Security & Privacy Are Critical To Connected Cars

Automated vehicle system technology hierarchy

The automotive industry is rapidly evolving to transform the car from a simple mode of transport to a personalized information hub:

There will be an estimated 220 million connected cars on the road globally by 2020. Each of those cars will be equipped with more than 200 sensors, more than double the number of sensors in connected cars on the road today.

New features and capabilities get added every year, improving comfort, convenience, safety and efficiency — but also growing is the amount of data cars generate, process, exchange and store. Connected cars provide benefits such as better traffic flow, improved fuel economy and better infotainment consoles. But at the same time, the number of attack vectors increases, which potentially leaves personal, financial and vehicle information vulnerable, making the connected car attractive to hackers.

Already we’ve seen security researchers demonstrate attacks, and have seen hacks on Chryslers, Jeep Cherokees and Volkswagens. These demonstrations and hacks are leaving consumers and lawmakers, as well as cybersecurity and privacy experts, concerned.

As the market for connected cars is expected to grow at a five-year compound annual growth rate of 45 percent, standardized frameworks are necessary to provide customers assurance that a car’s security attributes can be trusted and that the customer’s security needs are protected.

Discussions have commenced, such as in July when Senators Ed Markey and Richard Blumenthal detailed plans to introduce new legislation called the Security and Privacy in Your Car Act of 2015 (SPY Car Act). The SPY Car Act should ensure that cars sold in the US meet certain standards of protection against digital attacks and restrict what type of data is vehicle collected. These standards should be developed by the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) and the legislation also recommends, auto manufacturers be fined up to $100,000 in civil penalties for each violation of unauthorized access to data in connected cars.

Additionally, technology organizations are joining the fight. Intel, for example, created the Automotive Security Review Board to conduct security audits and tests of its automotive hardware platform and offer design recommendations. Lastly, the Fast Identity Online (FIDO) Alliance has made efforts to improve interoperability among strong authentication devices, which was originally created to help Google resolve enterprise security issues. But over time, there was value realized for the automotive industry. Efforts by the FIDO have anonymised Internet users via their physical possessions and aims to protect their digital identities.

The connected car is a complex IT system on wheels

System performance and reliability has had (and will always have) high attention from vehicle manufacturers, with a strong focus on safety hazards. Cybersecurity threats, however, represent a largely unexplored field for the automotive industry.

But like safety, security is a quality aspect — threats of either type can have a negative impact on the reliability and safety of the connected car. By adding wireless interfaces to their cars and connecting their vehicles to external networks, manufacturers are all of a sudden confronted with new threats that stem from an uncontrolled and evolving environment.

The fact that one can remotely access in-vehicle systems also implies that these systems face security threats coming from the outside world. And thus, there is a risk that these systems can be hacked and that data contained therein can be stolen. This poses a threat to the reliability and safety of the car — the hacker can potentially take control of the car — as well as to the privacy of the driver — vehicle data can be used to build a profile of car owners.

Law enforcement has used bait cars to draw out would-be thieves, then remotely lock and disable the car before arresting them. What if bad guys could take over cars and remotely initiate the brakes on a car traveling at high speeds on the freeway? This not only impacts data, but the safety of drivers and passengers. Beyond just cars for personal use, cars being operated by companies like Uber and other car services are impacted.

Today, the ISO 26262 standard addresses systematic failures and random hardware failures. Such safety hazards are quite predictable — systematic failures are deterministic and random hardware failure rates can be predicted with reasonable accuracy — and the nature of the hazards will not change over time. Furthermore, the likelihood that multiple failures occur simultaneously is considered to be rather unlikely in safety engineering.

Cybersecurity threats, on the other hand, are generally less predictable, and they also will change over time. Furthermore, hackers do not hesitate to manipulate various parts of a system simultaneously if that increases the chance of a successful attack. As a consequence, security threats are not necessarily covered within a safety framework such as ISO 26262.

Security must become part of the entire life cycle of the vehicle

Cybersecurity frameworks are fairly new to the automotive industry and it will likely take some time, as was the case with functional safety, before they are widely embraced. To successfully protect connected cars from cyberattacks, a paradigm shift is needed in automotive vehicle design: Security must become part of the entire life cycle of the vehicle. It needs to become an integral part of the design process, as opposed to an afterthought, because security is only as strong as the weakest link.

