Are there acceptable levels of cyber-security protection in connected cars?

By | 4 minute read | June 7, 2017

Cyber-security protection is becoming an ever more urgent priority as electronics technology is integrated into our lives, but the level of protection attained is a moving target. As one vulnerability is found and closed, others are detected. The National Institute of Standards and Technology (NIST) has established a framework that recommends an acceptable level of protection that can be used as a guide. So how might the automotive and mobility industries, focusing on large-scale adoption of connected vehicles, determine where that minimum standard is set?

The Society of Automotive Engineers (SAE) hosted a panel focused on just that at its Connect2Car Executive Leadership Forum in Silicon Valley in June 2017. IBM’s Giuseppe Serio, Solution Leader for Automotive Cyber Security, was part of the panel.

Giuseppe Serio talks about cyber-security in autos at SAE event

Cars are becoming data centers on wheels

Cars have transformed in the last 20+ years from largely mechanical devices focused exclusively on transportation to mostly software- and electronics-driven data centers on wheels. A typical vehicle today may contain 15-20 Electronic Control Units (ECUs), while a premium luxury vehicle might have more than a hundred. While there may be some ECU consolidation in the future, it is expected to be gradual. As we move into Advanced Driver Assistance (ADAS) and autonomous driving, the potential for threats is magnified further.

Beyond the complexity of individual vehicles comes the interconnection of all vehicles on the roads, with a developing smarter traffic infrastructure that further complicates the landscape. Cars are now commonly endpoints, a logical extension of the Internet of Things. The vehicle attack surface is broad, and only some of it is owned and controlled by the companies that built and sold the car. Third-party services such as satellite radio, telecommunications services and other connection points may be outside automakers’ direct control.

Cars also routinely collect vast amounts of data. Some cities already capture information through Bluetooth recorders to better understand traffic patterns. Data is anonymized and aggregated, but vehicles are already broadly transmitting information that cities are collecting, utilizing and opening up to their citizens.

A comprehensive threat management strategy is key

The cybersecurity world is highly dynamic, and threats have been mushrooming as well. Today, there are over 600m known forms of malware in circulation. Here’s a staggering fact: 140m of those came to light just in the past year! It’s not possible to create systems that will defend against them all. A comprehensive threat management strategy is key to staying ahead of problems and to being able to respond to issues in close to real time. There won’t be a comprehensive “hands off” system for automakers and fleet providers to rely on; there has to be some manner of manual intervention at some point in most attacks.

Effective security management is also about creativity. We are often retrofitting a system that was created decades ago. Security information is spread across the entire system and should be managed as a process, not as an engineering exercise. One of the unresolved issues in automotive organizations is where in the organization cyber-security capabilities should be contained.

The automotive industry needs a new mindset

The ability to be dynamic, to communicate and respond to issues as quickly as possible, and to intervene in threats requires a mindset that automotive companies are not accustomed to. New opportunities will bring new risks. In order to develop effective security and risk models, automakers need to think outside their accustomed environment. Attackers will likely have an outside view and attack unconventionally. So a culture change is also required to adopt a security mindset.

Fortunately, the automotive industry has a collective recognition that its members are all in this together. Attacks against one automaker will affect others in terms of public perception. There is both an opportunity and a necessity to collaborate industry-wide on threat intelligence.


The impact of shorter car lifecycles

Security must be part of the DNA of the enterprise and manifest itself throughout the full lifecycle of the vehicle. Lifecycles will also be affected by the cyber-security question as we think ahead. Today, lifecycle duration is very clear, but as we start to consider connected vehicles, lifecycles may be shorter. Consider an antique ’60s muscle car or a classic BMW or Mercedes. These cars are still on the roads and may be 40 or 50+ years old. They are threat-free as they’re fully mechanical vehicles. But will today’s Tesla, loaded with electronics and connectivity, still be able to be on the road in 20 or 30, much less 50 years?

Security – the newest consideration in auto purchase

In the eyes of consumers, the big pillars had been quality, safety and fuel economy. Now we have to add security as another capability that consumers will be basing vehicle selections on. Fifty-six percent of consumers say security and privacy will be key differentiators in their future vehicle purchasing decisions.

To start cracking this nut, we have to think about standards… or, more realistically, can standards even exist? Today there’s no comprehensive security standard for connected vehicles, and there likely won’t be. Things change too fast. There’s room for standards in some areas, but they would be very difficult in others. Vehicles also need to be designed to be aware of their status regarding a cyber threat. Vehicles have to be able to self-heal.

Security is a combination of prevention, detection and response

In summary, security is a combination of prevention, detection and response. Automotive enterprises are mostly focused on prevention and detection; as yet, they are falling short on response.

To read more about IBM’s ideas on automotive security solutions, please download our study, Accelerating Security: Winning the race to vehicle integrity and data privacy.