New technology can drive huge innovation but it also often means new opportunities for cybercriminals to exploit vulnerabilities for financial gain. Unfortunately, it is no different for the automotive industry. By 2020, 150 million connected cars are expected to be on the roads. This offers 150 million plus new targets for cybercriminals keen to hunt down vulnerable data.
As connected cars hit the public eye, everyone is starting to sit up and take notice of this technological advance. In the Queen’s speech earlier this year, even Her Royal Highness addressed the future of the connected car. Her Majesty introduced changes to insurance policies which will allow driverless cars to be insured under ordinary policies.
Interest in connected vehicles is no surprise. Set to be a fantastic boost to the UK economy, they could transform transport systems and the automotive industry. The UK government has even launched a major consultation to ensure British roads are ready for connected cars. Many hope they will result in fewer car crashes, advancements in freedom to travel for those who find it difficult, safer and more efficient transport networks and the creation of new high value jobs in the technology and automotive sectors. With Intel recently confirming that connected cars are the third-fastest growing technological device following phones and tablets, it is clear we should all be keeping an eye on this innovation.
Yet, just as it is important to protect our mobile devices from cyber security threats, it is equally vital that steps are taken to ensure connected cars are safe. If not, the industry runs the risk of seeing the success and innovation of this new technology destroyed – as well as endangering the safety of users. While there are yet to be any attacks on driverless cars, the threat is very real. A number of demos have highlighted just how easy it is to hack and control a connected car. Crime is driven by motive: as soon as criminals work out how hacking a connected vehicle can become profitable, they will target this sector.
The automotive industry needs to act quickly
Introducing internet connectivity in cars offers a range of new exciting features, including autonomous driving, smart intersections and real-time telematics. It does however also provide cybercriminals with an opportunity to exploit this technology and make some cash. As a result, built-in security solutions are required to ensure next-generation cars can reach their full potential while operating securely in a risky environment.
In response to this, Intel Security has collaborated with a group of top security and automotive industry experts from across the globe to form the Automotive Security Review Board (ASRB). This board was created to stay one step ahead of cybercriminals and secure any vulnerabilities before hackers can take advantage of them. The Automotive Security Review Board aims to ensure that connected vehicle systems are placed under the greatest scrutiny. It is key that vehicle security is a priority during the design phase.
An intentional and proactive security design is required for the consolidation and interconnection of vehicle systems. It must include areas such as secure boot, trusted execution environments, tamper protection, isolation of safety critical systems, message authentication, network encryption, data privacy, behavioural monitoring, anomaly detection, and shared threat intelligence.
Security from design
Like safety and reliability, vehicle security starts in the design phase. Consolidation and interconnection of vehicle systems requires a security design that is intentional and proactive. Expanding on experience from related industries, such as defence and aerospace, there are some foundational principles that can be utilised: defence-in-depth, similar to the layers of protection analysis (LOPA) methodology used for safety and risk reduction, and designing secure systems from the hardware to the cloud with identified best practices and technologies for each discrete building block.
These include such things as secure boot, trusted execution environments, tamper protection, isolation of safety critical systems, message authentication, network encryption, data privacy, behavioural monitoring, anomaly detection, and shared threat intelligence.
On the production line
But it doesn’t stop with design, automotive security needs to continue right through to the production and operation stages. Best practices for production processes ensure that the design components are correctly implemented and their implementation is linked back to the properties in the secure design, giving customers confidence that the platform is secure. These include code reviews, component and system-level penetration tests, continuous validation of security assumptions, inbound and outbound materials processes, maintenance and upgrade plans, and a feedback loop for continuous learning and improvement.
On the road and beyond
Threat analysis and risk assessment continues throughout the life of the car as old vulnerabilities are patched and new ones come to light, so the risk of attack can even increase with time. Detailed incident response plans in the event of a newly discovered vulnerability or security breach provide confidence to the consumer and manufacturer. Techniques such as over-the-air software or firmware patches and upgrades quickly close vulnerabilities and significantly reduce recall costs.
Threat intelligence guides the identification and understanding of potential criminal business models to help prioritise threats, their associated risks, and appropriate incident response. These operational measures require secure chains of trust that are designed into the vehicle and meant to last for its deployed lifetime.
Before connected cars become the norm, we want to see the security design of this new technology strengthened to the point where attacks are close to impossible to execute. Additionally, mitigation and preventive techniques need to be implemented in order to react to vulnerabilities as rapidly as possible and limit any potential damage. The ultimate objective for the Automotive Security Review Board is to help create an industry of self-healing cars which can detect malicious intent, combat attacks and repair any damage done to themselves.
With ongoing collaboration between the automotive industry, security experts and standards organisations, connected cars can be safeguarded against the increasingly sophisticated threat landscape.
Raj Samani, CTO EMEA, Intel Security
Image source: Shutterstock/LifetimeStock