As vehicles get smarter, cyber security in the automotive industry is becoming an increasing concern. As a result, the UK government has issued new, relevant cyber security guidelines for connected and driverless cars.
Cars are now becoming connected Wi-Fi hotspots, and are well on their way to autonomy. But, this leaves them vulnerable to hacking and data theft.
>See also: The future of driverless cars and data security
Indeed, Mark Noctor, VP EMEA at Arxan Technologies, suggests that “A major cyber-attack on connected vehicles would take a terrible toll on human life, so the security guidelines published by the UK Government on Sunday are an important step in securing this emerging technology.”
“The communications and entertainment systems are particularly vulnerable to attack, and can be reverse engineered to access the API libraries that facilitate data sharing between systems. From here attacks can even inject malicious code into the electronic control units (ECUs) and controller-area-network (CAN) bus, which control critical systems such as electric steering and braking.”
“Preventing application code from being accessed and tampered is one of the biggest priorities in protecting a connected vehicle, and it is encouraging to see the government’s guidelines specifically list the ability to protect code and ensure its integrity as key principles. Manufacturers must deploy code hardening measures to prevent attackers from accessing their source code and removing vital data such as cryptographic keys which can be used to access other systems. Anti-tampering measures should be hidden in the code to alert them if the code has been changed, and prevent systems from starting if alterations are detected.”
>See also: The inevitable road to the autonomous car: are they safe?
In the wake of this growing threat, the UK government has said that it is now essential that all parties involved in the manufacturing supply chain, from designers and engineers, to retailers and senior level executives, are provided with a consistent set of guidelines that support this global industry security-wise.
The Department for Transport, in conjunction with Centre for the Protection of National Infrastructure (CPNI), have created a number of key principles for use throughout the automotive sector, the CAV and ITS ecosystems and their supply chains.
Principle 1 – organisational security is owned, governed and promoted at board level.
Principle 2 – security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
Principle 3 – organisations need product aftercare and incident response to ensure systems are secure over their lifetime.
Principle 4 – all organisations, including sub-contractors, suppliers and potential 3rd parties, work together to enhance the security of the system.
Principle 5 – systems are designed using a defence-in-depth approach.
Principle 6 – the security of all software is managed throughout its lifetime.
Principle 7 – the storage and transmission of data is secure and can be controlled.
Principle 8 – the system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.
Driverless car security
Russell Goodenough, client managing director: Transport Sector at Fujitsu commended the government’s move: “These cyber security principles are an extremely positive development. We know that driverless cars are coming to our roads, and faster than many people anticipate. However, there remain fundamental challenges to be addressed, which are continuing to fuel doubt and even resistance amongst the public regardless of evidence from long term studies. The issues of security and data privacy are crucial: we have already seen numerous cases of road signage and connected cars being hacked, and as autonomous vehicles become more commonplace there could be a very real threat to the public. In addition, the entire connected cars supply chain must work with others in the transport sector to ensure that security is built in from the ground up, to deliver security, integrity and peace of mind.”
>See also: The inevitable road to the autonomous car: are they safe?
“There are also other questions about how exactly we want autonomous vehicles to fit into our society and national transport architecture. For example, driverless cars could revolutionise intercity and rural transport by picking up passengers on an ‘on demand’ basis, if considered in isolation it could diminish the role of buses and local rail services but if thought through could alleviate some of the pressures on what are often expensive and subsidised services. In cities, fleets of driverless cars could significantly reduce the need for parking spaces, opening up space and fundamentally changing the urban landscape, but the impact of congestion is hotly debated. To reap the full benefits of driverless cars, all stakeholders in the transport sector must begin to have these conversations now but these cyber security principles are a welcome first step.”