It is good practice to apply a defense-in-depth strategy, using multiple security techniques to mitigate the risk of one component of the defense being compromised or circumvented. This calls for security-by-design and privacy-by-design, which may also have a significant impact on the architecture and the in-vehicle electronics. Furthermore, the security architecture requires regular maintenance.

In addition, standardization is needed. On the process side, one can think of standardized life-cycle management, from development to deployment to maintenance. Something based on or comparable to Common Criteria could form the basis for such a framework, but automotive-specific adaptations may be needed, as was also the case for ISO 26262 (which was derived from a generic safety standard, IEC 61508).

But technical specifications also are a must-have. It’s not uncommon for straightforward mistakes to be made in security architectures and implementations. A seamless integration of features like secure boot and secure communication into a well-reviewed specification like the AUTOSAR software stack is therefore highly beneficial.

The standardization bodies are currently taking initial steps to create such standards. For example, the SAE Vehicle Electrical System Security Committee is working on a cybersecurity guidebook (J3061) and requirements for hardware-protected security (J3101), and ISO’s TC22 plans to identify the need for communication channels between functional safety and cybersecurity in ISO 26262 Edition 2.

The connected car is a complex IT system on wheels, consisting of many electronic control units (ECU) that are linked together via the in-vehicle network. To secure all of this, an integral approach is needed, where countermeasures are applied at all levels. While standardization efforts have commenced, we’ve only scratched the surface — all the more reason there should be a sense of urgency to get security and privacy standardized and adopted.

TechCrunch: http://tcrn.ch/1PDxL0g

« Social Media Helped Create The Arab Spring, But Could Not Save It
Protecting US Innovation From Cyberattack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Opengear

Opengear

Opengear designs, manufactures and delivers the most feature-rich, cost-effective, flexible solutions for secure remote infrastructure management. Wit

Aves Netsec

Aves Netsec

Aves is a deceptive security system for enterprises who want to capture, observe and mitigate bad actors in their internal network.

Neoteric Networks

Neoteric Networks

We deliver a no nonsense procedure to implementing technology. The technology selection process ensures that all customers enjoy an engineered methodology implementing technology.

Rogue Wave Software

Rogue Wave Software

At Rogue Wave, our mission is to simplify your hardest problems, improve software quality and security, and shorten the time it takes to deliver value.

Fraugster

Fraugster

Fraugster provides the most precise anti-fraud solution for e-commerce businesses.

UNIDIR Cyber Policy Portal

UNIDIR Cyber Policy Portal

The UNIDIR Cyber Policy Portal is an online reference tool that maps the cybersecurity and cybersecurity-related policy landscape.

Go Grow

Go Grow

Go Grow is a business oriented accelerator program at Copenhagen School of Entrepreneurship. Targeted technologies include IoT, AI and Cybersecurity.

McIntyre Associates

McIntyre Associates

McIntyre Associates is an Executive Search boutique specialized in recruiting for the Cybersecurity industry. Our clients range from Venture Capital backed startups to Fortune 100 companies.

Brighterion

Brighterion

Brighterion solutions stop payment and acquirer fraud, reduce credit risk and delinquency, fight financial crime, prevent healthcare fraud, waste and abuse, and more.

GateKeeper Enterprise

GateKeeper Enterprise

The GateKeeper Enterprise software is an identity access management solution. Automated proximity-based authentication into computers and websites. Passwordless login and auto-lock PCs.

SEMNet

SEMNet

SEMNet is an IT solutions provider and an infrastructure and security consulting firm.

SolCyber

SolCyber

SolCyber, a Forgepoint company, is the first modern MSSP to deliver a curated stack of enterprise strength security tools and services that are accessible and affordable for any organization.

Trusted Security Solutions (TSS)

Trusted Security Solutions (TSS)

TSS are specialist in IT Security and providing Cybersecurity Solutions & Services combined with storage and backup.

Web3fied

Web3fied

Web3fied is a seed stage company building the future of decentralized digital identity and credentials management.

endpointX

endpointX

endpointX is a preventative cyber security company. We help companies minimize their risk of breach by improving cyber hygiene.

Incyber

Incyber

Incyber is a fully integrated network and cybersecurity solutions provider contracted to safeguard public and private enterprise, high value data and sensitive industries.