a complex IT system on wheels

System performance and reliability has had (and will always have) high attention from vehicle manufacturers, with a strong focus on safety hazards. Cybersecurity threats, however, represent a largely unexplored field for the automotive industry.

But like safety, security is a quality aspect — threats of either type can have a negative impact on the reliability and safety of the connected car. By adding wireless interfaces to their cars and connecting their vehicles to external networks, manufacturers are all of a sudden confronted with new threats that stem from an uncontrolled and evolving environment.

The fact that one can remotely access in-vehicle systems also implies that these systems face security threats coming from the outside world. And thus, there is a risk that these systems can be hacked and that data contained therein can be stolen. This poses a threat to the reliability and safety of the car — the hacker can potentially take control of the car — as well as to the privacy of the driver — vehicle data can be used to build a profile of car owners.

Law enforcement has used bait cars to draw out would-be thieves, then remotely lock and disable the car before arresting them. What if bad guys could take over cars and remotely initiate the brakes on a car traveling at high speeds on the freeway? This not only impacts data, but the safety of drivers and passengers. Beyond just cars for personal use, cars being operated by companies like Uber and other car services are impacted.

Today, the ISO 26262 standard addresses systematic failures and random hardware failures. Such safety hazards are quite predictable — systematic failures are deterministic and random hardware failure rates can be predicted with reasonable accuracy — and the nature of the hazards will not change over time. Furthermore, the likelihood that multiple failures occur simultaneously is considered to be rather unlikely in safety engineering.

Cybersecurity threats, on the other hand, are generally less predictable, and they also will change over time. Furthermore, hackers do not hesitate to manipulate various parts of a system simultaneously if that increases the chance of a successful attack. As a consequence, security threats are not necessarily covered within a safety framework such as ISO 26262.

Security must become part of the entire life cycle of the vehicle

Cybersecurity frameworks are fairly new to the automotive industry and it will likely take some time, as was the case with functional safety, before they are widely embraced. To successfully protect connected cars from cyberattacks, a paradigm shift is needed in automotive vehicle design: Security must become part of the entire life cycle of the vehicle. It needs to become an integral part of the design process, as opposed to an afterthought, because security is only as strong as the weakest link.

It is good practice to apply a defense-in-depth strategy, using multiple security techniques to mitigate the risk of one component of the defense being compromised or circumvented. This calls for security-by-design and privacy-by-design, which may also have a significant impact on the architecture and the in-vehicle electronics. Furthermore, the security architecture requires regular maintenance.

In addition, standardization is needed. On the process side, one can think of standardized life-cycle management, from development to deployment to maintenance. Something based on or comparable to Common Criteria could form the basis for such a framework, but automotive-specific adaptations may be needed, as was also the case for ISO 26262 (which was derived from a generic safety standard, IEC 61508).

But technical specifications also are a must-have. It’s not uncommon for straightforward mistakes to be made in security architectures and implementations. A seamless integration of features like secure boot and secure communication into a well-reviewed specification like the AUTOSAR software stack is therefore highly beneficial.

The standardization bodies are currently taking initial steps to create such standards. For example, the SAE Vehicle Electrical System Security Committee is working on a cybersecurity guidebook (J3061) and requirements for hardware-protected security (J3101), and ISO’s TC22 plans to identify the need for communication channels between functional safety and cybersecurity in ISO 26262 Edition 2.

The connected car is a complex IT system on wheels, consisting of many electronic control units (ECU) that are linked together via the in-vehicle network. To secure all of this, an integral approach is needed, where countermeasures are applied at all levels. While standardization efforts have commenced, we’ve only scratched the surface — all the more reason there should be a sense of urgency to get security and privacy standardized and adopted.

TechCrunch: http://tcrn.ch/1PDxL0g

« Social Media Helped Create The Arab Spring, But Could Not Save It
Protecting US Innovation From Cyberattack »

CyberSecurity Jobsite
Check Point

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Snort

Snort

Snort is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.

Intrinsic-ID

Intrinsic-ID

Intrinsic-ID's authentication technology creates unique IDs and keys to authenticate chips, data, devices and systems.

ManagedMethods

ManagedMethods

ManageMethods Cloud Access Monitor is the only Cloud Access Security Broker (CASB) that can be deployed in minutes, with no special training, and with no impact on users or networks.

Picus Security

Picus Security

Huge gaps often exists between the "perceived"​ and "actual"​ IT security level of an organization. Picus Security continuously assesses security controls and reveals deficient ones before hackers do.

AAROH

AAROH

AAROH helps customers in Government, Law Enforcement, and Enterprises to identify, prevent, detect, resolve and protect from threats, crimes, breaches & fraud.

Elpha Secure

Elpha Secure

Elpha Secure provides a comprehensive cybersecurity solution, combining technology and insurance to protect against cyber threats.

QuoIntelligence

QuoIntelligence

QuoIntelligence experts can help your team understand the evolving cyber threats and provide simple yet comprehensive recommendations so you can focus on what matters.

Stefanini Group

Stefanini Group

Stefanini is a global IT services company providing a broad range of solutions for digital transformation including automation, cloud, IoT and cybersecurity.

HORNE

HORNE

HORNE is a professional services firm supporting clients in public, private & government sectors nationwide.

Cyber Legion

Cyber Legion

Cyber Legion Ltd is a UK-based Cyber Security as a Service (CSaaS) start-up that provides IT security testing services to various organizations around the globe.

UK Cyber Cluster Collaboration (UKC3)

UK Cyber Cluster Collaboration (UKC3)

UKC3 has been launched to support Cyber Clusters and encourage greater collaboration across regions and nations of the UK.

One Step Secure IT

One Step Secure IT

One Step provide Managed IT Services, Cybersecurity Protections, and Compliance to businesses in the USA nationwide.

Adaptiva

Adaptiva

Adaptiva, the autonomous endpoint management company, delivers the fastest way to patch and manage endpoints at scale.

Computer Futures

Computer Futures

Computer Futures are a global specialist IT recruitment partner, matching candidates with roles across niche IT markets and core technologies.

Cyber Guru

Cyber Guru

Cyber Guru is an effective cybersecurity awareness training platform, enabling organisations to increase their resistance to cyber-attacks by changing employee behaviour.

Synechron

Synechron

Synechron is a leading global digital consulting firm, providing innovative technology solutions for business.