Ontario emerging as leader in automotive cybersecurity research
‘Infections’ can turn vehicles into dangerous projectiles, experts warn
New technology developed by BlackBerry records driver inputs and can determine within seconds whether an operator is authorized for that vehicle, the Canadian software supplier said.
Ontario is emerging as a leader in automotive cybersecurity research and development as computer viruses, worms and other types of malware (malicious software) present a growing threat to the industry and the public.
Companies including BlackBerry QNX, headquartered in Ottawa, and Escrypt, based in Waterloo, Ont., are among those leading the charge on vehicle cybersecurity.
Computers inside a vehicle can be infected by outside sources, said Sebastian Fischmeister, an expert in embedded software security for vehicles at the University of Waterloo.
A cyber infection in a car on the road is dangerous, he said.
“You are in a computer that is driving down the road at 100 kilometres per hour.”
A 2016 report commissioned by the Ontario Centres of Excellence and the Toronto Financial Services Alliance ranked Canada as the fourth largest innovation hub in the world for cybersecurity, with Ontario leading the way in venture capital deals in the cybersecurity sector. Since then, research and development in the province has only accelerated, Fischmeister said.
SUPPLY CHAIN COMPLIANCE
Vulnerabilities can also be introduced from within a supply chain.
“All these computers come from different suppliers. The worry is also about manipulated firmware or counterfeit parts that come in from other points in the supply chain,” he said.
Once that particular part is installed, “hackers can take over the car at any point they want.”
To deal with the threats, automakers are now requiring parts to be compliant with cybersecurity standards established through the International Organization for Standardization (ISO) and SAE International.
This involves significant investments by suppliers, and Fischmeister acknowledges it’s a challenge in the cost-driven world of the automotive industry.
Unlike a flashy infotainment system, cybersecurity is not exactly a selling feature that people can see on a car lot, he said.
“The question is whether the consumer is willing to pay a premium for a feature that they don’t actually see.”
CYBER ‘HYGIENE’ URGED
But just as with biological viruses, there are huge economic consequences for companies if an attack does happen.
“You need to have good cyber hygiene within your company,” Fischmeister said. “You have to operate your company with security in mind.”
Fischmeister said he and researchers at the Waterloo Centre for Automotive Research (WatCAR) are working with industry partners, including AVL and Magna, on safety and security for advanced driver assistance systems. The team will be building an automotive safety and security testbed in order to develop prototypes for software security in the next generation of those features, as well as the talented workforce the industry needs to keep those systems secure.
“Other Canadian and international companies have already expressed interest in also participating in this effort, as there is a large demand for the talent and the technology,” he said.
Escrypt, part of Germany-based ETAS GmbH, a division of Bosch Group, makes security solutions for electronic control units (ECUs) that communicate with each other inside the vehicle. Hardware security technology that in the past secured information on web servers is now moving into vehicles, said Rob Lambert, principal security consultant at Escrypt.
“Vehicles of the future will have all kinds of new functionality because of these connections, but that also means that there are many more ways to penetrate the epidermis of this cell that you think of as your car, and it can become infected,” Lambert said.
“We work on the immune system of the vehicle.”
Ken Schultz, general manager at Escrypt, stressed that computer code in a vehicle is distributed among dozens of tiny computers that individually might have relatively simple functionality, like controlling the brakes or turning on the entertainment system, “but they all represent places where, if they are not secured appropriately, malware can get in and cause havoc.”
In the Internet-of-things era, roadway infrastructure increasingly communicates with vehicles. Also, the information from sensors in one vehicle can be sent to another to detect, for example, if a vehicle ahead has applied its brakes. Escrypt is working on securing that communication as well, said Kevin Henry, a standards and security expert and part of the Escrypt consulting team.
‘UNIQUE AS DNA’
BlackBerry QNX has been developing a technology that harnesses machine learning, or artificial intelligence, to collect and interpret data from the sensors inside vehicles, in order to help fleet operators detect intrusions and problems.
If, for example, a company vehicle is started with the correct key but the driver’s behaviour – from seat adjustment to steering inputs to gas and brake pedal pressure – doesn’t match the profile of the authorized user, then the technology can send an alert to a fleet analyst’s screen. It will give the analyst choices, such as call the vehicle; take a photo of the driver with the dashboard camera; notify authorities; even cut engine power.
BlackBerry expects to find a ready market for the technology among automakers and fleet operators looking to protect cars and trucks from existing risks and “future-proof” them to coming threats.
“We’re basically ready to integrate it,” chief technology officer Charles Eagan told Automotive News Canada in an interview.
Vehicle monitoring, from GPS trackers for transport fleets to phone apps that tattle on speeding teenagers, is nothing new, but BlackBerry’s platform employs machine learning to build user profiles as unique as DNA.
The BlackBerry platform will also be able to reach deep into the vehicle’s coding to identify potential problems and shepherd over-the-air software updates, Eagan