The pace of transformation within the automotive industry has been unparalleled. It was only ten years ago that the very concept of self-driving cars and heavy goods vehicles was regarded as far-fetched science fiction; today, they are already a common sight on many roads around the world. The physical safety of cars is of course paramount. However, as cars become more connected, with onboard systems designed to network with the public internet, now is the time for cybersecurity to be given the same focus as physical security.
Innovations in the automotive industry have the potential to be revolutionary. Increased internet connectivity means there are more than 21 million smart cars on our roads, promising improvements in fuel economy and reductions in congestion and accidents. Gartner has estimated that this figure will rise to 250 million by 2020, but in the competitive rush to bring more connected cars to market, it is important that manufacturers don't skip the basics of cybersecurity and compromise the safety of their vehicles.
Learning lessons from other industries
There have been dramatic headlines concerning cybersecurity in cars already – although thankfully they have been few and far between. Most notable was the 2015 incident in which security researchers were able to take control of an SUV using a mobile phone. The attack method, in which they used an internet-connected head unit to access the universal CAN Bus, which isn’t meant to be accessible from outside the car, is a specific example of the types of weaknesses we find when new technologies are introduced to legacy environments.
This is a problem shared with many other industries, from manufacturing to maritime. Connecting legacy devices that were never designed to function in this way to the internet has opened a whole new attack surface that hackers are trying to exploit.
That said, there are also many lessons that the industry can learn from these other sectors. Techniques that are routinely deployed on corporate networks to identify and quarantine anomalous behaviours – identifying attacks early, in other words – must be developed for the specific interplays of an in-vehicle network. Furthermore, network segregation has played a vital role in critical industries, such as nuclear and water, and can do so too in the automotive sector to ensure that mechanical functions are not accessible through non-critical technologies, such as entertainment systems.
As these problems begin to be successfully tackled in other sectors, the automotive industry is beginning to understand that it needs to improve, and last year’s adoption of a six-point policy on cybersecurity by the European Automobile Manufacturers Association (ACEA) is a good start. The pace of progress when it comes to implementing best practice is still slow, however. Earlier this year, another team of researchers demonstrated vulnerabilities in many new cars which allowed them to take control of the critical Electronic Control Unit (ECU).
Addressing the problem
From the point of view of both customer safety and reputational damage, it’s vital that manufacturers address these issues as quickly as possible. They must develop an internal culture which prioritises cybersecurity at all stages of the design process, understand where their own weaknesses are and when outside consultants need to be brought in.
They also need to engage in constant testing and hardening of their defences before and after product release. Some firms have been pioneering in offering over-the-air updates for their vehicles, which will be vital in the future to keep security up to date. At the same time, however, these exercises have revealed the importance of transparency and clear communication with customers, who have already shown that there’s a lack of trust in unknown updates.
Manufacturers must, in other words, prove themselves to be as serious about the digital security of vehicles as the physical security. And they must do it now. As the car becomes ever smarter, in order to realise the benefits of such innovations it is imperative that every new smart or autonomous car is designed, manufactured and sold with cybersecurity in mind.
To learn more about how Applied Risk can help ensure the security of connected vehicles, visit: https://applied-risk.com/solutions/services/iot-security-assurance-services