Security & Privacy Are Critical To Connected Cars

Automated vehicle system technology hierarchy

The automotive industry is rapidly evolving to transform the car from a simple mode of transport to a personalized information hub:

There will be an estimated 220 million connected cars on the road globally by 2020. Each of those cars will be equipped with more than 200 sensors, more than double the number of sensors in connected cars on the road today.

New features and capabilities get added every year, improving comfort, convenience, safety and efficiency — but also growing is the amount of data cars generate, process, exchange and store. Connected cars provide benefits such as better traffic flow, improved fuel economy and better infotainment consoles. But at the same time, the number of attack vectors increases, which potentially leaves personal, financial and vehicle information vulnerable, making the connected car attractive to hackers.

Already we’ve seen security researchers demonstrate attacks, and have seen hacks on Chryslers, Jeep Cherokees and Volkswagens. These demonstrations and hacks are leaving consumers and lawmakers, as well as cybersecurity and privacy experts, concerned.

As the market for connected cars is expected to grow at a five-year compound annual growth rate of 45 percent, standardized frameworks are necessary to provide customers assurance that a car’s security attributes can be trusted and that the customer’s security needs are protected.

Discussions have commenced, such as in July when Senators Ed Markey and Richard Blumenthal detailed plans to introduce new legislation called the Security and Privacy in Your Car Act of 2015 (SPY Car Act). The SPY Car Act should ensure that cars sold in the US meet certain standards of protection against digital attacks and restrict what type of data is vehicle collected. These standards should be developed by the National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC) and the legislation also recommends, auto manufacturers be fined up to $100,000 in civil penalties for each violation of unauthorized access to data in connected cars.

Additionally, technology organizations are joining the fight. Intel, for example, created the Automotive Security Review Board to conduct security audits and tests of its automotive hardware platform and offer design recommendations. Lastly, the Fast Identity Online (FIDO) Alliance has made efforts to improve interoperability among strong authentication devices, which was originally created to help Google resolve enterprise security issues. But over time, there was value realized for the automotive industry. Efforts by the FIDO have anonymised Internet users via their physical possessions and aims to protect their digital identities.

The connected car is a complex IT system on wheels

System performance and reliability has had (and will always have) high attention from vehicle manufacturers, with a strong focus on safety hazards. Cybersecurity threats, however, represent a largely unexplored field for the automotive industry.

But like safety, security is a quality aspect — threats of either type can have a negative impact on the reliability and safety of the connected car. By adding wireless interfaces to their cars and connecting their vehicles to external networks, manufacturers are all of a sudden confronted with new threats that stem from an uncontrolled and evolving environment.

The fact that one can remotely access in-vehicle systems also implies that these systems face security threats coming from the outside world. And thus, there is a risk that these systems can be hacked and that data contained therein can be stolen. This poses a threat to the reliability and safety of the car — the hacker can potentially take control of the car — as well as to the privacy of the driver — vehicle data can be used to build a profile of car owners.

Law enforcement has used bait cars to draw out would-be thieves, then remotely lock and disable the car before arresting them. What if bad guys could take over cars and remotely initiate the brakes on a car traveling at high speeds on the freeway? This not only impacts data, but the safety of drivers and passengers. Beyond just cars for personal use, cars being operated by companies like Uber and other car services are impacted.

Today, the ISO 26262 standard addresses systematic failures and random hardware failures. Such safety hazards are quite predictable — systematic failures are deterministic and random hardware failure rates can be predicted with reasonable accuracy — and the nature of the hazards will not change over time. Furthermore, the likelihood that multiple failures occur simultaneously is considered to be rather unlikely in safety engineering.

Cybersecurity threats, on the other hand, are generally less predictable, and they also will change over time. Furthermore, hackers do not hesitate to manipulate various parts of a system simultaneously if that increases the chance of a successful attack. As a consequence, security threats are not necessarily covered within a safety framework such as ISO 26262.

Security must become part of the entire life cycle of the vehicle

Cybersecurity frameworks are fairly new to the automotive industry and it will likely take some time, as was the case with functional safety, before they are widely embraced. To successfully protect connected cars from cyberattacks, a paradigm shift is needed in automotive vehicle design: Security must become part of the entire life cycle of the vehicle. It needs to become an integral part of the design process, as opposed to an afterthought, because security is only as strong as the weakest link.

It is good practice to apply a defense-in-depth strategy, using multiple security techniques to mitigate the risk of one component of the defense being compromised or circumvented. This calls for security-by-design and privacy-by-design, which may also have a significant impact on the architecture and the in-vehicle electronics. Furthermore, the security architecture requires regular maintenance.

In addition, standardization is needed. On the process side, one can think of standardized life-cycle management, from development to deployment to maintenance. Something based on or comparable to Common Criteria could form the basis for such a framework, but automotive-specific adaptations may be needed, as was also the case for ISO 26262 (which was derived from a generic safety standard, IEC 61508).

But technical specifications also are a must-have. It’s not uncommon for straightforward mistakes to be made in security architectures and implementations. A seamless integration of features like secure boot and secure communication into a well-reviewed specification like the AUTOSAR software stack is therefore highly beneficial.

The standardization bodies are currently taking initial steps to create such standards. For example, the SAE Vehicle Electrical System Security Committee is working on a cybersecurity guidebook (J3061) and requirements for hardware-protected security (J3101), and ISO’s TC22 plans to identify the need for communication channels between functional safety and cybersecurity in ISO 26262 Edition 2.

The connected car is a complex IT system on wheels, consisting of many electronic control units (ECU) that are linked together via the in-vehicle network. To secure all of this, an integral approach is needed, where countermeasures are applied at all levels. While standardization efforts have commenced, we’ve only scratched the surface — all the more reason there should be a sense of urgency to get security and privacy standardized and adopted.

TechCrunch: http://tcrn.ch/1PDxL0g

« Social Media Helped Create The Arab Spring, But Could Not Save It
Protecting US Innovation From Cyberattack »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Berkman Klein Center for Internet & Society

Berkman Klein Center for Internet & Society

The Berkman Klein Center for Internet & Society is a research center at Harvard University that focuses on the study of cyberspace.

Research Institute in Science of Cyber Security (RISCS)

Research Institute in Science of Cyber Security (RISCS)

RISCS is focused on giving organisations more evidence, to allow them to make better decisions, aiding to the development of cybersecurity as a science.

BeOne Development

BeOne Development

BeOne Development provide innovative training and learning solutions for information security and compliance.

IDnow

IDnow

IDnow is the world’s fastest, most flexible and most secure identity verification platform, delivering instant verification of the identity documents used by 7 billion people.

Cyfirma

Cyfirma

CYFIRMA offers Cyber threat visibility and intelligence suite and services aimed at keeping your organization’s cybersecurity posture up-to-date.

CONCORDIA

CONCORDIA

Concordia is a Cybersecurity Competence Network with leading research, technology, and competences to build the European Secure, Resilient and Trusted Ecosystem.

Australian Cyber Collaboration Centre (Aus3C)

Australian Cyber Collaboration Centre (Aus3C)

The Australian Cyber Collaboration Centre (Aus3C) is committed to building cyber capacity and securing Australia's digital landscape.

Apptega

Apptega

Apptega is an award-Winning Cybersecurity and Compliance Platform. Our mission is to make cybersecurity and compliance easy for everyone.

Quside

Quside

Quside, a spin-off from The Institute of Photonic Sciences in Barcelona, designs and manufactures innovative quantum technologies for a wide range of applications including cyber security.

Dynamic Quest

Dynamic Quest

Dynamic Quest is a managed IT, cloud and security services companies, providing a comprehensive range of technology services including cybersecurity, backup and disaster recovery.

Outsource Group

Outsource Group

Outsource Group is an award winning Cyber Security and IT Managed Services group working with a range of SME/Enterprise customers across the UK, Ireland and internationally.

RMRF Tech

RMRF Tech

RMRF is a team of cybersecurity engineers and penetration testers which specializes in the development of solutions for early cyber threat detection and prevention.

Elba

Elba

Employee security needs to be reinvented. SaaS security needs to involve end-user and awareness needs to be actionable. Meet elba, the 5-in-one cybersecurity hub with no compromises.

SektorCERT

SektorCERT

SektorCERT is the cybersecurity center for the critical infrastructure sectors in Denmark. We help detect and handle when critical infrastructure is exposed to cyber attacks.

Two99

Two99

Two99 provide tailored excellence in the areas of E-Commerce, Marketing, Consulting, and Cyber Security.

Insane Cyber

Insane Cyber

Insane Cyber make cybersecurity easier to manage through automated, easy-to-use software and expert support and partnership.